Netgate Discussion Forum

    Create openvpn connection

    hossam.khalili

      Yes, I still have the route conflict.

      These are my server settings:

      server mode : remote access (ssl/tls + user auth)
      backend of authentication : local DB
      protocol : udp
      device mode : tun
      interface : pppoe
      local port : 1194
      tls authentication : enable
      peer certificate authority : vpn
      Server Certificate : openvpvtest1 (CA : vpn) *in use
      DH Parameters Length : 1024 bit
      Encryption algorithm : bf-cbc (128 bit)
      Hardware Crypto : no hardware crypto
      Tunnel Network : 10.0.1.0/24
      Local Network : 10.0.0.0/24
      Concurrent connections : 2
      Compression : enable
      Inter-client communication :
      Dynamic IP : enable
      Address Pool : enable

      Thanks.

        Nachtfalke

        If you still have a subnet conflict then you have to solve this first.
        You have the same subnet (10.0.0.0/24) on two points.
        Change this!!! Restart the OpenVPN server and try again.

          hossam.khalili

          I solved my conflict problem by checking redirect gateway in the OpenVPN server settings:

          redirect gateway : Force all client generated traffic through the tunnel.

          But I still can't ping or map my network drive.

          This is my new OpenVPN log file:


          Tue Nov 15 13:17:02 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
          Tue Nov 15 13:17:11 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
          Tue Nov 15 13:17:11 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
          Tue Nov 15 13:17:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Tue Nov 15 13:17:12 2011 Control Channel Authentication: using 'jrcfw01-udp-1194-tls.key' as a OpenVPN static key file
          Tue Nov 15 13:17:12 2011 LZO compression initialized
          Tue Nov 15 13:17:12 2011 UDPv4 link local (bound): [undef]:1194
          Tue Nov 15 13:17:12 2011 UDPv4 link remote: 212.38.147.97:1194
          Tue Nov 15 13:17:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Tue Nov 15 13:17:16 2011 [openvpntest1] Peer Connection Initiated with 212.38.147.97:1194
          Tue Nov 15 13:17:19 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{2E40862B-D349-4AC8-977A-C169CB28BF1E}.tap
          Tue Nov 15 13:17:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.1.6/255.255.255.252 on interface {2E40862B-D349-4AC8-977A-C169CB28BF1E} [DHCP-serv: 10.0.1.5, lease-time: 31536000]
          Tue Nov 15 13:17:19 2011 Successful ARP Flush on interface [15] {2E40862B-D349-4AC8-977A-C169CB28BF1E}
          Tue Nov 15 13:17:24 2011 Initialization Sequence Completed


          Any suggestions?
          Thanks.

            Nachtfalke

            Did you create firewall rules according to the tunnel network (subnet) on the new OpenVPN firewall tab?

              hossam.khalili

              On the new OpenVPN tab I found this rule:

              Protocol    Source    Port    Destination    Port    Gateway    Queue
              *           *         *       *              *       *          none

              Is this enough, or do I need to add something else?

              Thanks.

                Nachtfalke

                This is enough. It allows all traffic from all OpenVPN connections to everywhere.

                Can you do a tracert from the OpenVPN client and check up to which point/hop the traffic gets?
                Are you sure that the firewall of the destination host is correctly configured? Perhaps try with the firewall completely turned off first.

                Can you post a screenshot or something else of your network topology?

                  hossam.khalili

                  Hello,

                  Thanks for the reply. I do nothing on the destination host.

                  Should I do something on it? ;D

                    hossam.khalili

                    This is my network environment:

                    office 1
                    pfsense 2.0-RELEASE (i386)
                    LAN : 10.0.0.0/24
                    WAN : 212.38.142.254

                    • I have more than one LAN in this office

                    office 2
                    pfsense 2.0-RELEASE (i386)
                    LAN : 10.0.1.0/24
                    WAN : 212.38.142.151

                      Nachtfalke

                      On office1 you have to:

                      push "route 10.0.0.0 255.255.255.0";

                      So the client (office2) gets a route through OpenVPN to your LAN on office1.
                      If you configured this correctly and configured the correct firewall rules on both sites, then this should be possible:

                      pfSense (office2) from the GUI can ping pfSense (office1) and clients on the office1 LAN, and vice versa.

                      So now I am not sure at all, but you need additional configuration on the client (office2) so that the LAN(s) behind this router are reachable.
                      On office1 you could add a client specific override for the client (office2). Add this in advanced options:

                      iroute 10.0.1.0 255.255.255.0;

                      Restart the OpenVPN server (office1) and client (office2).

                      But take a look here:
                      http://forum.pfsense.org/index.php/topic,12888.0.html

                      1 Reply Last reply Reply Quote 0
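Added example, not part of any post in this thread: a Python check that the networks quoted above do not overlap before the `push "route ..."` and `iroute` lines are generated. The dictionary labels and the replacement tunnel network 10.0.8.0/24 are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Networks as posted in this thread (labels are constructed for this example).
THREAD_NETWORKS = {
    "tunnel network": "10.0.1.0/24",
    "office1 LAN": "10.0.0.0/24",
    "office2 LAN": "10.0.1.0/24",
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return sorted(
        (a, b) for a, b in combinations(parsed, 2) if parsed[a].overlaps(parsed[b])
    )


def site_to_site_directives(server_lan, client_lan, tunnel):
    """Build the server-side push route and client-override iroute lines.

    Raises ValueError if any two of the three networks overlap, because
    the routes would then be ambiguous on one of the routers.
    """
    nets = {"server LAN": server_lan, "client LAN": client_lan, "tunnel": tunnel}
    conflicts = find_overlaps(nets)
    if conflicts:
        raise ValueError(f"overlapping networks: {conflicts}")
    s = ipaddress.ip_network(server_lan)
    c = ipaddress.ip_network(client_lan)
    return {
        "server advanced options": f'push "route {s.network_address} {s.netmask}";',
        "client specific override": f"iroute {c.network_address} {c.netmask};",
    }


if __name__ == "__main__":
    print("overlaps in posted values:", find_overlaps(THREAD_NETWORKS))
    # 10.0.8.0/24 is a hypothetical replacement tunnel network.
    for where, line in site_to_site_directives(
        "10.0.0.0/24", "10.0.1.0/24", "10.0.8.0/24"
    ).items():
        print(f"{where}: {line}")
```

With the values as posted, the tunnel network and the office2 LAN are the same /24, so the check reports that pair.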
                        marvosa

                        Ok, after a week of this… I may be alone here, but I feel like if we had all the particulars up front, this issue would've been solved several days ago. Let's go back to the beginning... please give us explicit details on what you're trying to do.

                        At first, it sounded like you were trying to get a road warrior setup going. Now it looks like you may be doing site to site... instead of us speculating and taking pot shots, let us know what you're doing and provide ALL the details so we can help you. Also a network map would be helpful.

                          hossam.khalili

                          Okay, it's working now.
                          I changed the client machine.
                          Thanks to all of you.

                          Another thing: can I make it connect automatically when Windows starts, I mean on Windows XP startup?
