Netgate Discussion Forum

    Windows 7 OpenVPN client can't reach the LAN

      georgeman

      All you posted looks fine for me.

      Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface

      If it ain't broke, you haven't tampered enough with it

        Rob Pomeroy

        @georgeman:

        All you posted looks fine for me.

        Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface

        Automatic outbound NAT is switched on. No other mappings.

          Rob Pomeroy

          Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?

          And is this firewall rule on the OpenVPN interface sufficient?

          Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
          IPv4   *       *     *            *     *        *      none      OpenVPN My company VPN wizard
          
            Rob Pomeroy

            @Rob:

            Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?

            Switched the VPN tunnel net to 192.168.20.0/24.  Still nothing travels into the LAN.  :-\  I've temporarily disabled the firewall on the client.  Doesn't help though.

              Rob Pomeroy

              Does this entry in the log shed any light on the problem?

              Nov 20 10:30:08	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #95045 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
              
                marvosa

                Post your server1.conf.

                  Rob Pomeroy

                  Okay:

                  dev ovpns1
                  dev-type tun
                  tun-ipv6
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  client-connect /usr/local/sbin/openvpn.attributes.sh
                  client-disconnect /usr/local/sbin/openvpn.attributes.sh
                  local a.b.c.d
                  tls-server
                  server 192.168.20.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  client-cert-not-required
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  max-clients 50
                  push "route 10.12.0.0 255.255.0.0"
                  push "route 192.168.3.0 255.255.255.0"
                  push "dhcp-option DOMAIN mycompany.local"
                  push "dhcp-option DNS 10.12.20.6"
                  push "dhcp-option DNS 10.12.20.7"
                  push "dhcp-option DNS 8.8.8.8"
                  push "dhcp-option DNS 8.8.4.4"
                  push "dhcp-option NTP 10.12.20.6"
                  push "dhcp-option NTP 10.12.20.7"
                  ca /var/etc/openvpn/server1.ca 
                  cert /var/etc/openvpn/server1.cert 
                  key /var/etc/openvpn/server1.key 
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server1.tls-auth 0
                  comp-lzo
                  persist-remote-ip
                  float
                  topology subnet
                  
                  
                  1 Reply Last reply Reply Quote 0
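
A check for the overlap asked about earlier in the thread (a tunnel network that sits inside a pushed LAN route), run against the `server` and `push "route ..."` lines of the config posted above. This is an added example, not part of the original posts: the function names are hypothetical, the second sample swaps in the 10.12.43.0/24 tunnel mentioned earlier, and pushed routes are assumed to carry an explicit netmask.

```python
import ipaddress
import re

SERVER_RE = re.compile(r'^\s*server\s+([\d.]+)\s+([\d.]+)')
PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+([\d.]+)\s+([\d.]+)"')

# Constructed samples: directives copied from the posted server1.conf, and the
# same routes with the earlier 10.12.43.0/24 tunnel network.
CONF_POSTED = '''
server 192.168.20.0 255.255.255.0
push "route 10.12.0.0 255.255.0.0"
push "route 192.168.3.0 255.255.255.0"
'''
CONF_EARLIER = CONF_POSTED.replace("192.168.20.0", "10.12.43.0")


def parse_networks(conf_text):
    """Return (tunnel_network, pushed_routes) from OpenVPN server config text."""
    tunnel, routes = None, []
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out directive
        m = SERVER_RE.match(line)
        if m:
            # ip_network() is strict by default: host bits set raise ValueError
            tunnel = ipaddress.ip_network("/".join(m.groups()))
            continue
        m = PUSH_ROUTE_RE.match(line)
        if m:
            routes.append(ipaddress.ip_network("/".join(m.groups())))
    return tunnel, routes


def overlapping_routes(conf_text):
    """List pushed routes whose address range overlaps the tunnel network."""
    tunnel, routes = parse_networks(conf_text)
    if tunnel is None:
        raise ValueError("no 'server' directive found")
    return [str(r) for r in routes if r.overlaps(tunnel)]


if __name__ == "__main__":
    for name, conf in (("posted", CONF_POSTED), ("earlier", CONF_EARLIER)):
        print(name, overlapping_routes(conf) or "no overlap")
```
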
                    Nachtfalke

                    Do the clients on the LAN allow pings from the OpenVPN network? Try to turn off firewall on the clients temporarily.

                      marvosa

                      Export a new config and install it on the client-side.

                      Post new exported client config.

                      Post pfSense routing table.

                      Post client routing table once connected with new config.

                        Rob Pomeroy

                        Thanks for your input.

                        The quantity of issues I'm having with pfSense is rising. Now I'm getting failures on attempting to log in:

                        Warning: session_start(): open(/var/tmp//sess_1e36ef0d17d9b13cdeb3d59c25e8e0ab, O_RDWR) failed: No space left on device (28) in /etc/inc/auth.inc on line 1357
                        

                        There's plenty of space, so I'm going to guess there's some filesystem-level corruption of some kind, in which case all bets are off.  sigh  Time to reinstall.

                          Rob Pomeroy

                          Completely reinstalled pfSense and what do you know?  It's working.

                          Hypotheses:

                          • Corruption of original installation and/or

                          • Using older version of OpenVPN Client Export package and/or

                          • Some other installed package caused a problem (have installed this fairly lean on this occasion).

                          Thanks to all for your help.  I'm going to snapshot this virtual machine while it's working!!!
