Configuring VPN win7 clients with pfsense

LeCygne

@johnpoz:

Yeah once you vpn in, depending on what firewall rules you put in place you can access anything you want on your network.  I vpn into my home network pretty much every day.  I am on now - yes I can print to my printer if I want, I can remote desktop to any box on my network, I can access my file shares, etc. etc. etc.

D:>net view \storage.local.lan
Shared resources at \storage.local.lan

My storage server

Share name  Type  Used as  Comment

–-----------------------------------------------------------------------------
J           Disk
Media       Disk
Molly       Disk
temp        Disk
The command completed successfully.

Thats my NAS on my home network, while I am here at work.

So tell me what are rules will i use ?

thank you .

johnpoz

You wouldn't use any rules really unless you want to limit or block something - wizard should create the default rule

IPv4 * * * * * * none   OpenVPN pfsense wizard

The above is what I have in my openvpn tab

LeCygne

@johnpoz:

You wouldn't use any rules really unless you want to limit or block something - wizard should create the default rule

IPv4 * * * * * * none   OpenVPN pfsense wizard

The above is what I have in my openvpn tab

What is subnet' ip address are you using and for vpn' clients ?

johnpoz

You can use whatever you want.. I use 2 different ones for tcp or udp connections I use

NO TCP / 443 10.0.200.0/24 pfsense tcp
NO UDP / 1194 10.0.8.0/24 pfsense udp

Just use something that is unlikely to conflict with the network segment connecting to you.

LeCygne

@johnpoz:

You can use whatever you want.. I use 2 different ones for tcp or udp connections I use

NO TCP / 443 10.0.200.0/24 pfsense tcp
NO UDP / 1194 10.0.8.0/24 pfsense udp

Just use something that is unlikely to conflict with the network segment connecting to you.

So why i could not see any device on my network also i can't ping any device except my pfsense ?

i have a rule like your rule on my WAN and LAN

johnpoz

Are we to just guess your setup?  For all I know you have host firewalls blocking ping.  What does could not see mean?  Are you talking like a windows browse list - thats not going to happen over different segments and a nat.  You could run a wins server if you want to have browselists across segments.

For all we know you have 192.168.1.0/24 on your pfsense lan side and remote network is also 192.168.1.0/24 – are you sending your route, is the client getting the route?

Post up your openvpn config, did you do a traceroute from the client that could not ping your pfsense box?  Is he sending the traffic down the tunnel?

LeCygne

@johnpoz:

Are we to just guess your setup?  For all I know you have host firewalls blocking ping.  What does could not see mean?  Are you talking like a windows browse list - thats not going to happen over different segments and a nat.  You could run a wins server if you want to have browselists across segments.

For all we know you have 192.168.1.0/24 on your pfsense lan side and remote network is also 192.168.1.0/24 – are you sending your route, is the client getting the route?

Post up your openvpn config, did you do a traceroute from the client that could not ping your pfsense box?  Is he sending the traffic down the tunnel?

tunnel network : 192.168.10.0/24
my lan:192.168.1.0/24

after connecting to my network i got 192.168.10.6 (windows told me that )

after that i can ping only pfsense box

tell me exactly what are you looking about openvpn confi because there are many fields with vpn confi .

Also about i could't see any device i mean at least i ping them (my devices:pritner,computers,servers)
and sharing files .

i hope what i told you to be helpful .

thank you .

johnpoz

And where are you connecting from?  What is that network?

Post up output of route print after you connect.

Do a traceroute to the IP your trying to ping.

So what if there are multiple fields, here attached is mine.. And then the client config from client export.  Just snipped out part of public IP for privacy.
–
dev tun
persist-tun
persist-key
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 24.13.xx.xx 443 tcp
tls-remote pfsense-openvpn
pkcs12 pfsense-TCP-443-johnpoz.p12
tls-auth pfsense-TCP-443-johnpoz-tls.key 1
ns-cert-type server
comp-lzo

LeCygne

@johnpoz:

And where are you connecting from?  What is that network?

Post up output of route print after you connect.

Do a traceroute to the IP your trying to ping.

