OpenVPN client cannot ping LAN from VPN subnet
-
Hello-
I'm new to pfsense thus this message. I've operated OpenVPN on a linux router for at least ten years so it's a challenge adapting to pfsense's OpenVPN methodology! :)
I've set up keys the way they should be and can accomplish a successful handshake between a Windows 7 client and the OpenVPN server running on pfsense. However, I cannot get past the pfsense router. I can ping pfsense but nothing out in the LAN. The docs says that routing is automatically added by pfsense when an OpenVPN server is set up in pfsense version 2.0.x. Is that true?
If so, what am I doing wrong? I've added a rule in the OVPN tab allowing TCP/UDP/ICMP traffic inbound into the OpenVPN interface as follows:
pass in quick on openvpn proto tcp all flags S/SA keep state label "USER_RULE: allow TCP/UDP traffic into VPN tunnel"
pass in quick on openvpn proto udp all keep state label "USER_RULE: allow TCP/UDP traffic into VPN tunnel"
pass in quick on openvpn inet proto icmp all keep state label "USER_RULE: allow ICMP traffic into VPN tunnel"
pass in quick on openvpn inet from any to 192.168.101.0/24 flags S/SA keep state label "USER_RULE"Do I need to add rules elsewhere?
If pfsense doesn't automatically add routing, what steps do I need to allow clients into the LAN?
~Doug
-
Go to the OpenVPN Server Settings and add this:
Advanced configuration:
push "route 192.168.101.0 255.255.255.0";
fixed this issue for me.
-
Umm.
Now I cannot seem to do a proper handshake anymore. I do seem to get an initial packet from [AF_INET]<wan address="">:1194 but then it times out after 60 secs. The server openvpn.log is filled with "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Now I see that the WAN card seems to ahve issues. For example I cannot ping www.google.com successfully. I'm wondering if OpenVPN causes problems with name resolution on the WAn card when a connection is attempted between an OpenVPN client and the server? Has anyone seen this issue before?
~Doug</wan>
-
[2.0.2-RELEASE][admin@pfsense.dawnsign.com]/root(13): /etc/rc.banner ; ifconfig ; ping -c 3 8.8.8.8 ; ping -c 3 www.google.com ; netstat -r -n *** Welcome to pfSense 2.0.2-RELEASE-pfSense (i386) on pfsense *** WAN (wan) -> vx0 -> 69.xxx.xxx.xxx LAN (lan) -> fxp0 -> 192.168.101.253 OPT1 (opt1) -> xl0 -> NONE vx0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:a0:24:78:61:ce inet6 fe80::2a0:24ff:fe78:61ce%vx0 prefixlen 64 scopeid 0x1 inet 69.xxx.xxx.xxx netmask 0xfffffff0 broadcast 69.198.101.223 nd6 options=43 <performnud,accept_rtadv>xl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=80009 <rxcsum,vlan_mtu,linkstate>ether 00:10:5a:85:91:11 inet6 fe80::210:5aff:fe85:9111%xl0 prefixlen 64 scopeid 0x2 nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>) status: active fxp0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=2049 <rxcsum,vlan_mtu,polling,wol_magic>ether 00:1c:c0:75:5c:26 inet6 fe80::21c:c0ff:fe75:5c26%fxp0 prefixlen 64 scopeid 0x3 inet 192.168.101.253 netmask 0xffffff00 broadcast 192.168.101.255 nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>) status: active pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128 syncok: 1 pflog0: flags=100 <promisc>metric 0 mtu 33200 enc0: flags=0<> metric 0 mtu 1536 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 nd6 options=43 <performnud,accept_rtadv>PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss PING www.google.com (74.125.239.20): 56 data bytes --- www.google.com ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 69.198.101.209 UGS 0 118 vx0 69.xxx.xxx.xxx/28 link#1 U 0 415 vx0 69.xxx.xxx.xxx link#1 UHS 0 0 lo0 127.0.0.1 link#7 UH 0 75 lo0 192.168.101.0/24 link#3 U 0 535 fxp0 192.168.101.253 link#3 UHS 0 0 lo0 208.67.220.220 69.198.101.209 UGHS 0 16 vx0 208.67.222.222 69.198.101.209 UGHS 0 16 vx0 Internet6: Destination Gateway Flags Netif Expire ::1 ::1 UH lo0 fe80::%vx0/64 link#1 U vx0 fe80::2a0:24ff:fe78:61ce%vx0 link#1 UHS lo0 fe80::%xl0/64 link#2 U xl0 fe80::210:5aff:fe85:9111%xl0 link#2 UHS lo0 fe80::%fxp0/64 link#3 U fxp0 fe80::21c:c0ff:fe75:5c26%fxp0 link#3 UHS lo0 fe80::%lo0/64 link#7 U lo0 fe80::1%lo0 link#7 UHS lo0 ff01:1::/32 fe80::2a0:24ff:fe78:61ce%vx0 U vx0 ff01:2::/32 fe80::210:5aff:fe85:9111%xl0 U xl0 ff01:3::/32 fe80::21c:c0ff:fe75:5c26%fxp0 U fxp0 ff01:7::/32 ::1 U lo0 ff02::%vx0/32 fe80::2a0:24ff:fe78:61ce%vx0 U vx0 ff02::%xl0/32 fe80::210:5aff:fe85:9111%xl0 U xl0 ff02::%fxp0/32 fe80::21c:c0ff:fe75:5c26%fxp0 U fxp0 ff02::%lo0/32 ::1 U lo0 [2.0.2-RELEASE][admin@pfsense.dawnsign.com]/root(14):</performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></full-duplex></performnud,accept_rtadv></rxcsum,vlan_mtu,polling,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,vlan_mtu,linkstate></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>I've observed that upon rebooting each time, most times I'm able to ping 8.8.8.8 within 30 seconds and then I'm unable to ping anymore. In very few instances, I cannot even ping successfully upon rebooting.
