Windows OS clients can't connect to the Internet



  • I currently have pfSense set up to route all network traffic through a client VPN configured in the pfSense box; it works great.

    I also have an OpenVPN server configured on my pfSense box, with Server clients successfully able to connect and access the LAN.

    I need for my clients connecting to my pfSense OpenVPN server to be able to access the internet (not just the LAN).

    What is strange is that clients who connect through a Linux OS are able to access the internet, and clients who connect through Windows OS can't connect to the Internet.

    OpenVPN settings Screenshot attached:
    https://ibb.co/bZxZBJ

    Help please :)



  • @bugnet:

    I need for my clients connecting to my pfSense OpenVPN server to be able to access the internet (not just the LAN).

    And you want to route the upstream traffic to internet resources over the vpn?

    @bugnet:

    What is strange is that clients who connect through a Linux OS are able to access the internet, and clients who connect through Windows OS can't connect to the Internet.

    I guess, the Windows clients set the route over the vpn and Linux clients don't.



  • No, I don't want to route the traffic to internet over the vpn server.
    Only the clients go out to internet in the regular way….



  • So go to the server settings and remove the check from "Redirect gateway" and enter the local networks you want to access from the clients in the "Local network/s" box.



  • @viragomann:

    So go to the server settings and remove the check from "Redirect gateway" and enter the local networks you want to access from the clients in the "Local network/s" box.

    The "Redirect gateway" is already unchecked. "Local Network" works OK.
    The only problem is with Windows OS, which can't access the external internet (Mac OS and Linux work fine).
    I've also tried to push them to DNS settings - also does not work…

    very strange ....



  • To ensure that it's not a DNS issue, try to access a host in the internet by its IP address.

    Please tell, what your vpn tunnel network is and post the routing table of the Windows client.

    Does it affect only Windows 10 or also older versions?



  • @viragomann:

    To ensure that it's not a DNS issue, try to access a host in the internet by its IP address.

    Please tell, what your vpn tunnel network is and post the routing table of the Windows client.

    Does it affect only Windows 10 or also older versions?

    1. ping to 8.8.8.8 works fine.
    2. my VPN network is 192.168.60.0/24
    3. Until now I see the problem only with Windows 10.
    4. route:

    ===========================================================================
    Interface List
      5...00 ff 27 f9 cd f3 ......TAP-Windows Adapter V9
      8...fc 3f db 48 98 cd ......Intel(R) Ethernet Connection (3) I218-LM
      4...0a 00 27 00 00 04 ......VirtualBox Host-Only Ethernet Adapter
    19...64 80 99 96 54 d4 ......Microsoft Wi-Fi Direct Virtual Adapter
    18...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
    12...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
    14...64 80 99 96 54 d3 ......Intel(R) Dual Band Wireless-AC 7265
    11...64 80 99 96 54 d7 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    13...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
      7...90 83 86 5a 50 51 ......HP hs3110 HSPA+ Mobile Broadband Device

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.7.254    192.168.4.254    45
        10.111.111.0    255.255.255.0    192.168.60.1    192.168.60.2      3
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
          192.168.1.0    255.255.255.0    192.168.60.1    192.168.60.2      3
          192.168.2.0    255.255.255.0        On-link      192.168.2.1    291
          192.168.2.1  255.255.255.255        On-link      192.168.2.1    291
        192.168.2.255  255.255.255.255        On-link      192.168.2.1    291
          192.168.4.0    255.255.252.0        On-link    192.168.4.254    301
        192.168.4.254  255.255.255.255        On-link    192.168.4.254    301
        192.168.7.255  255.255.255.255        On-link    192.168.4.254    301
        192.168.41.0    255.255.255.0        On-link      192.168.41.1    291
        192.168.41.1  255.255.255.255        On-link      192.168.41.1    291
      192.168.41.255  255.255.255.255        On-link      192.168.41.1    291
        192.168.56.0    255.255.255.0        On-link      192.168.56.1    281
        192.168.56.1  255.255.255.255        On-link      192.168.56.1    281
      192.168.56.255  255.255.255.255        On-link      192.168.56.1    281
        192.168.60.0    255.255.255.0        On-link      192.168.60.2    259
        192.168.60.2  255.255.255.255        On-link      192.168.60.2    259
      192.168.60.255  255.255.255.255        On-link      192.168.60.2    259
        192.168.235.0    255.255.255.0    192.168.60.1    192.168.60.2      3
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
            224.0.0.0        240.0.0.0        On-link      192.168.56.1    281
            224.0.0.0        240.0.0.0        On-link    192.168.4.254    301
            224.0.0.0        240.0.0.0        On-link      192.168.41.1    291
            224.0.0.0        240.0.0.0        On-link      192.168.2.1    291
            224.0.0.0        240.0.0.0        On-link      192.168.60.2    259
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
      255.255.255.255  255.255.255.255        On-link      192.168.56.1    281
      255.255.255.255  255.255.255.255        On-link    192.168.4.254    301
      255.255.255.255  255.255.255.255        On-link      192.168.41.1    291
      255.255.255.255  255.255.255.255        On-link      192.168.2.1    291
      255.255.255.255  255.255.255.255        On-link      192.168.60.2    259