So what if there are multiple fields, here attached is mine.. And then the client config from client export.  Just snipped out part of public IP for privacy.
–
dev tun
persist-tun
persist-key
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 24.13.xx.xx 443 tcp
tls-remote pfsense-openvpn
pkcs12 pfsense-TCP-443-johnpoz.p12
tls-auth pfsense-TCP-443-johnpoz-tls.key 1
ns-cert-type server
comp-lzo

after connecting to my pfsense this is what i got :

Sun Feb 17 20:45:14 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Sun Feb 17 20:45:17 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sun Feb 17 20:45:17 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Feb 17 20:45:17 2013 Control Channel Authentication: using 'pfsense-udp-1195-internal-ca-tls.key' as a OpenVPN static key file
Sun Feb 17 20:45:17 2013 LZO compression initialized
Sun Feb 17 20:45:17 2013 UDPv4 link local (bound): [undef]:1194
Sun Feb 17 20:45:17 2013 UDPv4 link remote: 37.xxx.xxx.xxx:1195
Sun Feb 17 20:45:17 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Feb 17 20:45:20 2013 [internal-ca] Peer Connection Initiated with 37.xxx.xxx.xxx:1195
Sun Feb 17 20:45:23 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{BFEE7338-93E9-47C0-8501-430F8AC797C1}.tap
Sun Feb 17 20:45:23 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {BFEE7338-93E9-47C0-8501-430F8AC797C1} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
Sun Feb 17 20:45:23 2013 Successful ARP Flush on interface [23] {BFEE7338-93E9-47C0-8501-430F8AC797C1}
Sun Feb 17 20:45:28 2013 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Sun Feb 17 20:45:28 2013 Initialization Sequence Completed

after pinging 192.168.1.1 :

reqeust timed out

Also :

Tracing route to 192.168.1.1 over a maximum of 30 hops

  1    55 ms    55 ms    53 ms  192.168.200.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *

thank you .

LeCygne

Also :

dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 37.xxx.xxx.xxx 1195
tls-remote internal-ca
auth-user-pass
pkcs12 pfsense-udp-1195-internal-ca.p12
tls-auth pfsense-udp-1195-internal-ca-tls.key 1
comp-lzo

johnpoz

And what part do you not understand about this???

WARNING: potential route subnet conflict between **local LAN [192.168.1.0[/b]/255.255.255.0] and **remote VPN [192.168.1.0[/b]/255.255.255.0]

Your networks on both sides are the SAME!!!!  NOT going to work!!

You have

192.168.1.0/24 –- tunnel --- 192.168.1.0/24

Does not work like that..  Even if client that is directly connected to the tunnel sends his traffic down the tunnel.  And a client on the vpn side sees the traffic - its going to be from a 192.168.1.0 address, never going to send it back to pfsense because that is the vpn boxes LOCAL network, no need to talk to pfsense.

You need this

192.168.A.0/24 –- tunnel --- 192.168.B.0/24

You can not have the same network on both sides of a tunnel and expect it to work without doing some fancy NATing of the connection..  If your remote network is 192.168.1.0, make your local network 192.168.72.0/24 or something - that is unlikely to be used anywhere that would be remote into your network.****

johnpoz

Hmm also, so your pfsense box default gateway for clients on vpn side?  If so then road warrior that uses the tunnel IP as its source should be able to talk to clients on the vpn side even with a dupe IP.

Site to site would be a major issue! But if the box on the vpn side is not using pfsense as default gateway - then again your not going to be able to talk..

So I notice you point dns to 192.168.1.1, but in your address bar your access pfsense at 192.168.1.254..  So this box your trying to talk to at 192.168.1.1 in your traceroute - is his default gateway off 192.168.1.0/24 the pfsense box at 192.168.1.254?

What is this 192.168.1.1 box?  What is his default gateway?

LeCygne

@johnpoz:

Hmm also, so your pfsense box default gateway for clients on vpn side?  If so then road warrior that uses the tunnel IP as its source should be able to talk to clients on the vpn side even with a dupe IP.

Site to site would be a major issue! But if the box on the vpn side is not using pfsense as default gateway - then again your not going to be able to talk..

So I notice you point dns to 192.168.1.1, but in your address bar your access pfsense at 192.168.1.254..  So this box your trying to talk to at 192.168.1.1 in your traceroute - is his default gateway off 192.168.1.0/24 the pfsense box at 192.168.1.254?

What is this 192.168.1.1 box?  What is his default gateway?

Look

my remote network (my office) 192.168.1.0/24
DNS,DHCP server                    192.168.1.1
Default gateway                      192.168.1.254 (pfsense box)

Tunnel network (as you saw before) 192.168.1.200.0/24

my local network (my house) 192.168.10.0/24
DNS,DHCP server                192.168.10.1
Default gateway                  192.168.10.1 (a gateway , there is no a pfsense box)

with that settings should be able to see all devices on the remote network ? (because i will try them tonight )

thank you

johnpoz

Yes there should be no reason why you can not access stuff on the remote network, unless they are running host firewalls?

