New OpenVPN setup for road-warriors - connected but no routing
-
I have a newly-setup pfSense firewall and need to set up the OpenVPN for users to connect their laptops.
I've managed to get the client connecting to the firewall okay; I see it connected at the client and also in the list on the firewall. I think the problem is either with routing or with rules.
I am running the OpenVPN client "as administrator", so it shouldn't have any problem with creating routes etc.
Part of the problem is that I'm not sure what sort of diagnostic steps to take next, i.e. what should be able to ping where, and so on. Apologies if I've not provided enough info, I just wasn't sure what to tell :)
The LAN subnet is 10.10.0.0/24
The VPN subnet is 172.29.0.0/24
My home IP address is 172.29.14.100
The subnet at home is 172.29.14.0/24

Here's my route table at home:
```
===========================================================================
Interface List
 24...00 ff 88 de fc 9e ......TAP-Windows Adapter V9
 12...f4 6d 04 97 b3 68 ......Intel(R) 82579V Gigabit Network Connection
 17...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 18...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.29.14.1    172.29.14.100     10
        10.10.0.0    255.255.255.0       172.29.0.5       172.29.0.6     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.29.0.1  255.255.255.255       172.29.0.5       172.29.0.6     30
       172.29.0.4  255.255.255.252         On-link        172.29.0.6    286
       172.29.0.6  255.255.255.255         On-link        172.29.0.6    286
       172.29.0.7  255.255.255.255         On-link        172.29.0.6    286
      172.29.14.0    255.255.255.0         On-link     172.29.14.100    266
    172.29.14.100  255.255.255.255         On-link     172.29.14.100    266
    172.29.14.255  255.255.255.255         On-link     172.29.14.100    266
     192.168.64.0    255.255.255.0         On-link      192.168.64.1    276
     192.168.64.1  255.255.255.255         On-link      192.168.64.1    276
   192.168.64.255  255.255.255.255         On-link      192.168.64.1    276
    192.168.233.0    255.255.255.0         On-link     192.168.233.1    276
    192.168.233.1  255.255.255.255         On-link     192.168.233.1    276
  192.168.233.255  255.255.255.255         On-link     192.168.233.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        172.29.0.6    286
        224.0.0.0        240.0.0.0         On-link     192.168.233.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.64.1    276
        224.0.0.0        240.0.0.0         On-link     172.29.14.100    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        172.29.0.6    286
  255.255.255.255  255.255.255.255         On-link     192.168.233.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.64.1    276
  255.255.255.255  255.255.255.255         On-link     172.29.14.100    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 24    286 fe80::/64                On-link
 17    276 fe80::/64                On-link
 18    276 fe80::/64                On-link
 12    266 fe80::/64                On-link
 18    276 fe80::21b3:c7b1:1154:b236/128  On-link
 12    266 fe80::6d13:2082:832:51ff/128   On-link
 17    276 fe80::ad39:9096:d008:a290/128  On-link
 24    286 fe80::f13e:a604:2a0c:d944/128  On-link
  1    306 ff00::/8                 On-link
 24    286 ff00::/8                 On-link
 17    276 ff00::/8                 On-link
 18    276 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```
And my IP config:
```
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Megavec
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : myworkdomain.co.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : myworkdomain.co.uk
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-88-DE-FC-9E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f13e:a604:2a0c:d944%24(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : 24 July 2013 16:43:50
   Lease Expires . . . . . . . . . . : 24 July 2014 16:43:50
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.29.0.5
   DHCPv6 IAID . . . . . . . . . . . : 553713544
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-CE-4B-ED-F4-6D-04-97-B3-68
   DNS Servers . . . . . . . . . . . : 10.10.0.35
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : F4-6D-04-97-B3-68
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6d13:2082:832:51ff%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.29.14.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 22 July 2013 13:39:42
   Lease Expires . . . . . . . . . . : 29 July 2013 13:39:42
   Default Gateway . . . . . . . . . : 172.29.14.1
   DHCP Server . . . . . . . . . . . : 172.29.14.1
   DHCPv6 IAID . . . . . . . . . . . : 267676932
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-CE-4B-ED-F4-6D-04-97-B3-68
   DNS Servers . . . . . . . . . . . : 194.168.4.100
                                       194.168.8.100
   NetBIOS over Tcpip. . . . . . . . : Enabled
```
-
The routes on the client look good - there is a route to 10.10.0.0/24 across the OpenVPN.
Have you got rule/s on the OpenVPN tab of Firewall Rules at the pfSense server end?
You have to explicitly allow (pass) incoming traffic arriving on the OpenVPN heading for the LAN 10.10.0.0/24. For testing, put an allow any to any rule on the OpenVPN tab. If that works then you can make the rule more restrictive as needed.
From the Windows client end you can run:

```
tracert 10.10.0.1
```

(use an IP address of a device on the server-end LAN)
Then you can see where the packets are routed and what hops do/don't answer.
-
Okay, so I do have a rule on the OpenVPN tab (see attached vpn1.png and vpn2.png for VPN and LAN rules).
I ran a trace from the home machine (172.29.0.6) to my office machine (10.10.0.122), and it timed out on all hops. The same with the firewall's LAN address:

```
Request timed out.
```

I'm not sure if I should be able to ping LAN-to-VPN, but I tried that just in case :) That also times out, but the first hop does get to 10.10.0.3 (the pfSense LAN IP) okay, and times out after that.
-
At the TOP of your LAN interface firewall rules, why don't you temporarily put in a pass all to anywhere rule just until your VPN is working correctly, and then after that go back to being restrictive? That way you won't be wondering if it's a firewall rule breaking your setup.
Also, is there a reason you selected TAP vs. TUN? I always use TUN + Layer 3 with NAT to tunnel clients back to a particular subnet, and give them full internet access + network access to resources on the LAN and each other as well.
-
Post your server1.conf and network map.
Also, have we tried the easy stuff like turning off the windows firewall?
-
Yep - The bubba list for Windows installs.
1. Export a Windows package
2. Make sure that when you run the install package on the Windows machine, you right click it and run as admin.
If you don't right click and run as admin, it will install, and connect even... But will not route any packets to speak of.
3. If you didn't install as admin, uninstall - Then install as admin.
4. If still blocked, turn off the Windows Firewall. Turn off all the firewalls during testing till it works.
-
At the TOP of your LAN interface firewall rules, why don't you temporarily put in a pass all to anywhere rule just until your VPN is working correctly, and then after that go back to being restrictive? That way you won't be wondering if it's a firewall rule breaking your setup.
I've added that now
Also, is there a reason you selected TAP vs. TUN? I always use TUN + Layer 3 with NAT to tunnel clients back to a particular subnet, and give them full internet access + network access to resources on the LAN and each other as well.
No particular reason - I can try changing that.
Post your server1.conf and network map.
```
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local my.wan.ip.address
tls-server
server 172.29.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option DOMAIN myworkdomain.co.uk"
push "dhcp-option DNS 10.10.0.35"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
```
Also, have we tried the easy stuff like turning off the windows firewall?
Yep.
-
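The `server 172.29.0.0 255.255.255.0` line above, combined with OpenVPN's default IPv4 `net30` topology (the default in the 2.3-era builds used in this thread), is what produces the 172.29.0.6/255.255.255.252 address with a "DHCP server" of 172.29.0.5 that the client reports: the server keeps 172.29.0.1/.2 for itself and hands each client its own /30 starting at .4. On Windows the TAP-Windows driver is used for TUN mode too, so a /30 on a "TAP-Windows Adapter" is the expected picture for a working TUN client, not evidence that TAP mode is still active. The script below is an added example, not code from pfSense or OpenVPN: it reproduces that arithmetic from a constructed subset of the posted server1.conf and checks it against the addresses the client reported, plus whether the pushed `route` covers the server LAN and stays clear of the tunnel network.

```python
"""Reproduce OpenVPN's net30 address arithmetic and check a server config.

Added example for this thread, not code from pfSense or OpenVPN. It takes the
routing-relevant directives of the posted server1.conf (constructed subset
below) and the addresses the client reported, and checks that they agree.
"""
import ipaddress
import shlex

# Constructed input: only the directives that matter for addressing,
# copied from the server1.conf posted above.
SERVER_CONF = """
dev ovpns1
dev-type tun
server 172.29.0.0 255.255.255.0
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option DOMAIN myworkdomain.co.uk"
push "dhcp-option DNS 10.10.0.35"
"""


def parse_conf(text):
    """Return {directive: [argument-lists]} for a minimal OpenVPN config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps the quoted push "..." payload as one item
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def tunnel_network(conf):
    net, mask = conf["server"][0]
    return ipaddress.ip_network(f"{net}/{mask}")


def net30_slot(tunnel, index):
    """Addresses of the index-th (0-based) client under the default net30 topology.

    The server keeps the first /30 (here .1/.2) for itself; clients are handed
    successive /30s from network+4, the server-side endpoint being the second
    address and the client the third address of each block.
    """
    base = int(tunnel.network_address) + 4 + 4 * index
    return {
        "subnet": ipaddress.ip_network(f"{ipaddress.ip_address(base)}/30"),
        "server_side": ipaddress.ip_address(base + 1),
        "client": ipaddress.ip_address(base + 2),
    }


def pushed_routes(conf):
    routes = []
    for args in conf.get("push", []):
        if args and args[0].startswith("route "):
            _, net, mask = args[0].split()
            routes.append(ipaddress.ip_network(f"{net}/{mask}"))
    return routes


def check(conf, client_ip, client_mask, client_gateway, server_lan):
    """Return a list of findings; an empty list means the config and the
    client's view of the tunnel are consistent."""
    findings = []
    tunnel = tunnel_network(conf)
    lan = ipaddress.ip_network(server_lan)

    if "dev-type" in conf and conf["dev-type"][0][0] != "tun":
        findings.append("dev-type is not tun (layer-2 TAP needs bridging/DHCP)")

    observed = ipaddress.ip_interface(f"{client_ip}/{client_mask}")
    if not observed.network.subnet_of(tunnel):
        findings.append(f"client {observed} is outside the tunnel {tunnel}")
    elif observed.network.prefixlen != 30:
        findings.append(f"client mask {client_mask} is not the /30 net30 hands out")
    else:
        index = (int(observed.network.network_address) - int(tunnel.network_address) - 4) // 4
        slot = net30_slot(tunnel, index) if index >= 0 else None
        if (slot is None or slot["client"] != observed.ip
                or slot["server_side"] != ipaddress.ip_address(client_gateway)):
            findings.append(f"client {observed.ip} / gateway {client_gateway} do not form a net30 slot")

    routes = pushed_routes(conf)
    if not any(lan.subnet_of(r) for r in routes):
        findings.append(f"no pushed route covers the server LAN {lan}")
    for r in routes:
        if r.overlaps(tunnel):
            findings.append(f"pushed route {r} overlaps the tunnel network {tunnel}")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SERVER_CONF)
    print("first client slot:", net30_slot(tunnel_network(conf), 0))
    # Values the client reported in the thread: 172.29.0.6/255.255.255.252, DHCP-serv 172.29.0.5
    for finding in check(conf, "172.29.0.6", "255.255.255.252", "172.29.0.5", "10.10.0.0/24"):
        print("FINDING:", finding)
```

Run it and `check()` returns no findings for the values in this thread: the client really is in the first net30 slot and the pushed route matches the LAN, so the addressing side of this setup is fine and the problem has to be elsewhere (firewall rules, or the path back from the LAN to the tunnel).
-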
I hate to assume anything so I'm going to repeat this bit again.
Make sure that when you run the install package on the Windows machine, you right click it and run as admin.
If you don't right click and run as admin, it will install, and connect even... But will not route any packets to speak of.
(I also prefer TUN for your setup)
-
That's fine, it's always likely that I've made a daft mistake :)
I did just uninstall and re-install as admin, just in case, and even run the client as admin to be sure, and it doesn't seem to make a difference.
Is there anything more to moving to TUN apart from changing the server and client settings to the "tun" option?
-
Yes - You have to export your client config again and reinstall it on windows.
So, uninstall the old one then reinstall the new one.
Also make sure your firewall rules in pfSense on the OpenVPN tab pass to anywhere, just like your LAN rule. (I'm all IPv4 here, so if this is an IPv6 glitch, all bets are off)
-
No idea what I'm missing now. I have some images of my current setup.
I'll try a full removal of the client from the PC and clean up whatever I can see, and try again. As it's connecting but not routing, it smells like the problem of not installing as admin, even though I definitely did.
I assume that if the correct routes are created and visible in "route print", then admin isn't the problem?
-
Still using the TAP adapter? Seriously want you to reconsider using TUN for your own sanity.
OpenVPN should come with a warning that says "Don't use TAP unless you absolutely intend to bridge to your server network or absolutely require layer 2".
As a matter of fact, some OpenVPN tools do say something like that. To get TAP to work, you will need IPs assigned, so a DHCP start and end range. Probably want bridging. Probably want LZO compression on no matter what you use. Probably want type-of-service checked... But, unless you can tell me why you need TAP, you probably need to dump it and use TUN for this.
-
Ah, sorry, my bad - I had tried both, so I think I must've changed it back before the screenshots. I'll set it to TUN now and test again just to be sure! I also found the "Management Interface" option for the client download, and the newer version of OpenVPN, so I'll get through those...
-
Something just occurred to me. What version of the OpenVPN client export package are you on? If you go to your packages, is there an update available for it? It's a one-button push to update that. Basically you just press the little pkg button out to the right. Before you export a new TUN config (you have to export a new config each time you make a server change, to be safe), please make sure the client export package is the latest one.
-
Doesn't appear to be, I only installed it a few days ago too - I'm on 1.0.11
-
If it's not offering an update there, your version is current. We are on the same thing.
-
Sorry to nit-pick but just checking. When you stipulate your tunnel IP range, make sure that subnet isn't used on the client side or the server side. Give the OpenVPN tunnel a separate range.
So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).
No need to push routes or any other madness.
I do provide DNS servers and NTP servers though. Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want google DNS
I also provide a default domain NAME. Just pick a name like tunnel1194 if you only use one server.
-
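The two checks the replies keep coming back to, "is there a route to the server LAN across the OpenVPN" and "is the tunnel range separate from both LANs", can be made mechanical. The script below is an added example for this thread, not code from pfSense or OpenVPN: it parses the IPv4 "Active Routes" rows of Windows `route print` (a constructed subset of the table posted at the top of the thread), does the same longest-prefix/lowest-metric lookup Windows does, and reports whether a host on the server LAN would be sent through the tunnel adapter to the server-side tunnel endpoint. It also lists any overlap between the client LAN, the tunnel network and the server LAN, which is the condition the previous post warns about.

```python
"""Check a road-warrior's Windows route table against the VPN design.

Added example for this thread, not code from pfSense or OpenVPN. It parses the
'Active Routes' rows of 'route print' (a constructed subset of the table posted
above) and answers two questions raised in the replies: does the route for the
server LAN go into the tunnel, and are client LAN, tunnel and server LAN three
non-overlapping ranges?
"""
import ipaddress
import re

# Constructed input: the relevant rows of the posted route table.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.29.14.1    172.29.14.100     10
        10.10.0.0    255.255.255.0       172.29.0.5       172.29.0.6     30
       172.29.0.1  255.255.255.255       172.29.0.5       172.29.0.6     30
       172.29.0.4  255.255.255.252         On-link        172.29.0.6    286
      172.29.14.0    255.255.255.0         On-link     172.29.14.100    266
"""

# destination, netmask, gateway-or-On-link, interface, metric (header rows do not match)
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Parse the IPv4 'Active Routes' rows of 'route print' into dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw == "On-link" else ipaddress.ip_address(gw),
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match; the lowest metric breaks ties, as Windows does."""
    dst = ipaddress.ip_address(str(destination))
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def tunnel_route_ok(routes, server_lan, tunnel_net):
    """True if a host on server_lan is reached via the tunnel adapter with a
    next hop inside the tunnel network (OpenVPN's server-side endpoint)."""
    lan = ipaddress.ip_network(server_lan)
    tunnel = ipaddress.ip_network(tunnel_net)
    r = lookup(routes, lan.network_address + 1)
    return (r is not None and r["gateway"] is not None
            and r["gateway"] in tunnel and r["interface"] in tunnel)


def overlapping(*cidrs):
    """Pairs of ranges that overlap; the tunnel must not overlap either LAN."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("server LAN via tunnel:", tunnel_route_ok(routes, "10.10.0.0/24", "172.29.0.0/24"))
    print("overlaps:", overlapping("172.29.14.0/24", "172.29.0.0/24", "10.10.0.0/24"))
```

For the table in this thread both answers come out the way the first reply said they would: 10.10.0.0/24 is routed to 172.29.0.5 out of 172.29.0.6, and 172.29.14.0/24, 172.29.0.0/24 and 10.10.0.0/24 do not overlap. Paste your own `route print` output into `ROUTE_PRINT` to repeat the check after a reconnect; a missing or On-link route for the server LAN means the `push "route ..."` never reached the client (or the client could not install it), which is the symptom the "run as admin" advice is about.
-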
Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
```
Tue Jul 30 16:07:21 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun  3 2013
Enter Management Password:
Tue Jul 30 16:07:27 2013 Control Channel Authentication: using 'firewall-udp-1194-mark-tls.key' as a OpenVPN static key file
Tue Jul 30 16:07:27 2013 UDPv4 link local (bound): [undef]
Tue Jul 30 16:07:27 2013 UDPv4 link remote: [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:27 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 30 16:07:29 2013 [MyVPN_Server] Peer Connection Initiated with [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:31 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 30 16:07:31 2013 open_tun, tt->ipv6=0
Tue Jul 30 16:07:31 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{27851D99-6A01-467F-965E-44884FAA8B29}.tap
Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.29.0.6/255.255.255.252 on interface {27851D99-6A01-467F-965E-44884FAA8B29} [DHCP-serv: 172.29.0.5, lease-time: 31536000]
Tue Jul 30 16:07:31 2013 Successful ARP Flush on interface [22] {27851D99-6A01-467F-965E-44884FAA8B29}
Tue Jul 30 16:07:36 2013 Initialization Sequence Completed
```
-
All firewalls off on the windows box?
-
Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
I don't understand what you are trying to do there.

```
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
   IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
```
This for sure again looks like /30.