OpenVPN with multiple road warriors does not work



  • Hello everyone,
    a few days ago I set up a road warrior client that runs under Linux without problems.
    So I set up the certificates, users, etc. and did the rest via Client Export.

    So far everything works from the Linux notebook; I can ping the server behind the pfSense.

    Unfortunately, this does not work from the Windows 10 machine. It established the VPN connection, but no ping gets through to the server.
    There is an error message concerning the routing.
    Shouldn't the routing go through the pfSense there as well? It works with the Linux notebook, after all.

    Linux notebook log

    
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532776.5331] audit: op="connection-activate" uuid="06f332c6-5e86-4642-8d6f-37ed3632565d" name="pfSense-UDP4-1196-config" pid=1869 uid=1000 result="success"
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532776.5397] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",0]: Started the VPN service, PID 4142
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532776.5556] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",0]: Saw the service appear; activating connection
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: nm-openvpn-Message: openvpn[4150] started
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532776.7098] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",0]: VPN plugin: state changed: starting (3)
    Apr 12 13:32:56 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532776.7099] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",0]: VPN connection: (ConnectInteractive) reply received
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: WARNING: file '/home/xx/Downloads/pfSense-UDP4-1196/pfSense-UDP4-1196-tls.key' is group or others accessible
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: Control Channel Authentication: using '/home/xx/Downloads/pfSense-UDP4-1196/pfSense-UDP4-1196-tls.key' as a OpenVPN static key file
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: UDPv4 link local: [undef]
    Apr 12 13:32:56 xx-ThinkPad-T530 nm-openvpn[4150]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1196
    Apr 12 13:33:11 xx-ThinkPad-T530 nm-openvpn[4150]: [openvpn-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1196
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: TUN/TAP device tun0 opened
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --bus-name org.freedesktop.NetworkManager.openvpn.Connection_3 --tun -- tun0 1500 1560 10.0.8.2 255.255.255.0 init
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.8727] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.8881] devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.8882] device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.8956] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",0]: VPN connection: (IP Config Get) reply received.
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.8981] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: VPN connection: (IP4 Config Get) reply received
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: GID set to nm-openvpn
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: UID set to nm-openvpn
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-openvpn[4150]: Initialization Sequence Completed
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9034] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data: VPN Gateway: xx.xx.xx.xx
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9039] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data: Tunnel Device: "tun0"
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9044] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data: IPv4 configuration:
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9049] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal Gateway: 10.0.8.1
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9054] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal Address: 10.0.8.2
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9060] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal Prefix: 24
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9065] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal Point-to-Point Address: 10.0.8.2
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9070] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Maximum Segment Size (MSS): 0
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9074] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Forbid Default Route: no
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9075] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal DNS: 8.8.8.8
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9075] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   Internal DNS: 8.8.4.4
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9075] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data:   DNS Domain: '(none)'
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9076] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: Data: No IPv6 configuration
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9077] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: VPN plugin: state changed: started (4)
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9100] vpn-connection[0xe023c0,06f332c6-5e86-4642-8d6f-37ed3632565d,"pfSense-UDP4-1196-config",5:(tun0)]: VPN connection: (IP Config Get) complete
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9105] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9188] dns-mgr: Writing DNS information to /sbin/resolvconf
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: vorgelagerte Server von DBus gesetzt
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 8.8.8.8#53(via tun0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 8.8.4.4#53(via tun0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 2a03:2260:300a:1000::16#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 2a03:2260:300a:1000::32#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 2a03:2260:300a:1000::8#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 2a03:2260:300a:1000::24#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 8.8.8.8#53 für Domain 8.0.10.in-addr.arpa
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 8.8.4.4#53 für Domain 8.0.10.in-addr.arpa
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 2a03:2260:300a:1000::ffd0#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dnsmasq[3048]: Benutze Namensserver 10.233.8.1#53(via wlp3s0)
    Apr 12 13:33:13 xx-ThinkPad-T530 dbus[1016]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9352] keyfile: add connection in-memory (9c69171a-b19c-4043-9a8c-92863caddd2c,"tun0")
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9363] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9423] device (tun0): Activation: starting connection 'tun0' (9c69171a-b19c-4043-9a8c-92863caddd2c)
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9502] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9531] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9540] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9552] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9561] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9570] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
    Apr 12 13:33:13 xx-ThinkPad-T530 systemd[1]: Starting Network Manager Script Dispatcher Service...
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9682] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
    Apr 12 13:33:13 xx-ThinkPad-T530 NetworkManager[1087]: <info>[1523532793.9695] device (tun0): Activation: successful, device activated.
    Apr 12 13:33:13 xx-ThinkPad-T530 dbus[1016]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    Apr 12 13:33:13 xx-ThinkPad-T530 systemd[1]: Started Network Manager Script Dispatcher Service.
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-dispatcher: req:1 'vpn-up' [tun0]: new request (1 scripts)
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-dispatcher: req:1 'vpn-up' [tun0]: start running ordered scripts...
    Apr 12 13:33:13 xx-ThinkPad-T530 nm-dispatcher: req:2 'up' [tun0]: new request (1 scripts)
    Apr 12 13:33:14 xx-ThinkPad-T530 systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 12 13:33:14 xx-ThinkPad-T530 systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 12 13:33:14 xx-ThinkPad-T530 nm-dispatcher: req:2 'up' [tun0]: start running ordered scripts...
    Apr 12 13:33:14 xx-ThinkPad-T530 systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 12 13:33:14 xx-ThinkPad-T530 systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 12 13:33:14 xx-ThinkPad-T530 ntpdate[4262]: the NTP socket is in use, exiting
    Apr 12 13:33:15 xx-ThinkPad-T530 ntpd[1468]: Listen normally on 9 tun0 10.0.8.2:123
    Apr 12 13:33:15 xx-ThinkPad-T530 ntpd[1468]: new interface(s) found: waking up resolver
    

    Windows log

    
    Thu Apr 12 12:22:13 2018 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\pfSense-UDP4-1196-xx_Mi2.log: Zugriff verweigert   (errno=5)
    Thu Apr 12 12:22:13 2018 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan  4 2016
    Thu Apr 12 12:22:13 2018 Windows version 6.2 (Windows 8 or greater)
    Thu Apr 12 12:22:13 2018 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
    Thu Apr 12 12:23:11 2018 Control Channel Authentication: using 'pfSense-UDP4-1196-xx_Mi2-tls.key' as a OpenVPN static key file
    Thu Apr 12 12:23:11 2018 UDPv4 link local (bound): [undef]
    Thu Apr 12 12:23:11 2018 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1196
    Thu Apr 12 12:23:11 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Apr 12 12:23:12 2018 [openvpn-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1196
    Thu Apr 12 12:23:14 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Apr 12 12:23:14 2018 open_tun, tt->ipv6=0
    Thu Apr 12 12:23:14 2018 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{ABFB0395-413F-466B-A003-5FD8B1FF9526}.tap
    Thu Apr 12 12:23:14 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.8.0/10.0.8.3/255.255.255.0 [SUCCEEDED]
    Thu Apr 12 12:23:14 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.3/255.255.255.0 on interface {ABFB0395-413F-466B-A003-5FD8B1FF9526} [DHCP-serv: 10.0.8.254, lease-time: 31536000]
    Thu Apr 12 12:23:19 2018 ROUTE: route addition failed using CreateIpForwardEntry: Zugriff verweigert   [status=5 if_index=6]
    Thu Apr 12 12:23:19 2018 env_block: add PATH=C:\windows\System32;C:\windows;C:\windows\System32\Wbem
    Thu Apr 12 12:23:19 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Apr 12 12:23:19 2018 ROUTE: route addition failed using CreateIpForwardEntry: Zugriff verweigert   [status=5 if_index=30]
    Thu Apr 12 12:23:19 2018 env_block: add PATH=C:\windows\System32;C:\windows;C:\windows\System32\Wbem
    Thu Apr 12 12:23:20 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Apr 12 12:23:20 2018 ROUTE: route addition failed using CreateIpForwardEntry: Zugriff verweigert   [status=5 if_index=30]
    Thu Apr 12 12:23:20 2018 env_block: add PATH=C:\windows\System32;C:\windows;C:\windows\System32\Wbem
    Thu Apr 12 12:23:20 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Apr 12 12:23:20 2018 Initialization Sequence Completed
    
    ![route1.png](/public/_imported_attachments_/1/route1.png)
    ![openvpn.png](/public/_imported_attachments_/1/openvpn.png)
    ![lan.png](/public/_imported_attachments_/1/lan.png)
    ![wan.png](/public/_imported_attachments_/1/wan.png)


  • Yes, the client is not permitted to change the routes.

    Are you using a current pfSense version? And did you select the current installer version for Windows in the Client Export Utility: Current Windows Installer?
    That should not actually cause any problems.

    Otherwise you can try starting the client in Windows with admin rights. Then it is allowed to change routes.



  • Okay, that should be it, because it does not have admin rights. I will test it on Monday 8)

    It is the current version 2.4.3-RELEASE with the Current Windows Installer.

    Regards
    Achim


  • Moderator

    Thu Apr 12 12:23:19 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Apr 12 12:23:19 2018 ROUTE: route addition failed using CreateIpForwardEntry: Zugriff verweigert  [status=5 if_index=30]

    Clearly a permissions problem. For Windows 10, please be sure to install the latest OpenVPN client with the service; then the user no longer needs admin rights (once, during installation of the service, yes). However, this reads more like an OpenVPN version < 2.4, which did not yet have a VPN helper service.
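
The failure discussed in this thread, a client that logs "Initialization Sequence Completed" although every route addition was refused, can be checked for automatically. The following is an added example, not part of the original posts or of OpenVPN; the function name `triage` and the report keys are hypothetical, and the sample lines are copied from the Windows log above.

```python
import re

# Constructed sample: four lines taken from the Windows client log in this thread.
SAMPLE_LOG = """\
Thu Apr 12 12:22:13 2018 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan  4 2016
Thu Apr 12 12:23:19 2018 ROUTE: route addition failed using CreateIpForwardEntry: Zugriff verweigert   [status=5 if_index=6]
Thu Apr 12 12:23:19 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Apr 12 12:23:20 2018 Initialization Sequence Completed
"""

VERSION_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)\.(\d+)\b")
ROUTE_API_RE = re.compile(
    r"ROUTE: route addition failed using \w+:.*\[status=(\d+) if_index=(\d+)\]")
ROUTE_CMD_RE = re.compile(r"ERROR: Windows route add command failed")
ERROR_ACCESS_DENIED = 5  # Win32 code; the message text is localized, the code is not


def triage(log_text):
    """Summarize route-installation failures in an OpenVPN Windows client log."""
    report = {"version": None, "denied_routes": 0, "failed_route_cmds": 0,
              "completed": False, "findings": []}
    for line in log_text.splitlines():
        version = VERSION_RE.search(line)
        if version and report["version"] is None:
            report["version"] = tuple(int(part) for part in version.groups())
        api_failure = ROUTE_API_RE.search(line)
        if api_failure and int(api_failure.group(1)) == ERROR_ACCESS_DENIED:
            report["denied_routes"] += 1
        if ROUTE_CMD_RE.search(line):
            report["failed_route_cmds"] += 1
        if "Initialization Sequence Completed" in line:
            report["completed"] = True

    if report["completed"] and report["denied_routes"]:
        # The client reports success, but the pushed routes are missing,
        # so packets for the remote network follow the old routing table.
        report["findings"].append(
            f"tunnel up, {report['denied_routes']} route(s) rejected with access denied")
    if report["version"] and report["version"] < (2, 4, 0):
        # Per the moderator's reply: clients before 2.4 have no helper service.
        report["findings"].append(
            "client older than 2.4: route changes need admin rights")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Matching on `status=5` rather than on the message text keeps the check working on non-German Windows installations, where "Zugriff verweigert" appears in another language.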