VPN Connection works but no network resource access
-
Is there a problem utilising the IPs that I am using? How does 10.0.0.0.8/16 work better than 192.168.1.0/24?
As far as the RFC1918 range you use for the tunnel, there is no difference to OpenVPN.
What you've described can be made to work.
Best practices suggest NOT using the 192.168.x.x ranges, as they are so often associated with various LAN networks that the risk of a design conflict is increased with their use. As far as selecting ranges for LAN usage, again 192.168.0.x and 192.168.1.x appear in WAY too many default setups.
The chances of running into a potential conflict with some outside network connecting to yours is again increased. You can of course do what you want, it's your network.
We're just voicing issues that keep appearing over and over in the forum yet can be avoided pretty easily. Just my $.02
-
That's ok. Never set up my own VPN before so was not sure if there was some technical reason.
I can see my connection in Status/OpenVPN, virtual address is 192.168.2.2
When I do an IPCONFIG I can see the TAP Adapter has an address of 192.168.2.2 and a subnet of 255.255.255.0 and the default gateway is blank.
When I check my IP address via Google it shows my real IP and not the VPN IP.
Is my problem connecting with network drives on my network server side or client side?
EDIT: I am unable to ping 192.168.1.1 when my client is connected to the server.
Not sure how to read the route print output.
-
Couple of possibilities….
What's the LAN subnet of remote device (without VPN connected)? If it's the same as your home LAN (192.168.1.0/24?) you're going to have issues.
Is your laptop a Windows computer? Win machines are famous for blocking network connections for VPNs because they're "unknown" subnets to the Windows firewall.
Try turning off the Win Firewall for testing purposes. If you can post a screenshot of the route print after you've connected it might tell part of the story.
-
I just went through this and posted how I got it to work (not for shares, but other LAN resources). I posted my settings in this thread. Maybe it could help you?
-
Couple of possibilities….
What's the LAN subnet of remote device (without VPN connected)? If it's the same as your home LAN (192.168.1.0/24?) you're going to have issues.
Is your laptop a Windows computer? Win machines are famous for blocking network connections for VPNs because they're "unknown" subnets to the Windows firewall.
Try turning off the Win Firewall for testing purposes. If you can post a screenshot of the route print after you've connected it might tell part of the story.
Yes it is the same subnet.
Here is the route table:
IPv4 Route Table
Active Routes:
Network Destination  Netmask          Gateway       Interface      Metric
0.0.0.0              0.0.0.0          192.168.43.1  192.168.43.39  25
127.0.0.0            255.0.0.0        On-link       127.0.0.1      306
127.0.0.1            255.255.255.255  On-link       127.0.0.1      306
127.255.255.255      255.255.255.255  On-link       127.0.0.1      306
192.168.2.0          255.255.255.0    On-link       192.168.2.2    276
192.168.2.2          255.255.255.255  On-link       192.168.2.2    276
192.168.2.255        255.255.255.255  On-link       192.168.2.2    276
192.168.43.0         255.255.255.0    On-link       192.168.43.39  281
192.168.43.39        255.255.255.255  On-link       192.168.43.39  281
192.168.43.255       255.255.255.255  On-link       192.168.43.39  281
224.0.0.0            240.0.0.0        On-link       127.0.0.1      306
224.0.0.0            240.0.0.0        On-link       192.168.43.39  281
224.0.0.0            240.0.0.0        On-link       192.168.2.2    276
255.255.255.255      255.255.255.255  On-link       127.0.0.1      306
255.255.255.255      255.255.255.255  On-link       192.168.43.39  281
255.255.255.255      255.255.255.255  On-link       192.168.2.2    276
-
From that route print it looks like you have a VPN connection established, but no routing info is being added to the PC at all.
Your Remote (Laptop) Subnet 192.168.43.0/24 is NOT the same as your Home (pfSense) subnet - 192.168.1.0/24. That's a good thing.
The two places to look for issues now would be:
The client install of the remote device. Did you run the OpenVPN install as an Administrator? Did you set the OpenVPN GUI to run as Administrator?
Up the verbosity of the client logs (edit the client config and add "verb 3" to the end) and reconnect. Check the logs of the client, you should see a "Route add…" command.
If that command shows an error, then you probably need to get your admin rights working. If that command is not there, then something is wrong with the way you set up the OpenVPN server on pfSense.
Post a screen shot of the full OpenVPN server screen.
-
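The route check described in the reply above, as an added example that is not part of the original thread: it parses the posted route print rows, applies longest-prefix matching to see which interface traffic for 192.168.1.1 would leave by, and tests whether a client-side subnet overlaps the home LAN. The function names are hypothetical; the rows are copied from the post.

```python
import ipaddress

# IPv4 rows copied from the route print posted in the thread
# (loopback, multicast and broadcast rows omitted for brevity).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.39 25
192.168.2.0 255.255.255.0 On-link 192.168.2.2 276
192.168.2.2 255.255.255.255 On-link 192.168.2.2 276
192.168.43.0 255.255.255.0 On-link 192.168.43.39 281
192.168.43.39 255.255.255.255 On-link 192.168.43.39 281
"""

def parse_routes(text):
    """Turn 'destination netmask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank or unrelated line
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append({"net": net, "gateway": gateway,
                           "iface": iface, "metric": int(metric)})
        except ValueError:
            continue  # not a route row
    return routes

def pick_route(routes, target):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"])) if hits else None

def diagnose(text, target, tunnel_ip, remote_lan):
    """Report whether `target` is routed into the tunnel and whether subnets clash."""
    routes = parse_routes(text)
    remote = ipaddress.ip_network(remote_lan)
    # An on-link subnet on a non-tunnel interface that overlaps the remote LAN
    # means the client treats remote addresses as local.
    overlap = any(r["gateway"] == "On-link" and 0 < r["net"].prefixlen < 32
                  and r["iface"] != tunnel_ip and r["net"].overlaps(remote)
                  for r in routes)
    best = pick_route(routes, target)
    return {"overlap": overlap,
            "via_tunnel": best is not None and best["iface"] == tunnel_ip,
            "egress": best["iface"] if best else None}
```

For the posted table, `diagnose(ROUTE_PRINT, "192.168.1.1", "192.168.2.2", "192.168.1.0/24")` reports no overlap and an egress interface of 192.168.43.39, so traffic for the home LAN follows the default route instead of entering the tunnel.
-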
I have started getting an error now. When I look in Status/OpenVPN I see the following:
Common Name | Real Address | Virtual Address | Connected Since | Bytes Sent | Bytes Received
[error] | Unable to contact daemon | Service not running? | 0 | 0 B | 0 B
Stopped
I tried deleting the server, certificates..everything and resetting it up but keep getting the same message.
-
If you've been playing with the OpenVPN server setup, it's possible to get OpenVPN in a "confused" state where a previous instance is still running and a "restart" of the OpenVPN server process - doesn't. You can find the OpenVPN(s) PID manually and kill it(them) or just do a full reboot of the box and see if everything comes back to life properly.
OpenVPN is an excellent tool for what it does, and it has a vast array of options to accommodate many scenarios.
One of its "quirks" under pfSense (IMHO) is the way it tries to keep itself alive come hell or high water.
When you're testing and changing settings on the fly, this can lead to the issues you're seeing. Once you've got your production settings figured out, it tends to be very stable.
It can be a little daunting the first time you have to deal with making sure your changes are actually implemented, but well worth the effort. Keep at it, try and be methodical and let us know how it goes.
-
A reboot didn't work, still kept getting the same problem.
I deleted all the config: the server, firewall rules, users and all certificates (CAs and Certificates), rebooted, started PFSense and then started again. I get the same error message.
I am doing this all through the webGUI. Do I need to remove the USB drive with PFSense on it and delete config files or something?
Update: I have just noted that even though I delete everything after I restart PFSense everything is back. It's like my deletions are not being saved.
-
I have started getting an error now. When I look in Status/OpenVPN I see the following:
Common Name | Real Address | Virtual Address | Connected Since | Bytes Sent | Bytes Received
[error] | Unable to contact daemon | Service not running? | 0 | 0 B | 0 B
Stopped
I tried deleting the server, certificates..everything and resetting it up but keep getting the same message.
I got the same state, but the server was running and accepted connections.
I could solve this by switching the server's listening interface to another one. However, it was set to the WAN CARP VIP at first and I switched to an internal one and forwarded OpenVPN connections. Now the daemon works and shows the correct state.
-
Anyone have any advice on my problem? At this stage even after deleting all VPN related settings, rebooting and then re-configuring I end up with the same error. My next option is to reinstall PFSense on a new USB. Though I feel that if this is an option to address the problem there is something significantly wrong.