Netgate Discussion Forum
    PfSense OpenVPN Server and Tomato OpenVPN Client

    37 Posts 7 Posters 18.7k Views
      kejianshi

      I take it back - I don't have that topology option either.  Not sure what I was thinking earlier.
      I have two of those but not the topology one.

        kejianshi

        Did you set up rules on the firewall to allow/pass Openvpn to anywhere?

          doktornotor

          @kejianshi:

          I take it back - I don't have that topology option either.  Not sure what I was thinking earlier.
          I have two of those but not the topology one.

          Important note: You MUST use device type tun, NOT tap. Otherwise the option is just not there. (Read the OVPN docs for details.)

            kejianshi

            Yeah - I definitely thought I saw that option before and now I definitely know I don't in my 2.03 
            I'm looking at my TUN tunnels that are up and working.  Odd.  I must have been mistaken.

              elkosupertech

              As far as I can tell, OpenVPN's settings on the Firewall are set to allow all.

                jimp (Rebel Alliance Developer, Netgate)

                The last time I had to config Tomato as a client it had a quirk where, for whatever reason, I had to add this to the Tomato client config:

                
                keepalive 10 60
                ping-timer-rem
                

                And then it started connecting and working as expected.

                Other than that it was a fairly standard static key config, nothing too special.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  elkosupertech

                  I have entered this on the Tomato side and still no joy.  Any other suggestions?

                  DJ

                    doktornotor

                    Get in touch with Tomato guys… DD-WRT had OpenVPN buggy as hell more often than not, I doubt it's any better with Tomato.

                      kejianshi

                      When pfSense is connected to something else and it's broken, I get the feeling that people don't come here because they feel it's a pfSense issue.  I think they come here because no one will answer their questions in other places.  haha.

                        jimp (Rebel Alliance Developer, Netgate)

                        OpenVPN is pretty standard, despite quirks from the router firmware involved.

                        Given that things have changed from the start to now, it might help to know exactly what settings are in use on both sides as it is right now.

                          elkosupertech

                          Here are the configs I have currently:

                          pfSense:
                          OpenVPN: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo3MGM3ZWZmNGIzNGI0YzNi
                          Client Specific Override: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDozOGVlMjZjZDU0OGFjZWEw

                          Tomato
                          Basic: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo0OGQ0N2YxNzY5M2M1NjY3
                          Advanced: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo1OWRjM2M3YmVjYjI0MTU1

                          If you need more please let me know.  Thank you for all your help!

                          DJ

                          P.S. This Tomato router used to connect up with an Astaro Security appliance before they changed their licensing on it so I know that side works.  The only change I did with tomato was change the Keys for the new server.

                            jimp (Rebel Alliance Developer, Netgate)

                            The client basic config for Tomato links to the pfSense config.

                              elkosupertech

                              I edited the links, but just in case https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo0OGQ0N2YxNzY5M2M1NjY3

                              Thanks again!

                              DJ

                                jimp (Rebel Alliance Developer, Netgate)

                                Why do you have it on Remote Access SSL/TLS and not Peer to Peer SSL/TLS?

                                  jimp (Rebel Alliance Developer, Netgate)

                                  I would move it to Peer-to-Peer SSL/TLS, kill the user auth.

                                  Other than the user+pass auth, I don't see anything odd about it from the settings.

                                  We'd need to see the OpenVPN logs from both sides to say much more.

                                    elkosupertech

                                    Well, according to the instructions I used (very first post), that was the recommended way.  I am open to changing any of the settings I have.  Also, I have stated that I can get it to work (one way) by turning on NAT on the Tomato side so that network then communicates through that way.

                                    DJ

                                      elkosupertech

                                      Change made.  And still same issue.  Here are the logs from Tomato:

                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.1,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: timers and/or timeouts modified
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: --ifconfig/up options modified
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: route options modified
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP device tun11 opened
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP TX queue length set to 100
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 172.18.0.1 netmask 255.255.255.255 gw 172.18.0.5
                                      Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: Initialization Sequence Completed
                                      Aug  2 10:40:38 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:38 2013
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: Auth read bytes,0
                                      Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: END
                                      Aug  2 10:40:42 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:42 2013
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: Auth read bytes,0
                                      Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: END
                                      Aug  2 10:40:59 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:59 2013
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,3060
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6659
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,8205
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: Auth read bytes,32
                                      Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: END
                                      Aug  2 10:41:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…
                                      Aug  2 10:41:50 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:41:50 2013
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,6883
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,7004
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,12925
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: Auth read bytes,112
                                      Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: END
                                      Aug  2 10:42:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…

                                      and from pfSense:
                                      Aug 2 10:38:28 openvpn[567]: event_wait : Interrupted system call (code=4)
                                      Aug 2 10:38:29 openvpn[567]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
                                      Aug 2 10:38:29 openvpn[567]: SIGTERM[hard,] received, process exiting
                                      Aug 2 10:38:29 openvpn[26832]: OpenVPN 2.2.2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
                                      Aug 2 10:38:29 openvpn[26832]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                      Aug 2 10:38:29 openvpn[26832]: TUN/TAP device /dev/tun1 opened
                                      Aug 2 10:38:29 openvpn[26832]: /sbin/ifconfig ovpns1 172.18.0.1 172.18.0.2 mtu 1500 netmask 255.255.255.255 up
                                      Aug 2 10:38:29 openvpn[26832]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
                                      Aug 2 10:38:29 openvpn[28114]: UDPv4 link local (bound): 204.28.248.153:1195
                                      Aug 2 10:38:29 openvpn[28114]: UDPv4 link remote: [undef]
                                      Aug 2 10:38:29 openvpn[28114]: Initialization Sequence Completed
                                      Aug 2 10:38:29 openvpn[28114]: IPv6 in tun mode is not supported in OpenVPN 2.2
                                      Aug 2 10:39:23 openvpn[28114]: 74.34.62.30:48938 Re-using SSL/TLS context
                                      Aug 2 10:39:26 openvpn[28114]: 74.34.62.30:48938 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:48938
                                      Aug 2 10:40:05 openvpn[28114]: 74.34.62.30:64452 Re-using SSL/TLS context
                                      Aug 2 10:40:07 openvpn[28114]: 74.34.62.30:64452 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:64452
                                      Aug 2 10:40:28 openvpn[28114]: 74.34.62.30:41811 Re-using SSL/TLS context
                                      Aug 2 10:40:31 openvpn[28114]: 74.34.62.30:41811 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:41811

                                        elkosupertech

                                        Was that all the logs needed?  Please let me know.

                                          elkosupertech

                                          I've been trying to figure out a solution to my problem, and it seems to me that it thinks the gateway is on 172.18.0.5 but it sees the Tomato client on 172.18.0.6.  Even stranger is that its routing table shows that, to access the network behind Tomato, it should go to 172.18.0.2.  Is there a reason that pfSense is so confused?

                                            jimp (Rebel Alliance Developer, Netgate)

                                            That is not pfSense, it's OpenVPN. And that is normal.

                                            For example, here is one site-to-site tunnel I have using SSL/TLS setup for multiple clients (some bits snipped):

                                            ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                                    inet 192.168.239.1 --> 192.168.239.2 netmask 0xffffffff
                                            ...
                                            192.168.a.0/24     192.168.239.2      UGS         0   685847 ovpns1
                                            192.168.b.0/24     192.168.239.2      UGS         0        0 ovpns1
                                            192.168.239.0/24   192.168.239.2      UGS         0        0 ovpns1
                                            192.168.239.2      link#10            UH          0        0 ovpns1

                                            And on the client side:

                                            ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                                    inet 192.168.239.6 --> 192.168.239.5 netmask 0xffffffff
                                            ...
                                            192.168.z.0/24     192.168.239.5      UGS         0        0 ovpnc1
                                            192.168.y.0/24     192.168.239.5      UGS         0    14557 ovpnc1
                                            192.168.x.0/24     192.168.239.5      UGS         0        0 ovpnc1
                                            192.168.239.0/24   192.168.239.5      UGS         0        0 ovpnc1
                                            192.168.239.5      link#13            UH          0        0 ovpnc1

                                            OpenVPN assigns addresses that way. Some exposed to the OS on the server side, others internal to OpenVPN on the server side. That is all completely normal for an SSL/TLS multi-site setup. The iroutes in OpenVPN client-specific overrides tell it which subnets are reachable via specific certificates.

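jimp's answer above explains why the two ends report different "gateways". As an added illustration (not code from this thread, nor from pfSense or Tomato), the Python below walks the net30 layout: it parses the PUSH_REPLY line quoted from the Tomato log, checks that the pushed ifconfig pair is a valid net30 lease, and reports which next hop each side uses for the remote subnets. The tunnel network 172.18.0.0/24 is an assumption, since the thread only shows its first /30.

```python
import ipaddress

# Constructed sample input: the PUSH_REPLY control message copied from the
# Tomato log quoted earlier in this thread.
PUSH_REPLY = ("PUSH_REPLY,route 10.1.0.0 255.255.255.0,"
              "route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,"
              "route 172.18.0.1,topology net30,ping 10,ping-restart 60,"
              "ifconfig 172.18.0.6 172.18.0.5")
# Assumption: the pfSense tunnel network is 172.18.0.0/24; the thread only
# shows its first /30 (172.18.0.1 <-> 172.18.0.2 on ovpns1).
TUNNEL_NET = "172.18.0.0/24"

def net30_pair(tunnel_net, index):
    """(low, high) usable addresses of the index-th /30 carved from tunnel_net.

    net30 gives one /30 per endpoint: /30 number 0 is the server's own pair
    (.1 server, .2 its virtual remote on the OS side); client N gets /30 number
    N, takes the high address and sees the low one as its point-to-point peer.
    """
    net = ipaddress.ip_network(tunnel_net)
    sub = list(net.subnets(new_prefix=30))[index]
    low, high = list(sub.hosts())          # a /30 has exactly two usable hosts
    return str(low), str(high)

def parse_push_reply(line):
    """Split a PUSH_REPLY message into its routes, ifconfig pair and topology."""
    if not line.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY message")
    opts = {"route": [], "ifconfig": None, "topology": None}
    for item in line.split(",")[1:]:
        parts = item.split()
        if parts[0] == "route":
            # a bare 'route a.b.c.d' is a host route: the netmask defaults to /32
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            opts["route"].append(str(ipaddress.ip_network(f"{parts[1]}/{mask}")))
        elif parts[0] == "ifconfig":
            opts["ifconfig"] = (parts[1], parts[2])
        elif parts[0] == "topology":
            opts["topology"] = parts[1]
    return opts

def check_client_lease(tunnel_net, ifconfig):
    """Index of the /30 behind a pushed 'ifconfig local peer' pair; raises
    ValueError when the pair does not fit net30 (what a topology mismatch
    between server and client looks like)."""
    local, peer = ifconfig
    net = ipaddress.ip_network(tunnel_net)
    for index, sub in enumerate(net.subnets(new_prefix=30)):
        if ipaddress.ip_address(local) in sub:
            if (str(sub[1]), str(sub[2])) != (peer, local):
                raise ValueError(f"{local}/{peer} is not a net30 pair in {sub}")
            return index
    raise ValueError(f"{local} is outside {tunnel_net}")

def both_views(tunnel_net, push_reply):
    """Next hop each side uses for the remote subnets; they differ by design."""
    opts = parse_push_reply(push_reply)
    index = check_client_lease(tunnel_net, opts["ifconfig"])
    _server, server_remote = net30_pair(tunnel_net, 0)
    client_peer, _client = net30_pair(tunnel_net, index)
    return {"server_next_hop": server_remote,  # pfSense OS routes via its own .2
            "client_next_hop": client_peer,    # Tomato routes via its own .5
            "client_index": index,
            "pushed_routes": opts["route"]}
```

Running both_views(TUNNEL_NET, PUSH_REPLY) reproduces the thread's numbers: the server routes via 172.18.0.2 while the client routes via 172.18.0.5, and the pair .6/.5 is the first client lease, not an error.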