If youh have problems, please show your connection info and route print.  And traceroute

LeCygne

@johnpoz:

Yes there should be no reason why you can not access stuff on the remote network, unless they are running host firewalls?

If youh have problems, please show your connection info and route print.  And traceroute

Okay as i told you i will try them…thank you man .

LeCygne

Hi…also nothing happen and as usual i could ping only pfsense box and i could't see any device on the remote network...(i forget to what you said to me about print route command but tonight i will post it here)

but i want to ask you : what rules need i to and on which will i apply them (WAN,LAN,vpnServer) ?

thank you .

johnpoz

You shouldn't need any special rules - so unless you have changed the defaults your fine..  Did you run the openvpn wizard so it created your openvpn rules… here are my rules.

Now I did open up my lan rule to have * source vs lan net, but I don't think you really need to do that..  I had that as test I think for something else.  While at work today I will change that and verify access to lan, etc.

And you would need Wan rule to allow your openvpn connection - but your stating that your connecting, so I have to assume you have that rule in place or you would never connect.

To be honest, you run the wizard for the openvpn and put in the info and your done!  You should not be having so many problems.

LeCygne

Hi…i could ping only linux machines (from my house) but i could't see them (i mean : start logo,computer,network,here there is no any device a printer a server...etc,only my machine .)

and (from my office) i could ping that machine on my network (my house) from only linux machines

and please take a look below :

from my house,the output of the route print command :

Interface List
 25...00 ff 49 eb 71 95 ......TAP-Win32 Adapter V9
 23...00 ff a6 3a 86 34 ......Anchorfree HSS VPN Adapter
 10...00 1e 90 c6 30 64 ......VIA Rhine II Compatible Fast Ethernet Adapter
  1...........................Software Loopback Interface 1
 21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #4
 11...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2
 13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #3
 15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #5
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #6
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.6     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0    192.168.200.5    192.168.200.6     30
     192.168.10.0    255.255.255.0         On-link      192.168.10.6    276
     192.168.10.6  255.255.255.255         On-link      192.168.10.6    276
   192.168.10.255  255.255.255.255         On-link      192.168.10.6    276
    192.168.200.1  255.255.255.255    192.168.200.5    192.168.200.6     30
    192.168.200.4  255.255.255.252         On-link     192.168.200.6    286
    192.168.200.6  255.255.255.255         On-link     192.168.200.6    286
    192.168.200.7  255.255.255.255         On-link     192.168.200.6    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.10.6    276
        224.0.0.0        240.0.0.0         On-link     192.168.200.6    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.10.6    276
  255.255.255.255  255.255.255.255         On-link     192.168.200.6    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 21     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 21     58 2001::/32                On-link
 21    306 2001:0:9d38:6ab8:8:296d:3f57:f5f9/128
                                    On-link
 10    276 fe80::/64                On-link
 25    286 fe80::/64                On-link
 21    306 fe80::/64                On-link
 21    306 fe80::8:296d:3f57:f5f9/128
                                    On-link
 10    276 fe80::1c4a:a172:f43c:76d0/128
                                    On-link
 25    286 fe80::f4a3:af91:392b:4309/128
                                    On-link
  1    306 ff00::/8                 On-link
 21    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
 25    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

the output of the tracert command (also from my house):

Tracing route to RAAFAT-780 [192.168.1.30]
over a maximum of 30 hops:

  1    54 ms    55 ms    54 ms  192.168.200.1
  2    56 ms    56 ms    54 ms  RAAFAT-780 [192.168.1.30]

Trace complete.

Please note my machine (my house) could know the name of my (linux) machine (my office) RAAFAT-780

finally,the log of openVPN:

Fri Feb 22 15:07:05 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Fri Feb 22 15:07:12 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Feb 22 15:07:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 22 15:07:12 2013 Control Channel Authentication: using 'pfsense-udp-1195-internal-ca-tls.key' as a OpenVPN static key file
Fri Feb 22 15:07:12 2013 LZO compression initialized
Fri Feb 22 15:07:12 2013 UDPv4 link local (bound): [undef]:1194
Fri Feb 22 15:07:12 2013 UDPv4 link remote: 37.x.x.x:1195
Fri Feb 22 15:07:12 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 22 15:07:14 2013 [internal-ca] Peer Connection Initiated with 37.x.x.x:1195
Fri Feb 22 15:07:16 2013 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{49EB7195-A813-4005-B4D6-943F98EA8734}.tap
Fri Feb 22 15:07:16 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {49EB7195-A813-4005-B4D6-943F98EA8734} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
Fri Feb 22 15:07:16 2013 Successful ARP Flush on interface [25] {49EB7195-A813-4005-B4D6-943F98EA8734}
Fri Feb 22 15:07:21 2013 Initialization Sequence Completed

thank you .

