Windows 7 OpenVPN client can't reach the LAN
-
Hi,
I've been reading around this issue all day long, but finally I have to admit I'm stumped.
The VPN client is correctly configured by DHCP - e.g. client IP 10.12.43.2; gateway IP 10.12.43.1.
IPv4 Address. . . . . . . . . . . : 10.12.43.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
The default gateway is being configured (correctly, I think) as 10.12.43.1, for 10.12.0.0/16:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.254  192.168.254.241      20
          0.0.0.0        128.0.0.0       10.12.43.1       10.12.43.2      31
        10.12.0.0      255.255.0.0       10.12.43.1       10.12.43.2      31
       10.12.43.0    255.255.255.0          On-link       10.12.43.2     286
       10.12.43.2  255.255.255.255          On-link       10.12.43.2     286
     10.12.43.255  255.255.255.255          On-link       10.12.43.2     286
(192.x is obviously the client's normal LAN prior to the VPN connection)
pfSense and the client can ping each other on the 10.12.43.1/10.12.43.2 addresses. The firewall rules look okay on pfSense (very permissive OpenVPN and LAN networks).
I've stuffed everything I can find in the client config: ;)
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.mycompany.co.uk 1194 udp
verify-x509-name "My Gateway" name
auth-user-pass
ca my-gateway-udp-1194-ca.crt
tls-auth my-gateway-udp-1194-tls.key 1
ns-cert-type server
comp-lzo
redirect-gateway
pull
verb 3
# don't terminate service process on wrong password, ask again
auth-retry interact
# open management channel
management 127.0.0.1 166
# wait for management to explicitly start connection
management-hold
# query management channel for user/pass
management-query-passwords
# disconnect VPN when management program connection is closed
management-signal
# forget password when management disconnects
management-forget-disconnect
route-method exe
route-delay 2
I cannot ping anything else on the LAN from the OpenVPN client. There's a bit in the server log, but I'm not sure whether it's relevant:
Nov 19 16:51:12 openvpn[12663]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
Nov 19 16:51:13 openvpn[12663]: SIGTERM[hard,] received, process exiting
Nov 19 16:51:13 openvpn[34950]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Nov 19 16:51:13 openvpn[34950]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Nov 19 16:51:13 openvpn[34950]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 16:51:13 openvpn[34950]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Nov 19 16:51:13 openvpn[34950]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Nov 19 16:51:13 openvpn[34950]: TUN/TAP device ovpns1 exists previously, keep at program end
Nov 19 16:51:13 openvpn[34950]: TUN/TAP device /dev/tun1 opened
Nov 19 16:51:13 openvpn[34950]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Nov 19 16:51:13 openvpn[34950]: /sbin/ifconfig ovpns1 10.12.43.1 10.12.43.1 mtu 1500 netmask 255.255.255.0 up
Nov 19 16:51:13 openvpn[34950]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
Nov 19 16:51:14 openvpn[36283]: UDPv4 link local (bound): [AF_INET]a.b.c.d:1194
Nov 19 16:51:14 openvpn[36283]: UDPv4 link remote: [undef]
Nov 19 16:51:14 openvpn[36283]: Initialization Sequence Completed
Nov 19 16:52:08 openvpn: user 'rob.pomeroy' authenticated
Nov 19 16:52:08 openvpn[36283]: e.f.g.h:49386 [rob.pomeroy] Peer Connection Initiated with [AF_INET]e.f.g.h:49386
Nov 19 16:52:08 openvpn[36283]: rob.pomeroy/e.f.g.h:49386 MULTI_sva: pool returned IPv4=10.12.43.2, IPv6=(Not enabled)
Nov 19 16:52:11 openvpn[36283]: rob.pomeroy/e.f.g.h:49386 send_push_reply(): safe_cap=940
Clients are authenticating against Active Directory.
Sorry this is such a mammoth first post - but any ideas?
Thanks,
Rob
-
Did you run the OpenVPN client as administrator on Windows 7? (right-click, run as administrator). Otherwise the route won't get added properly (although on the screenshot it looks fine)
-
All you posted looks fine to me.
Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface.
-
All you posted looks fine to me.
Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface.
Automatic outbound NAT is switched on. No other mappings.
-
Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?
And is this firewall rule on the OpenVPN interface sufficient?
Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
IPv4   *       *     *            *     *        *      none      OpenVPN My company VPN wizard
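An added example, not code from this thread or from pfSense, that works through the two questions above in Python: which entry of the posted Windows route table carries a given LAN destination, and whether the tunnel subnet overlaps a LAN it is supposed to reach. The route rows are transcribed from the first post's `route print` output (the rows the post does not show are omitted); the LAN prefixes are the ones pushed by the server.

```python
import ipaddress

# Route entries transcribed from the Windows 7 `route print` output above:
# (destination, netmask, gateway, interface, metric). Rows the post does
# not show are left out, so this is a partial table.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.254.254", "192.168.254.241", 20),
    ("0.0.0.0", "128.0.0.0", "10.12.43.1", "10.12.43.2", 31),
    ("10.12.0.0", "255.255.0.0", "10.12.43.1", "10.12.43.2", 31),
    ("10.12.43.0", "255.255.255.0", "On-link", "10.12.43.2", 286),
]


def best_route(dest, routes=ROUTES):
    """Longest-prefix match with the metric as tie-breaker, as Windows does.

    Returns (network, gateway) or None when no entry covers `dest`."""
    ip = ipaddress.ip_address(dest)
    candidates = []
    for net, mask, gw, _iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ip in network:
            candidates.append((network.prefixlen, -metric, network, gw))
    if not candidates:
        return None
    _, _, network, gw = max(candidates)
    return str(network), gw


def overlapping(tunnel, *lans):
    """Return the LAN prefixes that overlap the VPN tunnel subnet.

    When the tunnel subnet lies inside a LAN prefix, hosts on that LAN treat
    the VPN client's address as on-link and ARP for it instead of sending
    replies back via the firewall, so the tunnel never sees return traffic."""
    t = ipaddress.ip_network(tunnel)
    return [lan for lan in lans if t.overlaps(ipaddress.ip_network(lan))]
```

With the original 10.12.43.0/24 tunnel the overlap check reports 10.12.0.0/16; with the 192.168.20.0/24 tunnel chosen later in the thread it reports nothing.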
-
@Rob:
Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?
Switched the VPN tunnel net to 192.168.20.0/24. Still nothing travels into the LAN. :-\ I've temporarily disabled the firewall on the client. Doesn't help though.
-
Does this entry in the log shed any light on the problem?
Nov 20 10:30:08 openvpn[36283]: rob.pomeroy/e.f.g.h:49386 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #95045 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
-
Post your server1.conf.
-
Okay:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local a.b.c.d
tls-server
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
client-cert-not-required
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 50
push "route 10.12.0.0 255.255.0.0"
push "route 192.168.3.0 255.255.255.0"
push "dhcp-option DOMAIN mycompany.local"
push "dhcp-option DNS 10.12.20.6"
push "dhcp-option DNS 10.12.20.7"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option NTP 10.12.20.6"
push "dhcp-option NTP 10.12.20.7"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet
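An added example, not from this thread or from pfSense, that parses a server config of this shape and lists what a reviewer would ask about: the options the server log already warns on, the routing overlap discussed earlier, and the DH parameter size. The excerpt is transcribed from the server1.conf above; inferring the DH size from pfSense's file name is an assumption, not a parse of the parameter file.

```python
import ipaddress
import re

# Excerpt of the server1.conf posted above, constructed inline so it runs offline.
SERVER_CONF = """\
script-security 3
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
client-cert-not-required
username-as-common-name
push "route 10.12.0.0 255.255.0.0"
push "route 192.168.3.0 255.255.255.0"
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
topology subnet
"""


def parse_conf(text):
    """Map each directive to the list of its argument strings (push repeats)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, rest = line.partition(" ")
            conf.setdefault(key, []).append(rest.strip().strip('"'))
    return conf


def audit(conf):
    """Return the findings a reviewer would raise; empty means nothing stood out."""
    findings = []
    if "client-cert-not-required" in conf:
        findings.append("client-cert-not-required: the password is the only "
                        "client credential, no certificate is checked")
    # DH size inferred from the file name (assumption), not read from the file.
    m = re.search(r"(\d+)$", conf.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh: {m.group(1)}-bit parameters are below current practice")
    if int(conf.get("script-security", ["1"])[0]) >= 2:
        findings.append("script-security >= 2: the config may run external scripts")
    if "duplicate-cn" in conf and "client-config-dir" in conf:
        findings.append("duplicate-cn with client-config-dir (see the server log warning)")
    # Routing: the tunnel subnet must not sit inside a pushed LAN route.
    tunnel = ipaddress.ip_network("/".join(conf["server"][0].split()))
    for arg in conf.get("push", []):
        if arg.startswith("route "):
            lan = ipaddress.ip_network("/".join(arg.split()[1:]))
            if tunnel.overlaps(lan):
                findings.append(f"tunnel {tunnel} overlaps pushed route {lan}")
    return findings
```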
-
Do the clients on the LAN allow pings from the OpenVPN network? Try turning off the firewall on those clients temporarily.
-
Export a new config and install it on the client-side.
Post new exported client config.
Post pfSense routing table.
Post client routing table once connected with new config.
-
Thanks for your input.
The quantity of issues I'm having with pfSense is rising. Now I'm getting failures on attempting to log in:
Warning: session_start(): open(/var/tmp//sess_1e36ef0d17d9b13cdeb3d59c25e8e0ab, O_RDWR) failed: No space left on device (28) in /etc/inc/auth.inc on line 1357
There's plenty of space, so I'm going to guess there's some filesystem-level corruption of some kind, in which case all bets are off. Sigh. Time to reinstall.
-
Completely reinstalled pfSense and what do you know? It's working.
Hypotheses:
- Corruption of original installation and/or
- Using older version of OpenVPN Client Export package and/or
- Some other installed package caused a problem (have installed this fairly lean on this occasion).
Thanks to all for your help. I'm going to snapshot this virtual machine while it's working!!!
-