OpenVPN "Connected" but not routing..



  • Have just set up my first OpenVPN tunnel, and the following is the log I get:

    Tue Jun 12 18:58:36 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
    Tue Jun 12 18:58:36 2018 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Jun 12 18:58:36 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
    Enter Management Password:
    Tue Jun 12 18:58:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.x.xxx:1194
    Tue Jun 12 18:58:42 2018 UDP link local (bound): [AF_INET][undef]:1194
    Tue Jun 12 18:58:42 2018 UDP link remote: [AF_INET]xxx.xxx.x.xxx
    Tue Jun 12 18:58:42 2018 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.x.xxx:1194 [0]
    Tue Jun 12 18:58:42 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Jun 12 18:58:43 2018 [VPNApp] Peer Connection Initiated with [AF_INET]xxx.xxx.x.xxx:1194
    Tue Jun 12 18:58:44 2018 open_tun
    Tue Jun 12 18:58:44 2018 TAP-WIN32 device [Ethernet 2] opened: \.\Global{20F6A07A-780E-44C4-A1AE-C59DEF38DDCC}.tap
    Tue Jun 12 18:58:44 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.8.0/10.0.8.2/255.255.255.0 [SUCCEEDED]
    Tue Jun 12 18:58:44 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.2/255.255.255.0 on interface {20F6A07A-780E-44C4-A1AE-C59DEF38DDCC} [DHCP-serv: 10.0.8.254, lease-time: 31536000]
    Tue Jun 12 18:58:44 2018 Successful ARP Flush on interface [15] {20F6A07A-780E-44C4-A1AE-C59DEF38DDCC}
    Tue Jun 12 18:58:44 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Jun 12 18:58:49 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]
    Tue Jun 12 18:58:49 2018 Initialization Sequence Completed

    It shows up as "Connected", but it really isn't? The following line concerns me:

    Tue Jun 12 18:58:49 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]

    How can I fix this? Subnet issue?
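    As an added example (not code from the thread), the script below triages an OpenVPN client log of the kind posted above: it separates the lines that matter (TLS errors, failed route additions, warnings) from the final "Initialization Sequence Completed" line, which OpenVPN prints even when a pushed route could not be installed, so the GUI's "Connected" state says nothing about whether traffic will actually be routed. The sample log is constructed from the lines in the post, with the same redacted addresses; only Python's standard library is used.

    ```python
    import re

    # Constructed sample, modelled on the client log in the post above
    # (remote address redacted exactly as in the original).
    SAMPLE_LOG = """\
    Tue Jun 12 18:58:42 2018 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.x.xxx:1194 [0]
    Tue Jun 12 18:58:42 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Jun 12 18:58:43 2018 [VPNApp] Peer Connection Initiated with [AF_INET]xxx.xxx.x.xxx:1194
    Tue Jun 12 18:58:44 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.8.0/10.0.8.2/255.255.255.0 [SUCCEEDED]
    Tue Jun 12 18:58:49 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]
    Tue Jun 12 18:58:49 2018 Initialization Sequence Completed
    """

    # "Tue Jun 12 18:58:42 2018 " prefix that OpenVPN puts on every line.
    TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
    # Trailing "[status=87 if_index=15]" on a failed route addition.
    ROUTE_STATUS = re.compile(r"\[status=(\d+) if_index=(\d+)\]")
    # "network/local/netmask = 10.0.8.0/10.0.8.2/255.255.255.0" on the TUN setup line.
    TUN_SUBNET = re.compile(r"network/local/netmask = (\S+)/(\S+)/(\S+)")


    def strip_timestamp(line):
        """Return the message part of one OpenVPN log line."""
        return TIMESTAMP.sub("", line.strip())


    def triage(log_text):
        """Classify an OpenVPN client log and decide whether the tunnel is usable.

        Returns a dict with the error/warning lines, the TUN addressing that was
        applied, and a 'usable' verdict that is True only when initialization
        completed AND no route addition failed.
        """
        result = {
            "errors": [],
            "warnings": [],
            "tls_errors": 0,
            "route_failures": [],   # list of (status, if_index) tuples
            "tun": None,            # (network, local, netmask) once the TUN is set up
            "init_completed": False,
        }
        for raw in log_text.splitlines():
            msg = strip_timestamp(raw)
            if not msg:
                continue
            if msg.startswith("TLS Error"):
                result["tls_errors"] += 1
                result["errors"].append(msg)
            elif msg.startswith("ROUTE: route addition failed"):
                m = ROUTE_STATUS.search(msg)
                status = (int(m.group(1)), int(m.group(2))) if m else (None, None)
                result["route_failures"].append(status)
                result["errors"].append(msg)
            elif msg.startswith("WARNING:"):
                result["warnings"].append(msg)
            elif msg.startswith("Set TAP-Windows TUN subnet mode"):
                m = TUN_SUBNET.search(msg)
                if m:
                    result["tun"] = (m.group(1), m.group(2), m.group(3))
            elif msg == "Initialization Sequence Completed":
                result["init_completed"] = True
        # "Connected" in the GUI corresponds to init_completed; a tunnel that
        # came up but could not install its routes will not carry traffic.
        result["usable"] = result["init_completed"] and not result["route_failures"]
        return result


    if __name__ == "__main__":
        verdict = triage(SAMPLE_LOG)
        print("initialization completed:", verdict["init_completed"])
        print("usable:", verdict["usable"])
        for line in verdict["errors"]:
            print("ERROR  ", line)
        for line in verdict["warnings"]:
            print("WARNING", line)
    ```

    Running it on the sample reports `initialization completed: True` but `usable: False`, because the route addition with status 87 is recorded as an error; the TLS keys-out-of-sync line is also surfaced, which matches the second poster's remark that there may be a certificate problem as well.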



  • Would need more info to advise on routing. Post your server1.conf.

    Also, it looks like you may have a cert issue.



  • If that's something from the pfSense GUI or Console, then I will get to you with that soon. Also, I'm assigning the specific user SSL certs + the group certs... It tells me connected, but I stay on my physical local network...

    Thanks for the reply, will get back to you soon with more details...



  • dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.x.xxx 1194 udp
    verify-x509-name "VPNApp" name
    auth-user-pass
    pkcs12 pfSense-UDP4-1194-ryany.p12
    tls-auth pfSense-UDP4-1194-ryany-tls.key 1
    remote-cert-tls server



  • That looks like the client config, we need the server config.

    Your server1.conf is here:

    /var/etc/openvpn
    

    You can get there via the shell or Diagnostics -> Edit File



  • dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xxx.xxx.x.xxx
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9jYWwgRGF0YWJhc2U= false server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPNApp' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 32
    push "route 192.168.1.1 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    persist-remote-ip
    float
    topology subnet
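    Added example, not code from the thread or from pfSense. The server config above pushes `route 192.168.1.1 255.255.255.0`. A `route` or `server` directive has to name the network address that belongs to its mask (192.168.1.0 for a 255.255.255.0 mask), and an address with host bits set is one thing worth ruling out when a client logs a failed route addition; whether that is what produced the `status=87` line in this thread is an assumption, not something the posts establish. The script below, using only Python's standard `ipaddress` and `shlex` modules, scans `push "route ..."`, `route` and `server` lines for that mismatch and reports the aligned network address to use instead. The sample config is a constructed excerpt modelled on the posted server1.conf.

    ```python
    import ipaddress
    import shlex

    # Constructed excerpt modelled on the server1.conf posted above, plus one
    # extra correctly aligned push route for contrast.
    SAMPLE_SERVER_CONF = """\
    # constructed sample, not a real pfSense-generated file
    dev ovpns1
    proto udp4
    server 10.0.8.0 255.255.255.0
    push "route 192.168.1.1 255.255.255.0"
    push "route 10.20.0.0 255.255.0.0"
    topology subnet
    """

    # Directives whose first two arguments are <network> <netmask>.
    NETWORK_DIRECTIVES = ("route", "server")


    def check_route(addr, mask):
        """Return (aligned, network_address) for an address/netmask pair.

        'aligned' is True when addr has no host bits set under mask. Raises
        ValueError for input that is not an IPv4 address or netmask.
        """
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        network = str(net.network_address)
        return network == addr, network


    def lint_routes(conf_text):
        """Scan an OpenVPN server config for route/server directives whose
        address is not the network address for the given mask.

        Returns a list of (line_number, original_line, message) findings.
        """
        findings = []
        for lineno, raw in enumerate(conf_text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            tokens = shlex.split(line)
            # push "route A M" -> unwrap the quoted inner directive
            if tokens[0] == "push" and len(tokens) == 2:
                tokens = tokens[1].split()
            if tokens[0] not in NETWORK_DIRECTIVES or len(tokens) < 3:
                continue
            addr, mask = tokens[1], tokens[2]
            try:
                aligned, network = check_route(addr, mask)
            except ValueError as exc:
                findings.append((lineno, raw.strip(), f"could not parse {addr}/{mask}: {exc}"))
                continue
            if not aligned:
                findings.append((
                    lineno,
                    raw.strip(),
                    f"{addr} is not the network address for mask {mask}; use {network}",
                ))
        return findings


    if __name__ == "__main__":
        for lineno, line, message in lint_routes(SAMPLE_SERVER_CONF):
            print(f"line {lineno}: {line}\n    {message}")
    ```

    On the sample this flags only the `192.168.1.1` line and suggests `192.168.1.0`; the `server` directive and the second push route pass. In pfSense the pushed route comes from the "IPv4 Local network(s)" field of the OpenVPN server, so that is where the value would be corrected rather than in the generated file.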



  • Still haven't gotten OpenVPN to work properly.. Don't know what's wrong, I've tried various forms of certs, and still nothing.



  • This is what I still get on the GUI, but I'm not really VPN'd in...

    [image: openVPNbs.png]



  • Did you ever get this working? I have the same issue. My OpenVPN status shows "up", but nothing is being routed through it. I tried multiple services, configured to the letter. When I check my IP I'm still connected through my standard connection.



  • @wormuths Yes I did. It's most likely a WAN rule issue for you too, as that's the first barrier OpenVPN encounters.

    [image: WAN rule.png]

    Also make sure your rules include TCP/UDP and not just one or the other (unless you want it like that)

    Something so simple, but some OpenVPN "Experts" couldn't even tell me what was wrong 😆 😆

    Let me know how it goes.



  • Nope. LOL

    I created that rule, but same thing. Still shows my real IP. In all the tutorials I followed, once OpenVPN was set up, people couldn't browse until they went in and copied the NAT rules for the OpenVPN interface.

    I didn't have that problem. I can browse even without creating the NAT outbound rules, but creating them makes no difference either. This is insanely frustrating.



  • @wormuths Make sure your OpenVPN setup has this ticked off

    [image: red.png]

    Also are you bridging the connections or is it going to be on a separate subnet like 10.0.8.0?



  • Sorry. Where is that setting?

    This is a relatively new setup, but I have 4 interfaces besides WAN. I just have default pass rules set up for each right now so everything talks internally, and can get online. My goal is to set up specific pass rules after some testing period to ensure everything works first. It's a learning experience, so I'm just not locked down right now in the onset. Allowing all outbound, but nothing coming in except Plex is set up through NAT and works. No other incoming allowed.

    The only incoming rule for WAN right now is the NAT rule for Plex. I set up the OpenVPN with the hopes of getting that part functioning, and then I'll disable the default "allow all" internal rules and start specifically specifying what can connect to each other.

    Right now, all works, it just won't pass traffic through the VPN...



  • @wormuths VPN/OpenVPN/Servers (There should be only one listed)/Edit
    Also take a look at the type of Protocol, and keep it consistent on all your rules.
    Also are you using SSL/TLS?
    You may need to re-export the client file and try again after changing some settings.



  • I don't have a server setup. All the tutorials had me setup a client.



  • TLS





  • @wormuths The tutorials are bad. Go to the wizard under VPN/OpenVPN and set up a server. And then recreate your clients with user certs AND then the server certs. This is SSL/TLS authentication, it's how I have it set up. It may get confusing, but there is not a tutorial about this one.

    I'd try to help you remotely, if you're up for it.



  • Okay. I appreciate the help. I'll run through trying to go the wizard route tomorrow and post back how it works out.

    Long workday today, time to crash!!

    TTYL, and thanks!



  • Okay, so I don't know if some setting got "stuck" and corrected when I was clicking around, but it came up and is working now...

    Thanks for the help!!



  • @wormuths no problem! Good luck with it

