PfSense OpenVPN Server and Tomato OpenVPN Client
-
It seems to want to use 172.18.0.5 as the gateway for the tunnel, but Tomato can't ping that. It can ping 172.18.0.6 and 172.18.0.1 (which are the tunnel addresses, BTW).
OpenVPN does "magic" in its protocol. For example, on a pfSense OpenVPN site-to-site client end it has routes to ".5", but actually I can't ping ".5" and can ping ".1" - the OpenVPN server end only "really" responds on .1, but internally uses the other little /30 subnets (.5/.6, .9/.10, …) for communicating with each connected client. That is a feature of OpenVPN, not specific to Tomato.
Because the pfSense at the server end is the centre of it all (has direct routes to all the subnets), the routing should just work.
I would first check that the firewall rules on the OpenVPN tab at the server end are allowing traffic. An easy first thing is to add an allow-all rule and see if you can start pinging stuff in the VLANs. Then make the rules tighter as you require.
-
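An added illustration of the net30 addressing described in the reply above (example code written for this thread, not from pfSense, OpenVPN or any poster). It assumes the standard net30 layout: the first /30 of the tunnel network is the server's own pair, and every later /30 gives a client the high address as its local endpoint and the low address as a virtual point-to-point peer that no real host answers on.

```python
import ipaddress


def net30_allocations(tunnel_network):
    """Carve an OpenVPN tunnel network into net30 /30 blocks.

    Returns (server, clients). `server` holds the server's local endpoint
    (.1) and its virtual peer (.2); `clients` lists one dict per /30 in
    allocation order, each with the client's local address (.6, .10, ...)
    and its virtual peer (.5, .9, ...). Assumed standard net30 layout.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    if len(blocks) < 2:
        raise ValueError("tunnel network too small for net30 (need >= /29)")
    server_lo, server_hi = list(blocks[0].hosts())  # .1 and .2
    server = {"block": blocks[0], "local": server_lo, "virtual_peer": server_hi}
    clients = []
    for block in blocks[1:]:
        lo, hi = list(block.hosts())
        clients.append({"block": block, "virtual_peer": lo, "local": hi})
    return server, clients


def explain_address(tunnel_network, addr):
    """Say what role `addr` plays in a net30 tunnel network.

    Real endpoints (server .1, client .6/.10/...) can be expected to answer
    pings; virtual peers (.2, .5, .9, ...) are only the far end of a
    point-to-point pair and nothing replies on them; the remaining
    addresses are /30 network or broadcast addresses.
    """
    ip = ipaddress.ip_address(addr)
    server, clients = net30_allocations(tunnel_network)
    if ip == server["local"]:
        return "server endpoint (real, should answer ping)"
    if ip == server["virtual_peer"]:
        return "server's virtual peer (not a real host)"
    for c in clients:
        if ip == c["local"]:
            return f"client endpoint in {c['block']} (real on that client)"
        if ip == c["virtual_peer"]:
            return f"client's virtual peer in {c['block']} (route target, not pingable)"
    return "network or broadcast address of a /30 (unusable)"


if __name__ == "__main__":
    # Constructed sample matching the thread: 172.18.0.0/24 tunnel network.
    for a in ("172.18.0.1", "172.18.0.5", "172.18.0.6", "172.18.0.4"):
        print(a, "->", explain_address("172.18.0.0/24", a))
```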
Thank you for your response. I will double-check this when I get home. I do remember, though, that the firewall had an OpenVPN tab and, if memory serves me correctly, it had an allow-everything rule. I am a little new to pfSense and had previously been using Astaro Gateway (until they changed the home license to not include a site-to-site VPN setup).
Then again, I flubbed up on the phone VLAN by using only TCP/UDP traffic and not Any, which I found out later because of an issue with one of the phones trying to contact a server in the Management VLAN. Figured that one out!
Again thanks, and I'll get back to this.
DJ
-
One more thing that might be worth mentioning: I CAN get the tunnel to work by having Tomato use NAT on it, but then it doesn't route back through.
DJ
-
Have you tried to check the "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)." button? Never liked the net30 thing.
-
Doktornotor,
I have never heard of those options. Where would I look for them? Please let me know.
DJ
-
I have never heard of those options. Where would I look for them? Please let me know.
Well, in the OpenVPN server configuration on your pfSense box. At least it's definitely there with 2.1RCs.
-
It's in 2.03 also.
-
I am sending you what I have on the VPN page. I don't see that option. I also checked on the firewall and it is showing that it's allowing everything.
http://www.elkosupertech.com/f/pfsense.elkosupertech.pdf?attredirects=0&d=1
I made the change of adding the Virtual address option but still it's not working.
DJ
-
No option for topology…
What version of pfSense?
-
2.0.3-RELEASE (amd64)
DJ
-
That's exactly what I'm using.
Hmmm - must be you get different options when setting up a point-to-point tunnel not using a wizard.
-
I did use the wizard for this. My original post shows the options I selected when I set this up. I am thinking of redoing the setup, but they didn't recommend those options. Would you tell me what options I should select or any other changes that should be made?
DJ
-
I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.
-
Did you set up rules on the firewall to allow/pass OpenVPN to anywhere?
-
I take it back - I don't have that topology option either. Not sure what I was thinking earlier.
I have two of those but not the topology one.
Important note: You MUST use device type tun, NOT tap. Otherwise the option is just not there. (Read the OVPN docs for details.)
-
Yeah - I definitely thought I saw that option before, and now I definitely know I don't in my 2.03.
I'm looking at my TUN tunnels that are up and working. Odd. I must have been mistaken.
-
As far as I can tell, the OpenVPN settings on the firewall are set to allow all.
-
The last time I had to configure Tomato as a client, it had a quirk where, for whatever reason, I had to add this to the Tomato client config:
keepalive 10 60 ping-timer-rem
And then it started connecting and working as expected.
Other than that, it was a fairly standard static-key config, nothing too special.
-
I have entered this on the Tomato side and still no joy. Any other suggestions?
DJ
-
Get in touch with the Tomato guys… DD-WRT had OpenVPN buggy as hell more often than not; I doubt it's any better with Tomato.