Got connected to OpenVPN server, but can't talk to anything



  • I've followed the how to at http://forum.pfsense.org/index.php?topic=7840.msg44065, and have been googling this problem for a few hours.

    I'm connected to my OpenVPN server, but I can't ping/ssh/browse to anything.  I'm running XP as my client.

    My workplace has a 10.0.0.0 network.  My OpenVPN is setup to hand out 192.168.10.0 numbers.  I get assigned 192.168.10.6 when I connect.  When I look at the routing table on my XP box, it looks correct to me:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       20
            10.0.0.0    255.255.255.0     192.168.10.5    192.168.10.6       
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          169.254.0.0      255.255.0.0    192.168.1.100   192.168.1.100       30
          192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       20
        192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1       20
        192.168.1.255  255.255.255.255    192.168.1.100   192.168.1.100       20
         192.168.10.1  255.255.255.255     192.168.10.5    192.168.10.6       1
         192.168.10.4  255.255.255.252     192.168.10.6    192.168.10.6       30
         192.168.10.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       192.168.10.255  255.255.255.255     192.168.10.6    192.168.10.6       30
            224.0.0.0        240.0.0.0    192.168.1.100   192.168.1.100       20
            224.0.0.0        240.0.0.0     192.168.10.6    192.168.10.6       30
      255.255.255.255  255.255.255.255    192.168.1.100   192.168.1.100       1
      255.255.255.255  255.255.255.255     192.168.10.6               4       1
      255.255.255.255  255.255.255.255     192.168.10.6    192.168.10.6       1
    Default Gateway:       192.168.1.1
    

    I've added a rule on the pfSense box for 1194 of course (or I wouldn't even be connected), and then I added one to allow the 192.168.10.x traffic.  That's probably where my problem is, but it looks right to me.  I added a rule on the LAN interface to allow 192.168.10.0/26, any protocol, to any destination.

    Is there something else I need to do?



  • Is this a PKI or a PSK setup?

    You forgot to add a route for your client to the 10.0.0.0/? subnet.



  • @GruensFroeschli:

    Is this a PKI or a PSK setup?

    You forgot to add a route for your client to the 10.0.0.0/? subnet.

    It's PKI.

    The second line of my routing output above shows a route to the 10.0.0.0 network.  Is that what you are referring to?



  • Anyone?  Help!



  • Ah yes, I see the route.
    I missed it when I looked at it.

    How exactly are you testing that it's "not working"?
    I have this setup working here right now….

    Could you elaborate on your setup and what you're trying to do?



  • @GruensFroeschli:

    Ah yes, I see the route.
    I missed it when I looked at it.

    How exactly are you testing that it's "not working"?
    I have this setup working here right now….

    Could you elaborate on your setup and what you're trying to do?

    Thanks for the reply.  By "not working", as I laid out in my initial post, I can get connected, and I do get assigned an IP address. But I can't ping, SSH, or browse to anything.  No errors, but it just does not appear to be working.

    As far as my network, I have a 10.0.0.0 network at work, behind a pfSense 1.2 firewall.  I'd like to VPN in so I can access the hosts behind the firewall.  No dual WAN or anything fancy like that.

    Thanks for any help.  You know I've looked around for paid support options, but it seems the only way I can talk to someone over the phone about my problem is to pay $600 for a year of support???  Are there any other options?



  • Could you post the log of the client and the server when you connect?

    Can you disable the Windows firewall on the connecting client altogether as a test?



  • Windows firewall is disabled.

    Here is the log from the server:

    
    Sep 2 08:49:52	openvpn[95305]: 72.196.n.n:1481 Re-using SSL/TLS context
    Sep 2 08:49:53	openvpn[95305]: 72.196.n.n:1481 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    Sep 2 08:49:53	openvpn[95305]: 72.196.n.n:1481 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Sep 2 08:49:53	openvpn[95305]: 72.196.n.n:1481 [Test_User] Peer Connection Initiated with 72.196.n.n:1481
    Sep 2 08:50:56	openvpn[95305]: 72.196.n.n:1495 Re-using SSL/TLS context
    Sep 2 08:50:57	openvpn[95305]: 72.196.n.n:1495 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    Sep 2 08:50:57	openvpn[95305]: 72.196.n.n:1495 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Sep 2 08:50:57	openvpn[95305]: 72.196.n.n:1495 [Test_User] Peer Connection Initiated with 72.196.n.n:1495
    Sep 2 08:52:00	openvpn[95305]: 72.196.n.n:1498 Re-using SSL/TLS context
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 [Test_User] Peer Connection Initiated with 72.196.n.n:1498
    
    

    And from the client:

    Tue Sep 02 08:49:52 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Tue Sep 02 08:49:52 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Sep 02 08:49:52 2008 LZO compression initialized
    Tue Sep 02 08:49:52 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Sep 02 08:49:52 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Sep 02 08:49:52 2008 Local Options hash (VER=V4): '41690919'
    Tue Sep 02 08:49:52 2008 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Sep 02 08:49:52 2008 UDPv4 link local: [undef]
    Tue Sep 02 08:49:52 2008 UDPv4 link remote: 209.34.x.x:1194
    Tue Sep 02 08:49:52 2008 TLS: Initial packet from 209.34.x.x:1194, sid=34e36bb5 24bd620a
    Tue Sep 02 08:49:53 2008 VERIFY OK: depth=1, /C=US/ST=NE/L=City/O=Company/CN=fw.hostname.here/emailAddress=webmaster@hostname.com
    Tue Sep 02 08:49:53 2008 VERIFY OK: nsCertType=SERVER
    Tue Sep 02 08:49:53 2008 VERIFY OK: depth=0, /C=US/ST=NE/O=Company/OU=server/CN=server/emailAddress=webmaster@hostname.com
    Tue Sep 02 08:49:53 2008 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
    Tue Sep 02 08:49:53 2008 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Tue Sep 02 08:49:53 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 02 08:49:53 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Sep 02 08:49:53 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 02 08:49:53 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Sep 02 08:49:53 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Sep 02 08:49:53 2008 [server] Peer Connection Initiated with 209.34.x.x:1194
    Tue Sep 02 08:49:54 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Tue Sep 02 08:49:54 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,dhcp-option DNS 10.0.0.195,route 192.168.10.1,ping 10,ping-restart 60,ifconfig 192.168.10.6 192.168.10.5'
    Tue Sep 02 08:49:54 2008 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Sep 02 08:49:54 2008 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Sep 02 08:49:54 2008 OPTIONS IMPORT: route options modified
    Tue Sep 02 08:49:54 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Sep 02 08:49:54 2008 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{6B82DCA7-A953-4025-A79A-FC5F56610339}.tap
    Tue Sep 02 08:49:54 2008 TAP-Win32 Driver Version 8.4 
    Tue Sep 02 08:49:54 2008 TAP-Win32 MTU=1500
    Tue Sep 02 08:49:54 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.10.6/255.255.255.252 on interface {6B82DCA7-A953-4025-A79A-FC5F56610339} [DHCP-serv: 192.168.10.5, lease-time: 31536000]
    Tue Sep 02 08:49:54 2008 Successful ARP Flush on interface [196611] {6B82DCA7-A953-4025-A79A-FC5F56610339}
    Tue Sep 02 08:49:54 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue Sep 02 08:49:54 2008 Route: Waiting for TUN/TAP interface to come up...
    Tue Sep 02 08:49:55 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue Sep 02 08:49:55 2008 Route: Waiting for TUN/TAP interface to come up...
    Tue Sep 02 08:49:57 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue Sep 02 08:49:57 2008 Route: Waiting for TUN/TAP interface to come up...
    Tue Sep 02 08:49:58 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue Sep 02 08:49:58 2008 Route: Waiting for TUN/TAP interface to come up...
    Tue Sep 02 08:49:59 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue Sep 02 08:49:59 2008 route ADD 10.0.0.0 MASK 255.255.255.0 192.168.10.5
    Tue Sep 02 08:49:59 2008 Route addition via IPAPI succeeded
    Tue Sep 02 08:49:59 2008 route ADD 192.168.10.1 MASK 255.255.255.255 192.168.10.5
    Tue Sep 02 08:49:59 2008 Route addition via IPAPI succeeded
    Tue Sep 02 08:49:59 2008 Initialization Sequence Completed
    Tue Sep 02 08:50:04 2008 Bad LZO decompression header byte: 42
    
    

    Then it looks like every minute or so I get some entries like these:

    
    Sep 2 08:52:00	openvpn[95305]: 72.196.n.n:1498 Re-using SSL/TLS context
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Sep 2 08:52:01	openvpn[95305]: 72.196.n.n:1498 [Test_User] Peer Connection Initiated with 72.196.n.n:1498
    

    Thanks for any help.



  • Looks like comp-lzo option is missing from your server configuration. Also check if you have link-mtu options in the configs and try to do without them, openvpn should be smart enough to detect correct mtu.
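    The diagnosis above can be automated: the mismatch is visible in the log lines the client prints right after TLS verification, and the "Bad LZO decompression header byte" line that follows is the symptom. The following Python is an added example (not from this thread or from pfSense/OpenVPN) that scans an OpenVPN log for option-mismatch warnings and LZO errors and turns them into likely causes; the embedded sample lines are copied from the client log posted above.

```python
import re

# Sample input: the relevant lines from the client log posted in this thread.
CLIENT_LOG = """\
Tue Sep 02 08:49:53 2008 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Tue Sep 02 08:49:53 2008 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Sep 02 08:49:59 2008 Initialization Sequence Completed
Tue Sep 02 08:50:04 2008 Bad LZO decompression header byte: 42
"""

# OpenVPN prints these two warning shapes when the peers' option strings differ.
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is (?P<kind>used inconsistently|"
    r"present in (?P<where>local|remote) config but missing in (?P<missing>local|remote) config)"
)
# Symptom of one-sided compression: the tunnel is up but payloads cannot be decoded.
LZO_RE = re.compile(r"Bad LZO decompression header byte: (\d+)")


def analyze(log_text):
    """Collect option mismatches and LZO decompression failures from an OpenVPN log."""
    findings = {"mismatch": {}, "lzo_errors": 0}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            if m.group("kind") == "used inconsistently":
                findings["mismatch"][m.group("opt")] = "inconsistent"
            else:
                findings["mismatch"][m.group("opt")] = "missing on " + m.group("missing")
            continue
        if LZO_RE.search(line):
            findings["lzo_errors"] += 1
    return findings


def diagnose(findings):
    """Map findings to likely root causes, most specific first."""
    causes = []
    lzo_state = findings["mismatch"].get("comp-lzo", "")
    if findings["lzo_errors"] and lzo_state.startswith("missing"):
        causes.append("comp-lzo is enabled on one side only (" + lzo_state +
                      "): enable or disable compression on both ends")
    elif findings["lzo_errors"]:
        causes.append("LZO decompression failures: compare compression settings on both ends")
    if "link-mtu" in findings["mismatch"]:
        causes.append("link-mtu differs between peers (a 1-byte difference is typical of a "
                      "comp-lzo mismatch): drop explicit link-mtu/tun-mtu and let OpenVPN negotiate")
    return causes
```

Run it over the client log to get the two causes in order; a server log in the syslog format shown above works with the same regexes, since only the line prefix differs.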



  • Wow, that compression option was the problem. I checked the box on the pfSense interface and now it's working.  I had kinda seen that in the logs, but since it was a WARNING I really didn't give it much attention.  I'm used to seeing all kinds of warnings in my open source product logs that should usually just be ignored.

    Thanks for the help!

