Server OPENVPN Server problem
-
ok I see…. so after changing Interface IP on the client from right one (10.0.8.0/24) to the wrong one (192.168.99.0/24)
I can ping each other and on pfSense client:

ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=15.586 ms
^C
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.586/15.586/15.586/0.000 ms

netstat -nr
Routing tables

Internet:
Destination                      Gateway             Flags   Refs     Use  Netif Expire
default                          x.x.x.x             UGS        0  297425    dc0
x.x.x.x                          127.0.0.1           UGHS       0       0    lo0
x.x.x.0/23                       link#3              UC         0       0    dc0
x.x.x.x                          00:01:5c:22:3c:41   UHLW       2       0    dc0   1199
x.x.x.x                          127.0.0.1           UGHS       0       3    lo0
127.0.0.1                        127.0.0.1           UH         2       0    lo0
192.168.10.0/24                  192.168.99.1        UGS        0      13   tun0
192.168.99.0/24                  link#2              UC         0       2    em0
192.168.99.1                     192.168.99.2        UH         1       0   tun0
192.168.99.109                   00:04:f2:16:30:e9   UHLW       1  253487    em0    781
192.168.99.115                   00:bb:46:8a:f3:bb   UHLW       1    4282    em0   1185

Internet6:
Destination                      Gateway             Flags   Netif Expire
::1                              ::1                 UHL       lo0
fe80::%fxp0/64                   link#1              UC       fxp0
fe80::20e:4eff:fe9e:a22c%fxp0    00:0e:4e:9e:a2:2c   UHL       lo0
fe80::%em0/64                    link#2              UC        em0
fe80::21b:21ff:fe08:810b%em0     00:1b:21:08:81:0b   UHL       lo0
fe80::%dc0/64                    link#3              UC        dc0
fe80::2bb:46ff:fe8a:f3bb%dc0     00:bb:46:8a:f3:bb   UHL       lo0
fe80::%lo0/64                    fe80::1%lo0         U         lo0
fe80::1%lo0                      link#4              UHL       lo0
fe80::20e:4eff:fe9e:a22c%tun0    link#8              UHL       lo0
ff01:1::/32                      link#1              UC       fxp0
ff01:2::/32                      link#2              UC        em0
ff01:3::/32                      link#3              UC        dc0
ff01:4::/32                      ::1                 UC        lo0
ff01:8::/32                      link#8              UC       tun0
ff02::%fxp0/32                   link#1              UC       fxp0
ff02::%em0/32                    link#2              UC        em0
ff02::%dc0/32                    link#3              UC        dc0
ff02::%lo0/32                    ::1                 UC        lo0
ff02::%tun0/32                   link#8              UC       tun0

well so what can be done in order to make it right tun0? recreate vpn tunnel on the client side from scratch?
-
After you remove the static route from the system, you should just need to restart the OpenVPN process (edit/save the OpenVPN instance, don't need to change anything)
And then it should put the right routes in.
OpenVPN handles the routes itself, you don't need to add any static routes to the system.
-
holy smoke!!!! it works!!!
In the future if I add any static route under SYSTEM>STATIC ROUTES on the client or server side is that going to affect tun0 again?
Thank You for your help.
-
Only if the routes you add overlap the networks you want to use the VPN.
-
understand
Thank You very much for your help.
-
is that ok If I ask one more question based on the routing?
-
Never ask to ask - just ask. If you think it would get buried in a thread, just start a new thread. It's a community, everyone can help. :-)
-
I simply do not want to be like the rest of ….. begging ..... asking .... pushy .... etc....
1. I have added to my scenario DD-WRT with OpenVPN and simply connected using SHARED KEY (easiest one) so now it looks like:

DDWRT ------ OpenVPN 10.0.7.0/30 ------ PFSENSE A 1.2.3 ------ OpenVPN 10.0.8.0/30 ------ PFSENSE B 1.2.3
192.168.1.1                             192.168.99.1                                      192.168.10.1

So clients behind DDWRT and pfSense A can ping each other, and clients between pfSense A and pfSense B. What static route should I add (if any) and does it have to be under SYSTEM (STATIC ROUTES) in pfSense and respectively in DDWRT to be able to ping clients behind DD-WRT and pfSense B?
Or just an extra line with route "X.X.X.X MASK" to each OpenVPN client, like in DDWRT:

remote X.X.X.X
port
proto udp
dev tun
ifconfig 10.0.7.1 10.0.7.2
route 192.168.99.0 255.255.255.0
route 192.168.10.0 255.255.255.0   ???????????????
secret /tmp/static.key
ping 10

AND pfSense B:

daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport
push "dhcp-option DISABLE-NBT"
route 192.168.99.0 255.255.255.0
route 192.168.1.0 255.255.255.0   ???????????????????????
secret /var/etc/openvpn_server0.secret
comp-lzo
persist-remote-ip
float
comp-lzo
cipher AES-128-CBC
verb 3
mute 10

2. I see that pfSense 1.2.3 does not have a TLS_AUTH option in the GUI, so if I just add it in the server/client config file --- will it work? Or do I have to follow this link http://forum.pfsense.org/index.php/topic,2747.msg16214.html#msg16214 (does it apply to 1.2.3?)
I have added a 2nd question and this is not a good sign ...... :)
-
On pfSense B, add "route 192.168.1.1 255.255.255.0;" to the custom options.
On DD-WRT, it needs "route 192.168.10.1 255.255.255.0;" - That should be all you need.

As for TLS on 1.2.3, I'm not sure what all you need. I've never tried it (I only use 2.0 these days) - but if someone has a howto, it may work.
-
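Added example (not from any post in this thread, and not pfSense's or DD-WRT's own code): a small Python planner for the chained topology above that derives the `route` directive each OpenVPN instance needs, and, for the first problem in this thread, scans `netstat -nr` output for static routes that overlap a network the VPN should carry. The site names, the LAN and tunnel addresses, and the `netstat` excerpt are constructed from what the thread shows; nothing here touches a real router.

```python
"""Route planner/checker for chained site-to-site OpenVPN tunnels (added example).

Constructed topology, taken from the thread:
  DDWRT (192.168.1.0/24) --10.0.7.0/30-- pfSense A (192.168.99.0/24) --10.0.8.0/30-- pfSense B (192.168.10.0/24)
"""
import ipaddress
from collections import deque

SITES = {  # site -> LAN it serves (assumed names, addresses from the thread)
    "DDWRT": ipaddress.ip_network("192.168.1.0/24"),
    "pfSenseA": ipaddress.ip_network("192.168.99.0/24"),
    "pfSenseB": ipaddress.ip_network("192.168.10.0/24"),
}
TUNNELS = [  # (site, site, point-to-point tunnel network)
    ("DDWRT", "pfSenseA", ipaddress.ip_network("10.0.7.0/30")),
    ("pfSenseA", "pfSenseB", ipaddress.ip_network("10.0.8.0/30")),
]

# Constructed `netstat -nr` excerpt in the shape of the first post: the
# 192.168.10.0/24 entry is a static (S flag) route pointing into the tunnel.
NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0   297425    dc0
127.0.0.1          127.0.0.1          UH          2        0    lo0
192.168.10.0/24    192.168.99.1       UGS         0       13   tun0
192.168.99.0/24    link#2             UC          0        2    em0
192.168.99.1       192.168.99.2       UH          1        0   tun0
"""


def peers(site):
    """Sites directly reachable from `site` over one tunnel."""
    return [b if a == site else a for a, b, _ in TUNNELS if site in (a, b)]


def next_hop(src, dst):
    """First tunnel peer on the shortest path src -> dst (BFS), or None if unreachable."""
    queue = deque([(src, None)])
    seen = {src}
    while queue:
        site, first = queue.popleft()
        if site == dst:
            return first
        for p in peers(site):
            if p not in seen:
                seen.add(p)
                queue.append((p, first or p))
    return None


def required_routes(site):
    """{peer: [remote LANs]} that the OpenVPN instance on `site` facing `peer` must carry."""
    routes = {}
    for other, lan in SITES.items():
        if other == site:
            continue
        hop = next_hop(site, other)
        if hop is None:
            raise ValueError(f"{other} is not reachable from {site}")
        routes.setdefault(hop, []).append(lan)
    return routes


def openvpn_route_lines(site):
    """OpenVPN `route <network> <netmask>` directives per tunnel, as typed into custom options."""
    return {
        peer: [f"route {n.network_address} {n.netmask}" for n in nets]
        for peer, nets in required_routes(site).items()
    }


def static_routes_from_netstat(text):
    """(destination, gateway) pairs for static ('S' flag) routes in BSD `netstat -nr` output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "S" not in fields[2]:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:  # 'default', column headers, scoped IPv6 names
            continue
        if net.prefixlen == 0:
            continue
        found.append((str(net), fields[1]))
    return found


def conflicting_static_routes(site, static_routes):
    """Static routes that overlap a LAN the VPN should carry: they shadow OpenVPN's own routes."""
    vpn_nets = [n for nets in required_routes(site).values() for n in nets]
    conflicts = []
    for dest, gw in static_routes:
        net = ipaddress.ip_network(dest, strict=False)
        for v in vpn_nets:
            if net.overlaps(v):
                conflicts.append((dest, gw, str(v)))
    return conflicts


if __name__ == "__main__":
    for name in SITES:
        print(name, openvpn_route_lines(name))
    print(conflicting_static_routes("pfSenseA", static_routes_from_netstat(NETSTAT_SAMPLE)))
```

Run as-is, the checker flags the 192.168.10.0/24 static route via 192.168.99.1 on pfSense A because it overlaps a LAN that OpenVPN already routes, which is the kind of route that had to be removed earlier in the thread. The planner gives the middle site, pfSense A, one directive per tunnel for the LAN on the other side of that tunnel, and gives each end, DDWRT and pfSense B, both remote LANs on its single tunnel, which is the pair of lines the answer above asks for; it emits the network address of each LAN (192.168.1.0) rather than a host inside it.
-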
Thank You, this is all what I needed in this topic and got even more answers than I expected.
-
I have an answer to my question regarding TLS-AUTH:
simply go to PACKAGE MANAGER and install OpenVPN-Enhancements (TLS-auth and client/server-options)
unfortunately, it cannot be uninstalled later, so I do not know if it affects anything …..
Cheers,
-
regarding the static routing ….
From an XP client behind pfSense B I can ping DD-WRT and vice versa, but cannot ping any client behind DD-WRT like XP .... (after turning off the local firewall)
XP1 ---- DDWRT ---- PFSENSE A ---- PFSENSE B ---- XP2, so XP1 cannot ping XP2 and vice versa.
Could it be a missing gateway on DD-WRT? There is set up IP 192.168.1.1 mask /24 but no default gateway .....