New OpenVPN setup for road-warriors - connected but no routing
-
Something just occurred to me. What version of the OpenVPN client export package are you on? If you go to your packages, is there an update available for it? It's a one-button push to update that. Basically you just press the little pkg button out to the right. Before you export a new TUN adapter (you have to export a new config each time you make a server change, to be safe), please make sure the client export package is the latest one.
-
Doesn't appear to be, I only installed it a few days ago too - I'm on 1.0.11
-
If it's not offering an update there, your version is current. We are on the same thing.
-
Sorry to nit-pick but just checking. When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side. Give the OpenVPN tunnel a separate range.
So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).
No need to push routes or any other madness.
I do provide DNS servers and NTP servers though. Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want google DNS
I also provide a default domain NAME. Just pick a name like tunnel1194 if you only use one server.
-
Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
Tue Jul 30 16:07:21 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun 3 2013
Enter Management Password:
Tue Jul 30 16:07:27 2013 Control Channel Authentication: using 'firewall-udp-1194-mark-tls.key' as a OpenVPN static key file
Tue Jul 30 16:07:27 2013 UDPv4 link local (bound): [undef]
Tue Jul 30 16:07:27 2013 UDPv4 link remote: [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:27 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 30 16:07:29 2013 [MyVPN_Server] Peer Connection Initiated with [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:31 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 30 16:07:31 2013 open_tun, tt->ipv6=0
Tue Jul 30 16:07:31 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{27851D99-6A01-467F-965E-44884FAA8B29}.tap
Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.29.0.6/255.255.255.252 on interface {27851D99-6A01-467F-965E-44884FAA8B29} [DHCP-serv: 172.29.0.5, lease-time: 31536000]
Tue Jul 30 16:07:31 2013 Successful ARP Flush on interface [22] {27851D99-6A01-467F-965E-44884FAA8B29}
Tue Jul 30 16:07:36 2013 Initialization Sequence Completed
-
All firewalls off on the windows box?
-
> Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
I don't understand what you are trying to do there.
> Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
> IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.252
This for sure again looks like a /30.
-
> Sorry to nit-pick but just checking. When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side. Give the OpenVPN tunnel a separate range.
> So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).
> No need to push routes or any other madness.
> I do provide DNS servers and NTP servers though. Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want Google DNS.
> I also provide a default domain NAME. Just pick a name like tunnel1194 if you only use one server.
Nitpick away - whatever it takes :)
My remote test PC is on a 172.29.14.0 subnet with a mask 255.255.255.0; at the moment the IP is 172.29.14.100.
My pfSense LAN subnet is 10.10.0.0 with mask 255.255.255.0, and the IP is 10.10.0.3.
The server "Tunnel Network" is 172.29.0.0/24
The server "Local Network" is 10.10.0.0/24
The client "Tunnel Network" is 172.29.0.0/24
The client "Local Network" is 10.10.0.0/24
The firewall is now disabled on the PC. Not sure what the Virgin SuperHub might be doing though - although as the tunnel is established and I can see that in the pfSense status, I assume any intermediary firewalls just see "traffic", not anything specific.
> This for sure again looks like a /30
I can only assume this is coming from the config in pfSense; I'm not setting that mask anywhere. I have /24 in all configs.
-
> This for sure again looks like a /30
> I can only assume this is coming from the config in pfSense; I'm not setting that mask anywhere. I have /24 in all configs.
Please, tick the proper checkbox so that this net30 topology is NOT used.
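The two checks this thread keeps coming back to (the tunnel range must not overlap either LAN, and a /30 handed to the client means net30 topology is in effect even though the tunnel network is configured as a /24) can be done mechanically. The script below is an added example written for this page, not code from the thread or from pfSense. It assumes the client log line has the "Notified TAP-Windows driver to set a DHCP IP/netmask of A.B.C.D/M.M.M.M" form shown in the posted OpenVPN 2.3 log, and the sample line and networks are constructed from the values posted above.

```python
import ipaddress
import re

# Constructed sample, modelled on the TAP-Windows line in the client log posted
# in this thread (the interface GUID is replaced with a placeholder).
SAMPLE_LOG = (
    "Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP "
    "IP/netmask of 172.29.0.6/255.255.255.252 on interface {GUID} "
    "[DHCP-serv: 172.29.0.5, lease-time: 31536000]"
)

# Assumption: the address/netmask pair always appears in this dotted form.
IFCONFIG_RE = re.compile(
    r"set a DHCP IP/netmask of (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)"
)


def parse_client_ifconfig(log_text):
    """Return the (ip, netmask) the server pushed to the TAP adapter, or None."""
    m = IFCONFIG_RE.search(log_text)
    if not m:
        return None
    return m.group(1), m.group(2)


def detect_topology(ip, netmask, tunnel_net):
    """Classify the pushed address against the configured tunnel network.

    net30  : client got a /30 carved out of a wider tunnel network
             (OpenVPN's default topology for TUN).
    subnet : client got the tunnel network's own mask (topology subnet).
    """
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    tunnel = ipaddress.ip_network(tunnel_net, strict=False)
    if iface.ip not in tunnel:
        return "outside-tunnel"
    if iface.network.prefixlen == 30 and tunnel.prefixlen < 30:
        return "net30"
    if iface.network.prefixlen == tunnel.prefixlen:
        return "subnet"
    return "unknown"


def find_overlaps(named_nets):
    """Return [(name_a, name_b), ...] for every pair of networks that overlap.

    named_nets maps a label (e.g. "tunnel", "server_lan") to a CIDR string.
    """
    nets = [(name, ipaddress.ip_network(cidr, strict=False))
            for name, cidr in named_nets.items()]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                overlaps.append((nets[i][0], nets[j][0]))
    return overlaps


if __name__ == "__main__":
    # Values as posted in the thread: tunnel 172.29.0.0/24, pfSense LAN
    # 10.10.0.0/24, remote test PC on 172.29.14.0/24.
    posted = {"tunnel": "172.29.0.0/24",
              "server_lan": "10.10.0.0/24",
              "client_lan": "172.29.14.0/24"}
    print("overlaps:", find_overlaps(posted) or "none")
    ip, mask = parse_client_ifconfig(SAMPLE_LOG)
    print("client got", ip, mask, "->", detect_topology(ip, mask, posted["tunnel"]))
```

With the posted values the overlap check comes back clean (172.29.0.0/24 and 172.29.14.0/24 are distinct /24s), and the log line classifies as net30: the tunnel is a /24 but the client was handed a /30, which is exactly the symptom being discussed.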
-
> Please, tick the proper checkbox so that this net30 topology is NOT used.
What screen are you seeing that on? I just get the attached.
-
> Please, tick the proper checkbox so that this net30 topology is NOT used.
> What screen are you seeing that on? I just get the attached.
As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.
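For anyone reading this later without the pfSense GUI in front of them, here is what that checkbox changes in the generated OpenVPN server configuration. This is an added example in plain OpenVPN 2.3 syntax, not a config from the thread or from pfSense's generator; the addresses are the ones posted above, and the "Local Network" push is shown for completeness even though pfSense emits it from the server's own field.

```conf
# --- As the posted log shows: net30 (OpenVPN's default topology for TUN) ---
dev tun
proto udp
port 1194
# A /24 tunnel network, but without "topology subnet" each client is
# handed a /30 out of it, e.g. 172.29.0.6/255.255.255.252 with the
# server end at 172.29.0.5. That is the /30 seen in the client log.
server 172.29.0.0 255.255.255.0
push "route 10.10.0.0 255.255.255.0"

# --- What the "net30 not used" checkbox gives you: topology subnet ---
dev tun
proto udp
port 1194
topology subnet
# Now every client gets an address with the tunnel network's own mask,
# e.g. 172.29.0.2/255.255.255.0, and the server is 172.29.0.1.
server 172.29.0.0 255.255.255.0
push "route 10.10.0.0 255.255.255.0"
```

The two blocks are alternatives, not one file; only the "topology subnet" line differs. It must live in the server config (pfSense writes it for you when the option is ticked on a TUN server), which is why the option is absent on a TAP server: topology only applies to TUN.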
-
> As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.
I am on TUN now.
-
Well, then it's not available in 2.0.3. Time to upgrade. :P
-
2.0.3 is the latest I could find. You folks running the 2.1 RC?
-
You can go to 2.1RC
http://snapshots.pfsense.org/
But honestly, this should work fine on 2.0.3. It should be a 5 minute setup from start to finish.
Some basic little thing is broken, and it's possible it's not even anything to do with pfSense.
I'll read your config again.
-
Thanks. Tomorrow I'll probably delete all the settings and start from scratch - I made some wrong turns at the start that may be lingering.
-
OK - This is broken. Why is it set up as peer to peer now?
Server mode (I suggest Remote Access. SSL/TLS)
protocol UDP
device mode TUN
-
You don't need 2.1 to make it work… Problem is peer to peer. You don't want that.
-
This is a bit odd. The server is set to "Remote Access (SSL/TLS + User Auth)", but the client is now set to Peer-to-peer, and the only options available are the two "peer to peer" ones.
-
Recommendation - Delete the server and the client.
Use the wizard and set it up again using TUN from the very beginning.
It sounds like a big deal but should be a few minutes.
I'm sure 2.1 works fine but 2.3 isn't broken either.
You just got a bit twisted around. That's all.