OpenVPN is not passing traffic after upgrade from 2.1 to 2.1.4
-
Hello All!
I upgraded my pfSense last week, and after upgrading from 2.1 to 2.1.4 the OpenVPN client still authenticates and gets an IP from DHCP, but no traffic appears to be passing.
It is not possible to resolve DNS remotely or even ping IPs that I know are up on the remote LAN. Nothing appears to be reaching the destination.
Any advice? I double-checked the firewall rules and all the old settings are still there. The OpenVPN interface has just one rule, the one the OpenVPN wizard created (PASS ALL IPV4). But nothing is working.
Thank you in advance,
-
Is pfSense the OVPN server or client?
What's about the routes on client?
Tell us your OVPN config, please.
-
Hello viragomann, thanks for your message!
pfSense is the OVPN server. The clients are Windows 7 or Windows 8 machines with the OpenVPN GUI client. They use the .exe install config generated by the "OpenVPN Client Export Utility" package for pfSense that I installed on the firewall.
These last 2 days I've been exploring the problem, I found out that if I check the OVPNServer option "Force all client generated traffic through the tunnel" it will work normally, but of course the connected client will suffer with slow public internet browsing because it will have to use the remote connection to browse public websites. This is NOT what I want and was working before upgrading.
But if I fill the "IPv4 Local Network/s" with my correct CIDR "192.168.30.0/24" (my office LAN is 192.168.30.1-192.168.30.255 subnet 255.255.255.0) then no traffic is passing from the remote client to the office LAN.
Any ideas why 2.1.4 is not working with my CIDR 192.168.30.0/24 to pass the traffic, forcing me to pass all traffic to the tunnel?
Thank you again!
-
I think you need to tackle this from point of view client side.
When the OpenVPN connection is up, check the client's route table (in cmd: route print). There you should see a Network destination (your local LAN, c.30.0), a gateway (something in the tunnel network range, c.31.h), and an interface (something in the tunnel network range, c.31.h).
You should be able to ping your pfSense once the tunnel is up… is that so?
-
Everyday things are different here :(
Now my client that was working yesterday using "force all traffic to tunnel" does not ping any VPN IP (even the pfSense's IP returns as not found when connected). This is the log from the OpenVPN client. Why is all that "access denied" occurring? I tried to reboot Windows 8, but no success restoring the client's VPN traffic :(
Thu Jul 31 13:16:25 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun 5 2014
Thu Jul 31 13:16:25 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Thu Jul 31 13:16:30 2014 Control Channel Authentication: using 'proxy-udp-1194-tls.key' as a OpenVPN static key file
Thu Jul 31 13:16:30 2014 UDPv4 link local (bound): [undef]
Thu Jul 31 13:16:30 2014 UDPv4 link remote: [AF_INET]179.111.X.X:1194 (replacing my IP)
Thu Jul 31 13:16:30 2014 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Thu Jul 31 13:16:31 2014 [OpenVPNServerCert] Peer Connection Initiated with [AF_INET]179.111.X.X:1194
Thu Jul 31 13:16:33 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 31 13:16:33 2014 open_tun, tt->ipv6=0
Thu Jul 31 13:16:33 2014 TAP-WIN32 device [Local Area Connection] opened: \.\Global{C784BB60-26C2-4273-AB81-37F0D18052D4}.tap
Thu Jul 31 13:16:33 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C784BB60-26C2-4273-AB81-37F0D18052D4} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=3]
Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 Initialization Sequence Completed
This is the route print when connected:
===========================================================================
Interface List
32...00 ff c7 84 bb 60 ......TAP-Windows Adapter V9
3...00 01 6c 6f ec 4a ......NVIDIA nForce Networking Controller
1...........................Software Loopback Interface 1
5...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
6...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 10
10.0.8.4 255.255.255.252 On-link 10.0.8.6 286
10.0.8.6 255.255.255.255 On-link 10.0.8.6 286
10.0.8.7 255.255.255.255 On-link 10.0.8.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.100 266
192.168.0.100 255.255.255.255 On-link 192.168.0.100 266
192.168.0.255 255.255.255.255 On-link 192.168.0.100 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.100 266
224.0.0.0 240.0.0.0 On-link 10.0.8.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.100 266
255.255.255.255 255.255.255.255 On-link 10.0.8.6 286
Persistent Routes:
None
IPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
6 306 ::/0 On-link
1 306 ::1/128 On-link
6 306 2001::/32 On-link
6 306 2001:0:5ef5:79fb:38d7:4aa4:4299:2392/128
On-link
3 266 fe80::/64 On-link
32 286 fe80::/64 On-link
6 306 fe80::/64 On-link
3 266 fe80::40:6376:4755:9b30/128
On-link
6 306 fe80::38d7:4aa4:4299:2392/128
On-link
32 286 fe80::4162:550b:a3bc:6ad9/128
On-link
1 306 ff00::/8 On-link
3 266 ff00::/8 On-link
6 306 ff00::/8 On-link
32 286 ff00::/8 On-link
Persistent Routes:
None
Really thanks for trying to help. I'm desperate here with no VPN since Monday. :(
-
Are you using the OpenVPN GUI client? If so, did you start the client with the option "run as administrator"? (right click on shortcut, run as administrator).
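A small diagnostic, added here as an example and not code from this thread or from pfSense, that automates the two checks suggested above: it flags the status=5 (ERROR_ACCESS_DENIED) route failures in the OpenVPN client log, and verifies from "route print" output that the office LAN is routed via a gateway inside the tunnel network. The log lines and route rows below are constructed in the shape of the ones posted.

```python
import ipaddress
import re

# Constructed sample: lines in the shape of the OpenVPN GUI log from the post.
SAMPLE_LOG = """\
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 Initialization Sequence Completed
"""

# Constructed sample in the shape of "route print" on the connected client.
SAMPLE_ROUTES = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.10     25
         10.0.8.1  255.255.255.255         10.0.8.5         10.0.8.6     30
         10.0.8.4  255.255.255.252          On-link         10.0.8.6    286
     192.168.30.0    255.255.255.0         10.0.8.5         10.0.8.6     30
Persistent Routes:
  None
"""
ROUTE_FAIL = re.compile(r"route addition failed .*?\[status=(\d+) if_index=(\d+)\]")

def route_failures(log):
    """Return (status, if_index) for every failed route add; status 5 is ERROR_ACCESS_DENIED."""
    return [(int(s), int(i)) for s, i in ROUTE_FAIL.findall(log)]

def parse_ipv4_routes(text):
    """Parse the 'Active Routes' rows of the IPv4 table into (network, gateway) tuples."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if active and len(parts) == 5 and parts[0][0].isdigit():
            dest, mask, gw = parts[0], parts[1], parts[2]
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, None if gw == "On-link" else ipaddress.ip_address(gw)))
    return routes

def lan_route_via_tunnel(routes, lan_cidr, tunnel_cidr):
    """True when the office LAN is routed through a gateway inside the tunnel network."""
    lan, tunnel = ipaddress.ip_network(lan_cidr), ipaddress.ip_network(tunnel_cidr)
    return any(net == lan and gw is not None and gw in tunnel for net, gw in routes)
```

A non-empty result from route_failures with status 5 means the route add was refused for lack of privileges, which matches the "run as administrator" advice; an empty result from lan_route_via_tunnel means the client never learned the LAN route, which is a server-side push problem rather than a firewall one.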
-
Hello vindenesen,
I indeed was running as standard user. Raised to admin and it managed to set route. However, on another machine with Windows 7 it was able to connect and route to VPN without admin rights. I think this is odd. It was the first time I had to set the GUI to admin in order to properly connect.
However, this intrigues me, as at random I am able to pass traffic and then suddenly not. This is the transcript from my CMD. I typed those commands one after another, without waiting, and keeping the connection ON. Notice that sometimes it is able to pass traffic and then not. And then it passes again, without me having to do anything. Using "route print" shows that the network 192.168.30.0/24 is properly set. But sometimes it does not work.
How can I debug this issue? It is driving me crazy. And this is occurring only after I upgraded to 2.1.4. I never had any OVPN issues with 2.1.
Here is my odd test:
Microsoft Windows [Version 6.1.7601]
Copyright 2009 Microsoft Corporation. All rights reserved.
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\fdpalma>route print
Interface List
26...00 ff 0b 06 3b ea ......TAP-Windows Adapter V9
14...00 22 58 e8 f0 9f ......Bluetooth Device (Personal Area Network)
12...00 1e 65 3d 8a 64 ......Intel(R) WiFi Link 5100 AGN
11...00 1e 33 d0 e7 27 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.10 25
10.0.0.0 255.0.0.0 On-link 10.0.0.10 281
10.0.0.10 255.255.255.255 On-link 10.0.0.10 281
10.0.8.1 255.255.255.255 10.0.8.5 10.0.8.6 30
10.0.8.4 255.255.255.252 On-link 10.0.8.6 286
10.0.8.6 255.255.255.255 On-link 10.0.8.6 286
10.0.8.7 255.255.255.255 On-link 10.0.8.6 286
10.255.255.255 255.255.255.255 On-link 10.0.0.10 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.30.0 255.255.255.0 10.0.8.5 10.0.8.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.10 281
224.0.0.0 240.0.0.0 On-link 10.0.8.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.10 281
255.255.255.255 255.255.255.255 On-link 10.0.8.6 286
Persistent Routes:
None
IPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 281 fe80::/64 On-link
26 286 fe80::/64 On-link
26 286 fe80::4509:afc3:6dd6:9949/128
On-link
12 281 fe80::6da3:4c32:a11d:853/128
On-link
1 306 ff00::/8 On-link
12 281 ff00::/8 On-link
26 286 ff00::/8 On-link
Persistent Routes:
None
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Reply from 192.168.30.10: bytes=32 time=78ms TTL=127
Reply from 192.168.30.10: bytes=32 time=86ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=3ms TTL=127
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 86ms, Average = 42ms
C:\Users\fdpalma>ping bsserver
Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
Reply from 192.168.30.10: bytes=32 time=1ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
Reply from 192.168.30.10: bytes=32 time=25ms TTL=127
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 25ms, Average = 7ms
-
I indeed was running as standard user. Raised to admin and it managed to set route. However, on another machine with Windows 7 it was able to connect and route to VPN without admin rights. I think this is odd. It was the first time I had to set the GUI to admin in order to properly connect.
Could be that UAC was disabled on the machine where you didn't need to run it as admin.
What I don't quite understand is this:
Your OpenVPN settings say that 192.168.31.0/24 is to be the network that the OpenVPN clients get an IP address in, but your routing table displays that 192.168.30.0/24 is located at the gateway 10.0.8.5? In my mind the gateway should have been in the network 192.168.31.0/24.
Edit: Can you post your client config file?
-
vindenesen,
Yes, sorry. I changed the tunnel network to the example in the description ("eg. 10.0.8.0/24") to test if this scope would work. And I am performing tests with "force all client generated traffic to tunnel" DISABLED and the Local network set to 192.168.31.0/24.
Attached are the most recent settings I used all day for the posts above, and this is the client config file:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 179.111.XXX.XXX 1194 udp
lport 0
auth-user-pass
ca proxy-udp-1194-ca.crt
tls-auth proxy-udp-1194-tls.key 1
ns-cert-type server
Thank you again.
-
In a quick comparison with my config, I don't have that "lport 0" setting in my clients' config.
Try without it (comment it out by prepending #); it should no longer be necessary to tell the client to use a random port.
Restart OpenVPN, establish a connection, and issue a ping -t to your bsserver.
If it again shows disconnections, check the output from the pfSense log (OpenVPN).