OpenVPN just won't work
-
Dear pfSense Community,
sorry to be so direct, but the OpenVPN is driving me mad. I have read tons of tutorials and tried all settings many, many times but I just can't get it to work. I believe there must be something missing. Most likely a tiny setting which I have missed and I just can't find it. In theory it should work in my opinion, but it just doesn't. I don't even know how to describe it. My best guess is a wrong firewall setting.
What I am trying to achieve is: When I am not in my pfSense network, but let's say in an open wifi, I want to route all my traffic through my pfSense network and thereby appear with the pfSense's public IP address to the internet (like I would sit behind my pfSense router).
I can connect to the VPN but then nothing is reachable. Not a website, nor can I ping any public internet IP address or IP addresses inside the network.
I will attach some screenshots and logs and hope that you can help me:
If I connect with OpenVPN from Win10 I get the following response (looks good):
Mon Nov 16 12:24:15 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Mon Nov 16 12:24:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Mon Nov 16 12:24:26 2015 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
Mon Nov 16 12:24:26 2015 UDPv4 link local (bound): [undef]
Mon Nov 16 12:24:26 2015 UDPv4 link remote: [AF_INET]###WAN-IP-Address###:1194
Mon Nov 16 12:24:26 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 16 12:24:28 2015 [#####-VPN Cert] Peer Connection Initiated with [AF_INET]###WAN-IP-Address###:1194
Mon Nov 16 12:24:30 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 16 12:24:30 2015 open_tun, tt->ipv6=0
Mon Nov 16 12:24:30 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{B618BE77-DA46-442C-A8E1-AE324AE37E9E}.tap
Mon Nov 16 12:24:30 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.2/255.255.255.0 on interface {B618BE77-DA46-442C-A8E1-AE324AE37E9E} [DHCP-serv: 10.0.8.0, lease-time: 31536000]
Mon Nov 16 12:24:30 2015 Successful ARP Flush on interface [17] {B618BE77-DA46-442C-A8E1-AE324AE37E9E}
Mon Nov 16 12:24:35 2015 Initialization Sequence Completed
likewise the log from the pfsense side (everything fine):
Nov 16 12:24:25 openvpn: user 'testvpnuser' authenticated
Nov 16 12:24:25 openvpn[81958]: 77.12.38.248:60125 [testvpnuser] Peer Connection Initiated with [AF_INET]77.12.38.248:60125
Nov 16 12:24:25 openvpn[81958]: testvpnuser/77.12.38.248:60125 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Nov 16 12:24:27 openvpn[81958]: testvpnuser/77.12.38.248:60125 send_push_reply(): safe_cap=940
Nov 16 12:38:18 openvpn[81958]: testvpnuser/77.12.38.248:60125 [testvpnuser] Inactivity timeout (--ping-restart), restarting
After connecting to the VPN nothing works. I can not open any website in the browser or ping any IP. Please see the log:
C:\Users>ipconfig /all

Windows-IP-Konfiguration

   Hostname . . . . . . . . . . . . : #####
   Primäres DNS-Suffix . . . . . . . :
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert . . . . . . : Nein
   WINS-Proxy aktiviert . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : fritz.box

[...]

Ethernet-Adapter Ethernet 3:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
   Physische Adresse . . . . . . . . : 00-FF-B6-18-BE-77
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::e1c5:4dcc:a307:dbb3%17(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 10.0.8.2(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Montag, 16. November 2015 12:24:30
   Lease läuft ab. . . . . . . . . . : Dienstag, 15. November 2016 12:24:30
   Standardgateway . . . . . . . . . :
   DHCP-Server . . . . . . . . . . . : 10.0.8.0
   DHCPv6-IAID . . . . . . . . . . . : 553713590
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
   DNS-Server . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter WiFi:

   Verbindungsspezifisches DNS-Suffix: fritz.box
   Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
   Physische Adresse . . . . . . . . : 00-24-D7-E4-40-B4
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::4c7b:9216:479d:2015%6(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 192.168.178.23(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Montag, 16. November 2015 08:32:09
   Lease läuft ab. . . . . . . . . . : Donnerstag, 26. November 2015 08:32:09
   Standardgateway . . . . . . . . . : 192.168.178.1
   DHCP-Server . . . . . . . . . . . : 192.168.178.1
   DHCPv6-IAID . . . . . . . . . . . : 50341079
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
   DNS-Server . . . . . . . . . . . : 192.168.178.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

[...]

Tunneladapter isatap.fritz.box:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: fritz.box
   Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja

Tunneladapter Teredo Tunneling Pseudo-Interface:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja

Tunneladapter LAN-Verbindung* 13:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja

C:\Users>ping 192.168.64.1 //(pfsenserouter from inside the LAN-interface)

Ping wird ausgeführt für 192.168.64.1 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 192.168.64.1:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),

C:\Users>ping 8.8.8.8

Ping wird ausgeführt für 8.8.8.8 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 8.8.8.8:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),
my vpn serversettings:
Please find more screenshots (including Firewall configuration) here:
http://imgur.com/a/k0Zf8 <– Link to imgur album
I would be super glad if you point out to me what I am missing. I want to learn new stuff, but now I am absolutely stuck.
Thank you very much in advance!
Kind Regards, Markus
-
Hi
Don't know if this will help but run the OpenVPN client using run as administrator. I found yesterday I could connect but not ping.
I then saw routing access denied. Run as administrator and boom can ping.
Mat
-
Why tap device???
Use tun and everything will be okay.
-
Don't know if this will help but run the OpenVPN client using run as administrator.
Yeah that definitely has always been required (unless someone managed to get the "management interface" working - for me any messing with that screwed the OpenVPN GUI completely).
-
Don't know if this will help but run the OpenVPN client using run as administrator.
Yeah that definitely has always been required (unless someone managed to get the "management interface" working - for me any messing with that screwed the OpenVPN GUI completely).
yeah didn't see that bit
-
Hi
Don't know if this will help but run the OpenVPN client using run as administrator. I found yesterday I could connect but not ping.
I then saw routing access denied. Run as administrator and boom can ping.
Mat
Dear Mat,
I already learned that the hard way. Cost me about 4 hours of frustration -.-
However in my case it is already running as admin (before there was an error message in the client log which is now fine as you can see above)
Why tap device???
Use tun and everything will be okay.
Dear viragomann, I think I have also tried that, but I will retry now again.
Thank you so much for your help so far! Keep it coming please :)
-
So how would this ever work?? If you're using tap you don't normally hand out a tunnel network..
How do you expect to ever get to fec0 for dns??
Start over, use TUN like the wizard defaults to.. Put in your local network you want to get to.. That has to be different than local network on your client… Going to have to hand out dns if you want your vpn client to look up something via the vpn connection, ie if you set force all clients through tunnel like you have set..
This really is clickity clickity with the wizard up and running..
-
Thank you very much johnpoz!
Sorry for the mess. I guess I set it up using the wizard, and changed everything because I was frustrated that it doesn't work.
Well, I took your advice, deleted everything and started all over.
wizard:
############################
resulting settingspage:
As before I can connect to the VPN successfully:
Tue Nov 17 14:09:27 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Tue Nov 17 14:09:27 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Tue Nov 17 14:09:38 2015 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
Tue Nov 17 14:09:38 2015 UDPv4 link local (bound): [undef]
Tue Nov 17 14:09:38 2015 UDPv4 link remote: [AF_INET]#####WAN-IP#####:1194
Tue Nov 17 14:09:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 17 14:09:39 2015 [SiSu-VPN Cert] Peer Connection Initiated with [AF_INET]#####WAN-IP#####:1194
Tue Nov 17 14:09:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Nov 17 14:09:41 2015 open_tun, tt->ipv6=0
Tue Nov 17 14:09:41 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{110E3111-18B9-4926-88B7-04C88CED934B}.tap
Tue Nov 17 14:09:41 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {110E3111-18B9-4926-88B7-04C88CED934B} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Tue Nov 17 14:09:41 2015 Successful ARP Flush on interface [19] {110E3111-18B9-4926-88B7-04C88CED934B}
Tue Nov 17 14:09:46 2015 Initialization Sequence Completed
but I can not reach any computer:
C:\Users>ipconfig -all

[...]

Ethernet-Adapter Ethernet 3:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
   Physische Adresse . . . . . . . . : 00-FF-11-0E-31-11
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::7448:115f:4200:9928%19(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 10.0.8.6(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.255.252
   Lease erhalten. . . . . . . . . . : Dienstag, 17. November 2015 14:09:41
   Lease läuft ab. . . . . . . . . . : Mittwoch, 16. November 2016 14:09:41
   Standardgateway . . . . . . . . . :
   DHCP-Server . . . . . . . . . . . : 10.0.8.5
   DHCPv6-IAID . . . . . . . . . . . : 318832401
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
   DNS-Server . . . . . . . . . . . : 192.168.64.1
                                       212.121.128.10
                                       8.8.8.8
                                       212.121.128.11
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

[...]

C:\Users>ping 10.0.8.5

Ping wird ausgeführt für 10.0.8.5 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.0.8.5:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),

C:\Users>ping 8.8.8.8

Ping wird ausgeführt für 8.8.8.8 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.

Ping-Statistik für 8.8.8.8:
    Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1 (100% Verlust),
Any more Ideas?
-
I don't see any routes being handed to your client.. Why should anything go through the tunnel?
Bump up your verb in your client and post your log… I will be at work in a bit and will connect in and post my log and you will see ROUTES get sent.. You're not going to do anything down the tunnel without routes through it. Post up your route print from your client once you're connected..
Also what does your openvpn interface rules look like?
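The check asked for in the post above, written out as an added example that is not part of the original thread: it reads an OpenVPN client log, extracts the options from the server's PUSH_REPLY, and compares the pushed routes with the route additions the client logged as succeeded. The sample logs are constructed, 203.0.113.10 is a placeholder server address, the function names are hypothetical, and the line formats are assumed to match an OpenVPN 2.3 Windows client.

```python
import re
from ipaddress import IPv4Network

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")
ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) \S+")
ROUTE_OK = "Route addition via IPAPI succeeded"

# Constructed sample, modelled on an OpenVPN 2.3 Windows client log at verb 4.
GOOD_LOG = r"""
15:15:22 PUSH: Received control message: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,dhcp-option DNS 192.168.64.1,redirect-gateway def1,route 10.0.8.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'
15:15:27 C:\WINDOWS\system32\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.178.1
15:15:27 Route addition via IPAPI succeeded [adaptive]
15:15:27 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.8.5
15:15:27 Route addition via IPAPI succeeded [adaptive]
15:15:27 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.8.5
15:15:27 Route addition via IPAPI succeeded [adaptive]
15:15:27 C:\WINDOWS\system32\route.exe ADD 192.168.64.0 MASK 255.255.255.0 10.0.8.5
15:15:27 Route addition via IPAPI succeeded [adaptive]
15:15:27 C:\WINDOWS\system32\route.exe ADD 10.0.8.1 MASK 255.255.255.255 10.0.8.5
15:15:27 Route addition via IPAPI succeeded [adaptive]
"""
# Same session, but no route addition was confirmed (constructed).
NO_CONFIRM_LOG = "\n".join(l for l in GOOD_LOG.splitlines() if ROUTE_OK not in l)
# Server that pushes an address but no routes at all (constructed).
NO_ROUTES_LOG = ("15:15:22 PUSH: Received control message: "
                 "'PUSH_REPLY,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'")


def parse_push_reply(log_text):
    """Return the options the server pushed, or None if no PUSH_REPLY was logged."""
    match = PUSH_RE.search(log_text)
    if match is None:
        return None
    pushed = {"routes": [], "dns": [], "redirect_gateway": None, "ifconfig": None}
    for option in match.group(1).split(","):
        words = option.split()
        if not words:
            continue
        if words[0] == "route":
            # A pushed route without a netmask is a host route.
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            pushed["routes"].append(IPv4Network(f"{words[1]}/{mask}"))
        elif words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
            pushed["dns"].append(words[2])
        elif words[0] == "redirect-gateway":
            pushed["redirect_gateway"] = words[1:]
        elif words[0] == "ifconfig":
            pushed["ifconfig"] = tuple(words[1:3])
    return pushed


def expected_routes(pushed):
    """Routes the client should install for the pushed options."""
    routes = set(pushed["routes"])
    flags = pushed["redirect_gateway"]
    if flags is not None:
        if "def1" in flags:
            # def1 covers the default route with two /1 routes.
            routes |= {IPv4Network("0.0.0.0/1"), IPv4Network("128.0.0.0/1")}
        else:
            routes.add(IPv4Network("0.0.0.0/0"))
    return routes


def confirmed_routes(log_text):
    """Routes whose 'route.exe ADD' line is followed by a success line."""
    confirmed, pending = set(), None
    for line in log_text.splitlines():
        add = ROUTE_ADD_RE.search(line)
        if add:
            try:
                pending = IPv4Network(f"{add.group(1)}/{add.group(2)}")
            except ValueError:
                pending = None  # redacted address such as ###WAN-IP###
        elif ROUTE_OK in line and pending is not None:
            confirmed.add(pending)
            pending = None
    return confirmed


def diagnose(log_text):
    """Return a list of findings; an empty list means routes and DNS look complete."""
    pushed = parse_push_reply(log_text)
    if pushed is None:
        return ["no PUSH_REPLY in log: raise 'verb' or check that the client pulls options"]
    findings = []
    if not pushed["routes"] and pushed["redirect_gateway"] is None:
        findings.append("server pushed no routes: nothing is sent through the tunnel")
    for net in sorted(expected_routes(pushed) - confirmed_routes(log_text)):
        findings.append(f"route {net} pushed but not confirmed as added")
    if pushed["redirect_gateway"] is not None and not pushed["dns"]:
        findings.append("full tunnel without pushed DNS: lookups stay on the local resolver")
    return findings


if __name__ == "__main__":
    for name, log in [("good", GOOD_LOG), ("unconfirmed", NO_CONFIRM_LOG), ("no routes", NO_ROUTES_LOG)]:
        print(name, diagnose(log) or "OK")
```

A route that was pushed but never confirmed matters for the open-wifi use case in this thread: without the two `def1` routes the client keeps sending traffic through the local gateway even though the tunnel is up.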
-
Dear Johnpoz,
can you please explain what does: "Bump up your verb in your client" mean?
about the routes: I ticked "Force all client generated traffic through the tunnel. " Isn't it sufficient? What else I can do?
the screenshot is here:
-
Just because you check it doesn't mean it's getting handed to your clients.. What does output of route print look like after you connect to vpn?
The verb setting is the logging level, edit your client config to have higher level - say 4..
my config for example
-----
dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 24.13.snipped 443 tcp-client
lport 0
verify-x509-name "pfsenseopenvpn" name
pkcs12 pfSense-TCP-443-johnpoz.p12
tls-auth pfSense-TCP-443-johnpoz-tls.key 1
ns-cert-type server
comp-lzo adaptive
verb 4
edit:
You have multiple WANS? That could be an issue as well.. Which wan is the vpn connection coming in? Looks like you have 3?? Internet wan_fiber and wan2?? do you have any rules in floating?
-
Hello,
I understand now what you mean. Thank you for the explanation!
Here is the log with verb 4:
Tue Nov 17 15:15:07 2015 us=559782 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Tue Nov 17 15:15:07 2015 us=559782 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Tue Nov 17 15:15:07 2015 us=560283 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Nov 17 15:15:07 2015 us=560283 Need hold release from management interface, waiting...
Tue Nov 17 15:15:07 2015 us=991578 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Nov 17 15:15:08 2015 us=93291 MANAGEMENT: CMD 'state on'
Tue Nov 17 15:15:08 2015 us=93291 MANAGEMENT: CMD 'log all on'
Tue Nov 17 15:15:08 2015 us=279826 MANAGEMENT: CMD 'hold off'
Tue Nov 17 15:15:08 2015 us=281828 MANAGEMENT: CMD 'hold release'
Tue Nov 17 15:15:19 2015 us=141452 MANAGEMENT: CMD 'username "Auth" "testvpnuser"'
Tue Nov 17 15:15:19 2015 us=157451 MANAGEMENT: CMD 'password [...]'
Tue Nov 17 15:15:19 2015 us=386506 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
Tue Nov 17 15:15:19 2015 us=386506 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 17 15:15:19 2015 us=386506 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 17 15:15:19 2015 us=386506 LZO compression initialized
Tue Nov 17 15:15:19 2015 us=386506 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
Tue Nov 17 15:15:19 2015 us=386506 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Nov 17 15:15:19 2015 us=387507 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Nov 17 15:15:19 2015 us=387507 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Nov 17 15:15:19 2015 us=387507 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Nov 17 15:15:19 2015 us=387507 Local Options hash (VER=V4): '73e43c96'
Tue Nov 17 15:15:19 2015 us=387507 Expected Remote Options hash (VER=V4): '8a3b3cca'
Tue Nov 17 15:15:19 2015 us=387507 UDPv4 link local (bound): [undef]
Tue Nov 17 15:15:19 2015 us=387507 UDPv4 link remote: [AF_INET]###WAN-IP###:1194
Tue Nov 17 15:15:19 2015 us=387507 MANAGEMENT: >STATE:1447769719,WAIT,,,
Tue Nov 17 15:15:19 2015 us=420505 MANAGEMENT: >STATE:1447769719,AUTH,,,
Tue Nov 17 15:15:19 2015 us=420505 TLS: Initial packet from [AF_INET]###WAN-IP###:1194, sid=79ee18ce 6a7be43b
Tue Nov 17 15:15:19 2015 us=421507 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 17 15:15:20 2015 us=112619 VERIFY OK: depth=1, C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXXVPN Cert
Tue Nov 17 15:15:20 2015 us=113617 VERIFY OK: nsCertType=SERVER
Tue Nov 17 15:15:20 2015 us=113617 VERIFY X509NAME OK: C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXX-VPN Cert
Tue Nov 17 15:15:20 2015 us=113617 VERIFY OK: depth=0, C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXX-VPN Cert
Tue Nov 17 15:15:20 2015 us=899766 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 17 15:15:20 2015 us=899766 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 17 15:15:20 2015 us=899766 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 17 15:15:20 2015 us=899766 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 17 15:15:20 2015 us=900765 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Nov 17 15:15:20 2015 us=900765 [XXXXXXXX-VPN Cert] Peer Connection Initiated with [AF_INET]###WAN-IP###:1194
Tue Nov 17 15:15:21 2015 us=903960 MANAGEMENT: >STATE:1447769721,GET_CONFIG,,,
Tue Nov 17 15:15:22 2015 us=907057 SENT CONTROL [XXXXXXXX-VPN Cert]: 'PUSH_REQUEST' (status=1)
Tue Nov 17 15:15:22 2015 us=930054 PUSH: Received control message: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,route 192.168.150.8 255.255.255.255,dhcp-option DNS 192.168.64.1,dhcp-option DNS 212.121.128.10,dhcp-option DNS 8.8.8.8,dhcp-option DNS 212.121.128.11,redirect-gateway def1,route 10.0.8.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'
Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: route options modified
Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov 17 15:15:22 2015 us=946054 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Nov 17 15:15:22 2015 us=946054 MANAGEMENT: >STATE:1447769722,ASSIGN_IP,,10.0.8.6,
Tue Nov 17 15:15:22 2015 us=946054 open_tun, tt->ipv6=0
Tue Nov 17 15:15:22 2015 us=947056 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{110E3111-18B9-4926-88B7-04C88CED934B}.tap
Tue Nov 17 15:15:22 2015 us=948056 TAP-Windows Driver Version 9.21
Tue Nov 17 15:15:22 2015 us=948056 TAP-Windows MTU=1500
Tue Nov 17 15:15:22 2015 us=950054 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {110E3111-18B9-4926-88B7-04C88CED934B} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Tue Nov 17 15:15:22 2015 us=950054 DHCP option string: 0610c0a8 4001d479 800a0808 0808d479 800b
Tue Nov 17 15:15:22 2015 us=950054 Successful ARP Flush on interface [19] {110E3111-18B9-4926-88B7-04C88CED934B}
Tue Nov 17 15:15:27 2015 us=97573 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Tue Nov 17 15:15:27 2015 us=97573 C:\WINDOWS\system32\route.exe ADD ###WAN-IP### MASK 255.255.255.255 192.168.178.1
Tue Nov 17 15:15:27 2015 us=100573 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Tue Nov 17 15:15:27 2015 us=100573 Route addition via IPAPI succeeded [adaptive]
Tue Nov 17 15:15:27 2015 us=100573 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.8.5
Tue Nov 17 15:15:27 2015 us=104572 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and
dwForwardType=4 Tue Nov 17 15:15:27 2015 us=104572 Route addition via IPAPI succeeded [adaptive] Tue Nov 17 15:15:27 2015 us=104572 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.8.5 Tue Nov 17 15:15:27 2015 us=107570 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Tue Nov 17 15:15:27 2015 us=107570 Route addition via IPAPI succeeded [adaptive] Tue Nov 17 15:15:27 2015 us=107570 MANAGEMENT: >STATE:1447769727,ADD_ROUTES,,, Tue Nov 17 15:15:27 2015 us=107570 C:\WINDOWS\system32\route.exe ADD 192.168.64.0 MASK 255.255.255.0 10.0.8.5 Tue Nov 17 15:15:27 2015 us=135589 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Tue Nov 17 15:15:27 2015 us=135589 Route addition via IPAPI succeeded [adaptive] Tue Nov 17 15:15:27 2015 us=135589 C:\WINDOWS\system32\route.exe ADD 192.168.150.8 MASK 255.255.255.255 10.0.8.5 Tue Nov 17 15:15:27 2015 us=139588 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Tue Nov 17 15:15:27 2015 us=139588 Route addition via IPAPI succeeded [adaptive] Tue Nov 17 15:15:27 2015 us=139588 C:\WINDOWS\system32\route.exe ADD 10.0.8.1 MASK 255.255.255.255 10.0.8.5 Tue Nov 17 15:15:27 2015 us=142589 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Tue Nov 17 15:15:27 2015 us=142589 Route addition via IPAPI succeeded [adaptive] Tue Nov 17 15:15:27 2015 us=142589 Initialization Sequence Completed Tue Nov 17 15:15:27 2015 us=142589 MANAGEMENT: >STATE:1447769727,CONNECTED,SUCCESS,10.0.8.6,###WAN-IP### the multiple WANs are old. only one is active nowadays. floating rules is also empty. Please klick here for screenshots of the other firewall rules: >>>>> [url]http://imgur.com/a/k0Zf8[/url] <<<<< [/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i][/i]
-
Sorry, have gotten tied up with real work today..
But it looks like your routes got added, so if you look at your route print
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.56.41.1 10.56.41.174 10
10.0.8.1 255.255.255.255 10.0.8.5 10.0.8.6 20
10.0.8.4 255.255.255.252 On-link 10.0.8.6 276
10.0.8.6 255.255.255.255 On-link 10.0.8.6 276
10.0.8.7 255.255.255.255 On-link 10.0.8.6 276
192.168.2.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.3.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.9.0 255.255.255.0 10.0.8.5 10.0.8.6 20
You should see the route to the first IP in the range you were given.. so for example see that route to 10.0.8.1 in my above route table
C:>ping 10.0.8.1
Pinging 10.0.8.1 with 32 bytes of data:
Reply from 10.0.8.1: bytes=32 time=175ms TTL=64
Reply from 10.0.8.1: bytes=32 time=173ms TTL=64
Reply from 10.0.8.1: bytes=32 time=180ms TTL=64
Reply from 10.0.8.1: bytes=32 time=171ms TTL=64
Ping statistics for 10.0.8.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 171ms, Maximum = 180ms, Average = 174ms
C:\
You should be able to ping your pfsense interface on your lan interface for example
C:>ping 192.168.9.253
Pinging 192.168.9.253 with 32 bytes of data:
Reply from 192.168.9.253: bytes=32 time=175ms TTL=64
Reply from 192.168.9.253: bytes=32 time=167ms TTL=64
Reply from 192.168.9.253: bytes=32 time=168ms TTL=64
Reply from 192.168.9.253: bytes=32 time=166ms TTL=64
Ping statistics for 192.168.9.253:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 166ms, Maximum = 175ms, Average = 169ms
C:>
As to pinging stuff on your lan - they could be running a firewall that blocks that ping..
My ping times are HIGH because I have to bounce off a proxy here at work to get out, proxy is in TX while I am in the Chicago area and so is my home connection I am vpn into.
Take a look at your vpn interface.. Do you have any firewalls attached to it, and security stuff? I couldn't get ipv6 to work over the tunnel until I removed the firewall binding..
-
Thank you for your advice! I'm learning a ton of new stuff here =)
Here is my routing table after connecting to the vpn:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.23 20
0.0.0.0 128.0.0.0 10.0.8.5 10.0.8.6 20
10.0.8.1 255.255.255.255 10.0.8.5 10.0.8.6 20
10.0.8.4 255.255.255.252 Auf Verbindung 10.0.8.6 276
10.0.8.6 255.255.255.255 Auf Verbindung 10.0.8.6 276
10.0.8.7 255.255.255.255 Auf Verbindung 10.0.8.6 276
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 306
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 306
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
128.0.0.0 128.0.0.0 10.0.8.5 10.0.8.6 20
192.168.64.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.150.8 255.255.255.255 10.0.8.5 10.0.8.6 20
192.168.178.0 255.255.255.0 Auf Verbindung 192.168.178.23 276
192.168.178.23 255.255.255.255 Auf Verbindung 192.168.178.23 276
192.168.178.255 255.255.255.255 Auf Verbindung 192.168.178.23 276
(openVPN Server IP) 255.255.255.255 192.168.178.1 192.168.178.23 20
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 306
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.178.23 276
224.0.0.0 240.0.0.0 Auf Verbindung 10.0.8.6 276
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.178.23 276
255.255.255.255 255.255.255.255 Auf Verbindung 10.0.8.6 276
===========================================================================
note: I still can not ping 10.0.8.1 or any other ip address :(
I also checked the settings page you showed, but I don't have this entry. Also I disabled the windows firewall, but it didn't change anything.
I am now comparing our routing tables, maybe there is some hint to it :o
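Added example, not part of the thread: a longest-prefix-match lookup over rows from the route table posted above, showing which interface the client picks for a given destination once `redirect-gateway def1` has added the two /1 routes. The function names are hypothetical, and 203.0.113.10 is a constructed placeholder for the masked "(openVPN Server IP)" row.

```python
import ipaddress

# Rows copied from the client's route print in the post above ("Auf Verbindung"
# is the on-link label of a German Windows). 203.0.113.10 is a constructed
# placeholder for the masked "(openVPN Server IP)" entry.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.23 20
0.0.0.0 128.0.0.0 10.0.8.5 10.0.8.6 20
10.0.8.1 255.255.255.255 10.0.8.5 10.0.8.6 20
10.0.8.4 255.255.255.252 Auf Verbindung 10.0.8.6 276
128.0.0.0 128.0.0.0 10.0.8.5 10.0.8.6 20
192.168.64.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.150.8 255.255.255.255 10.0.8.5 10.0.8.6 20
192.168.178.0 255.255.255.0 Auf Verbindung 192.168.178.23 276
203.0.113.10 255.255.255.255 192.168.178.1 192.168.178.23 20
"""

def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        dest, mask = fields[0], fields[1]
        iface, metric = fields[-2], int(fields[-1])
        gateway = " ".join(fields[2:-2])  # may be two words ("Auf Verbindung")
        network = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((network, gateway, iface, metric))
    return routes

def select_route(routes, destination):
    """Longest prefix wins; the lower metric breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        raise LookupError(f"no route to {destination}")
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(destination, routes=None):
    """Return the local interface address the client would send from."""
    routes = routes if routes is not None else parse_routes(ROUTE_PRINT)
    return select_route(routes, destination)[2]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("8.8.8.8", "212.121.128.10", "192.168.64.1", "10.0.8.1", "203.0.113.10"):
        net, gw, iface, _ = select_route(table, dst)
        print(f"{dst:15} -> {str(net):18} via {gw:15} on {iface}")
```

Every destination except the VPN server's own host route resolves to the tunnel interface 10.0.8.6, so the client-side routing matches what the server pushed.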
-
My security software that was bound to my vpn interface was just an example.. Do you have any bindings?
Would you be up to sending me vpn info via PM and I can try and connect to rule out issues with your client.
-
So I did a quick teamviewer with the OP, and he had his nats set to manual and was missing the openvpn tunnel network nats and also had a NAT for ALL ports to be static..
I suggested he get rid of that ALL static nat, that is a bad idea. If you have some application or device that has issues with pfsense changing the source port on the outside when it does the napt, then this should be limited to the specific port and/or port and IP of the device having the problems. Doing ALL and ALL is going to have issues the more and more users you have behind the nat, when you run into an issue where more than 1 IP behind is wanting to use the same source port when talking to something.
Once he switches to auto on his nats, and the tunnel network gets added it should be working just fine.
-
It is amazing! Literally all I had to do was to switch to "Automatic outbound NAT rule generation (IPsec passthrough included)"
However I would never have found it alone - so huge, huge thanks to johnpoz!!! :) :) :) :) :D
Besides, I had pretty stupid 1:1 NAT rules in place which were, in fact, obsolete as I checked. Thanks for pointing that out to me additionally.
The important automatic rules were these:
Interface | Source | Source Port | Dest | Dest Port | NAT Address | NAT Port | Static Port | Description
WAN_FIBER | 10.0.8.0/24 | * | * | 500 | WAN_FIBER address | * | YES | Auto created rule for ISAKMP
WAN_FIBER | 10.0.8.0/24 | * | * | * | WAN_FIBER address | * | NO | Auto created rule
Now everything works just fine! ;D
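Added example, not part of the thread: a small audit of an outbound NAT rule list for the two problems diagnosed above, a tunnel network with no NAT rule on the WAN and static port applied to all ports. The class and function names are hypothetical; `AUTOMATIC` holds the two rules quoted in the post, and `MANUAL` is a constructed stand-in for the earlier manual rule set, which the thread does not show.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: str       # CIDR, or "any"
    dest_port: str    # "*" means all destination ports
    static_port: bool

# The two auto-created rules quoted in the post above.
AUTOMATIC = [
    OutboundNatRule("WAN_FIBER", "10.0.8.0/24", "500", True),
    OutboundNatRule("WAN_FIBER", "10.0.8.0/24", "*", False),
]

# Constructed stand-in for the manual rules described in the thread: only the
# LAN is translated (192.168.64.0/24 is the LAN route pushed to the client),
# with static port on every destination port.
MANUAL = [OutboundNatRule("WAN_FIBER", "192.168.64.0/24", "*", True)]

def covers(rule, network):
    """True if the rule's source matches every address in `network`."""
    if rule.source == "any":
        return True
    return network.subnet_of(ipaddress.ip_network(rule.source))

def audit(rules, tunnel_cidr, wan):
    """Return findings for a missing tunnel NAT rule and blanket static port."""
    tunnel = ipaddress.ip_network(tunnel_cidr)
    findings = []
    translated = any(
        r.interface == wan and r.dest_port == "*" and covers(r, tunnel)
        for r in rules
    )
    if not translated:
        # Tunnel clients would leave the WAN with their private source address.
        findings.append(f"missing: no all-ports outbound NAT rule on {wan} for {tunnel}")
    for r in rules:
        if r.static_port and r.dest_port == "*":
            # Two inside hosts using the same source port will collide.
            findings.append(f"risky: static port on all ports for {r.source} on {r.interface}")
    return findings

if __name__ == "__main__":
    for name, rules in (("manual", MANUAL), ("automatic", AUTOMATIC)):
        print(name, audit(rules, "10.0.8.0/24", "WAN_FIBER") or "ok")
```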
-
See clickity clickity ;) Glad you got it sorted and you got rid of that static nat for ANY ANY I hope..
-
Yes, I did that. After I switched to automatic, all other rules got disabled. After that I checked that all network applications are still running as intended and it turned out they were obsolete anyway :-D