Netgate Discussion Forum

    Trying to get LAN access, can only ping myself

      ace_ventura

      @marvosa:

      Post client config, server settings, firewall rules from openvpn tab, routing table from PFsense and routing table from client when connected.

      Client Config:
      dev tun
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      tls-client
      client
      resolv-retry infinite
      remote 173.16.39.88 1194
      tls-remote vpnuser
      auth-user-pass
      pkcs12 pfsense-udp-1194.p12
      tls-auth pfsense-udp-1194-tls.key 1
      comp-lzo

      Server Settings:
      servermode: remote access (ssl/tls + user auth)
      proto: udp
      device mode: tun
      interface: wan
      localport: 1194

      Peer CA: VPN Server CA
      Peer Cert Rev: None Created
      Server Cert: my user cert (CA:VPN Server CA) * In Use
      DH Parameters Length 2048
      Shared: Auto generate
      Encryption Alg: AES-256-CBC
      No hardware crypto
      cert depth: one (client+server)

      tunnel network: 192.168.2.0/24
      bridge dhcp: checked
      bridge interface: lan

      local network: 10.0.0.0/24

      concurrent connections: 10
      compression: checked

      dynamic ip: checked
      address pool: checked

      advanced config:
      push "route 10.0.0.0 255.255.255.0";

      firewall rules openvpn tab:
      Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
      action:pass
      interface: openvpn

      See attached for routing table from pfsense

      Local Client Routes:

      Interface List
      19...00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
      12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
        1...........................Software Loopback Interface 1
      14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
      15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
      17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
            192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
            192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
          192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
        192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
        192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
              224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
              224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
        255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

      Persistent Routes:
        None

      IPv6 Route Table

      Active Routes:
      If Metric Network Destination      Gateway
        1    306 ::1/128                  On-link
      19    286 fe80::/64                On-link
      12    266 fe80::/64                On-link
      12    266 fe80::81b1:8393:5628:5a3c/128
                                          On-link
      19    286 fe80::a472:6f0a:696a:46ff/128
                                          On-link
        1    306 ff00::/8                On-link
      19    286 ff00::/8                On-link
      12    266 ff00::/8                On-link

      Persistent Routes:
        None

      Hope this helps, let me know if I forgot something or if you need anything else.

      Thanks!

      ![routing table.PNG](/public/imported_attachments/1/routing table.PNG)

        johnpoz LAYER 8 Global Moderator

        You're running version 1.03 of pfsense? Or is that the version of the openvpn gui you're running?

        What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

        So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

        What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easily be in conflict with what your remote network is.

        Please post your full server config, can be found in /var/etc/openvpn server.conf - there should be a .conf file there for your server settings.

        Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall you're trying to ping?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          ace_ventura

          pfsense 2.0.1-release
          client is windows 8 VM  I have run it as admin.  Here is its connection log:

          I just realized you were replying to the other guy.

          Wed Oct 03 12:31:46 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
          Wed Oct 03 12:31:52 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
          Wed Oct 03 12:31:52 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
          Wed Oct 03 12:31:52 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Wed Oct 03 12:31:52 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
          Wed Oct 03 12:31:52 2012 LZO compression initialized
          Wed Oct 03 12:31:52 2012 UDPv4 link local (bound): [undef]:1194
          Wed Oct 03 12:31:52 2012 UDPv4 link remote: 173.16.39.88:1194
          Wed Oct 03 12:31:52 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Wed Oct 03 12:31:54 2012 [userid] Peer Connection Initiated with 173.16.39.88:1194
          Wed Oct 03 12:31:56 2012 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}.tap
          Wed Oct 03 12:31:56 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
          Wed Oct 03 12:31:56 2012 Successful ARP Flush on interface [19] {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}
          Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.  [status=5010 if_index=19]
          The route addition failed: The object already exists.
          Wed Oct 03 12:32:02 2012 Initialization Sequence Completed

            myke

            @johnpoz:

            You're running version 1.03 of pfsense? Or is that the version of the openvpn gui you're running?

            What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

            So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

            What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easily be in conflict with what your remote network is.

            Please post your full server config, can be found in /var/etc/openvpn server.conf - there should be a .conf file there for your server settings.

            Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall you're trying to ping?

            Thanks Johnpoz for your answer.

            My version of pfsense is 2.0.1 and my remote network openvpn is 2.2.2. I am administrator of my computer (Windows 7).

            My pfsense lan is 172.16.0.0/21 and my network in the office is 192.168.0.0/24.

            In my firewall logs I see my ping is OK but not responding.

            I can just access my pfsense and I don't have internet.

            I will post full server config tomorrow.

            Thanks for the help  :)

              johnpoz LAYER 8 Global Moderator

              ace where is your route table - this shows that addition failed

              Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=19]

              edit:  ok you posted it before, notice there is no route to your 10.0.0.0/24 on there - see mine.

              My pfsense lan is 192.168.1.0/24 and in my route table and my connection info

              
              Wed Oct 03 12:26:23 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.0.200.5
              Wed Oct 03 12:26:23 2012 Route addition via IPAPI succeeded [adaptive]
              
              
              
              ===========================================================================
              Active Routes:
              Network Destination        Netmask          Gateway       Interface  Metric
                        0.0.0.0          0.0.0.0       10.56.41.1    10.56.41.136       10
                     10.0.200.1  255.255.255.255       10.0.200.5      10.0.200.6       1
                     10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6       30
                     10.0.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
                     10.56.41.0    255.255.255.0     10.56.41.136    10.56.41.136       10
                   10.56.41.136  255.255.255.255        127.0.0.1       127.0.0.1       10
                 10.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       30
                 10.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       10
                      127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
                    192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
                      224.0.0.0        240.0.0.0       10.0.200.6      10.0.200.6       30
                      224.0.0.0        240.0.0.0     10.56.41.136    10.56.41.136       10
                255.255.255.255  255.255.255.255       10.0.200.6               3       1
                255.255.255.255  255.255.255.255       10.0.200.6               9       1
                255.255.255.255  255.255.255.255       10.0.200.6               6       1
                255.255.255.255  255.255.255.255       10.0.200.6               7       1
                255.255.255.255  255.255.255.255       10.0.200.6               5       1
                255.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       1
                255.255.255.255  255.255.255.255       10.0.200.6               2       1
                255.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       1
              Default Gateway:        10.56.41.1
              ===========================================================================
              
              

              192.168.1.0    255.255.255.0      10.0.200.5      10.0.200.6      1


              1 Reply Last reply Reply Quote 0
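The check johnpoz does by eye in the post above (is there a route to the pushed network, and does it leave through the tunnel interface?) as an added Python example, not part of the original posts. It assumes the Vista-and-later `route print` layout with `On-link` gateways; the function names are hypothetical, the first two sample tables are rows trimmed from the route tables posted in this thread, and the third is constructed.

```python
import ipaddress


def parse_route_print(text):
    """Parse the IPv4 'Active Routes' rows of Windows `route print` output."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # headers, separators, IPv6 rows
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}", strict=False)
            metric = int(cols[4])
        except ValueError:
            continue  # not a "dest mask gateway iface metric" row
        routes.append({"net": net, "gateway": cols[2],
                       "iface": cols[3], "metric": metric})
    return routes


def egress_route(routes, dest):
    """Longest-prefix match, lowest metric as tie-break."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]),
               default=None)


def diagnose(route_print_text, pushed_net, tunnel_ip):
    """Report how a client would reach the network the server pushes."""
    target = ipaddress.ip_network(pushed_net)
    routes = parse_route_print(route_print_text)
    probe = target[1] if target.num_addresses > 1 else target[0]
    best = egress_route(routes, probe)
    # Directly attached networks on other interfaces that collide with the
    # pushed network (the addressing conflict johnpoz asks about).
    overlaps = sorted({str(r["net"]) for r in routes
                       if r["gateway"] == "On-link"
                       and r["iface"] != tunnel_ip
                       and r["net"].prefixlen < 32
                       and r["net"].overlaps(target)})
    return {
        "pushed_route_present": any(r["net"] == target for r in routes),
        "egress_interface": best["iface"] if best else None,
        "via_tunnel": bool(best) and best["iface"] == tunnel_ip,
        "local_overlaps": overlaps,
    }


# Rows trimmed from ace_ventura's first table: no 10.0.0.0/24 entry.
FIRST_TABLE = """
          0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
      192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
    192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
"""

# Rows trimmed from the second table: the pushed route is installed.
SECOND_TABLE = FIRST_TABLE + """
         10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6     30
"""

# Constructed: the client's own LAN uses the same 10.0.0.0/24 as the server LAN.
CONFLICT_TABLE = SECOND_TABLE + """
         10.0.0.0    255.255.255.0        On-link        10.0.0.50    266
"""

if __name__ == "__main__":
    for name, table in (("first", FIRST_TABLE), ("second", SECOND_TABLE),
                        ("conflict", CONFLICT_TABLE)):
        print(name, diagnose(table, "10.0.0.0/24", "192.168.2.6"))
```

With the first table the probe address falls through to the default route on 192.168.186.129, which matches the traceroute later in the thread whose first hop is 192.168.186.2 rather than the tunnel.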
                ace_ventura

                Is that not the output of "route print" that i pasted above?

                I will paste again in case its different this time.

                ===========================================================================
                Interface List
                19...00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
                12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
                  1...........................Software Loopback Interface 1
                14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

                IPv4 Route Table

                Active Routes:
                Network Destination        Netmask          Gateway      Interface  Metric
                          0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
                        10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30
                        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                      192.168.2.1  255.255.255.255      192.168.2.5      192.168.2.6    30
                      192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
                      192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
                      192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
                    192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
                  192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
                  192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
                        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                        224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
                        224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
                  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                  255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
                  255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

                Persistent Routes:
                  None

                IPv6 Route Table

                Active Routes:
                If Metric Network Destination      Gateway
                  1    306 ::1/128                  On-link
                19    286 fe80::/64                On-link
                12    266 fe80::/64                On-link
                12    266 fe80::81b1:8393:5628:5a3c/128
                                                    On-link
                19    286 fe80::a472:6f0a:696a:46ff/128
                                                    On-link
                  1    306 ff00::/8                On-link
                19    286 ff00::/8                On-link
                12    266 ff00::/8                On-link

                Persistent Routes:
                  None

                  johnpoz LAYER 8 Global Moderator

                  now it shows

                  10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30

                  so should be working - you sure your host is just not answering?  Do a traceroute

                  D:\>tracert -d 192.168.1.100

                  Tracing route to 192.168.1.100 over a maximum of 30 hops

                    1  189 ms  218 ms  249 ms  10.0.200.1
                    2  168 ms  130 ms  266 ms  192.168.1.100

                    ace_ventura

                    seems to be working now, i'm not sure what changed. before I couldn't ping anything.

                    C:\Users\Mitch>tracert -d 192.168.1.100

                    Tracing route to 192.168.1.100 over a maximum of 30 hops

                      1    <1 ms    <1 ms    <1 ms  192.168.186.2
                      2    *        *        *    Request timed out.
                      3    *        *        *    Request timed out.
                      4    *        *        *    Request timed out.
                      5    *        *        *    Request timed out.
                      6    *        *        *    Request timed out.
                      7    *        *        *    Request timed out.
                      8    *        *        *    Request timed out.
                      9    *        *        *    Request timed out.
                     10    *        *        *    Request timed out.
                     11    *        *        *    Request timed out.
                     12    *        *        *    Request timed out.
                     13    *        *        *    Request timed out.
                     14    *        *        *    Request timed out.
                     15    *        *        *    Request timed out.
                    16

                      johnpoz LAYER 8 Global Moderator

                      well in your first post you had no route - so no you're not going to be able to get to anything on the other side of the tunnel.

                      In your second post you did, so that makes sense why it's working now, and was not before.

                      Why would you trace to my 192.168.1.100 address??? Did I really have to spell out to use an IP on your pfsense lan vs my example ;)

                        ace_ventura

                        haha because I was on call at the time and not really paying attention to what I was doing, lol I'm sorry I feel like an idiot.

                        I'm guessing it's because the client wasn't run as administrator, which is odd since I explicitly told it to the first time.

                        just for giggles I'll prove myself now LOL

                        C:\Users\Mitch>tracert -d 10.0.0.11

                        Tracing route to 10.0.0.11 over a maximum of 30 hops

                          1    14 ms    10 ms    10 ms  192.168.2.1
                          2    11 ms    10 ms    10 ms  10.0.0.11

                        Trace complete.

                          ace_ventura

                          Thanks for your help though, much appreciated.

                            johnpoz LAYER 8 Global Moderator

                            yeah windows 7 needs to run as admin to add the route, but it seems the new beta version of openvpn client has gotten around that?  You could try the new beta 2.3_beta1

                              myke

                              Hi,
                              Here my conf :

                              Client Config

                              dev tun
                              persist-tun
                              persist-key
                              proto udp
                              cipher BF-CBC
                              tls-client
                              client
                              resolv-retry infinite
                              remote 109.6.229.83 1194
                              tls-remote Proxiel Server Cert
                              auth-user-pass
                              pkcs12 doberman-udp-1194.p12
                              tls-auth doberman-udp-1194-tls.key 1
                              comp-lzo

                              Server Settings :
                              dev ovpns1
                              dev-type tun
                              dev-node /dev/tun1
                              writepid /var/run/openvpn_server1.pid
                              #user nobody
                              #group nobody
                              script-security 3
                              daemon
                              keepalive 10 60
                              ping-timer-rem
                              persist-tun
                              persist-key
                              proto udp
                              cipher BF-CBC
                              up /usr/local/sbin/ovpn-linkup
                              down /usr/local/sbin/ovpn-linkdown
                              local 192.168.1.1
                              tls-server
                              server 10.0.8.0 255.255.255.0
                              client-config-dir /var/etc/openvpn-csc
                              username-as-common-name
                              auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                              tls-verify /var/etc/openvpn/server1.tls-verify.php
                              lport 1194
                              management /var/etc/openvpn/server1.sock unix
                              max-clients 10
                              push "route 172.16.0.0 255.255.248.0"
                              ca /var/etc/openvpn/server1.ca
                              cert /var/etc/openvpn/server1.cert
                              key /var/etc/openvpn/server1.key
                              dh /etc/dh-parameters.1024
                              tls-auth /var/etc/openvpn/server1.tls-auth 0
                              comp-lzo
                              persist-remote-ip
                              float
                              route 172.16.0.0 255.255.248.0

                              firewall rules openvpn tab:
                              Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
                              action:pass
                              interface: openvpn

                              IPv4 Table de routage

                              Itinéraires actifs :
                              Destination réseau    Masque réseau  Adr. passerelle  Adr. interface Métrique
                                        0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.75    20
                                        0.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
                                      10.0.8.0  255.255.255.252        On-link          10.0.8.2    286
                                      10.0.8.2  255.255.255.255        On-link          10.0.8.2    286
                                      10.0.8.3  255.255.255.255        On-link          10.0.8.2    286
                                      127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                                      127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                                127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                      128.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
                                    172.16.0.0    255.255.248.0        10.0.8.1        10.0.8.2    30
                                    192.168.0.0    255.255.255.0        On-link      192.168.0.75    276
                                  192.168.0.75  255.255.255.255        On-link      192.168.0.75    276
                                  192.168.0.255  255.255.255.255        On-link      192.168.0.75    276
                                  192.168.56.0    255.255.255.0        On-link      192.168.56.1    276
                                  192.168.56.1  255.255.255.255        On-link      192.168.56.1    276
                                192.168.56.255  255.255.255.255        On-link      192.168.56.1    276
                                      224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                                      224.0.0.0        240.0.0.0        On-link      192.168.56.1    276
                                      224.0.0.0        240.0.0.0        On-link          10.0.8.2    286
                                      224.0.0.0        240.0.0.0        On-link      192.168.0.75    276
                                255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                255.255.255.255  255.255.255.255        On-link      192.168.56.1    276
                                255.255.255.255  255.255.255.255        On-link          10.0.8.2    286
                                255.255.255.255  255.255.255.255        On-link      192.168.0.75    276

                              My Lan Office network is 192.168.0.0 , My pfsense Lan is 172.16.0.0/21 and The tunnel network 10.0.8.0/24

                              So what can i do now ?
                              Thanks.

                                phil.davis

                                push "route 172.16.0.0 255.255.248.0"
                                route 172.16.0.0 255.255.248.0

                                Your server config has both route and push route with the same address. As I understand it, the server is on the pfSense that has LAN 172.16.0.0/21 - so the server should have only:

                                push "route 172.16.0.0 255.255.248.0"

                                Then it will tell ("push a route to") clients that connect saying that it is the way to reach 172.16.0.0/21

                                The extra:

                                route 172.16.0.0 255.255.248.0

                                will confuse the routing - this tells pfSense that 172.16.0.0/21 can be reached by sending packets out this OpenVPN server - which is not correct.

                                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                  myke

                                  I remove the extra route and I'm still searching for my issue.

                                    myke

                                    hello,
                                    I try with server mode Peer to Peer in another pfsense box.

                                    With the same parameter i have internet but i can't ping the computer and AP on the Lan pfsense.

                                    there's a problem when we use OpenVpn with multi wan,failover , and Captive Portal ?

                                    i don't know where is blocking cause no rules blocked the traffic….

                                      myke

                                      I'm back.
                                      I try with Ipsec but i've got the same issue…  :'(

                                        phil.davis

                                        local 192.168.1.1
                                        

                                        This looks wrong in your server config. It should be the WAN IP that the server is on. I am guessing that the server is not on a private address like 192.168.1.1
                                        I just noticed this issue on Redmine http://redmine.pfsense.org/issues/2582 and confirmed the problem. If you change your static IP on WAN, then pfSense does not update the OpenVPN conf files. If you go to each OpenVPN server and client and edit+save again, the conf files are generated again and have the new WAN IP in the "local n.n.n.n" line.


                                        1 Reply Last reply Reply Quote 0
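The two server-config problems phil.davis points out in this thread (a `route` line that duplicates a `push "route ..."`, and a `local` line on a private address) can be checked mechanically. The Python sketch below is an added example, not code from the thread or from pfSense; the function names and finding codes are hypothetical, and the two samples are excerpts of the server configs myke posted.

```python
import ipaddress
import shlex


def parse_directives(conf_text):
    """Yield (directive, args) for each active line of an OpenVPN config."""
    for raw in conf_text.splitlines():
        # pfSense's "advanced config" box separates options with ';'
        line = raw.strip().rstrip(";")
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens[0], tokens[1:]


def route_network(args):
    """['172.16.0.0', '255.255.248.0'] -> ip_network; the mask defaults to /32."""
    if not args:
        return None
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    try:
        return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
    except ValueError:
        return None  # hostname or keyword argument; out of scope here


def lint_server_conf(conf_text):
    """Return a list of (code, detail) findings for the issues in this thread."""
    pushed, kernel_routes, local_addr = set(), [], None
    for name, args in parse_directives(conf_text):
        if name == "push" and args:
            inner = args[0].split()
            if inner and inner[0] == "route":
                net = route_network(inner[1:])
                if net is not None:
                    pushed.add(net)
        elif name == "route":
            net = route_network(args)
            if net is not None:
                kernel_routes.append(net)
        elif name == "local" and args:
            local_addr = args[0]

    findings = []
    # 'route' sends the network INTO the tunnel on the server itself, while
    # 'push "route"' tells clients to do so; both for the server's own LAN
    # is the misconfiguration described in the thread.
    for net in kernel_routes:
        if net in pushed:
            findings.append(("route-and-push", str(net)))
    # Heuristic only: a server behind NAT legitimately binds a private
    # address, so treat this as "verify against the current WAN IP".
    if local_addr:
        try:
            if ipaddress.ip_address(local_addr).is_private:
                findings.append(("local-private", local_addr))
        except ValueError:
            pass  # 'local' given as a hostname
    return findings


# Excerpt of the first server config posted in the thread.
CONF_BEFORE = """
#user nobody
proto udp
local 192.168.1.1
server 10.0.8.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
route 172.16.0.0 255.255.248.0
"""

# Excerpt of the server1.conf posted after the changes.
CONF_AFTER = """
proto tcp-server
local 81.252.136.49
server 10.0.8.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
"""

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, lint_server_conf(conf))
```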
                                          myke

                                          Hi,

                                          Thanks Davis but i have the same result, i can reach my pfsense Lan.

                                          I try with an SDSL router with the Wan IP but exactly the same issues…..

                                          Here my server1.conf :

                                          dev ovpns1
                                          dev-type tun
                                          dev-node /dev/tun1
                                          writepid /var/run/openvpn_server1.pid
                                          #user nobody
                                          #group nobody
                                          script-security 3
                                          daemon
                                          keepalive 10 60
                                          ping-timer-rem
                                          persist-tun
                                          persist-key
                                          proto tcp-server
                                          cipher BF-CBC
                                          up /usr/local/sbin/ovpn-linkup
                                          down /usr/local/sbin/ovpn-linkdown
                                          local 81.252.136.49
                                          tls-server
                                          server 10.0.8.0 255.255.255.0
                                          client-config-dir /var/etc/openvpn-csc
                                          ifconfig 10.0.8.1 10.0.8.2
                                          tls-verify /var/etc/openvpn/server1.tls-verify.php
                                          lport 1194
                                          management /var/etc/openvpn/server1.sock unix
                                          max-clients 8
                                          push "route 172.16.0.0 255.255.248.0"
                                          ca /var/etc/openvpn/server1.ca
                                          cert /var/etc/openvpn/server1.cert
                                          key /var/etc/openvpn/server1.key
                                          dh /etc/dh-parameters.1024
                                          crl-verify /var/etc/openvpn/server1.crl-verify
                                          comp-lzo

                                          Thanks Phil Davis but

                                            myke

                                            Hi,
                                            I just reboot my pfsense and my VPN works now….

                                            Thanks for the help.
