PfSense OpenVPN Server and Tomato OpenVPN Client

elkosupertech · Jul 27, 2013, 8:54 PM

Just so you know I used this to setup this senario

https://forums.openvpn.net/topic12384.html

What I have is a Main Site with 4 VLans (which I only want to give access to 3) and the Remote Site.

The Main Site has VLAN Management 10.1.0.0/24, VLAN MAIN 10.0.0.0/24, VLAN Phones 10.2.0.0/24 and the remote site which is 10.0.10/24. The Tunnel seems to be connected as I can ping Tomato's ip address and given by pfSense.

The problem seems to be that it's not routing.

Here is the log I pulled off of Tomatoe when it connected:
info kernel: tun: (C) 1999-2004 Max Krasnyansky maxk@qualcomm.comJul 27 12:55:13 unknown daemon.notice openvpn[2653]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Nov 29 2012
Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link local: [undef]
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link remote: 204.28.248.153:1195
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: TLS: Initial packet from 204.28.248.153:1195, sid=8c429fe1 1918d5e2
Jul 27 12:55:13 unknown daemon.warn openvpn[2669]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=1, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S
Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=0, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S_SVRCERT
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: [Parents_S2S_SVRCERT] Peer Connection Initiated with 204.28.248.153:1195
Jul 27 12:55:17 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:17 2013
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6207
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4698
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Auth read bytes,0
Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: END
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: SENT CONTROL [Parents_S2S_SVRCERT]: 'PUSH_REQUEST' (status=1)
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: –ifconfig/up options modified
Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: route options modified
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP device tun11 opened
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP TX queue length set to 100
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 172.18.0.0 netmask 255.255.255.0 gw 172.18.0.5
Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: Initialization Sequence Completed
Jul 27 12:55:34 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:34 2013
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6606
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4937
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Auth read bytes,16
Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: END

When I looked this over it seems to want to use 172.18.0.5 as the Gateway for the Tunnel but Tomato can't ping that. It can ping 172.18.0.6 and 172.18.0.1 (Which is the Tunnel addresses BTW).

Any assistance would be greatly appreciated./maxk@qualcomm.com

phil.davis · Jul 28, 2013, 7:12 AM

it seems to want to use 172.18.0.5 as the Gateway for the Tunnel but Tomato can't ping that. It can ping 172.18.0.6 and 172.18.0.1 (Which is the Tunnel addresses BTW).

OpenVPN does "magic" in its protocol. For example, on a pfSense OpenVPN site-to-site client end it has routes to ".5", but actually I can't ping ".5" and can ping ".1" - the OpenVPN server end only responds "really" to .1, but internally uses the other little /30 subnets (.5 .6, .9 .10 …) for communicating with each connected client. That is a feature of OpenVPN, not specific to Tomato.
Because the pfSense at the server end is the centre of it all (has direct routes to all the subnets), the routing should just work.
I would first check that the firewall rules on the OpenVPN tab at the server end are allowing traffic. Easy first thing is to add an allow all to all rule and see if you can start pinging stuff in the VLANs. Then make the rules tougher as you require.

elkosupertech · Jul 29, 2013, 5:59 PM

Thank you for your response. I will double check this when I get home. I do remember though that the Firewall had an OpenVPN tab and if memory serves me correctly, it had an allow everything rule. I am a little new with pfSense and had previously had been using Astaro Gateway (until they changed the home license to not include a Site-to-site VPN setup).

Then again I flubbed up on the phone VLAN by using only TCP/UDP traffic and not Any which I found later because of an issue with one of the phones trying to contact a server in the Management VLAN. Figured that one out!

Again thanks, and I'll get back to this.

DJ

elkosupertech · Jul 29, 2013, 6:03 PM

One more thing that might be worth mentioning. I CAN get the tunnel to work by having tomato use a NAT on it, but then it doesn't route back through.

DJ

doktornotor · Jul 29, 2013, 6:05 PM

Have you tried to check the "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)." button? Never liked the net30 thing.

elkosupertech · Jul 29, 2013, 7:02 PM

Doktornotor,

I have never heard of those options. Where would I look for them? Please let me know.

DJ

doktornotor · Jul 29, 2013, 7:11 PM

@elkosupertech:

I have never heard of those options. Where would I look for them? Please let me know.

Well, in the OpenVPN server configuration on your pfSense box. At least it's definitely there with 2.1RCs.

kejianshi · Jul 29, 2013, 7:44 PM

Its in 2.03 also.

elkosupertech · Jul 30, 2013, 12:35 AM

I am sending you what I have on the VPN page. I don't see that option. I also checked on the Firewall and it is showing that its allowing everything.

http://www.elkosupertech.com/f/pfsense.elkosupertech.pdf?attredirects=0&d=1

I made the change of adding the Virtual address option but still it's not working.

DJ

kejianshi · Jul 30, 2013, 12:44 AM

No option for topology…
What version pfsense?

elkosupertech · Jul 30, 2013, 1:03 AM

2.0.3-RELEASE (amd64)

DJ

kejianshi · Jul 30, 2013, 1:04 AM

Thats exactly what I'm using.
Hmmm - Must be you get different options when setting up a point to point tunnel not using a wizard.

elkosupertech · Jul 30, 2013, 1:07 AM

I did use the Wizard for this. My original post shows the options I selected when I set this up. I am thinking of redoing the setup but they didn't recommend those options. Would you tell me what options I should select or any other changes that should be made?

DJ

kejianshi · Jul 30, 2013, 1:12 AM

I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.

kejianshi · Jul 30, 2013, 1:24 AM

Did you set up rules on the firewall to allow/pass Openvpn to anywhere?

doktornotor · Jul 30, 2013, 8:30 AM

@kejianshi:

I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.

Important note: You MUST use device type tun, NOT tap. Otherwise the option is just not there. (Read the OVPN docs for details.)

kejianshi · Jul 30, 2013, 1:52 PM

Yeah - I definitely thought I saw that option before and now I definitely know I don't in my 2.03
I'm looking at my TUN tunnels that are up and working. Odd. I must have been mistaken.

elkosupertech · Jul 31, 2013, 3:46 AM

As far as I can tell, OpenVPN's settings on the Firewall are set to allow all.

jimp · Jul 31, 2013, 1:40 PM

The last time I had to config Tomato as a client it had a quirk where, for whatever reason, I had to add this to the Tomato client config:


keepalive 10 60
ping-timer-rem

And then it started connecting and working as expected.

Other than that it was a fairly standard static key config, nothing too special.

elkosupertech · Aug 2, 2013, 3:12 AM

I have entered this on the Tomato side and still no joy. Any other suggestions?

DJ