    New OpenVPN setup for road-warriors - connected but no routing

    55 Posts 8 Posters 20.5k Views
kejianshi:

      Yep - The bubba list for windows installs.

      1.  Export a Windows package
      2.  Make sure that when you run the install package on the Windows machine, you right-click it and run as admin.
          If you don't right click and run as admin, it will install, and connect even…  But will not route any packets to speak of.
      3.  If you didn't install as admin, uninstall - Then install as admin.
      4.  If still blocked, turn off the Windows Firewall.  Turn off all the firewalls during testing till it works.

Cylindric:

        @kejianshi:

        At the TOP of your LAN interface firewall rules, why don't you temporarily put in a pass-all-to-anywhere rule just until your VPN is working correctly, and then after that go back to being restrictive? That way you won't be wondering if it's a firewall rule breaking your setup.

        I've added that now

        @kejianshi:

        Also, is there a reason you selected TAP vs. TUN?  I always use TUN + Layer 3 with NAT to tunnel clients back to a particular subnet, and give them full internet access + network access to resources on the LAN and each other as well.

        No particular reason - I can try changing that.

        @marvosa:

        Post your server1.conf and network map.

        dev ovpns1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp
        cipher AES-128-CBC
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local my.wan.ip.address
        tls-server
        server 172.29.0.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc
        username-as-common-name
        auth-user-pass-verify /var/etc/openvpn/server1.php via-env
        tls-verify /var/etc/openvpn/server1.tls-verify.php
        lport 1194
        management /var/etc/openvpn/server1.sock unix
        max-clients 10
        push "route 10.10.0.0 255.255.255.0"
        push "dhcp-option DOMAIN myworkdomain.co.uk"
        push "dhcp-option DNS 10.10.0.35"
        ca /var/etc/openvpn/server1.ca 
        cert /var/etc/openvpn/server1.cert 
        key /var/etc/openvpn/server1.key 
        dh /etc/dh-parameters.1024
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        persist-remote-ip
        float
        

        @marvosa:

        Also, have we tried the easy stuff like turning off the windows firewall?

        Yep.

kejianshi:

          I hate to assume anything so I'm going to repeat this bit again.

          Make sure that when you run the install package on the Windows machine, you right-click it and run as admin.
          If you don't right-click and run as admin, it will install, and connect even…  But will not route any packets to speak of.
          (I also prefer TUN for your setup)

Cylindric:

            That's fine, it's always likely that I've made a daft mistake :)

            I did just uninstall and re-install as admin, just in case, and even run the client as admin to be sure, and it doesn't seem to make a difference.

            Is there any change to moving to TUN apart from changing the server and client settings to the "tun" option?

kejianshi:

              Yes - You have to export your client config again and reinstall it on windows.
              So, uninstall the old one, then reinstall the new one.
              Also make sure your firewall rules in pfSense on the OpenVPN tab pass to anywhere, just like your LAN rule.

              (I'm all IPv4 here, so if this is an IPv6 glitch, all bets are off)

Cylindric:

                No idea what I'm missing now. I have some images of my current setup.

                I'll try a full removal of the client from the PC and clean up whatever I can see, and try again. As it's connecting but not routing, it smells like the problem of not installing as admin, even though I definitely did.

                I assume that if the correct routes are created and visible in "route print", then admin isn't the problem?

                Attachments: client-ipconfig.png, client-ovpn.png, client-route.png, ovpn-client.png, ovpn-export.png, ovpn-server.png, rules-lan.png, rules-vpn.png

kejianshi:

                  Still using the TAP adapter?  Seriously want you to reconsider using TUN for your own sanity.
                  OpenVPN should come with a warning that says "Don't use TAP unless you absolutely intend to bridge to your server network or absolutely require layer 2".
                  As a matter of fact, some OpenVPN tools do say something like that.  To get TAP to work, you will need IPs assigned, so a DHCP start and end range.  Probably want bridging.  Probably want LZO compression on no matter what you use.  Probably want type-of-service checked…

                  But, unless you can tell me why you need TAP, probably need to dump it and use TUN for this.

Cylindric:

                    Ah, sorry my bad - I had tried both, so think I must've changed it back before screenies. I'll set it to TUN now and test again just to be sure! I also found the "Management Interface" option for the client download, and the newer version of OpenVPN, so I'll get through those…

kejianshi:

                      Something just occurred to me.  What version of the OpenVPN client export package are you on?  If you go to your packages, is there an update available for it?  It's a one-button push to update that.  Basically you just press the little pkg button out to the right.  Before you export a new TUN adapter (you have to export a new config each time you make a server change, to be safe), please make sure the client export package is the latest one.

Cylindric:

                        Doesn't appear to be; I only installed it a few days ago too. I'm on 1.0.11.

kejianshi:

                          If it's not offering an update there, your version is current.  We are on the same thing.

kejianshi:

                            Sorry to nit-pick, but just checking.  When you stipulate your tunnel IP, make sure that subnet isn't used on the client side or the server side.  Give the OpenVPN tunnel a separate range.

                            So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).

                            No need to push routes or any other madness.

                            I do provide DNS servers and NTP servers though.  Get two online NTP servers in your timezone, and use 8.8.8.8 and 8.8.4.4 if you want Google DNS.

                            I also provide a default domain NAME.  Just pick a name like tunnel1194 if you only use one server.

Cylindric:

                              Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.

                              Tue Jul 30 16:07:21 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun  3 2013
                              Enter Management Password:
                              Tue Jul 30 16:07:27 2013 Control Channel Authentication: using 'firewall-udp-1194-mark-tls.key' as a OpenVPN static key file
                              Tue Jul 30 16:07:27 2013 UDPv4 link local (bound): [undef]
                              Tue Jul 30 16:07:27 2013 UDPv4 link remote: [AF_INET]88.215.3.70:1194
                              Tue Jul 30 16:07:27 2013 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
                              Tue Jul 30 16:07:29 2013 [MyVPN_Server] Peer Connection Initiated with [AF_INET]88.215.3.70:1194
                              Tue Jul 30 16:07:31 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                              Tue Jul 30 16:07:31 2013 open_tun, tt->ipv6=0
                              Tue Jul 30 16:07:31 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{27851D99-6A01-467F-965E-44884FAA8B29}.tap
                              Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.29.0.6/255.255.255.252 on interface {27851D99-6A01-467F-965E-44884FAA8B29} [DHCP-serv: 172.29.0.5, lease-time: 31536000]
                              Tue Jul 30 16:07:31 2013 Successful ARP Flush on interface [22] {27851D99-6A01-467F-965E-44884FAA8B29}
                              Tue Jul 30 16:07:36 2013 Initialization Sequence Completed

                              Attachments: ipconfig.txt, route.txt

kejianshi:

                                All firewalls off on the windows box?

doktornotor (Banned):

                                  @Cylindric:

                                  Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.

                                  I don't understand what you are trying to do there.

                                     Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
                                     IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred)
                                     Subnet Mask . . . . . . . . . . . : 255.255.255.252

                                  This for sure again looks like /30.

Cylindric:

                                    @kejianshi:

                                    Sorry to nit-pick, but just checking.  When you stipulate your tunnel IP, make sure that subnet isn't used on the client side or the server side.  Give the OpenVPN tunnel a separate range.

                                    So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).

                                    No need to push routes or any other madness.

                                    I do provide DNS servers and NTP servers though.  Get two online NTP servers in your timezone, and use 8.8.8.8 and 8.8.4.4 if you want Google DNS.

                                    I also provide a default domain NAME.  Just pick a name like tunnel1194 if you only use one server.

                                    Nitpick away - whatever it takes :)

                                    My remote test PC is on a 172.29.14.0 subnet with a mask 255.255.255.0, at the moment the IP is 172.29.14.100

                                    My pfSense LAN subnet is 10.10.0.0 with mask 255.255.255.0, and the IP is 10.10.0.3

                                    The server "Tunnel Network" is 172.29.0.0/24
                                    The server "Local Network" is 10.10.0.0/24

                                    The client "Tunnel Network" is 172.29.0.0/24
                                    The client "Local Network" is 10.10.0.0/24

                                    The firewall is now disabled on the PC. Not sure what the Virgin SuperHub might be doing though, although as the tunnel is established and I can see that in the pfSense status, I assume any intermediary firewalls just see "traffic", not anything specific.

                                    This for sure again looks like /30

                                    I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.

doktornotor (Banned):

                                      @Cylindric:

                                      This for sure again looks like /30

                                      I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.

                                      Please, tick the proper checkbox so that this net30 topology is NOT used.

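To show why the Windows client ends up with 172.29.0.6/255.255.255.252 while every pfSense screen says /24: OpenVPN's default net30 topology expands "server 172.29.0.0 255.255.255.0" into a /30 per client, and that is what the checkbox doktornotor refers to switches off. This is an added Python 3 example, not pfSense or OpenVPN code; the log line is reconstructed from the thread with the adapter GUID replaced by a placeholder.

```python
"""Model how OpenVPN expands 'server 172.29.0.0 255.255.255.0' under the
net30 and subnet topologies, and check a Windows client log line against
the Tunnel Network configured in pfSense.  Added example, not pfSense code."""
import re
from ipaddress import IPv4Address, IPv4Network


def net30_assignment(tunnel_net: str, client_index: int):
    """topology net30: the server keeps the first /30 (.1 local, .2 peer);
    client N is handed the /30 starting at base + 4*(N+1), using its third
    address as its own IP and its second as the 'DHCP-serv' endpoint."""
    net = IPv4Network(tunnel_net)
    base = int(net.network_address) + 4 * (client_index + 1)
    block = IPv4Network((base, 30))
    # OpenVPN's pool stops before the last /30, which would hold the broadcast
    if not block.subnet_of(net) or block.broadcast_address == net.broadcast_address:
        raise ValueError("ifconfig-pool exhausted")
    return str(IPv4Address(base + 2)), str(IPv4Address(base + 1)), str(block)


def subnet_assignment(tunnel_net: str, client_index: int):
    """topology subnet: the server is .1 and clients get .2, .3, ... with the
    full tunnel mask, so the Windows adapter shows /24 rather than /30."""
    net = IPv4Network(tunnel_net)
    client = int(net.network_address) + 2 + client_index
    if client > int(net.broadcast_address) - 2:   # pool ends at .253 on a /24
        raise ValueError("ifconfig-pool exhausted")
    return str(IPv4Address(client)), str(net.network_address + 1), str(net)


# Constructed from the thread's client log; the adapter GUID is a placeholder.
SAMPLE_LOG = ("Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP "
              "IP/netmask of 172.29.0.6/255.255.255.252 on interface {GUID} "
              "[DHCP-serv: 172.29.0.5, lease-time: 31536000]")
IFCONFIG_RE = re.compile(r"DHCP IP/netmask of (\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})")


def check_client_log(line: str, configured_tunnel_net: str) -> str:
    """Compare the IP/mask the TAP driver was told with the configured Tunnel
    Network: a /30 inside a wider tunnel network means net30 is in effect."""
    m = IFCONFIG_RE.search(line)
    if not m:
        return "no ifconfig line"
    ip, mask = IPv4Address(m.group(1)), m.group(2)
    got = IPv4Network(f"{ip}/{mask}", strict=False)
    want = IPv4Network(configured_tunnel_net)
    if ip not in want:
        return "outside tunnel network"
    if got.prefixlen == 30 and want.prefixlen < 30:
        return "net30"
    if got.prefixlen == want.prefixlen:
        return "subnet"
    return "unexpected mask"
```

Running check_client_log(SAMPLE_LOG, "172.29.0.0/24") returns "net30", and net30_assignment("172.29.0.0/24", 0) reproduces the .6/.5 pair from the log for the first connected client.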
Cylindric:

                                        @doktornotor:

                                        Please, tick the proper checkbox so that this net30 topology is NOT used.

                                        What screen are you seeing that on? I just get the attached.

                                        Attachment: settings.png

doktornotor (Banned):

                                          @Cylindric:

                                          @doktornotor:

                                          Please, tick the proper checkbox so that this net30 topology is NOT used.

                                          What screen are you seeing that on? I just get the attached.

                                          As already posted elsewhere, this is ONLY available if you set up the interface as TUN. Not with TAP.

Cylindric:

                                            @doktornotor:

                                            As already posted elsewhere, this is ONLY available if you set up the interface as TUN. Not with TAP.

                                            I am on TUN now.

                                            Attachments: ovpn-server.png, ovpn-client.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.