Netgate Discussion Forum

I can't see other computers when connected to my OpenVPN

OpenVPN
    tclarkbar
    last edited by Jan 18, 2011, 5:30 AM Jan 18, 2011, 4:23 AM

    Long time lurker, first post. Networking is more of a hobby than a career so here I sit.

    I was able to follow the sticky on setting up OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior). For the most part I used most of the settings recommended that fit my network.

    I am to the point that I can connect to my pfSense router (1.2.3-Release) from an outside network, however I cannot see any of the other computers within the network.

    For testing purposes I am tethering to my Droid from my laptop running Windows 7. OpenVPN gives me an address of 192.168.200.6. When I run ipconfig, I do notice that I don't have a default gateway and my subnet is 255.255.255.252 (as opposed to 255.255.255.0 when inside the network)

    My home network is 192.168.1.1/24

    I think that I may have a firewall rule messed up. But I don't really know where to go from here to continue troubleshooting. Any help/advice would be great.

    Thanks

    Edit:
    I've been trying to follow this info on bridging:
    http://goo.gl/erHDL & http://goo.gl/gWU5E

    When I add this line to my OpenVPN server custom options, I cannot connect anymore
    server-bridge 192.168.1.1 255.255.255.0 192.168.200.0 192.168.200.255

    and I am not entirely sure where this is referring to:
    "and then go edit /conf/config.xml."

      SeventhSon
      last edited by Jan 18, 2011, 7:42 AM

      @tclarkbar:

      When I run ipconfig, I do notice that I don't have a default gateway

      That's not good, that should be the pfSense OpenVPN Server IP. Could be an option in the client as well.

      I think that I may have a firewall rule messed up. But I don't really know where to go from here to continue troubleshooting. Any help/advice would be great.

      If you're unsure either turn on logging for that rule and default deny rule or if it's a testing setup, make a firewall rule to pass all on the interfaces involved.

      When I add this line to my OpenVPN server custom options, I cannot connect anymore
      server-bridge 192.168.1.1 255.255.255.0 192.168.200.0 192.168.200.255

      and I am not entirely sure where this is referring to:
      "and then go edit /conf/config.xml."

      You need to go to Diagnostic - Edit File and edit /conf/config.xml then add the lines in the guide.

        jai23155
        last edited by Feb 3, 2011, 11:21 AM

        Hey, I have been searching for this for a week. Mine is the same problem. Please reply to me if you find a solution. Thanks

          Cry Havok
          last edited by Feb 3, 2011, 5:41 PM

          jai23155 why don't you provide details of your configuration so we can tell if you're suffering from exactly the same problem as you think, or if it's completely unrelated.

            jai23155
            last edited by Feb 3, 2011, 6:26 PM

            hi, my configuration
            main office LAN-192.168.10.0/24 behind pfsense
            looking to set up open vpn client for remote users. created certificates, keys  and config files. open vpn server on pfsense box.
            protocol tcp
            local port 1194
            address pool 192.168.12.0/24
            local network 192.168.10.0/24
            cryptography bf-cbc (128 bit)
            PKI
            disable netbios
            lzo compression

            Tried from a PC which is outside the LAN; I can connect to the pfSense box, but can neither ping any PC on the LAN nor browse Windows shares on the server.
            When connected, it shows an IP in the web GUI, but there is no IP on the interface when I run ipconfig /all; it shows a self-assigned IP (168.254.37.38).
            The PC outside the LAN (the one I am testing from) is Server 2008, if it makes any difference. When I tested it from my home (Win 7 laptop), I can see the address assigned on the interface, 192.168.12.6, DHCP server 192.168.12.5; but the subnet is 255.255.255.252 rather than 255.255.255.0.
            I am already running an IPsec tunnel between two of our sites. There is no OpenVPN tab in the firewall and no process running for OpenVPN.
            Please find attached my OpenVPN server config. Thanks

              Cry Havok
              last edited by Feb 3, 2011, 6:49 PM

              The inability to browse shares has been discussed many times - that's usually down to attempting to use WINS on a routed network without using a WINS server.

              Can you post a screenshot of the server settings and a copy of the client configuration file, as well as the client log.

                jai23155
                last edited by Feb 3, 2011, 7:00 PM

                please find attached server config.
                client config:
                client
                dev tun
                proto tcp
                remote xxx.xxx.xxx.xxx 1194
                ping 10
                resolv-retry infinite
                nobind
                persist-key
                persist-tun
                ca ca.crt
                cert ovpn_client1.crt
                key ovpn_client1.key
                ns-cert-type server
                comp-lzo
                pull
                verb 3
                We are using Server 2008 R2 as domain controller and WINS server, which is at 192.168.10.xxx.

                pfsense1.png
                pfsense2.png

                  Cry Havok
                  last edited by Feb 4, 2011, 11:57 AM

                  Can I suggest that you push the DNS and WINS servers for the LAN and set the NetBIOS mode to p.

                  If you're still having problems after that don't forget to post the rest of the information I asked for ;)

                    jai23155
                    last edited by Feb 4, 2011, 12:22 PM

                    Did what you said, but no use, still the same result. I couldn't even see my OpenVPN service running in status or in the firewall.
                    My client config is
                    client
                    dev tun
                    proto tcp
                    remote xxx.xxx.xxx.xxx 1194
                    ping 10
                    resolv-retry infinite
                    nobind
                    persist-key
                    persist-tun
                    ca ca.crt
                    cert ovpn_client2.crt
                    key ovpn_client2.key
                    ns-cert-type server
                    comp-lzo
                    pull
                    verb 3
                    I am already running an IPsec tunnel between two sites. Is there any IPsec VPN client software, so that I don't have to struggle with OpenVPN?
                    Thanks

                      Cry Havok
                      last edited by Feb 4, 2011, 12:37 PM

                      As you're consistently not supplying the requested client logs it's hard to help you. Of course, if you haven't started the OpenVPN service that might explain why it isn't working.

                      As for IPsec clients, there are some good options and if you look in the IPsec forum you'll find various options.

                        jai23155
                        last edited by Feb 4, 2011, 2:07 PM

                        sorry, forgot to paste log file, here it is
                        Fri Feb 04 14:03:25 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
                        Fri Feb 04 14:03:25 2011 WARNING: --ping should normally be used with --ping-restart or --ping-exit
                        Fri Feb 04 14:03:25 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                        Fri Feb 04 14:03:25 2011 LZO compression initialized
                        Fri Feb 04 14:03:25 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
                        Fri Feb 04 14:03:25 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
                        Fri Feb 04 14:03:25 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
                        Fri Feb 04 14:03:25 2011 Local Options hash (VER=V4): '69109d17'
                        Fri Feb 04 14:03:25 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
                        Fri Feb 04 14:03:25 2011 Attempting to establish TCP connection with 194.105.164.81:1194
                        Fri Feb 04 14:03:25 2011 TCP connection established with 194.105.164.81:1194
                        Fri Feb 04 14:03:25 2011 TCPv4_CLIENT link local: [undef]
                        Fri Feb 04 14:03:25 2011 TCPv4_CLIENT link remote: 194.105.164.81:1194
                        Fri Feb 04 14:03:25 2011 TLS: Initial packet from 194.105.164.81:1194, sid=7725128e 2a69e6c7
                        Fri Feb 04 14:03:26 2011 VERIFY OK: depth=1, /C=UK/ST=NA/L=Aberdeen/O=EFCGROUP/CN=pfsense/emailAddress=IT@efcgroup.net
                        Fri Feb 04 14:03:26 2011 VERIFY OK: nsCertType=SERVER
                        Fri Feb 04 14:03:26 2011 VERIFY OK: depth=0, /C=UK/ST=NA/O=EFCGROUP/CN=server/emailAddress=IT@efcgroup.net
                        Fri Feb 04 14:03:27 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
                        Fri Feb 04 14:03:27 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Fri Feb 04 14:03:27 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
                        Fri Feb 04 14:03:27 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Fri Feb 04 14:03:27 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
                        Fri Feb 04 14:03:27 2011 [server] Peer Connection Initiated with 194.105.164.81:1194
                        Fri Feb 04 14:03:29 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
                        Fri Feb 04 14:03:30 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,dhcp-option DNS 192.168.10.115,dhcp-option WINS 192.168.10.115,dhcp-option NBT 2,dhcp-option DISABLE-NBT,route 192.168.12.1,ping 10,ping-restart 60,ifconfig 192.168.12.6 192.168.12.5'
                        Fri Feb 04 14:03:30 2011 OPTIONS IMPORT: timers and/or timeouts modified
                        Fri Feb 04 14:03:30 2011 OPTIONS IMPORT: --ifconfig/up options modified
                        Fri Feb 04 14:03:30 2011 OPTIONS IMPORT: route options modified
                        Fri Feb 04 14:03:30 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
                        Fri Feb 04 14:03:30 2011 ROUTE default_gateway=95.131.64.1
                        Fri Feb 04 14:03:30 2011 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{2DC55850-9ABE-45DB-9A1F-284E136D85FD}.tap
                        Fri Feb 04 14:03:30 2011 TAP-Win32 Driver Version 9.7
                        Fri Feb 04 14:03:30 2011 TAP-Win32 MTU=1500
                        Fri Feb 04 14:03:30 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.12.6/255.255.255.252 on interface {2DC55850-9ABE-45DB-9A1F-284E136D85FD} [DHCP-serv: 192.168.12.5, lease-time: 31536000]
                        Fri Feb 04 14:03:30 2011 Successful ARP Flush on interface [20] {2DC55850-9ABE-45DB-9A1F-284E136D85FD}
                        Fri Feb 04 14:03:35 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                        Fri Feb 04 14:03:35 2011 Route: Waiting for TUN/TAP interface to come up...
                        Fri Feb 04 14:03:40 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                        Fri Feb 04 14:03:40 2011 Route: Waiting for TUN/TAP interface to come up...
                        Fri Feb 04 14:03:41 2011 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down

                        Fri Feb 04 14:04:06 2011 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 192.168.12.5
                        Fri Feb 04 14:04:06 2011 Warning: route gateway is not reachable on any active network adapters: 192.168.12.5
                        Fri Feb 04 14:04:06 2011 Route addition via IPAPI failed [adaptive]
                        Fri Feb 04 14:04:06 2011 Route addition fallback to route.exe
                        OK!
                        Fri Feb 04 14:04:06 2011 C:\WINDOWS\system32\route.exe ADD 192.168.12.1 MASK 255.255.255.255 192.168.12.5
                        Fri Feb 04 14:04:06 2011 Warning: route gateway is not reachable on any active network adapters: 192.168.12.5
                        Fri Feb 04 14:04:06 2011 Route addition via IPAPI failed [adaptive]
                        Fri Feb 04 14:04:06 2011 Route addition fallback to route.exe
                        OK!
                        SYSTEM ROUTING TABLE
                        0.0.0.0 0.0.0.0 95.131.64.1 p=0 i=17 t=4 pr=3 a=763 h=0 m=31/0/0/0/0
                        95.131.64.0 255.255.248.0 95.131.64.61 p=0 i=17 t=3 pr=3 a=760 h=0 m=286/0/0/0/0
                        95.131.64.61 255.255.255.255 95.131.64.61 p=0 i=17 t=3 pr=3 a=760 h=0 m=286/0/0/0/0
                        95.131.71.255 255.255.255.255 95.131.64.61 p=0 i=17 t=3 pr=3 a=760 h=0 m=286/0/0/0/0
                        127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=800 h=0 m=306/0/0/0/0
                        127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=800 h=0 m=306/0/0/0/0
                        127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=800 h=0 m=306/0/0/0/0
                        169.254.0.0 255.255.0.0 169.254.117.131 p=0 i=20 t=3 pr=3 a=115 h=0 m=286/0/0/0/0
                        169.254.117.131 255.255.255.255 169.254.117.131 p=0 i=20 t=3 pr=3 a=115 h=0 m=286/0/0/0/0
                        169.254.255.255 255.255.255.255 169.254.117.131 p=0 i=20 t=3 pr=3 a=115 h=0 m=286/0/0/0/0
                        192.168.10.0 255.255.255.0 192.168.12.5 p=0 i=17 t=4 pr=3 a=0 h=0 m=31/0/0/0/0
                        192.168.12.1 255.255.255.255 192.168.12.5 p=0 i=17 t=4 pr=3 a=0 h=0 m=31/0/0/0/0
                        224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=800 h=0 m=306/0/0/0/0
                        224.0.0.0 240.0.0.0 95.131.64.61 p=0 i=17 t=3 pr=3 a=763 h=0 m=286/0/0/0/0
                        224.0.0.0 240.0.0.0 169.254.117.131 p=0 i=20 t=3 pr=3 a=763 h=0 m=286/0/0/0/0
                        255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=800 h=0 m=306/0/0/0/0
                        255.255.255.255 255.255.255.255 95.131.64.61 p=0 i=17 t=3 pr=3 a=763 h=0 m=286/0/0/0/0
                        255.255.255.255 255.255.255.255 169.254.117.131 p=0 i=20 t=3 pr=3 a=763 h=0 m=286/0/0/0/0
                        SYSTEM ADAPTER LIST
                        TAP-Win32 Adapter V9
                          Index = 20
                          GUID = {2DC55850-9ABE-45DB-9A1F-284E136D85FD}
                          IP = 169.254.117.131/255.255.0.0
                          MAC = 00:ff:2d:c5:58:50
                          GATEWAY = 0.0.0.0/255.255.255.255
                          DHCP SERV = 
                          DHCP LEASE OBTAINED = Fri Feb 04 14:04:06 2011
                          DHCP LEASE EXPIRES  = Fri Feb 04 14:04:06 2011
                          DNS SERV = 
                        Broadcom NetXtreme Gigabit Ethernet #4
                          Index = 17
                          GUID = {0CC3C516-5227-47CA-861F-AFCCEEE265C0}
                          IP = 95.131.64.61/255.255.248.0
                          MAC = 00:25:64:3b:76:a5
                          GATEWAY = 95.131.64.1/255.255.255.255
                          DNS SERV = 79.170.43.250/255.255.255.255
                        Broadcom NetXtreme Gigabit Ethernet #3
                          Index = 16
                          GUID = {A55B484F-D466-4FF5-9C76-FA7BC34CEA66}
                          IP = 0.0.0.0/0.0.0.0
                          MAC = 00:25:64:3b:76:a6
                          GATEWAY = 0.0.0.0/255.255.255.255
                          DHCP SERV = 
                          DHCP LEASE OBTAINED = Fri Feb 04 14:04:06 2011
                          DHCP LEASE EXPIRES  = Fri Feb 04 14:04:06 2011
                          DNS SERV = 
                        Fri Feb 04 14:04:06 2011 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

                        thanks

                          jai23155
                          last edited by Feb 4, 2011, 3:54 PM

                          Anyway, I got the IPsec VPN client up and running in a few minutes. But I really want to know how to get OpenVPN up?? Thanks

                            Cry Havok
                            last edited by Feb 4, 2011, 9:15 PM

                            The log shows the problem, and even links you to a FAQ entry telling you what to check - see here. If you're using Windows Vista or Windows 7 ensure you run the client as an Administrator (right click -> run as administrator).

                            1 Reply Last reply Reply Quote 0
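The check the last reply points at, as an added example that is not part of any post in this thread: a Python script that compares the address pushed in `PUSH_REPLY` with the address the TAP adapter actually holds in a client log. The function names and verdict labels are assumptions made for this illustration, and the sample log is abridged from the one posted above.

```python
import ipaddress
import re

# Abridged from the client log posted in the thread (timestamps dropped).
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.12.1,ping 10,ping-restart 60,ifconfig 192.168.12.6 192.168.12.5'
Warning: route gateway is not reachable on any active network adapters: 192.168.12.5
SYSTEM ADAPTER LIST
TAP-Win32 Adapter V9
  Index = 20
  IP = 169.254.117.131/255.255.0.0
Broadcom NetXtreme Gigabit Ethernet #4
  Index = 17
  IP = 95.131.64.61/255.255.248.0
Initialization Sequence Completed With Errors
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows self-assigned range


def diagnose(log):
    """Compare what the server pushed with what the TAP adapter really has."""
    r = {"pushed_local": None, "pushed_peer": None, "net30": False,
         "tap_ip": None, "tap_apipa": False}
    push = re.search(r"PUSH_REPLY,[^'\n]*\bifconfig ([\d.]+) ([\d.]+)", log)
    if push:
        local, peer = push.groups()
        r["pushed_local"], r["pushed_peer"] = local, peer
        # tun/net30 topology: the client and its virtual peer share one /30,
        # so a 255.255.255.252 mask on the client is expected, not a fault.
        subnet = ipaddress.ip_network(f"{local}/30", strict=False)
        r["net30"] = ipaddress.ip_address(peer) in subnet
    # First "IP =" line that belongs to the TAP adapter's indented block.
    tap = re.search(r"TAP-Win32 Adapter[^\n]*\n(?:[ \t]+[^\n]*\n)*?"
                    r"[ \t]+IP = ([\d.]+)/", log)
    if tap:
        r["tap_ip"] = tap.group(1)
        r["tap_apipa"] = ipaddress.ip_address(tap.group(1)) in APIPA
    r["unreachable"] = re.findall(
        r"route gateway is not reachable[^:\n]*: ([\d.]+)", log)
    r["with_errors"] = "Initialization Sequence Completed With Errors" in log
    return r


def verdict(r):
    """Map the parsed facts to a short label (labels are hypothetical)."""
    if r["tap_apipa"] and r["pushed_local"]:
        return "tap-dhcp-not-applied"  # adapter never took the pushed address
    if r["unreachable"] or r["with_errors"]:
        return "routes-failed"
    return "ok"


if __name__ == "__main__":
    facts = diagnose(SAMPLE_LOG)
    print(facts, verdict(facts))
```

On the posted log this reports that the pushed pair 192.168.12.6 / 192.168.12.5 sits in a single /30 while the TAP adapter still holds 169.254.117.131, which is the condition the linked FAQ entry and the run-as-Administrator advice address.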
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.