Netgate Discussion Forum

    No traffic across the VPN tunnel

    OpenVPN
    • loub

      Hello,

      I'm new to pfSense and learning as fast as I can, but I'm stuck with openVPN. I'm familiar with openVPN since I have it currently working at another site, but pfSense is not being used there.

      I used the instructions here: http://www.apollon-domain.co.uk/?p=433, to configure openVPN. I've installed the client on a Win7 laptop and I am able to successfully connect. I see the VPN route added to my laptop, but I cannot connect to any system across the VPN connection. I've read through a number of replies on this forum, specifically the reply about changing dev_mode to device_mode, but I still cannot connect across the VPN.

      Any ideas would be greatly appreciated.

      Thanks,

      Lou.

      Version:
      2.0.1-RELEASE (i386)
      FreeBSD 8.1-RELEASE-p6

      openvpn.log:
      Dec 17 11:05:39    openvpn[38203]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Dec 17 11:05:39    openvpn[38203]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.11.1 192.168.11.2 init

      netstat -r:
      netstat -r
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            10.1.10.1          UGS         0  8074680    dc2
      10.1.10.0          link#3             U           0   252606    dc2
      10.1.10.2          link#3             UHS         0        0    lo0
      localhost          link#6             UH          0      472    lo0
      192.168.1.0        link#4             U           0  7887464    vr0
      192.168.1.1        link#4             UHS         0      521    lo0
      192.168.3.0        192.168.1.20       UGS         0    39513    vr0
      192.168.10.0       link#1             U           0    40010    dc0
      192.168.10.1       link#1             UHS         0        0    lo0
      192.168.11.1       link#11            UHS         0        0    lo0 =>
      192.168.11.1/32    link#11            U           0        0 ovpns1

      server1.conf:
      dev ovpns1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 10.1.10.2
      tls-server
      server 192.168.11.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 6
      push "route 192.168.0.0 255.255.254.0"
      push "dhcp-option DNS 192.168.1.14"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo
      persist-remote-ip
      float

      clients.ovpn:
      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote 10.1.10.2 1194 udp
      lport 0
      verify-x509-name "OpenVPN-Server-Cert" name
      auth-user-pass
      pkcs12 xul-udp-1194-XXX.p12
      tls-auth xul-udp-1194-XXX-tls.key 1
      comp-lzo

      • phil.davis

        Why are you still using 2.0.1? It will be more difficult for people to help with this, because who on the forum can remember what bugs/tricks there might have been in 2.0.1? Use the latest 2.1-RELEASE.
        I guess you are testing entirely internally, as the client connects to 10.1.10.2, not to some external DNS name or public IP. In that case, make sure your client is on the WAN side of the test pfSense, not coming from in the test LAN 192.168.0.0/23.
        The config files look reasonable to me, and that "route add command failed" message is always there, a "normal ERROR message".

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
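
        A quick way to confirm that a server config and client profile like the ones posted above actually agree, as an added example that is not from this thread or from pfSense: it parses both files (reconstructed here from the posted configs, with the key and certificate paths kept as constructed placeholders) and reports the mismatches that typically show up as a failed handshake or a tunnel that connects but passes no traffic.

```python
SERVER_CONF = """\
proto udp
cipher AES-128-CBC
local 10.1.10.2
server 192.168.11.0 255.255.255.0
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
"""

CLIENT_OVPN = """\
dev tun
cipher AES-128-CBC
remote 10.1.10.2 1194 udp
tls-auth xul-udp-1194-XXX-tls.key 1
comp-lzo
"""

def parse(text):
    # Map each directive to its argument list; the last occurrence wins.
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    # Return a list of human-readable mismatches; an empty list means the pair agrees.
    s, c = parse(server_text), parse(client_text)
    problems = []
    # tls-auth must be on both sides, with key direction 0 (server) / 1 (client)
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth is configured on only one side")
    elif s["tls-auth"][-1:] == ["0"] and c["tls-auth"][-1:] != ["1"]:
        problems.append("tls-auth key direction must be 0 on server and 1 on client")
    # 2.0-era OpenVPN does not negotiate cipher or compression: they must match exactly
    for key in ("cipher", "comp-lzo"):
        if s.get(key) != c.get(key):
            problems.append(f"{key} differs: server={s.get(key)} client={c.get(key)}")
    # the client's 'remote host port proto' must point at the server's local/lport/proto
    host, port, proto = (c.get("remote", []) + [None] * 3)[:3]
    if [host, port] != [s.get("local", [None])[0], s.get("lport", ["1194"])[0]]:
        problems.append(f"client remote {host}:{port} does not match server local/lport")
    if proto and proto != s.get("proto", ["udp"])[0]:
        problems.append("proto differs between client remote and server")
    return problems
```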

        • loub

          I was given the environment (2.0.1) to support and I am trying to learn more about pfSense before I look into replacing it.

          10.1.10.2 is my WAN connection, which is NATed to my ISP. My client is on the WAN. Since this LAN is NATed to the ISP, is it possible that my firewall conf needs more adjustment?

          Firewall Rules:

          I have the WAN interface conf with TCP / SSH enabled to an IP address within my LAN.
          I have the WAN interface conf with UDP / 1194 enabled.

          I have the LAN interface conf with ports 43260,80,433 enabled to an IP address within my LAN.
          I have a second line on the LAN interface that PASSes protocol (any), source (any) and dest (any).

          I have the OpenVPN interface conf with PASS  protocol (any), source (any) and dest (any)


          • loub

            Well, I'm lost for words today. I opened up the laptop, fired up openvpn and I'm able to ping the LAN on the other end of the tunnel. No changes, but the system was rebooted. Is rebooting a requirement for VPN to work?

            • phil.davis

              Normally a reboot is not required for any pfSense config changes, including setting up VPNs... But it is so long since I used 2.0.1 that I can't be sure if there were some things that did not always work on-the-fly.
              Certainly in 2.1-RELEASE I set up and reconfigure OpenVPN servers and clients without needing to reboot - the system changes all the routes... on the fly.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.