Netgate Discussion Forum

    PfSense OpenVPN Server and Tomato OpenVPN Client

    Category: OpenVPN
    37 Posts 7 Posters 18.3k Views
    elkosupertech

      I edited the links, but just in case https://docs.google.com/viewer?a=v&pid=sites&srcid=ZWxrb3N1cGVydGVjaC5jb218d2Vic2l0ZXxneDo0OGQ0N2YxNzY5M2M1NjY3

      Thanks again!

      DJ

      jimp (Rebel Alliance Developer, Netgate)

        Why do you have it on Remote Access SSL/TLS and not Peer to Peer SSL/TLS?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        jimp (Rebel Alliance Developer, Netgate)

          I would move it to Peer-to-Peer SSL/TLS, kill the user auth.

          Other than the user+pass auth, I don't see anything odd about it from the settings.

          We'd need to see the OpenVPN logs from both sides to say much more.

          elkosupertech

            Well, according to the instructions I used (very first post) that was the recommended way. I am open to changing any of the settings I have. Also, I have stated that I can get it to work (one way) by turning on NAT on the Tomato side so that network then communicates through that way.

            DJ

            elkosupertech

              Change made.  And still same issue.  Here are the logs from Tomato:

              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route 10.0.0.0 255.255.255.0,route 10.2.0.0 255.255.255.0,route 172.18.0.1,topology net30,ping 10,ping-restart 60,ifconfig 172.18.0.6 172.18.0.5'
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: timers and/or timeouts modified
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: --ifconfig/up options modified
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: OPTIONS IMPORT: route options modified
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP device tun11 opened
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: TUN/TAP TX queue length set to 100
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/ifconfig tun11 172.18.0.6 pointopoint 172.18.0.5 mtu 1500
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 172.18.0.5
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 172.18.0.5
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 10.2.0.0 netmask 255.255.255.0 gw 172.18.0.5
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: /sbin/route add -net 172.18.0.1 netmask 255.255.255.255 gw 172.18.0.5
              Aug  2 10:40:34 unknown daemon.notice openvpn[10117]: Initialization Sequence Completed
              Aug  2 10:40:38 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:38 2013
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: Auth read bytes,0
              Aug  2 10:40:38 unknown daemon.notice openvpn[10117]: END
              Aug  2 10:40:42 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:42 2013
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,0
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6521
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,4852
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: Auth read bytes,0
              Aug  2 10:40:42 unknown daemon.notice openvpn[10117]: END
              Aug  2 10:40:59 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:40:59 2013
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,3060
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,6659
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,8205
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: Auth read bytes,32
              Aug  2 10:40:59 unknown daemon.notice openvpn[10117]: END
              Aug  2 10:41:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…
              Aug  2 10:41:50 unknown daemon.err openvpn[10117]: event_wait : Interrupted system call (code=4)
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: OpenVPN STATISTICS
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: Updated,Fri Aug  2 10:41:50 2013
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP read bytes,6883
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TUN/TAP write bytes,0
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP read bytes,7004
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: TCP/UDP write bytes,12925
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: Auth read bytes,112
              Aug  2 10:41:50 unknown daemon.notice openvpn[10117]: END
              Aug  2 10:42:01 unknown user.info init[1]: VPN_LOG_NOTE: 73: VPN Client 1 already running…

              and from pfSense:
              Aug 2 10:38:28 openvpn[567]: event_wait : Interrupted system call (code=4)
              Aug 2 10:38:29 openvpn[567]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
              Aug 2 10:38:29 openvpn[567]: SIGTERM[hard,] received, process exiting
              Aug 2 10:38:29 openvpn[26832]: OpenVPN 2.2.2 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
              Aug 2 10:38:29 openvpn[26832]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Aug 2 10:38:29 openvpn[26832]: TUN/TAP device /dev/tun1 opened
              Aug 2 10:38:29 openvpn[26832]: /sbin/ifconfig ovpns1 172.18.0.1 172.18.0.2 mtu 1500 netmask 255.255.255.255 up
              Aug 2 10:38:29 openvpn[26832]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 172.18.0.1 172.18.0.2 init
              Aug 2 10:38:29 openvpn[28114]: UDPv4 link local (bound): 204.28.248.153:1195
              Aug 2 10:38:29 openvpn[28114]: UDPv4 link remote: [undef]
              Aug 2 10:38:29 openvpn[28114]: Initialization Sequence Completed
              Aug 2 10:38:29 openvpn[28114]: IPv6 in tun mode is not supported in OpenVPN 2.2
              Aug 2 10:39:23 openvpn[28114]: 74.34.62.30:48938 Re-using SSL/TLS context
              Aug 2 10:39:26 openvpn[28114]: 74.34.62.30:48938 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:48938
              Aug 2 10:40:05 openvpn[28114]: 74.34.62.30:64452 Re-using SSL/TLS context
              Aug 2 10:40:07 openvpn[28114]: 74.34.62.30:64452 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:64452
              Aug 2 10:40:28 openvpn[28114]: 74.34.62.30:41811 Re-using SSL/TLS context
              Aug 2 10:40:31 openvpn[28114]: 74.34.62.30:41811 [VPN_Parents] Peer Connection Initiated with 74.34.62.30:41811

              elkosupertech

                Was that all the logs needed?  Please let me know.

                elkosupertech

                  I've been trying to figure out a solution to my problem, and it seems to me that it thinks the gateway is on 172.18.0.5 but it sees the Tomato client on 172.18.0.6. Even stranger is that its routing table shows that to access the network behind Tomato, it should go to 172.18.0.2. Is there a reason that pfSense is so confused?

                  jimp (Rebel Alliance Developer, Netgate)

                    That is not pfSense, it's OpenVPN. And that is normal.

                    For example, here is one site-to-site tunnel I have using SSL/TLS setup for multiple clients (some bits snipped):

                    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                            inet 192.168.239.1 --> 192.168.239.2 netmask 0xffffffff
                    ...
                    192.168.a.0/24     192.168.239.2      UGS         0   685847 ovpns1
                    192.168.b.0/24     192.168.239.2      UGS         0        0 ovpns1
                    192.168.239.0/24   192.168.239.2      UGS         0        0 ovpns1
                    192.168.239.2      link#10            UH          0        0 ovpns1

                    And on the client side:

                    ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                            inet 192.168.239.6 --> 192.168.239.5 netmask 0xffffffff
                    ...
                    192.168.z.0/24     192.168.239.5      UGS         0        0 ovpnc1
                    192.168.y.0/24     192.168.239.5      UGS         0    14557 ovpnc1
                    192.168.x.0/24     192.168.239.5      UGS         0        0 ovpnc1
                    192.168.239.0/24   192.168.239.5      UGS         0        0 ovpnc1
                    192.168.239.5      link#13            UH          0        0 ovpnc1

                    OpenVPN assigns addresses that way. Some exposed to the OS on the server side, others internal to OpenVPN on the server side. That is all completely normal for an SSL/TLS multi-site setup. The iroutes in OpenVPN client-specific overrides tell it which subnets are reachable via specific certificates.

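To make jimp's point concrete, here is an added example that is not code from the thread, pfSense or OpenVPN: a small Python model of OpenVPN's net30 address allocation (server .1 --> .2, first client .6 --> .5, as in the logs above) and of the two separate routing layers on the server, the kernel route whose next hop is the virtual .2 address and the OpenVPN-internal iroute that names which client certificate owns a subnet. The pool 172.18.0.0/24 and the common name VPN_Parents come from the thread's logs; the client LAN 192.168.50.0/24 is an assumed placeholder.

```python
import ipaddress


def net30_pair(pool, index):
    """(local, remote) endpoints of the index-th /30 in pool: block 0 is the
    server (.1 --> .2); client n gets block n, e.g. .6 --> .5 for n=1."""
    base = int(ipaddress.ip_network(pool).network_address) + 4 * index
    a, b = ipaddress.ip_address(base + 1), ipaddress.ip_address(base + 2)
    return (str(a), str(b)) if index == 0 else (str(b), str(a))


class OpenVPNServerModel:
    """Toy server: kernel routing table plus OpenVPN's internal client table."""

    def __init__(self, pool):
        self.pool = pool
        self.local, self.virtual_remote = net30_pair(pool, 0)
        self.kernel_routes = {}  # subnet -> next hop (what netstat -rn shows)
        self.iroutes = {}        # subnet -> client common name (client override)
        self.clients = {}        # common name -> that client's tunnel address

    def add_route(self, subnet):
        # 'route' option: the OS hands the subnet to the tun interface via .2
        self.kernel_routes[ipaddress.ip_network(subnet)] = self.virtual_remote

    def add_iroute(self, subnet, common_name):
        # 'iroute' in a client-specific override: OpenVPN-internal routing
        self.iroutes[ipaddress.ip_network(subnet)] = common_name

    def connect(self, common_name, index):
        self.clients[common_name] = net30_pair(self.pool, index)[0]

    def forward(self, dst):
        """Common name of the client that receives a packet for dst, else None."""
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in self.kernel_routes):
            return None  # kernel never sends the packet into the tunnel
        for subnet, cn in self.iroutes.items():
            if addr in subnet and cn in self.clients:
                return cn
        return None  # kernel route exists but no iroute maps it to a client


def demo():
    # Constructed scenario: pool and common name are from the thread's logs;
    # the client LAN 192.168.50.0/24 is an assumed placeholder.
    srv = OpenVPNServerModel("172.18.0.0/24")
    srv.add_route("192.168.50.0/24")
    srv.connect("VPN_Parents", 1)
    before = srv.forward("192.168.50.10")  # None: route present, no iroute yet
    srv.add_iroute("192.168.50.0/24", "VPN_Parents")
    return before, srv.forward("192.168.50.10")
```

The first value returned by demo() is the "server can reach the client router but not its LAN" symptom from this thread: the kernel route alone is not enough until an iroute ties the subnet to the client's certificate.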
                    elkosupertech

                      Thank you for clarifying this.  I was hoping that any bit of information, even if it was just an observation would come up with a solution.

                      PGalati

                        Did this scenario ever get resolved?  I understand that both firmware versions (pfsense and Tomato) have been updated since this post was created.

                        I am having a very similar problem as the OP did or does. I can ping anything from the client side. I can ping the client's router from the server side, but I cannot ping anything on the client's network. In my scenario, I am attempting to use a Cisco 7961 VOIP phone connected to Tomato over an OpenVPN tunnel to pfSense that is networked with a Cisco Call Manager PBX. The phone on the client side does connect to the phone system, and if I call someone, they can hear me, but I cannot hear them.

                        I would really like to get this resolved so a proper how-to can be written for others.  I have seen lots of posts of similar scenarios with this combination of hardware, but have not found a definite answer to fix this.

                        Thanks.

                        PGalati

                          I was able to solve this scenario and soon hope to create a how-to to help others that specifically use pfsense and Tomato.  This link pushed me in the right direction:

                          https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes

                          Click on this link to get some additional info about the correct way to configure the openvpn server on pfsense:

                          https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

                          To the point, once I changed the pfsense openvpn server mode from Remote Access (SSL+User Auth) to Peer to Peer (SSL/TLS), made the appropriate adjustments on the Tomato side, I started getting ping responses from clients from the server side.  Our Cisco voip phones work both ways now too.

                          Finally!

                          yodaphone

                            @PGalati:

                            I was able to solve this scenario and soon hope to create a how-to to help others that specifically use pfsense and Tomato.  This link pushed me in the right direction:

                            https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes

                            Click on this link to get some additional info about the correct way to configure the openvpn server on pfsense:

                            https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

                            To the point, once I changed the pfsense openvpn server mode from Remote Access (SSL+User Auth) to Peer to Peer (SSL/TLS), made the appropriate adjustments on the Tomato side, I started getting ping responses from clients from the server side.  Our Cisco voip phones work both ways now too.

                            Finally!

                            Hi, I'm trying to do the same thing. Can you please tell me what your Tomato side config is?

                            have you enabled TLS Authentication?
                            did you enable Extra HMAC authorization (tls-auth)?

                            I'm getting TLS Error: incoming packet authentication failed from [AF_INET]

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.