Openvpn problem with 2rc1
-
Hi everyone,
this is my topology:
LAN: Multiple subnets of 172.90.0.0/16 with OSPF routing protocol
Default gateway: juniper firewall connected by point-to-point OSPF link: 172.90.0.0/30 (Juniper is 172.90.0.1) (WAN Juniper interface has public static IP, let's say 8.8.8.7)
PFSense role and position:
LAN Interface: connected by subnet 172.90.0.4/30 (172.90.0.5 PFSense)
WAN: connected with static public IP (different from juniper, lets say 8.8.8.8)
PFSense Static Routes:
172.90.0.0/16 gw 172.90.0.6 (for LAN connections)
0.0.0.0/0 gw 8.8.8.1 (that is the remote ISP router)
PFsense should work as OVPN concentrator.
I managed to create an SSL/TLS+Auth connection from a remote client.
PFsense correctly assigns a /30 subnet to ovpn connection taken from address pool 172.90.254.0/24
PFsense correctly pushes route 172.90.0.0/16 to remote client.
Connection is correctly established!!
However, the client can't go anywhere in 172.90.0.0/16.
I've tried the wizard, and it configured the firewall rules. The problem is routing or firewalling, I'm sure. The OVPN connection is correct and stable. I simply can't go anywhere. I have double-checked the static routes on pfsense and on router 172.90.0.6. Everything here is fine.
Funny thing is that I've managed to make all work with PFsense 1.2.3
On PFsense 2 there is something different I can't understand.
Any suggestion? -
You should need more firewall rules on pfSense 2.0 than on 1.2.3.
Double check those especially under OpenVPN tab. -
It wasn't a problem connected with firewall rules!
address pool (tunnel network): 172.90.254.0/24
PFSense creates the interface ovpns1
from ifconfig:
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
inet 172.90.254.1 --> 172.90.254.2 netmask 0xffffffff
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Opened by PID 22474
No one is connected in VPN, so WHY is the interface UP?!?
Why does it use the 172.90.254.0/30 subnet?!?
If I connect with OVPN client, PFSense assigns to me 172.90.254.1, gw 172.90.254.2.... WHY?!?!
It's not right at all! It really seems a BUG.
Why does the interface ovpns1 stay always on?
I've managed to make it work, but I have to configure a client override with tunnel network 172.90.254.4/30.
This way PFSense assigns to me 172.90.254.5, gw 172.90.254.6, and IT WORKS.
However, no TUN interfaces are created!
There's always and only:
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
inet 172.90.254.1 --> 172.90.254.2 netmask 0xffffffff
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Opened by PID 22474 -
Most of that is just how OpenVPN works.
ovpns1 is the tun interface. With PKI mode, the server side only ever shows one interface. The server's interface is always up. OpenVPN uses /30 networks out of your larger pool, one /30 for each client connection. The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.
You don't provide enough detail about your OpenVPN server config to speculate as to why you are seeing the other behaviors, but OpenVPN works correctly when properly configured.
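Since the /30-per-client layout described above is what confused the original poster, here is an added example (my own code, not from this thread or from pfSense) that lays out a net30 tunnel network the way OpenVPN's `server` directive does and reports which role a given address plays. It assumes an IPv4 tunnel network and a server config without `topology subnet`, which is the case for the pfSense 2.0 configs shown in this thread.

```python
import ipaddress

def net30_plan(tunnel_network):
    """Lay out an OpenVPN 'net30' tunnel network the way the --server
    directive expands it (no 'topology subnet' in the server config):
    the first /30 belongs to the server's own tun interface (local .1,
    peer .2), the last /30 is left unused, and every /30 in between is
    handed to exactly one client (server end = first host, client end =
    second host). IPv4 only; returns ipaddress objects."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 28:
        raise ValueError("net30 needs at least a /28 to fit one client /30")
    blocks = list(net.subnets(new_prefix=30))
    server = blocks[0]
    return {
        "server_local": server[1],    # ifconfig: inet <local> ...
        "server_remote": server[2],   # ifconfig: ... --> <remote>
        "clients": [(b[2], b[1]) for b in blocks[1:-1]],  # (client, gateway)
    }

def classify(tunnel_network, address):
    """Diagnostic helper: explain which role an address plays in the
    net30 plan, e.g. when a client reports an unexpected ifconfig."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        return "outside the tunnel network"
    blocks = list(net.subnets(new_prefix=30))
    block = ipaddress.ip_network(f"{ip}/30", strict=False)
    offset = int(ip) - int(block.network_address)
    if block == blocks[0]:
        return "server's own /30 (reserved for the ovpns interface)"
    if block == blocks[-1]:
        return "last /30 (never assigned)"
    if offset == 2:
        return f"client address, gateway {block[1]}"
    if offset == 1:
        return f"server end of the /30 for client {block[2]}"
    return "network/broadcast address of a /30 (never assigned)"

if __name__ == "__main__":
    # tunnel network taken from the thread above
    plan = net30_plan("172.90.254.0/24")
    print("server tun:", plan["server_local"], "-->", plan["server_remote"])
    for client, gw in plan["clients"][:2]:
        print("client", client, "gw", gw)
    for a in ("172.90.254.2", "172.90.254.6", "172.90.254.5"):
        print(a, "->", classify("172.90.254.0/24", a))
```

Run against the poster's numbers, this shows .1/.2 as the server's own /30, so a client that ends up with .2->.1 has been handed the reserved block, while .6->.5 is the normal first client allocation.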
-
The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.
That was the point: I was given .2->.1 and it didn't work.
Unfortunately, I've deleted pfsense, so I can't paste my conf, but it was auto-generated by the wizard: no strange configuration, tun mode, tunnel network 172.90.254.0/24.
Without a client override, the server gave me 172.90.254.2->.1 (same address as the ovpns1 interface) and it obviously didn't work.
I had other openvpn servers, but I'm not sure that they took the first /30 out of the address pool. I'm quite sure that they created different tun virtual interfaces, one for each connected client (tun0, tun1…)
As far as my client conf is concerned, it is always the same: it didn't work without a client override of the tunnel network.
This is my client configuration:
script-security 2
port 1194
remote XXX.XXX.XXX.XXX 1194
dev tun
tun-mtu 1500
proto udp
tls-client
client
nobind
ca xxxx.crt
cert xxxxx.crt
key xxxxxxx.key
dh xxxxxx.pem
auth-nocache
keepalive 10 120
ns-cert-type server
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass -
The tun interface bit may be OS specific then, but on FreeBSD a PKI server only has one tun interface, and on 2.0 that is renamed, so it's always ovpns<number>, where the number is the id of the VPN instance.
I just went through the wizard, set up an OpenVPN instance, exported a config, and had a successful client connection with no problems, routing how I like.
My client config is:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 192.168.197.148 1209
auth-user-pass
pkcs12 pfsense-udp-1209.p12
tls-auth pfsense-udp-1209-tls.key 1
comp-lzo
And FYI, my /var/etc/openvpn/server1.conf:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.197.148
tls-server
server 10.16.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
lport 1209
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
push "route 192.168.3.0 255.255.255.0"
-
I tried again from scratch.
Now it works.
I wasn't even able to make firewall rules on the ovpn tunnels work. Now they match correctly.
I tried to remember what I had done the previous time.
The problem was probably related to a misleading tutorial that suggested assigning a new interface to ovpns1. I tried this conf but it didn't work. I rolled back, but I think that the conf had been hopelessly corrupted.
Thank you, you've been precious!