Netgate Discussion Forum

Trying to get LAN access, can only ping myself

    ace_ventura
    last edited by Oct 3, 2012, 7:44 PM

    Thanks for your help though, much appreciated.

      johnpoz LAYER 8 Global Moderator
      last edited by Oct 3, 2012, 7:52 PM

      Yeah, Windows 7 needs to run as admin to add the route, but it seems the new beta version of the OpenVPN client has gotten around that?  You could try the new beta 2.3_beta1

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        myke
        last edited by Oct 4, 2012, 10:12 AM

        Hi,
        Here is my conf:

        Client Config

        dev tun
        persist-tun
        persist-key
        proto udp
        cipher BF-CBC
        tls-client
        client
        resolv-retry infinite
        remote 109.6.229.83 1194
        tls-remote Proxiel Server Cert
        auth-user-pass
        pkcs12 doberman-udp-1194.p12
        tls-auth doberman-udp-1194-tls.key 1
        comp-lzo

        Server Settings :
        dev ovpns1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp
        cipher BF-CBC
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 192.168.1.1
        tls-server
        server 10.0.8.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc
        username-as-common-name
        auth-user-pass-verify /var/etc/openvpn/server1.php via-env
        tls-verify /var/etc/openvpn/server1.tls-verify.php
        lport 1194
        management /var/etc/openvpn/server1.sock unix
        max-clients 10
        push "route 172.16.0.0 255.255.248.0"
        ca /var/etc/openvpn/server1.ca
        cert /var/etc/openvpn/server1.cert
        key /var/etc/openvpn/server1.key
        dh /etc/dh-parameters.1024
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        comp-lzo
        persist-remote-ip
        float
        route 172.16.0.0 255.255.248.0

        firewall rules openvpn tab:
        Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
        action:pass
        interface: openvpn

        IPv4 Table de routage

        Itinéraires actifs :
        Destination réseau    Masque réseau  Adr. passerelle  Adr. interface Métrique
                  0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.75    20
                  0.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
                10.0.8.0  255.255.255.252        On-link          10.0.8.2    286
                10.0.8.2  255.255.255.255        On-link          10.0.8.2    286
                10.0.8.3  255.255.255.255        On-link          10.0.8.2    286
                127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
          127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                128.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
              172.16.0.0    255.255.248.0        10.0.8.1        10.0.8.2    30
              192.168.0.0    255.255.255.0        On-link      192.168.0.75    276
            192.168.0.75  255.255.255.255        On-link      192.168.0.75    276
            192.168.0.255  255.255.255.255        On-link      192.168.0.75    276
            192.168.56.0    255.255.255.0        On-link      192.168.56.1    276
            192.168.56.1  255.255.255.255        On-link      192.168.56.1    276
          192.168.56.255  255.255.255.255        On-link      192.168.56.1    276
                224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                224.0.0.0        240.0.0.0        On-link      192.168.56.1    276
                224.0.0.0        240.0.0.0        On-link          10.0.8.2    286
                224.0.0.0        240.0.0.0        On-link      192.168.0.75    276
          255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          255.255.255.255  255.255.255.255        On-link      192.168.56.1    276
          255.255.255.255  255.255.255.255        On-link          10.0.8.2    286
          255.255.255.255  255.255.255.255        On-link      192.168.0.75    276

        My office LAN network is 192.168.0.0, my pfSense LAN is 172.16.0.0/21 and the tunnel network is 10.0.8.0/24.

        So what can I do now?
        Thanks.

          phil.davis
          last edited by Oct 4, 2012, 12:03 PM

          push "route 172.16.0.0 255.255.248.0"
          route 172.16.0.0 255.255.248.0

          Your server config has both route and push route with the same address. As I understand it, the server is on the pfSense that has LAN 172.16.0.0/21 - so the server should have only:

          push "route 172.16.0.0 255.255.248.0"

          Then it will tell ("push a route to") clients that connect saying that it is the way to reach 172.16.0.0/21

          The extra:

          route 172.16.0.0 255.255.248.0

          will confuse the routing - this tells pfSense that 172.16.0.0/21 can be reached by sending packets out this OpenVPN server - which is not correct.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            myke
            last edited by Oct 4, 2012, 1:20 PM

            I removed the extra route and I'm still searching for my issue.

              myke
              last edited by Oct 4, 2012, 4:38 PM

              Hello,
              I tried with server mode Peer to Peer on another pfSense box.

              With the same parameters I have internet but I can't ping the computer and AP on the pfSense LAN.

              Is there a problem when we use OpenVPN with multi-WAN, failover, and Captive Portal?

              I don't know where it is blocking, because no rules blocked the traffic…

                myke
                last edited by Oct 5, 2012, 12:21 PM

                I'm back.
                I tried with IPsec but I've got the same issue…  :'(

                  phil.davis
                  last edited by Oct 5, 2012, 12:43 PM

                  local 192.168.1.1
                  

                  This looks wrong in your server config. It should be the WAN IP that the server is on. I am guessing that the server is not on a private address like 192.168.1.1
                  I just noticed this issue on Redmine http://redmine.pfsense.org/issues/2582 and confirmed the problem. If you change your static IP on WAN, then pfSense does not update the OpenVPN conf files. If you go to each OpenVPN server and client and edit+save again, the conf files are generated again and have the new WAN IP in the "local n.n.n.n" line.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
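
The two config problems phil.davis points out in this thread (a route line that repeats the push "route ..." line, and a local line on a private address), written as a check in Python. This is an added example, not part of any post and not pfSense or OpenVPN code; the helper name audit_server_conf and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the routing-related lines of the first server config in this thread.
SAMPLE_CONF = """\
local 192.168.1.1
server 10.0.8.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
route 172.16.0.0 255.255.248.0
"""

def _net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' pair, or None if unparsable."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def audit_server_conf(text):
    """Return findings (hypothetical helper, not a pfSense or OpenVPN function)."""
    pushed, routed, findings = [], [], []
    for raw in text.splitlines():
        # Drop comments (# or ;) so disabled directives are ignored.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if m := re.match(r'push\s+"route\s+(\S+)\s+([^\s"]+)', line):
            pushed.append(_net(*m.groups()))
        elif m := re.match(r"route\s+(\S+)\s+(\S+)", line):
            routed.append(_net(*m.groups()))
        elif m := re.match(r"local\s+(\S+)", line):
            try:
                if ipaddress.ip_address(m.group(1)).is_private:
                    findings.append(f"local {m.group(1)} is a private address; check it is the WAN IP")
            except ValueError:
                pass  # hostname instead of an IP: nothing to check here
    # A server-side route that overlaps a pushed route sends the server's own LAN into the tunnel.
    for r in filter(None, routed):
        for p in filter(None, pushed):
            if r.overlaps(p):
                findings.append(f"route {r} overlaps pushed route {p}; keep only the push")
    return findings

if __name__ == "__main__":
    for finding in audit_server_conf(SAMPLE_CONF):
        print(finding)
```

A private local address is only flagged for review, since a server behind NAT legitimately binds to one.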

                    myke
                    last edited by Oct 5, 2012, 1:55 PM

                    Hi,

                    Thanks Davis, but I have the same result, I can reach my pfSense LAN.

                    I tried with an SDSL router with the WAN IP but exactly the same issues…

                    Here is my server1.conf:

                    dev ovpns1
                    dev-type tun
                    dev-node /dev/tun1
                    writepid /var/run/openvpn_server1.pid
                    #user nobody
                    #group nobody
                    script-security 3
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    proto tcp-server
                    cipher BF-CBC
                    up /usr/local/sbin/ovpn-linkup
                    down /usr/local/sbin/ovpn-linkdown
                    local 81.252.136.49
                    tls-server
                    server 10.0.8.0 255.255.255.0
                    client-config-dir /var/etc/openvpn-csc
                    ifconfig 10.0.8.1 10.0.8.2
                    tls-verify /var/etc/openvpn/server1.tls-verify.php
                    lport 1194
                    management /var/etc/openvpn/server1.sock unix
                    max-clients 8
                    push "route 172.16.0.0 255.255.248.0"
                    ca /var/etc/openvpn/server1.ca
                    cert /var/etc/openvpn/server1.cert
                    key /var/etc/openvpn/server1.key
                    dh /etc/dh-parameters.1024
                    crl-verify /var/etc/openvpn/server1.crl-verify
                    comp-lzo

                    Thanks Phil Davis but

                      myke
                      last edited by Oct 8, 2012, 7:52 AM

                      Hi,
                      I just rebooted my pfSense and my VPN works now…

                      Thanks for the help.
