Netgate Discussion Forum

    PfSense 2.0.3 + OpenVPN, resolving problems.

    12 Posts 2 Posters 4.0k Views
    • zleeper

      I suspected that myself in the beginning, but everything gets set properly on the client when connected :/

      Do tell if I should provide some config info that might help to resolve this issue.

      • SeventhSon

        So, from the connected client, show the ipconfig /all output, and an nslookup for a host and for its FQDN. That should have the answer in there.

        • zleeper

          I don't really know what info ipconfig /all gives, so here's some with ifconfig and netstat.

          nslookup google.com
          Server: XXX.179.18.2
          Address: XXX.179.18.2#53

          Non-authoritative answer:
          Name: google.com
          Address: 173.194.32.39
          Name: google.com
          Address: 173.194.32.40
          Name: google.com
          Address: 173.194.32.41
          Name: google.com
          Address: 173.194.32.46
          Name: google.com
          Address: 173.194.32.32
          Name: google.com
          Address: 173.194.32.33
          Name: google.com
          Address: 173.194.32.34
          Name: google.com
          Address: 173.194.32.35
          Name: google.com
          Address: 173.194.32.36
          Name: google.com
          Address: 173.194.32.37
          Name: google.com
          Address: 173.194.32.38

          ifconfig -a
          lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
          gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
          stf0: flags=0<> mtu 1280
          en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
            ether c8:2a:14:04:84:fd
            media: autoselect (none)
            status: inactive
          en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            ether e0:f8:47:37:15:f8
            inet6 fe80::e2f8:47ff:fe37:15f8%en1 prefixlen 64 scopeid 0x5
            inet 10.0.2.178 netmask 0xffffff00 broadcast 10.0.2.255
            media: autoselect
            status: active
          p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
            ether 02:f8:47:37:15:f8
            media: autoselect
            status: inactive
          fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
            lladdr 70:cd:60:ff:fe:d1:70:10
            media: autoselect <full-duplex>
            status: inactive
          vboxnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            ether 0a:00:27:00:00:00
          tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 10.11.0.6 --> 10.11.0.5 netmask 0xffffffff
            open (pid 60243)


          netstat -rn
          Routing tables

          Internet:
          Destination        Gateway            Flags        Refs      Use  Netif Expire
          0/1                10.11.0.5          UGSc          72        0    tun0
          default            10.0.2.1          UGSc          11        0    en1
          10.0.2/24          link#5            UCS            4        0    en1
          10.0.2.1          54:4:a6:d3:d4:3d  UHLWIir        3    6196    en1  1112
          10.0.2.47          link#5            UHRLWIi        0      30    en1
          10.0.2.98          98:3:d8:e8:12:13  UHLWIi          0        0    en1    382
          10.0.2.178        127.0.0.1          UHS            0      100    lo0
          10.0.2.255        ff:ff:ff:ff:ff:ff  UHLWbI          0      16    en1
          10.11/24          10.11.0.5          UGSc            0        0    tun0
          10.11.0.5          10.11.0.6          UHr          135        0    tun0
          XXX.247.8.53/32    10.0.2.1          UGSc            1        0    en1
          127                127.0.0.1          UCS            0        0    lo0
          127.0.0.1          127.0.0.1          UH            10  145126    lo0
          128.0/1            10.11.0.5          UGSc          58        0    tun0
          169.254            link#5            UCS            0        0    en1
          192.168.3          10.11.0.5          UGSc            1        0    tun0

          Internet6:
          Destination                            Gateway                        Flags        Netif Expire
          ::1                                    link#1                          UHL            lo0
          fe80::%lo0/64                          fe80::1%lo0                    UcI            lo0
          fe80::1%lo0                            link#1                          UHLI            lo0
          fe80::%en0/64                          link#4                          UCI            en0
          fe80::%en1/64                          link#5                          UCI            en1
          fe80::e2f8:47ff:fe37:15f8%en1          e0:f8:47:37:15:f8              UHLI            lo0
          ff01::%lo0/32                          fe80::1%lo0                    UmCI            lo0
          ff01::%en0/32                          link#4                          UmCI            en0
          ff01::%en1/32                          link#5                          UmCI            en1
          ff02::%lo0/32                          fe80::1%lo0                    UmCI            lo0
          ff02::%en0/32                          link#4                          UmCI            en0
          ff02::%en1/32                          link#5                          UmCI            en1

          • zleeper

            Forgot to add this also.

            dig @ns1.XXXXXXXX.YYY google.com
            dig: couldn't get address for 'ns1.XXXXXXXX.YYY': not found

            dig @XXX.179.18.2 google.com +short
            173.194.32.40
            173.194.32.41
            173.194.32.46
            173.194.32.32
            173.194.32.33
            173.194.32.34
            173.194.32.35
            173.194.32.36
            173.194.32.37
            173.194.32.38
            173.194.32.39

            nslookup ns1.XXXXXXXX.YYY
            Server: XXX.179.18.2
            Address: XXX.179.18.2#53

            Name: ns1.XXXXXXXX.YYY
            Address: XXX.179.18.2

            • SeventhSon

              What does resolv.conf say when connected? I think there might be multiple DNS servers in there, your normal one and the one through the VPN.

              Not too sure how to fix this on *nix though, I don't use the client on Linux myself.

              • zleeper

                When connected, resolv.conf gets updated with the DNS server from the VPN config (same as for the pfSense installation).

                Should I add an allow rule for port 53 TCP/UDP in the firewall rule list for OpenVPN? Or might it be something like that that's missing?

                • SeventhSon

                  By default there is a deny all rule, so you would have to allow that, yes. I would start off with allow all, to see that the VPN/routing/DNS parts are working, and then lock it down.

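The routing table and resolv.conf discussed in this thread already contain enough to tell which resolver is reached through the tunnel, and therefore which one is subject to the rules on the pfSense OpenVPN interface. The script below is an added example, not code from the thread or from pfSense: it embeds a constructed excerpt of the client's netstat -rn output (with 203.0.113.0/24 standing in for the redacted XXX addresses), does a longest-prefix match the way the kernel does, and reports the interface each nameserver in a constructed resolv.conf leaves through. The 0/1 plus 128.0/1 pair via tun0 seen in the posted table is what OpenVPN's redirect-gateway def1 installs, i.e. the "Force all client generated traffic through the tunnel" server option; the assumption here is that the pushed DNS server has no more specific route, so it rides the tunnel too.

```shell
#!/bin/sh
# Added example: which interface does each nameserver leave through?
# Constructed excerpt of the client's `netstat -rn` (Internet section) from the
# thread; 203.0.113.53 stands in for the redacted VPN server XXX.247.8.53.
ROUTES='Destination        Gateway            Flags        Refs      Use  Netif Expire
0/1                10.11.0.5          UGSc          72        0    tun0
default            10.0.2.1           UGSc          11        0    en1
10.0.2/24          link#5             UCS            4        0    en1
10.0.2.1           54:4:a6:d3:d4:3d   UHLWIir        3     6196    en1  1112
10.0.2.178         127.0.0.1          UHS            0      100    lo0
10.11/24           10.11.0.5          UGSc           0        0    tun0
10.11.0.5          10.11.0.6          UHr          135        0    tun0
203.0.113.53/32    10.0.2.1           UGSc           1        0    en1
127                127.0.0.1          UCS            0        0    lo0
127.0.0.1          127.0.0.1          UH            10   145126    lo0
128.0/1            10.11.0.5          UGSc          58        0    tun0
169.254            link#5             UCS            0        0    en1
192.168.3          10.11.0.5          UGSc           1        0    tun0'

# Constructed resolv.conf: the VPN-pushed resolver (stand-in for XXX.179.18.2)
# followed by the LAN router that was the resolver before connecting.
RESOLV_CONF='nameserver 203.0.113.2
nameserver 10.0.2.1'

# route_iface DEST_IP: print the Netif of the longest-prefix match in ROUTES
# ("none" if nothing matches). Handles the BSD abbreviations netstat uses:
# "default", "0/1", "10.11/24" (trailing zero octets dropped), and bare
# "127" / "169.254" / "192.168.3", which are classful nets unless the H flag
# marks the row as a host route.
route_iface() {
  printf '%s\n' "$ROUTES" | awk -v dst="$1" '
    function ip2int(s,   a) {
      split(s, a, ".")
      return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # expand(dest, flags) -> "dotted-quad-network prefixlen"
    function expand(d, flags,   p, n, len, i) {
      if (d == "default") return "0.0.0.0 0"
      len = -1
      if (index(d, "/")) { split(d, p, "/"); d = p[1]; len = p[2] + 0 }
      n = split(d, p, ".")
      if (len < 0) len = (flags ~ /H/) ? 32 : 8 * n
      for (i = n + 1; i <= 4; i++) p[i] = 0
      return p[1] "." p[2] "." p[3] "." p[4] " " len
    }
    BEGIN { best = -1; iface = "none" }
    NR == 1 || $1 !~ /^[0-9]|^default$/ { next }   # header and non-IPv4 rows
    {
      split(expand($1, $3), e, " ")
      len = e[2] + 0
      div = 2 ^ (32 - len)      # compare the top `len` bits without bitwise ops
      if (int(ip2int(dst) / div) == int(ip2int(e[1]) / div) && len > best) {
        best = len; iface = $6
      }
    }
    END { print iface }'
}

# resolver_paths: one "nameserver iface" line per resolver in RESOLV_CONF.
resolver_paths() {
  printf '%s\n' "$RESOLV_CONF" | while read -r key addr rest; do
    [ "$key" = "nameserver" ] || continue
    printf '%s %s\n' "$addr" "$(route_iface "$addr")"
  done
}

# full_redirect_active: succeed when both halves of the address space (the
# 0/1 and 128.0/1 pair that OpenVPN's redirect-gateway def1 adds) exit via tun0.
full_redirect_active() {
  [ "$(route_iface 0.0.0.1)" = "tun0" ] && [ "$(route_iface 128.0.0.1)" = "tun0" ]
}

# Stand-alone run: a resolver that exits via tun0 has to be allowed by the
# rules on the pfSense OpenVPN interface (TCP/UDP 53), as the thread concludes.
resolver_paths
if full_redirect_active; then
  echo "all traffic is redirected through tun0 (redirect-gateway def1)"
fi
```

Run against a live client, replace the two constructed variables with `netstat -rn` and `cat /etc/resolv.conf` output; a resolver reported on tun0 is the one to test with dig @server after adding the OpenVPN interface rule, while one reported on en1 never touches pfSense at all.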
                  • zleeper

                    There were actually problems on 2 sides :)

                    The first one was the FW rules to allow communication from OpenVPN :)

                    Now I'm trying to figure out how to push DNS configuration to the OpenVPN client :)

                    • SeventhSon

                      There is the option under OpenVPN: Server:
                      "Provide a DNS server list to clients"
                      You can enter DNS servers there.

                      And if you want all traffic to go through the tunnel:
                      "Force all client generated traffic through the tunnel."

                      • zleeper

                        Found the options myself :)
                        But thanks for all the help! :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.