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
      4    281 fe80::/64                On-link
    14    301 fe80::/64                On-link
    12    291 fe80::/64                On-link
    18    291 fe80::/64                On-link
      5    259 fe80::/64                On-link
      4    281 fe80::1946:4586:734e:9150/128
                                        On-link
    18    291 fe80::21ab:537f:9d4d:434/128
                                        On-link
    12    291 fe80::5d52:1a45:739b:94fb/128
                                        On-link
      5    259 fe80::b832:e27a:5fc8:b788/128
                                        On-link
    14    301 fe80::e1cb:44b6:33a4:37d7/128
                                        On-link
      1    331 ff00::/8                On-link
      4    281 ff00::/8                On-link
    14    301 ff00::/8                On-link
    12    291 ff00::/8                On-link
    18    291 ff00::/8                On-link
      5    259 ff00::/8                On-link

    Persistent Routes:
      None

    5. ipconfig /all :

    Host Name . . . . . . . . . . . . : DESKTOP-1432
      Primary Dns Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : testshope

    Ethernet adapter Ethernet 2:

    Connection-specific DNS Suffix  . : testshope
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-27-F9-CD-F3
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::b832:e27a:5fc8:b788%5(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.60.2(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : יום רביעי 16 מאי 2018 18:33:35
      Lease Expires . . . . . . . . . . : יום חמישי 16 מאי 2019 18:33:35
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 192.168.60.254
      DHCPv6 IAID . . . . . . . . . . . : 50396967
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-F3-FE-8F-FC-3F-DB-48-98-CD
      DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    6. I've also tried to push them to DNS settings - 8.8.8.8  also does not work...

    10x



  • @bugnet:

    1. ping to 8.8.8.8 works fine.

    So it's obviously a DNS issue.

    The routes are fine.

    Can the DNS server you've provided over vpn resolve public addresses? Try an nslookup with an established vpn connection and check if the host name can be resolved and which DNS server is requested.



  • @viragomann:

    @bugnet:

    1. ping to 8.8.8.8 works fine.

    So it's obviously a DNS issue.

    The routes are fine.

    Can the DNS server you've provided over vpn resolve public addresses? Try an nslookup with an established vpn connection and check if the host name can be resolved and which DNS server is requested.

    As you can see, the public address can't be resolved.

    C:\Users\sup1>nslookup
    DNS request timed out.
        timeout was 2 seconds.
    Default Server:  UnKnown
    Address:  8.8.8.8

    What could be the reason the DNS server 8.8.8.8 fails to resolve DNS?



  • So the client can't reach 8.8.8.8.  :o

    According to your routing table, it should be routed to your default gateway 192.168.7.254.
    Try a "tracert 8.8.8.8" to see where it gets stuck.

    Maybe it helps to route the DNS server over the vpn. To do so, add "8.8.8.8/32" to your "IPv4 Local networks" in the vpn server settings (comma separated from other networks).

    Also an outbound NAT rule for the vpn tunnel network on WAN is needed in this case. Maybe it was added automatically by pfSense.


 
