OpenVPN connects, can't get to lan network
-
I have:
Two pfSense firewalls in CARP failover.
Which means I have a Virtual Wan, and Virtual Lan, as well as an actual wan and lan for each of them.
(I'm going to obviously change a few IPs around for posting purposes)
I've set up OpenVPN on the firewall, did the whole shebang.
OpenVPN connects on the client. But doesn't let me access the remote lan at all.
I'd LOVE to have it go through our DHCP box to auto-assign some IP addresses.
My users are being authenticated through an LDAP connection: "Nas2"
Tested this, and it's functioning.
So focusing on one firewall:
Wan IP: 12.64.150.188
Lan IP: 10.1.1.15
VWan IP: 12.64.150.187
VLan IP: 10.1.1.254
My desired LAN is on the 10 net. That's the goal: to get the VPN users to be able to access anything that may be on the 10 net.
In my OpenVPN Server Settings:
Protocol UDP
Device mode Tun
My port is 1190
my tunnel Network is: 172.50.48.0/24
I currently have my Local Network assigned to: 10.0.0.0/8
Compression is enabled with adaptive compression
I have Inter-client communication checked.
In my client settings:
Dynamic IP is checked
Address pool is checked
Topology checked
Firewall rules:
Wan: IPv4 UDP * * Wan Address 1190 * none
OpenVPN: IPv4 * * * * * * none
Server Config:
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 12.64.150.188
tls-server
server 172.50.48.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nas2' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN-Server-Cert' 1 "
lport 1190
management /var/etc/openvpn/server1.sock unix
max-clients 80
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DOMAIN company.com"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
Client Config:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 12.64.150.188 1190 udp
lport 0
verify-x509-name "VPN-Server-Cert" name
auth-user-pass
pkcs12 fw360-udp-1190-User-Cert.p12
tls-auth fw360-udp-1190-User-Cert-tls.key 1
ns-cert-type server
comp-lzo adaptive
I've tried making a bridge to bridge the tunnel and LAN. Nothing.
The firewall couldn't ping the lan when using diagnostics -> ping when using the source OpenVPN. I added the OpenVPN as an interface. Configured the IPv4 to DHCP and added the IPv4 address alias: 10.10.0.2
Once I did that I was able to ping the LAN when using the source OpenVPN.
Edit: this doesn't seem to be working today…
Please, if you have ideas on how to make this work, let me know. I'm literally throwing darts in the dark while drunk and blindfolded.
-
Lan IP: 10.1.1.15
VLan IP: 10.1.1.254
I have no idea what's VLAN IP but both of the above obviously overlap with the absolutely obnoxious 10.0.0.0/8 clusterfuck. No wonder it's broken. You really need 16M hosts on your network? Seriously?
-
Lan IP: 10.1.1.15
VLan IP: 10.1.1.254
I have no idea what's VLAN IP but both of the above obviously overlap with the absolutely obnoxious 10.0.0.0/8 clusterfuck. No wonder it's broken. You really need 16M hosts on your network? Seriously?
VLan is the virtual IP for carp failover for lan.
As for the obnoxious 10.0.0.0/8, from my reading of the documentation, this was supposed to be the range of IPv4 networks that you want accessible from the remote connection.
As I have IPs all along that range, it makes sense to shoot for everything.
I mean, I could be totally wrong and have misread.
These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.
I mean if I follow the "this is generally set to your LAN network", wouldn't that mean that 10.1.1.254 or 10.1.1.15 should work as well? Wouldn't that still be an overlap?
Thanks for your input.
Edit:
Reading a bit in the forums, I saw a few people mentioning routing tables, and so I looked there:
Now Em0 is my Lan interface.
But I can't find ANYWHERE where 10.0.0.0/8 is set. (I'm thinking there may be something to this)
I even took it off my OpenVPN setting to be sure.
Thoughts?
-
The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.
But two other wrong things I've found in your config:
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
-
Your VPN tunnel network has a public IP range. You should change this to a private range.
-
The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.
But two other wrong things I've found in your config:
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
-
Your VPN tunnel network has a public IP range. You should change this to a private range.
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
What do you mean, I seem to be made of bricks today. So, what I have set is a problem? Or it's okay?
Your VPN tunnel network has a public IP range. You should change this to a private range.
My tunnel is 172.50.48.0/24, isn't that private?
What would you suggest other than that? Something that won't bork other settings.
Thanks for your help thus far!
-
My tunnel is 172.50.48.0/24, isn't that private?
No, obviously…
NetRange: 172.32.0.0 - 172.63.255.255
CIDR: 172.32.0.0/11
NetName: TMO9
NetHandle: NET-172-32-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS21928
Organization: T-Mobile USA, Inc. (TMOBI)
RegDate: 2012-09-18
Updated: 2012-09-18
Ref: http://whois.arin.net/rest/net/NET-172-32-0-0-1
-
My tunnel is 172.50.48.0/24, isn't that private?
No, obviously…
NetRange: 172.32.0.0 - 172.63.255.255
CIDR: 172.32.0.0/11
NetName: TMO9
NetHandle: NET-172-32-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS21928
Organization: T-Mobile USA, Inc. (TMOBI)
RegDate: 2012-09-18
Updated: 2012-09-18
Ref: http://whois.arin.net/rest/net/NET-172-32-0-0-1
Ah!
Okay. Easy change.
172.24.48.0/24 it is.
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
What do you mean, I seem to be made of bricks today. So, what I have set is a problem? Or it's okay?
For CARP the interface addresses of master and slave have to be in the same subnet and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.
Your LAN interface (of the master, I assume) is set to 10.1.1.15/32. That's just a single host! You would change the mask to /24 in the interface settings.
-
For CARP the interface addresses of master and slave have to be in the same subnet and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.
Your LAN interface (of the master, I assume) is set to 10.1.1.15/32. That's just a single host! You would change the mask to /24 in the interface settings.
Ah yeah, I had it to that, and then started trying some other stuff around.
I've changed it back. (Thanks for that sanity check that I was right the first time!)
Now, my VPN connects, and from the test machine DNS fails to resolve.
I tried providing DNS server list to clients from the client settings in the server config (8.8.8.8, 8.8.4.4) But it still fails.
I then tried to have them route to my DHCP server at 10.10.0.2 and that also fails.
Client logs had this to say:
Wed Dec 09 16:56:32 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 172.24.48.0/172.24.48.2/255.255.255.0 [SUCCEEDED]
Wed Dec 09 16:56:32 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.24.48.2/255.255.255.0 on interface {8E8DE95B-B134-4001-A110-B08D646A4D45} [DHCP-serv: 172.24.48.254, lease-time: 31536000]
Wed Dec 09 16:56:32 2015 Successful ARP Flush on interface [47] {8E8DE95B-B134-4001-A110-B08D646A4D45}
Wed Dec 09 16:56:32 2015 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Wed Dec 09 16:56:37 2015 Initialization Sequence Completed
Thoughts?
-
You know, there are well known test tools for DNS. "It fails" is useless description.
-
I guess your client's default gateway is within the 10.0.0.0/8, which you route over VPN.
If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.
-
You know, there are well known test tools for DNS. "It fails" is useless description.
Thanks.
@viragomann:
I guess your client's default gateway is within the 10.0.0.0/8, which you route over VPN.
If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.
I checked redirect gateway, and I can get to the internet on the test machine, but it still won't let me on the lan.
What would you suggest for a good route to apply?
The end goal is just to get them to be able to access the LAN.
-
If you can reach the Internet over the VPN you should also be able to access the LAN subnet at the server side, as long as firewall rules do not prohibit this.
For routing the LAN net, you only need to push 10.1.1.0/24 to the client (if /24 is your LAN mask).
Is the pfSense box running the VPN server the default gateway in its network? If it isn't, you need appropriate routes for the VPN tunnel or have to do NAT.
Maybe the LAN host you want to access does not permit access from a different subnet, like the Windows firewall does by default.
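Two of the checks raised in this thread (the 172.50.48.0/24 tunnel not being RFC 1918 space, and a pushed 10.0.0.0/8 route swallowing a client's own network, where pushing just 10.1.1.0/24 is advised) can be run mechanically against an OpenVPN server config. The following is an added example, not code from the thread or from pfSense; the sample config is constructed from the directives posted above, and the client-side network passed to the audit is an assumption about where the VPN client sits before it connects.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the server config posted in the thread:
# the original (public) tunnel range and the /8 pushed route.
SAMPLE_SERVER_CONF = """
server 172.50.48.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DOMAIN company.com"
topology subnet
"""


def parse_server_conf(text):
    """Extract the tunnel network and pushed routes from OpenVPN server directives."""
    tunnel, routes = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # unquotes: push "route a.b.c.d m.m.m.m"
        if parts[0] == "server" and len(parts) >= 3:
            tunnel = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) >= 2:
            inner = parts[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return tunnel, routes


def audit_conf(text, client_local_cidr):
    """Return a list of findings; an empty list means all checks passed.

    client_local_cidr is the network the VPN client lives in before connecting
    (assumed here; the thread suspects it was inside 10.0.0.0/8).
    """
    tunnel, routes = parse_server_conf(text)
    if tunnel is None:
        return ["no 'server' directive found"]
    client_net = ipaddress.ip_network(client_local_cidr, strict=False)
    findings = []
    if not tunnel.is_private:  # RFC 1918 check: 172.50.x.x is outside 172.16.0.0/12
        findings.append(f"tunnel {tunnel} is not RFC 1918 space")
    for route in routes:
        if route.overlaps(tunnel):
            findings.append(f"pushed route {route} overlaps the tunnel {tunnel}")
        if route.overlaps(client_net):
            findings.append(f"pushed route {route} swallows the client-side network {client_net}")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_SERVER_CONF, "10.0.0.0/24"):
        print("WARNING:", finding)
```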
-
So I got this working finally.
Turns out, for my DNS servers, I needed to put my DHCP server there.
This allowed the DNS to get resolved.
Thanks for your help folks.