New OpenVPN setup for road-warriors - connected but no routing
-
If it's not offering an update there, your version is current. We are on the same thing.
-
Sorry to nit-pick but just checking. When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side. Give the openvpn tunnel a separate range.
So if client is on a 192.168.1.0/24 and server is on a 178.x.x.x make the tunnel network something like 10.122.20.0/24 (or whatever)
No need to push routes or any other madness.
I do provide DNS servers and NTP servers though. Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want Google DNS
I also provide a default domain NAME. Just pick a name like tunnel1194 if you only use one server.
-
Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
Tue Jul 30 16:07:21 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun 3 2013
Enter Management Password:
Tue Jul 30 16:07:27 2013 Control Channel Authentication: using 'firewall-udp-1194-mark-tls.key' as a OpenVPN static key file
Tue Jul 30 16:07:27 2013 UDPv4 link local (bound): [undef]
Tue Jul 30 16:07:27 2013 UDPv4 link remote: [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:27 2013 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Tue Jul 30 16:07:29 2013 [MyVPN_Server] Peer Connection Initiated with [AF_INET]88.215.3.70:1194
Tue Jul 30 16:07:31 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 30 16:07:31 2013 open_tun, tt->ipv6=0
Tue Jul 30 16:07:31 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{27851D99-6A01-467F-965E-44884FAA8B29}.tap
Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.29.0.6/255.255.255.252 on interface {27851D99-6A01-467F-965E-44884FAA8B29} [DHCP-serv: 172.29.0.5, lease-time: 31536000]
Tue Jul 30 16:07:31 2013 Successful ARP Flush on interface [22] {27851D99-6A01-467F-965E-44884FAA8B29}
Tue Jul 30 16:07:36 2013 Initialization Sequence Completed
-
All firewalls off on the windows box?
-
Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.
I don't understand what you are trying to do there.
Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
This for sure again looks like /30.
-
Sorry to nit-pick but just checking. When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side. Give the openvpn tunnel a separate range.
So if client is on a 192.168.1.0/24 and server is on a 178.x.x.x make the tunnel network something like 10.122.20.0/24 (or whatever)
No need to push routes or any other madness.
I do provide DNS servers and NTP servers though. Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want Google DNS
I also provide a default domain NAME. Just pick a name like tunnel1194 if you only use one server.
Nitpick away - whatever it takes :)
My remote test PC is on a 172.29.14.0 subnet with a mask 255.255.255.0, at the moment the IP is 172.29.14.100
My pfSense LAN subnet is 10.10.0.0 with mask 255.255.255.0, and the IP is 10.10.0.3
The server "Tunnel Network" is 172.29.0.0/24
The server "Local Network" is 10.10.0.0/24
The client "Tunnel Network" is 172.29.0.0/24
The client "Local Network" is 10.10.0.0/24
The firewall is now disabled on the PC. Not sure what the Virgin SuperHub might be doing though - although as the tunnel is established and I can see that in the pfSense status, I assume any intermediary firewalls just see "traffic", not anything specific.
This for sure again looks like /30
I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.
-
This for sure again looks like /30
I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.
Please, tick the proper checkbox so that this net30 topology is NOT used.
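An added example, not posted by anyone in the thread: a Python check of the advice above that the tunnel network must not overlap either LAN, plus the arithmetic behind the 255.255.255.252 mask seen on the TAP adapter when OpenVPN runs in net30 topology with a /24 tunnel network. The network values are the ones quoted in the posts; the function names and LAN labels are illustrative, and the allocation order assumes OpenVPN's default dynamic pool with no per-client overrides.

```python
import ipaddress

# Values quoted in the thread; the labels are illustrative.
TUNNEL = "172.29.0.0/24"
LANS = {"road-warrior LAN": "172.29.14.0/24", "pfSense LAN": "10.10.0.0/24"}


def overlapping_lans(tunnel, lans):
    """Return the labels of LANs whose subnet overlaps the tunnel network."""
    tun = ipaddress.ip_network(tunnel)
    return [name for name, cidr in lans.items()
            if tun.overlaps(ipaddress.ip_network(cidr))]


def net30_client(tunnel, index):
    """Addresses given to the index-th client (0-based) under topology net30.

    The tunnel network is carved into /30 blocks. Block 0 belongs to the
    server (.1/.2). Client n gets block n+1: the second usable address is
    its own, the first is the virtual remote endpoint, which the Windows
    TAP driver reports as its DHCP server.
    """
    blocks = list(ipaddress.ip_network(tunnel).subnets(new_prefix=30))
    if index + 1 >= len(blocks):
        raise ValueError("no /30 block left in the tunnel network")
    block = blocks[index + 1]
    endpoint, local = block.hosts()
    return {"local": str(local), "endpoint": str(endpoint),
            "netmask": str(block.netmask)}


if __name__ == "__main__":
    # The layout from the thread does not collide with either LAN.
    print("overlaps:", overlapping_lans(TUNNEL, LANS))
    # A constructed, wider tunnel network would swallow the remote LAN.
    print("overlaps with /16:", overlapping_lans("172.29.0.0/16", LANS))
    # First client: matches the 172.29.0.6 / 255.255.255.252 in the log.
    print("first client:", net30_client(TUNNEL, 0))
```

The /24 entered in the GUI is the pool the /30 blocks are cut from, so a /30 mask on the client does not by itself indicate a misconfigured tunnel network.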
-
Please, tick the proper checkbox so that this net30 topology is NOT used.
What screen are you seeing that on? I just get the attached.
-
Please, tick the proper checkbox so that this net30 topology is NOT used.
What screen are you seeing that on? I just get the attached.
As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.
-
As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.
I am on TUN now.
-
Well, then it's not available in 2.0.3. Time to upgrade. :P
-
2.0.3 is the latest I could find. You folks running the 2.1 RC?
-
You can go to 2.1RC
http://snapshots.pfsense.org/
But honestly, this should work fine on 2.03. It should be a 5 minute setup from start to finish.
Some basic little thing is broken and it's possible it's not even anything to do with pfsense.
I'll read your config again.
-
Thanks. Tomorrow I'll probably delete all the settings and start from scratch - I made some wrong turns at the start that may be lingering.
-
OK - This is broken. Why is it set up as peer to peer now?
Server mode (I suggest Remote Access. SSL/TLS)
protocol UDP
device mode TUN
-
You don't need 2.1 to make it work… Problem is peer to peer. You don't want that.
-
This is a bit odd. The server is set to "Remote Access (SSL/TLS + User Auth)", but the client is now set to Peer-to-peer, and the only options available are the two "peer to peer" ones.
-
Recommendation - Delete the server and the client.
Use the wizard and set it up again using TUN from the very beginning.
It sounds like a big deal but should be a few minutes.
I'm sure 2.1 works fine but 2.3 isn't broken either.
You just got a bit twisted around. That's all.
-
I'll try it again tomorrow - getting frazzled now :)
Just deleted both configs, used the wizard to setup the server bit (seemed to create a tun setup anyway) but a new client still only allows server mode Peer to Peer.
-
Did you try shooting it with a 12 gauge shotgun? (Teasing)
That's odd. I've never seen anything like that before. It should allow you to configure remote access. That's very basic.
I wonder… Do you have user accounts and certs set up on your pfsense other than Admin? Because you need to. It's required.
If pfsense thinks there are no users and no user certs it might not present you remote access options.
I had assumed these road warriors of yours had limited user accounts installed on pfsense.
You can get away with creating just 1 user and one user cert and allowing multiple concurrent connections by that user, but it's better to set up one user account per "road warrior". You just go into system > user manager and add users, passwords and user certs.
Then you might have much better luck.
-
I do have a user I set up that I've been using for testing, and that's the one I've been using in the OpenVPN client downloader
-
Hang on, do I even need the "client" tab on the OpenVPN config? Going to try a manual approach as per: http://forum.pfsense.org/index.php?topic=22115.0
-
Getting the shotgun ready now. Just recreated everything manually, and no difference. VPN client connects fine, lights go green, routes are created, but nothing is passed.
-
When you want to connect a windows machine to a pfsense for the purposes of tunneling, it's a server client relationship. Not peer to peer. I think just a straight up simple TUN tunnel is the way and those are made with wizard.
-
TUN is what I've been trying :(
I'm going to try it on a different remote computer, in case it's something wonky installed on my PC. Hopefully that's it, although it'll be annoying :)
-
I don't think that's it. While you are doing that, I'm going to get some coffee and try to find why you are not getting anything other than "peer" as options. Because that's not right. Not on pfsense 2.03 for sure.
-
Gah, just installed the Android client on my phone and it seemed to work right off the bat. Going to try a different remote machine.
-
hahahahahahahahahahahahah…. DAMN WINDOWS!!!!!!!
(Still doesn't explain your limited tunnel options to me)
-
Okay, so works on my Android phone and an Ubuntu VM I just spun up, but not on either of my Windows 8 computers. Guess there's something with the OpenVPN client on Windows 8…
-
Windows 8 firewalls?
Was the install run as admin? Beyond that, I can't even imagine what.
-
Well I'll be… Once I worked out it's a Windows 8 + OpenVPN problem, I had something to Google, and came upon this post by Luis Silva.
You have to start the Network Connections service, which is normally set to "Manual", and only runs when the "network connections" dialog is open. Start that service, and the VPN client works!!
-
Thank you for helping me with this problem. I have learned something useful…
(True statement - Although, wasn't it supposed to be the other way around!)
Windows 8myopenvpn....
-
I'd suggest a new thread on Windows 8myopenvpn…. actually.
-
You have to start the Network Connections service, which is normally set to "Manual", and only runs when the "network connections" dialog is open. Start that service, and the VPN client works!!
You know, having huge blinking tiles everywhere is so much more important than network connectivity…
-
I'd suggest a new thread on Windows 8myopenvpn…. actually.
You mean here? I'm happy to write a quick post specifically for Windows 8 to help people find this info :)
-
Windows 8 looks like something designed for either the vision impaired or for exclusive use of kindergarteners or both.
But yeah, I suspect this solution will be something lots of people who moved beyond windows 7 will need to know.
-
I think you should write it up and maybe it will get "stickied" if something like it doesn't already exist or a fix isn't already in the works.
I don't use windows 8 or 7 or Vista… Or ME or... But I digress.
-
Gah, just installed the Android client on my phone and it seemed to work right off the bat. Going to try a different remote machine.
What app and settings were used for it to make it work? Do you mind sharing the pfsense rules that allow traffic to cross through the VPN? I've been reading your very good troubleshooting logic and I believe I am almost there. Thanks
-
Not to beat a dead horse, but has anyone run into this with windows 7? I have three machines that I am trying to use and all are getting this same thing… Network connections are started on all...
It's the exact same symptoms though, connection just fine, but once connected I can only ping out to the firewall. No network access.
-
I know it's an older thread but I wanted to throw out two things that helped me. We have a CARP setup so two routers.
-
router2 couldn't ping the OpenVPN-LAN subnet. Routes looked fine. Solution: reboot router2.
-
When testing, router1 worked fine. Router2 connected and I could ping the router but not further. Solution: devices on the LAN are set to the CARP alias IP as their gateway, so the VPN through router2 will only work if CARP failover is in effect so that IP is shifted to router2.
-