Pfsense 2.1 Wan in DSL DMZ for OpenVPN server only
-
This is the error message I just got
Sun Sep 22 00:27:31 2013 [b2b.pf.trickhosting.biz] Peer Connection Initiated with [AF_INET]67.140.246.1:1194
Sun Sep 22 00:27:33 2013 RESOLVE: Cannot parse IP address: 255
Sun Sep 22 00:27:33 2013 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.254.0
Sun Sep 22 00:27:33 2013 TUN/TAP device tun0 opened
Sun Sep 22 00:27:33 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep 22 00:27:33 2013 /sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
SIOCADDRT: File exists
Sun Sep 22 00:27:33 2013 ERROR: Linux route add command failed: external program exited with error status: 7
Sun Sep 22 00:27:33 2013 Initialization Sequence Completed
-
How are you running the openvpn script?
Also, what EXACTLY did you put in the script? Please show me.
-
sudo openvpn location to config
Here is the kernel route when connected
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         pfs2.h.trickhos 0.0.0.0         UG    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     1      0        0 eth1
192.168.254.0   10.0.0.1        255.255.255.0   UG    0      0        0 tun0
Client Config
dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote 67.140.246.1 1194 udp
route 192.168.254.0 255 255 255.0
tls-remote b2b.pf.trickhosting.biz
auth-user-pass
pkcs12 /etc/openvpn/b2b.pf-udp-1194-mmidgett.p12
tls-auth /etc/openvpn/b2b.pf-udp-1194-mmidgett-tls.key 1
ns-cert-type server
comp-lzo
-
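Added example, not code from the thread or from pfSense/OpenVPN: a small Python check that validates every `route` directive in an OpenVPN client config (syntax `route network [netmask [gateway [metric]]]`), run over a constructed copy of the posted config. The log above reports "RESOLVE: Cannot parse IP address: 255", and the posted route line has its netmask typed as "255 255 255.0"; a check like this catches that before the client ever tries to connect. The sample config and the helper names are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed sample: the thread's client config, with the "route"
# line exactly as posted (netmask broken up by spaces).
SAMPLE_CONFIG = """\
dev tun
client
remote 67.140.246.1 1194 udp
route 192.168.254.0 255 255 255.0
tls-remote b2b.pf.trickhosting.biz
comp-lzo
"""

# Symbolic gateways OpenVPN accepts in place of an address.
GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway", "remote_host"}

def check_route(lineno: int, args: List[str]) -> Optional[str]:
    """Validate one 'route' directive; return the first problem or None."""
    if not 1 <= len(args) <= 4:
        return f"line {lineno}: route expects 1-4 arguments, got {len(args)}"
    try:
        ipaddress.IPv4Address(args[0])
    except ValueError:
        return f"line {lineno}: network {args[0]!r} is not an IPv4 address"
    if len(args) >= 2 and args[1] != "default":
        try:
            ipaddress.IPv4Network((args[0], args[1]), strict=False)
        except ValueError:
            return f"line {lineno}: netmask {args[1]!r} is not a valid netmask"
    if len(args) >= 3 and args[2] not in GATEWAY_KEYWORDS:
        try:
            ipaddress.IPv4Address(args[2])
        except ValueError:
            return f"line {lineno}: gateway {args[2]!r} is not an address or keyword"
    if len(args) == 4 and not args[3].isdigit():
        return f"line {lineno}: metric {args[3]!r} must be an integer"
    return None

def lint_config(text: str) -> List[str]:
    """Return a problem string for every malformed 'route' line in a config."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip OpenVPN-style comments ('#' or ';') and blank lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        words = line.split()
        if words and words[0] == "route":
            problem = check_route(lineno, words[1:])
            if problem:
                problems.append(problem)
    return problems

if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print(problem)
```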
I also don't run the client to client.
I run remote access user auth (This tunnel is only for ubuntu because its PITA)
local DB
UDP
TUN
WAN interface
port (pick one)
TLS authentication of TLS packets
IPV4 Tunnel network 10.1.20/24 (pick one)
redirect gateway - force all traffic
compression checked
type of service checked
inter-client comms allowed checked
Duplicate connects checked
dynamic IP checked
Address Pool Checked
DNS Default Domain (I give it one like myvpntunnel)
DNS Servers - use 8.8.8.8 if you like
Then I export the OpenVPN Connect (iOS/Android) inline config
I insert the line I told you about earlier
then I execute the file as sudo openvpn --config '/home/minimint/Downloads/udp1199client/1199udpclient.ovpn'
Enter your own path to file.
(If that doesn't do it, you have bigger problems than I had)
-
Still doesn't work... Even as a last resort I tried Windows Vista...
Both systems connect and I can reach the LAN IP of the pfSense but not any of the clients.
Remember that the WAN and the LAN are on the same subnet, with the WAN being in the DMZ of the DSL modem.
Something is funky
-
Do you have an allow RULE on openvpn? Have any blocking rules?
-
No blocking rules and the OpenVpn rules are all allow.
-
Well… I felt really useful for a few minutes... Then not so much ;D
-
As a last resort I can leave the WAN in the DMZ of the DSL router, change the LAN subnet to something else, and move all wired devices inside the LAN. I can then just do an allow rule for the 3 wireless clients from the WAN to the LAN, and/or I could use OpenVPN the way it's supposed to be used from those wireless clients to reach the LAN.
All this seems like a big hassle... I have done this once with openvpn+linux+bridge ports with a single NIC while my wife was in labor. Heck, I did it remotely using LogMeIn to get a Windows desktop inside to set up the port forwarding for openvpn on port 80 since the hospital blocked everything but standard web traffic.
-
BTW - Why did you put the WAN and the LAN on the same subnet?
Since I'd never do that, I feel this must be the issue - I'm not sure what having the WAN in the DMZ and the LAN on the same subnet will do to a network as far as openvpn is concerned. So far, it seems like nothing good.
-
Well… I felt really useful for a few minutes... Then not so much ;D
It was worth a try!! I've enjoyed the help.
I'm trying to avoid driving to the client's location to change IPs and rewire things. I can do this with a default Linux install, and I just had this PF server sitting there waiting for the DSL contract to expire so they can switch to cable and do things the right way. Modem > WAN pfSense | LAN > switch ... WAPs and clients...
-
I like the plan you mentioned earlier of simplifying things. I think as far as the openvpn setup goes, you are doing it right.
-
What about this
Put the VPN server on the LAN interface... block all but ports 1194 and 22.
Remove the DMZ and just port forward 1194 from the modem to the LAN IP?
I can put a bogus IP on the WAN since it doesn't need to do anything.
-
I say try it…
-
I just ended up blocking myself... it didn't work.
I just moved the LAN to subnet 192.168.253.0/24 and I will go there on tomorrow and rewire the switches and add default openvpn for the wireless clients and have OpenVPN just run at startup for them to give them access to the LAN
From what should have taken 1 hour to complete I have been messing with this for 3 days to save a 10min drive and a couple of onsite hours.
-
Sounds painful. Sorry you got locked out.
-
I've got pfsense running with openvpn and various devices like ubuntu laptops & android phones vpn'ing in no problem at all with all subsequent client traffic routed through pfsense which is what I want.
I used this guide.
http://www.apollon-domain.co.uk/?p=433
In Ubuntu (12.04) I've added the client info as per the pfSense zip file, but in Ubuntu there is an option to add a private key password which I found did nothing, but you do have to enter something otherwise you can't save the settings in the network VPN GUI.
Maybe you'll get some mileage with the link?
-
I wouldn't use gopenvpn. Issuing the command works best when you want to be able to start and stop on demand.
If you wanted an auto-start service, just putting the config in the /etc/openvpn folder and issuing command to start service handles things fine.
His problem isn't starting openvpn - that's fine. His issue is the way the network is configured.
-
Yes, I was using a system designed to be a firewall for something that it's not supposed to be doing. I'm fully up on how to use and launch openvpn. I have many other systems, from Site to Site and Road Warrior setups, that work just fine.
I just moved the LAN to subnet 192.168.253.0/24 and I will go there on tomorrow and rewire the switches and add default openvpn for the wireless clients and have OpenVPN just run at startup for them to give them access to the LAN
Boom, working like it's supposed to.
Topic can be closed
-
Boom - Glad to hear it 8)