Netgate Discussion Forum

PfSense OpenVPN Server and Tomato OpenVPN Client

  • elkosupertech
    last edited by Jul 27, 2013, 8:54 PM

    Just so you know, I used this to set up this scenario:

    https://forums.openvpn.net/topic12384.html

    What I have is a Main Site with 4 VLans (which I only want to give access to 3) and the Remote Site.

    The Main Site has VLAN Management 10.1.0.0/24, VLAN MAIN 10.0.0.0/24, VLAN Phones 10.2.0.0/24, and the remote site which is 10.0.10/24.  The tunnel seems to be connected, as I can ping Tomato's IP address as given by pfSense.

    The problem seems to be that it's not routing.

    Here is the log I pulled off of Tomato when it connected:
    info kernel: tun: (C) 1999-2004 Max Krasnyansky maxk@qualcomm.com
    Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Nov 29 2012
    Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Jul 27 12:55:13 unknown daemon.warn openvpn[2653]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Socket Buffers: R=[112640->131072] S=[112640->131072]
    Jul 27 12:55:13 unknown daemon.notice openvpn[2653]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link local: [undef]
    Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: UDPv4 link remote: 204.28.248.153:1195
    Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: TLS: Initial packet from 204.28.248.153:1195, sid=8c429fe1 1918d5e2
    Jul 27 12:55:13 unknown daemon.warn openvpn[2669]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=1, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S
    Jul 27 12:55:13 unknown daemon.notice openvpn[2669]: VERIFY OK: depth=0, /C=US/ST=Nevada/L=Elko/O=ELKOSUPERTECH/emailAddress=me@elkosupertech.com/CN=Parents_S2S_SVRCERT
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Jul 27 12:55:16 unknown daemon.notice openvpn[2669]: [Parents_S2S_SVRCERT] Peer Connection Initiated with 204.28.248.153:1195
    Jul 27 12:55:17 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:17 2013
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6207
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4698
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: Auth read bytes,0
    Jul 27 12:55:17 unknown daemon.notice openvpn[2669]: END
    Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: SENT CONTROL [Parents_S2S_SVRCERT]: 'PUSH_REQUEST' (status=1)
    Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
    Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 27 12:55:18 unknown daemon.notice openvpn[2669]: OPTIONS IMPORT: route options modified
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP device tun11 opened
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: TUN/TAP TX queue length set to 100
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: /sbin/route add -net 172.18.0.0 netmask 255.255.255.0 gw 172.18.0.5
    Jul 27 12:55:19 unknown daemon.notice openvpn[2669]: Initialization Sequence Completed
    Jul 27 12:55:34 unknown daemon.err openvpn[2669]: event_wait : Interrupted system call (code=4)
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: OpenVPN STATISTICS
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Updated,Sat Jul 27 12:55:34 2013
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP read bytes,0
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TUN/TAP write bytes,0
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP read bytes,6606
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: TCP/UDP write bytes,4937
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: Auth read bytes,16
    Jul 27 12:55:34 unknown daemon.notice openvpn[2669]: END

    When I looked this over, it seems to want to use 172.18.0.5 as the gateway for the tunnel, but Tomato can't ping that.  It can ping 172.18.0.6 and 172.18.0.1 (which are the tunnel addresses, BTW).

    Any assistance would be greatly appreciated.

    • phil.davis
      last edited by Jul 28, 2013, 7:12 AM

      it seems to want to use 172.18.0.5 as the Gateway for the Tunnel but Tomato can't ping that.  It can ping 172.18.0.6 and 172.18.0.1 (Which is the Tunnel addresses BTW).

      OpenVPN does "magic" in its protocol. For example, on a pfSense OpenVPN site-to-site client end it has routes to ".5", but actually I can't ping ".5" and can ping ".1" - the OpenVPN server end only responds "really" to .1, but internally uses the other little /30 subnets (.5 .6, .9 .10 …) for communicating with each connected client. That is a feature of OpenVPN, not specific to Tomato.
      Because the pfSense at the server end is the centre of it all (has direct routes to all the subnets), the routing should just work.
      I would first check that the firewall rules on the OpenVPN tab at the server end are allowing traffic. Easy first thing is to add an allow all to all rule and see if you can start pinging stuff in the VLANs. Then make the rules tougher as you require.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • elkosupertech
        last edited by Jul 29, 2013, 5:59 PM

        Thank you for your response.  I will double check this when I get home.  I do remember, though, that the Firewall had an OpenVPN tab and, if memory serves me correctly, it had an allow-everything rule.  I am a little new with pfSense and had previously been using Astaro Gateway (until they changed the home license to not include a site-to-site VPN setup).

        Then again I flubbed up on the phone VLAN by using only TCP/UDP traffic and not Any which I found later because of an issue with one of the phones trying to contact a server in the Management VLAN.  Figured that one out!

        Again thanks, and I'll get back to this.

        DJ

        • elkosupertech
          last edited by Jul 29, 2013, 6:03 PM

          One more thing that might be worth mentioning.  I CAN get the tunnel to work by having Tomato use NAT on it, but then it doesn't route back through.

          DJ

          • doktornotor
            last edited by Jul 29, 2013, 6:05 PM

            Have you tried to check the "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)." button? Never liked the net30 thing.

            • elkosupertech
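The two points raised so far, phil.davis's description of net30 handing each client its own /30 whose ".5" is only a virtual peer, and doktornotor's pointer to the "topology subnet" alternative, can both be checked against the PUSH_REPLY in the Tomato log above. The following is an added example written for this thread; it is not code from pfSense, Tomato or OpenVPN. The net30 message is copied from the log, the subnet message is a constructed guess at what the same server would push with "topology subnet" (the 172.18.0.2 address and the route-gateway line are assumptions), and the only OpenVPN rule relied on is that the second word of a pushed ifconfig is the peer address under net30 and the netmask under subnet topology.

```python
"""Decode an OpenVPN PUSH_REPLY and work out the tunnel addressing it implies.

Added example for this thread; it is not code from pfSense, Tomato or OpenVPN.
Only the Python standard library is used.
"""
import ipaddress

# Constructed input: the PUSH_REPLY line from the Tomato log quoted in the thread.
PUSH_REPLY_NET30 = (
    "PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,"
    "route 10.2.0.0 255.255.255.0,route 172.18.0.0 255.255.255.0,"
    "topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5"
)

# Constructed input (assumed addresses): what the same server would push with
# "topology subnet"; the second ifconfig word is then a netmask, not a peer.
PUSH_REPLY_SUBNET = (
    "PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,"
    "route 10.2.0.0 255.255.255.0,topology subnet,route-gateway 172.18.0.1,"
    "ping 10,ping-restart 60,ifconfig 172.18.0.2 255.255.255.0"
)


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, [args]) pairs.

    OpenVPN separates pushed options with commas and option words with spaces.
    """
    head, *options = msg.split(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    parsed = []
    for opt in options:
        words = opt.split()
        if words:
            parsed.append((words[0], words[1:]))
    return parsed


def option(opts, name):
    """Argument list of the first pushed option called `name`, or None."""
    for key, args in opts:
        if key == name:
            return args
    return None


def pushed_routes(opts):
    """All 'route <network> <netmask>' entries as ip_network objects."""
    return [ipaddress.ip_network(f"{args[0]}/{args[1]}")
            for key, args in opts if key == "route" and len(args) >= 2]


def explain_tunnel(opts):
    """Report where the client's routes point and which address the server really owns.

    net30: each client gets an isolated /30 out of the tunnel network. The client
    takes the second usable address (.6 here) and its routes use the first (.5) as
    next hop; that .5 is a virtual peer inside the server process, while the
    server's own tunnel address is the first host of the tunnel network (.1).
    subnet: the client gets one address in a shared network and the next hop is
    the pushed route-gateway, i.e. the server's real address.
    """
    topology = (option(opts, "topology") or ["net30"])[0]  # net30 when nothing is pushed
    ifc = option(opts, "ifconfig")
    if ifc is None or len(ifc) != 2:
        raise ValueError("PUSH_REPLY carries no usable ifconfig")
    client_ip = ipaddress.ip_address(ifc[0])
    routes = pushed_routes(opts)

    if topology == "net30":
        block = ipaddress.ip_network(f"{client_ip}/30", strict=False)
        next_hop = block[1]                          # .5, virtual server side of the /30
        # The tunnel network is pushed as a route to itself (172.18.0.0/24 above).
        tunnel_net = next((n for n in routes if client_ip in n), None)
    else:
        block = ipaddress.ip_network(f"{client_ip}/{ifc[1]}", strict=False)
        tunnel_net = block
        gw = option(opts, "route-gateway")
        next_hop = ipaddress.ip_address(gw[0]) if gw else block[1]

    server_ip = tunnel_net[1] if tunnel_net is not None else None
    return {
        "topology": topology,
        "client_ip": str(client_ip),
        "client_block": str(block),
        "route_next_hop": str(next_hop),
        "server_tunnel_ip": str(server_ip) if server_ip else None,
        "next_hop_is_server": next_hop == server_ip,
        "lan_routes": [str(r) for r in routes if r != tunnel_net],
    }


if __name__ == "__main__":
    for label, msg in (("net30", PUSH_REPLY_NET30), ("subnet", PUSH_REPLY_SUBNET)):
        print(label, explain_tunnel(parse_push_reply(msg)))
```

Running it on the logged message shows the client in 172.18.0.4/30 with every pushed route pointing at 172.18.0.5, while the server's own tunnel address is 172.18.0.1: exactly the "can ping .1 and .6 but not .5" situation in the first post, and a reason not to read a failed ping of .5 as a broken tunnel. The constructed subnet-topology message instead yields a next hop that is the server's real address.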
              last edited by Jul 29, 2013, 7:02 PM

              Doktornotor,

              I have never heard of those options.  Where would I look for them?  Please let me know.

              DJ

              • doktornotor
                last edited by Jul 29, 2013, 7:11 PM

                @elkosupertech:

                I have never heard of those options.  Where would I look for them?  Please let me know.

                Well, in the OpenVPN server configuration on your pfSense box. At least it's definitely there with 2.1RCs.

                • kejianshi
                  last edited by Jul 29, 2013, 7:44 PM

                  It's in 2.03 also.

                  • elkosupertech
                    last edited by Jul 30, 2013, 12:35 AM

                    I am sending you what I have on the VPN page.  I don't see that option.  I also checked on the Firewall and it is showing that it's allowing everything.

                    http://www.elkosupertech.com/f/pfsense.elkosupertech.pdf?attredirects=0&d=1

                    I made the change of adding the Virtual address option but still it's not working.

                    DJ

                    • kejianshi
                      last edited by Jul 30, 2013, 12:44 AM Jul 30, 2013, 12:42 AM

                      No option for topology…
                      What version of pfSense?

                      • elkosupertech
                        last edited by Jul 30, 2013, 1:03 AM

                        2.0.3-RELEASE (amd64)

                        DJ

                        • kejianshi
                          last edited by Jul 30, 2013, 1:04 AM

                          That's exactly what I'm using.
                          Hmmm - must be you get different options when setting up a point-to-point tunnel without using the wizard.

                          • elkosupertech
                            last edited by Jul 30, 2013, 1:07 AM

                            I did use the Wizard for this.  My original post shows the options I selected when I set this up.  I am thinking of redoing the setup but they didn't recommend those options.  Would you tell me what options I should select or any other changes that should be made?

                            DJ

                            • kejianshi
                              last edited by Jul 30, 2013, 1:12 AM

                              I take it back - I don't have that topology option either.  Not sure what I was thinking earlier.
                              I have two of those but not the topology one.

                              • kejianshi
                                last edited by Jul 30, 2013, 1:24 AM

                                Did you set up rules on the firewall to allow/pass OpenVPN to anywhere?

                                • doktornotor
                                  last edited by Jul 30, 2013, 8:30 AM Jul 30, 2013, 8:27 AM

                                  @kejianshi:

                                  I take it back - I don't have that topology option either.  Not sure what I was thinking earlier.
                                  I have two of those but not the topology one.

                                  Important note: You MUST use device type tun, NOT tap. Otherwise the option is just not there. (Read the OVPN docs for details.)

                                  • kejianshi
                                    last edited by Jul 30, 2013, 1:52 PM

                                    Yeah - I definitely thought I saw that option before, and now I definitely know I don't in my 2.03.
                                    I'm looking at my TUN tunnels that are up and working.  Odd.  I must have been mistaken.

                                    • elkosupertech
                                      last edited by Jul 31, 2013, 3:46 AM

                                      As far as I can tell, OpenVPN's settings on the Firewall are set to allow all.

                                      • jimp (Rebel Alliance, Developer, Netgate)
                                        last edited by Jul 31, 2013, 1:40 PM

                                        The last time I had to config Tomato as a client it had a quirk where, for whatever reason, I had to add this to the Tomato client config:

                                        keepalive 10 60
                                        ping-timer-rem

                                        And then it started connecting and working as expected.

                                        Other than that it was a fairly standard static key config, nothing too special.

                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                        • elkosupertech
                                          last edited by Aug 2, 2013, 3:12 AM

                                          I have entered this on the Tomato side and still no joy.  Any other suggestions?

                                          DJ