I suspected a flaky NIC and replaced a 3Com 509b card with a 3Com 595 card to no effect. I replaced the switch but no dice. It appears that the issue is within pfsense. I disabled pf ('pfctl -d') and still am unable to ping 8.8.8.8 successfully.
Is pfsense borked? What steps can I take to investigate this further?
~Doug
-
I restored from a previous backup that didn't contain any configuration information for OpenVPN. Ping now works. And doesn't stop working after 30 seconds of being up. So far so good.
I imported the pfsense certificate authority certificate and key (ca.crt & ca.key) into the Cert Manager CA Authority tab from our older Linux-based router which used easyrsa to generate those certificates/keys. Then I went to the client certificate tab and imported Firewall.crt & Firewall.key from our Linux-based router to a 'Firewall' certificate entry. I also imported a client certificate and key into a new client certificate entry called DougSampson.
I went to the OpenVPN configuration and imported the contents of the ta.key into the TLS-Authentication box. For the Peer Certificate Authority I chose the Firewall Certificate Authority certificate (ca.crt in this case) and for the Peer Certificate Revocation List I chose the Firewall Certificate Authority entry (we didn't employ a CRL list on our Linux-based router). For the Server Certificate, I chose the Firewall server certificate (in this case, the Firewall.crt) for the Server Certificate box. I chose 1024 bits for the DH Parameter Length. We had a dh1024.pem file from our Linux-based router but didn't know where to put it- there's no box for selecting the dh1024.pem file. It currently sits in the /root/easyrsa4pfsense/keys folder. POSTSCRIPT: I now notice 'dh /etc/dh-parameters.1024' in server1.conf. Should I replace the contents of that file with the contents from the /root/easyrsa4pfsense/keys/dh1024.pem?
The contents of server1.conf is as follows:
dev ovpns1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher BF-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 69.xxx.xxx.xxx tls-server server 10.0.8.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc tls-verify /var/etc/openvpn/server1.tls-verify.php lport 1194 management /var/etc/openvpn/server1.sock unix max-clients 5 push "route 192.168.101.0 255.255.255.0" push "dhcp-option DOMAIN dawnsign.com" push "dhcp-option DNS 192.168.101.1" push "dhcp-option DNS 192.168.101.4" push "dhcp-option DNS 192.168.101.7" push "dhcp-option DNS 192.168.101.254" push "dhcp-option NTP 192.168.101.254" push "dhcp-option NTP 192.168.101.4" push "dhcp-option WINS 192.168.101.4" client-to-client ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.1024 crl-verify /var/etc/openvpn/server1.crl-verify tls-auth /var/etc/openvpn/server1.tls-auth 0 comp-lzo passtos persist-remote-ip float push "route 192.168.102.0 255.255.255.0"Content of client.ovpn:
client dev tun proto udp remote 69.xxx.xxx.xxx 1194 resolve-retry infinite nobind persist-key persist-tun ca ca.crt cert DougSampson.crt key DougSampson.key tls-auth ta.key 1 comp-lzo verb 3The client config file worked just fine with our existing Linux-based router running OpenVPN.
Now when I try to connect, it fails with a TLS handshake error. Here is what the openvpn.log spits out:
Feb 28 10:07:05 pfsense openvpn[11729]: event_wait : Interrupted system call (code=4) Feb 28 10:07:05 pfsense openvpn[11729]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.0.8.1 10.0.8.2 init Feb 28 10:07:05 pfsense openvpn[11729]: SIGTERM[hard,] received, process exiting Feb 28 10:07:05 pfsense openvpn[48656]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012 Feb 28 10:07:05 pfsense openvpn[48656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 28 10:07:05 pfsense openvpn[48656]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file Feb 28 10:07:05 pfsense openvpn[48656]: TUN/TAP device /dev/tun1 opened Feb 28 10:07:05 pfsense openvpn[48656]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Feb 28 10:07:05 pfsense openvpn[48656]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up Feb 28 10:07:05 pfsense openvpn[48656]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.0.8.1 10.0.8.2 init Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link local (bound): [AF_INET]69.xxx.xxx.xxx:1194 Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link remote: [undef] Feb 28 10:07:05 pfsense openvpn[50174]: Initialization Sequence Completed Feb 28 10:08:06 pfsense openvpn[50174]: <ovpn client="" ip="" addr="">:51681 Re-using SSL/TLS context Feb 28 10:08:06 pfsense openvpn[50174]: <ovpn client="" ip="" addr="">:51681 LZO compression initialized Feb 28 10:09:06 pfsense openvpn[50174]: <ovpn client="" ip="" addr="">:51681 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Feb 28 10:09:06 pfsense openvpn[50174]: <ovpn client="" ip="" addr="">:51681 TLS Error: TLS handshake failed</ovpn></ovpn></ovpn></ovpn>Moreover, the pfsense server stops being able to ping! After rebooting, I'm unable to ping at all.
It looks like there is a misconfiguration error somewhere in there and I cannot figure it out. Can anyone spot any errors? I notice that in the server1.conf file, the cipher is specified but it is not specified in the client config file. Is this an error? Are there any other errors?
~Doug