Netgate Discussion Forum
    [SOLVED] Help with very basic OpenVPN setup – can't find route to LAN (naturall

    OpenVPN
    25 Posts 4 Posters 4.1k Views
    • Derelict (LAYER 8, Netgate)

      Yes.  It looks like it's being tested from the host on 192.168.11.167 from behind the LAN interface.  You need to find a way to test from the outside.  You could also configure OPT1 like a WAN interface and tell OpenVPN to listen there and test from a computer on OPT1.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • bbrooking

        Sorry for the delay.  Lots happening around here today.

        I don't know how I messed that part up.  I was conducting testing by tethering the client PC through a mobile phone.  I have fixed the client route table above.  The client IP address is 192.168.43.149 (behind a NAT of course) and its tunnel address is 10.0.8.6.

        While the client does appear to have a route to the LAN (192.168.10.0/23) I'm not able to access or ping any LAN IP Addresses.  What piece am I missing?

        Corrected route table.

        ===========================================================================
        Active Routes:
        Network Destination        Netmask          Gateway       Interface  Metric
                  0.0.0.0          0.0.0.0     192.168.43.1  192.168.43.149       25
                 10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6       1
                 10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
                 10.0.8.6  255.255.255.255        127.0.0.1       127.0.0.1       30
           10.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       30
                127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
              169.254.0.0      255.255.0.0  169.254.140.101  169.254.140.101      20
          169.254.140.101  255.255.255.255        127.0.0.1       127.0.0.1       40
          169.254.255.255  255.255.255.255  169.254.140.101  169.254.140.101      40
             192.168.10.0    255.255.254.0         10.0.8.5        10.0.8.6       1
             192.168.43.0    255.255.255.0   192.168.43.149  192.168.43.149       25
           192.168.43.149  255.255.255.255        127.0.0.1       127.0.0.1       25
           192.168.43.255  255.255.255.255   192.168.43.149  192.168.43.149       25
                224.0.0.0        240.0.0.0         10.0.8.6        10.0.8.6       30
                224.0.0.0        240.0.0.0  169.254.140.101  169.254.140.101      40
                224.0.0.0        240.0.0.0   192.168.43.149  192.168.43.149       25
          255.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       1
          255.255.255.255  255.255.255.255  169.254.140.101  169.254.140.101      1
          255.255.255.255  255.255.255.255   192.168.43.149  192.168.43.149       1
          255.255.255.255  255.255.255.255   192.168.43.149               4       1
        Default Gateway:      192.168.43.1
        ===========================================================================
        Persistent Routes:
          None
        
        • bbrooking

          I should note that I cannot make a connection to LAN whether "Force all client generated traffic through the tunnel" is checked or not.  And all local firewalls are disabled.

          • kejianshi

            Am I the only one who would rather see the openvpn config page than all this text?

            • marvosa

              Ok, so software firewalls are turned off?  Client appears to be getting the right route, but just in case… verify the client is run as administrator.

              Check your firewall logs for blocks.  Try to make connections to your local machines and watch your logs live.  Assuming the routing is correct, you're looking at firewall rules.

              make sure there's an any/any rule on your openvpn tab.

              • marvosa

                kejianshi, nah… I'd rather see the raw config... but that's just me.

                It's easier to compare to my own working config and identify mistakes.

                • kejianshi

                  This stuff is SIMPLE - I think a screen shot of the config would help me to see if something is weird anyway…

                  BTW - There is a pass rule on the openvpn firewall tab?

                  If so, it would help to see that rule also.

                  • bbrooking

                    kejianshi, I am happy to oblige with screenshots.  This stupidly simple configuration has been vexing me for a week now and I don't have many hairs left.

                    Here are the firewall config screens and the OpenVPN setup screen.

                    [attachments: screenshot01.png, screenshot02.png, screenshot14.png]

                    • bbrooking

                      I'm not certain what I should (or shouldn't) be seeing in the firewall log.  I cleared the log then attempted to connect from the client to two different LAN IP addresses.  All I saw in the logs is the attached.  It doesn't seem to shed any light.

                      The OpenVPN log shows:
                      Oct 22 20:31:32 openvpn: user 'vpnuser' authenticated
                      Oct 22 20:31:32 openvpn[37365]: 198.91.178.106:65342 [vpnuser] Peer Connection Initiated with [AF_INET]198.91.178.106:65342
                      Oct 22 20:31:32 openvpn[37365]: MULTI_sva: pool returned IPv4=10.0.8.6, IPv6=(Not enabled)
                      Oct 22 20:31:34 openvpn[37365]: vpnuser/198.91.178.106:65342 send_push_reply(): safe_cap=940

                      [attachment: screenshot15.png]

                      • marvosa

                        Switch to dynamic view and try to connect to your machines.  See if there are blocks coming from your tunnel IP range.

                        Post your firewall rule from the openvpn tab.

                        ** Sorry… just saw you already posted the pic of your rules **

                        • kejianshi

                          What's the private IP of the computer you are using to connect to OpenVPN?

                          Is it OUTSIDE the network that pfsense is in?

                          • bbrooking

                            Okay, back to this with fresh eyes.

                            kejianshi, the client computer I'm connecting to OpenVPN with is tethered through a mobile phone.

                            IP addresses:
                            Client computer: 192.168.43.149  (behind a NAT, of course.  It appears to route out through 192.168.43.149 -> 192.168.43.1 -> 172.25.83.33)
                            LAN: 192.168.10.10/23
                            WAN: 207.128.128.226/27
                            OPT1: not assigned
                            Tunnel: 10.0.8.0/24

                            marvosa, here's a screenshot of the dynamic view while the VPN tunnel was established and ping and RDP connections attempted.  Nothing was being blocked on the OpenVPN interface.

                            [attachment: screenshot16.png]

                            • kejianshi

                              perhaps I'm asking another silly question.

                              Is the client a windows machine?

                              If so, when you installed, did you run the installer as admin?

                              After you installed, are you running the client as admin?

                              Why is the local network 192.168.10.0/23 instead of /24?

                              • bbrooking

                                Yes, on a Windows machine (currently XP, but I have been trying Windows 7 as well).  I have to admit, I don't always remember to run OpenVPN GUI as administrator, but I did so on installation and first run and have done so again just now to confirm.  No difference when running as local administrator.

                                • kejianshi

                                  And why /23 instead of a /24?

                                  • bbrooking

                                    Ooops, sorry.  Missed that part.  When our LAN was set up many years ago, we anticipated the possibility for needing more than 255 IP addresses.  Our IP range runs from 192.168.10.1 - 192.168.11.255.  We use the 192.168.10.1-192.168.10.255 range for machines with static IPs and/or DHCP reservations and the 192.168.11.1-192.168.11.255 range for dynamic IPs.  Workstations, laptops, BYOD, etc.

                                    I can ping 192.168.10.10, which is the LAN IP of the pfSense box, but I cannot ping 192.168.10.6 which is the Active Directory & DNS server.

                                    • marvosa

                                      The "why" doesn't really matter.  It's a routed tunnel.  As long as he follows the "rules" and knows his LAN network range is 192.168.10.1 - 192.168.11.254 and doesn't overlap he's fine.

                                      Have you tried a simple reboot of PFsense?  Sometimes that fixes things believe it or not.

                                      One last thing I thought of, in the case that everything looks correct in your config, etc.: make sure the machines/devices on your LAN are using PFsense as the default gateway or you won't be able to communicate with them.  i.e. verify your DHCP server is configured to hand out PFsense as the gateway, which you've stated is 192.168.10.10.

                                      • marvosa

                                        bbrooking, I'm guessing it was a typo, but you know that 192.168.11.255 is the broadcast and is not usable right?

                                        • bbrooking

                                          Ah ha!  You may have hit on it there, Marvosa.  The machines are NOT using pfSense as their default gateway.  This is me experimenting with pfSense to see if it can be a replacement for the current default gateway.

                                          Does that mean I could set some machines on the LAN with pfSense as the default gateway for the purpose of experimentation?  I'm not in a position (particularly in the middle of the day with a LAN full of users) to move all machines to a different default gateway.

                                          I will experiment and report back.  Much thanks.

                                          (Yes, sorry.  255 would be the broadcast address.  Let's call that a typo rather than a brain fart.)

                                          • marvosa

                                            Yes, statically set some with PFsense as the gateway and you should be able to ping them.

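The two halves of this thread fit together in one picture: the client's route table (posted with "Corrected route table." above) already sends 192.168.10.0/23 into the tunnel, so the forward leg of a ping is fine, and marvosa's default-gateway point explains the silent return leg. The following Python is an added example, not code from the thread or from pfSense. It parses the posted Windows `route print` rows, does the longest-prefix lookup the client does, then walks the forward and return paths of a ping through a small model of the network described in the thread (client 10.0.8.6, pfSense 10.0.8.5 / 192.168.10.10, AD server 192.168.10.6). The old gateway's address 192.168.10.1 and its upstream 203.0.113.1 are assumptions, as is the simplification that the tunnel is a direct 10.0.8.4/30 link.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    network: Net
    gateway: Optional[IP]   # None: directly connected (Windows prints the interface IP or "On-link")
    metric: int = 1


def parse_route_print(text: str) -> list:
    """Parse the 'Active Routes' rows of Windows `route print` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # headers, separators, 'Default Gateway:' line
        dest, mask, gw, iface, metric = parts
        try:
            network = Net(f"{dest}/{mask}", strict=False)
            iface_ip = IP(iface)
        except ValueError:
            continue                      # e.g. the row whose Interface column is the index '4'
        on_link_row = gw.lower() == "on-link" or IP(gw) == iface_ip
        routes.append(Route(network, None if on_link_row else IP(gw), int(metric)))
    return routes


def lookup(routes, dst: str) -> Optional[Route]:
    """Longest prefix match; Windows breaks ties on the lowest metric."""
    d = IP(dst)
    matches = [r for r in routes if d in r.network]
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric), default=None)


# Constructed copy of the rows that matter from the client table posted in the thread.
CLIENT_ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0     192.168.43.1  192.168.43.149       25
         10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6        1
         10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
     192.168.10.0    255.255.254.0         10.0.8.5        10.0.8.6        1
     192.168.43.0    255.255.255.0   192.168.43.149  192.168.43.149       25
  255.255.255.255  255.255.255.255   192.168.43.149               4        1
"""


def on_link(net: str) -> Route:
    return Route(Net(net), None)


def via(net: str, gw: str) -> Route:
    return Route(Net(net), IP(gw))


def build_model(lan_default_gw: str) -> dict:
    """Node -> (its own addresses, its route table). Tunnel = direct link 10.0.8.6 <-> 10.0.8.5.
    Assumed, not from the thread: old gateway at 192.168.10.1 with upstream 203.0.113.1."""
    return {
        "client": ({IP("192.168.43.149"), IP("10.0.8.6")}, parse_route_print(CLIENT_ROUTE_PRINT)),
        "pfsense": ({IP("10.0.8.5"), IP("10.0.8.1"), IP("192.168.10.10")},
                    [on_link("10.0.8.0/24"), on_link("192.168.10.0/23")]),
        "ad-server": ({IP("192.168.10.6")},
                      [on_link("192.168.10.0/23"), via("0.0.0.0/0", lan_default_gw)]),
        "old-gw": ({IP("192.168.10.1")},
                   [on_link("192.168.10.0/23"), via("0.0.0.0/0", "203.0.113.1")]),
    }


def trace(model: dict, start: str, dst: str, max_hops: int = 6):
    """Walk one packet hop by hop; returns (path of node names, outcome)."""
    owner = {a: name for name, (addrs, _) in model.items() for a in addrs}
    path, node = [start], start
    for _ in range(max_hops):
        addrs, routes = model[node]
        if IP(dst) in addrs:
            return path, "delivered"
        r = lookup(routes, dst)
        if r is None:
            return path, f"no route on {node}"
        next_hop = IP(dst) if r.gateway is None else r.gateway
        if next_hop not in owner:
            return path, f"{node} hands it to {next_hop}, off the LAN: the reply never comes back"
        node = owner[next_hop]
        path.append(node)
    return path, "hop limit exceeded"


def ping_round_trip(lan_default_gw: str):
    """Forward leg client -> 192.168.10.6, then return leg 192.168.10.6 -> 10.0.8.6."""
    model = build_model(lan_default_gw)
    return trace(model, "client", "192.168.10.6"), trace(model, "ad-server", "10.0.8.6")


if __name__ == "__main__":
    print("client route for 192.168.10.6:", lookup(parse_route_print(CLIENT_ROUTE_PRINT), "192.168.10.6"))
    for gw in ("192.168.10.1", "192.168.10.10"):
        (fpath, fout), (rpath, rout) = ping_round_trip(gw)
        print(f"LAN default gateway {gw}: forward {fpath} {fout}; return {rpath} {rout}")
```

With the old router as the LAN default gateway the forward leg reaches 192.168.10.6 but the echo reply is handed to 192.168.10.1, which has no route for 10.0.8.0/24 and forwards it upstream; pfSense itself (192.168.10.10) still answers because it owns the tunnel route, which is exactly the symptom reported above. Switching the AD server's gateway to 192.168.10.10 makes the return leg land on the client. A static route for 10.0.8.0/24 pointing at 192.168.10.10 on the old gateway, or outbound NAT on the OpenVPN interface, would be the usual alternatives when the default gateway cannot be changed; neither is discussed in this thread.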
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.