johnpoz

"but i could't see them "

And when do you think linux machines are going to show up in a windows browse list??  Are the running samba and participating in that nonsense?

If you can ping 1 machine on your work network from your vpn client, then you have access to the network - other machine not resolving or not answering ping is unlikely to have anything to do with the vpn connection.. More like firewall blocking it at the host or maybe its OFF? ;)  As to resolving via host name only, your not pointing at pfsense for dns - so what does that IP your pointing to for dns run.  Query it directly for hosts you want resolve?  Do they resolve?

If you want  boxes to show up in windows browse list across segments then your going to have to run wins!  And even if on same network – it can take 45 minutes for a browselist to populate..

I would suggest you read up on how windows browselist work -- and again they have NOTHING to do with network access, file sharing or name resolution - NOTHING!  Its a BS little list that is not real time, is not very stable and does not work across network segments, etc. etc..

https://www.microsoft.com/en-us/download/details.aspx?id=5590
Windows Computer Browsing for SOHO Networks with Microsoft Windows

https://www.microsoft.com/en-us/download/details.aspx?id=21205
Troubleshooting Computer Browsing on SOHO Networks with Microsoft Windows

Pfsense and openvpn have nothing to do with this - and your not pointing to pfsense for your name resolution for your vpn clients, so it has nothing to do with that.

You can ping a machine across your vpn connection - therefore your vpn is UP!!  There is NO point to the browselist in the first place, use name resolution to resolve your computer names be it dns, wins or broadcast which is not going to work in your current setup.  You don't know the names of the machines you need to access?  Then what the hell your accessing the network in the first place for??

But sure if you want to get the browselist to work across segments then your going to have to run wins, and understand how it works.  Good luck, its a pointless endeavor ;)

If you wanted the network browse list to work, you would have to create a bridged vpn where your road warrior got an IP on your lan and then browselist would work.. But it would most likely take at min 15 minutes to start to show anything, upwards of 45 minutes.  I would assume your box thinks its the master browser for the segment it came up on, and whatever your workgroup name is.

Why do you think you need or even want a browselist?  Now what you can do it query your work networks browse master for a list.

So for example using browstat, don't believe it will work on 7x64.  You can do a browstat dumpnet and get your transports, one would be your vpn device, then you use that to query the browselist on your work network...

D:\Dropbox\tools>browstat dumpnet

List of transports currently bound to the browser

1 \Device\NetBT_Tcpip_{46B7FF42-B5F2-44F2-9EAE-1F0BAF7B4932}
    2 \Device\NetBT_Tcpip_{791A8563-34BD-4681-A0F6-281494D295C8}

You can see which one it would be by mac, so I have highlighted the mac portions

Ethernet adapter ovpn:

Connection-specific DNS Suffix  . : local.lan
       Description . . . . . . . . . . . : TAP-Win32 Adapter V9
       Physical Address. . . . . . . . . : 00-FF-79-1A-85-63

D:\Dropbox\tools>browstat view 2 \storage
Remoting NetServerEnum to \storage on transport \Device\NetBT_Tcpip_{791A8563-34BD-4681-A0F6-281494D295C8} with flags ffffffff
4 entries returned.  4 total. 4094 milliseconds

\I5-W7             NT   06.01 (W,S,PQ,NT)
\KIM-PC            NT   06.01 (W,S,NT)
\STORAGE           NT   06.01 (W,S,NT,SS,PBR,BBR,MBR)    My storage server
\W7X64-VM          NT   06.01 (W,S,NT)

Those are the 4 boxes on in my home network that are participating in the browselist.  No its not listing my linux boxes, they don't have samba installed - no its not listing pfsense, etc. etc.

I know that \storage is my browse master, since I have setup my network that way.  Not really a fan of the browselist, just don't see the point of it.  But there is always a way to skin the cat..  Just not seeing why it matter if you can browse your remote network?

LeCygne

But why i can't ping any windows machine ? (only linux machine)