Netgate Discussion Forum

    I install openvpn on pfsense but vpnclient can't access to LAN ?????

      dinhvietbk

      I installed OpenVPN on pfSense 1.2.2 with this configuration:
      server (pfSense)
      protocol TCP
      Dynamic IP checked
      Local port 1194
      address pool 192.168.100.0/24
      local network 192.168.1.0
      client-to-client checked
      cryptography BF-CBC (128 bit)
      authentication PKI
      DNS-server
      redirect gateway checked
      client (Windows)

      ##############################################
      # Sample client-side OpenVPN 2.0 config file #
      # for connecting to multi-client server.     #
      #                                            #
      # This configuration can be used by multiple #
      # clients, however each client should have   #
      # its own cert and key files.                #
      #                                            #
      # On Windows, you might want to rename this  #
      # file so it has a .ovpn extension           #
      ##############################################

      # Specify that we are a client and that we
      # will be pulling certain config file directives
      # from the server.
      client

      # Use the same setting as you are using on
      # the server.
      # On most systems, the VPN will not function
      # unless you partially or fully disable
      # the firewall for the TUN/TAP interface.
      ;dev tap
      dev tun

      # Windows needs the TAP-Win32 adapter name
      # from the Network Connections panel
      # if you have more than one.  On XP SP2,
      # you may need to disable the firewall
      # for the TAP adapter.
      ;dev-node MyTap

      # Are we connecting to a TCP or
      # UDP server?  Use the same setting as
      # on the server.
      ;proto tcp
      proto tcp

      # The hostname/IP and port of the server.
      # You can have multiple remote entries
      # to load balance between the servers.
      remote 192.168.2.10 1194

      # Choose a random host from the remote
      # list for load-balancing.  Otherwise
      # try hosts in the order specified.
      ;remote-random

      # Keep trying indefinitely to resolve the
      # host name of the OpenVPN server.  Very useful
      # on machines which are not permanently connected
      # to the internet such as laptops.
      resolv-retry infinite

      # Most clients don't need to bind to
      # a specific local port number.
      nobind

      # Downgrade privileges after initialization (non-Windows only)
      ;user nobody
      ;group nobody

      # Try to preserve some state across restarts.
      persist-key
      persist-tun

      # If you are connecting through an
      # HTTP proxy to reach the actual OpenVPN
      # server, put the proxy server/IP and
      # port number here.  See the man page
      # if your proxy server requires
      # authentication.
      ;http-proxy-retry # retry on connection failures
      ;http-proxy [proxy server] [proxy port #]

      # Wireless networks often produce a lot
      # of duplicate packets.  Set this flag
      # to silence duplicate packet warnings.
      ;mute-replay-warnings

      # SSL/TLS parms.
      # See the server config file for more
      # description.  It's best to use
      # a separate .crt/.key file pair
      # for each client.  A single ca
      # file can be used for all clients.
      ca ca.crt
      cert client3.crt
      key client3.key

      # Verify server certificate by checking
      # that the certicate has the nsCertType
      # field set to "server".  This is an
      # important precaution to protect against
      # a potential attack discussed here:
      #  http://openvpn.net/howto.html#mitm
      #
      # To use this feature, you will need to generate
      # your server certificates with the nsCertType
      # field set to "server".  The build-key-server
      # script in the easy-rsa folder will do this.
      ;ns-cert-type server

      # If a tls-auth key is used on the server
      # then every client must also have the key.
      ;tls-auth ta.key 1

      # Select a cryptographic cipher.
      # If the cipher option is used on the server
      # then you must also specify it here.
      ;cipher x

      # Enable compression on the VPN link.
      # Don't enable this unless it is also
      # enabled in the server config file.
      comp-lzo

      # Set log file verbosity.
      verb 3

      # Silence repeating messages
      ;mute 20

      Rules on pfSense:
      LAN: pass any any
      WAN: protocol TCP, any any, on port 1194
      I connected from the VPN client (Windows) to the OpenVPN server and can access the LAN interface of the pfSense server, but I can't access the clients on the LAN network.

      This is the log on the VPN client:

      Sat Jun 13 16:51:24 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
      Sat Jun 13 16:51:24 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Sat Jun 13 16:51:24 2009 LZO compression initialized
      Sat Jun 13 16:51:24 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
      Sat Jun 13 16:51:24 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
      Sat Jun 13 16:51:24 2009 Local Options hash (VER=V4): '69109d17'
      Sat Jun 13 16:51:24 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
      Sat Jun 13 16:51:24 2009 Attempting to establish TCP connection with 192.168.2.10:1194
      Sat Jun 13 16:51:24 2009 TCP connection established with 192.168.2.10:1194
      Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link local: [undef]
      Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link remote: 192.168.2.10:1194
      Sat Jun 13 16:51:24 2009 TLS: Initial packet from 192.168.2.10:1194, sid=7c2aac3c b4addd76
      Sat Jun 13 16:51:25 2009 VERIFY OK: depth=1, /C=VN/ST=CA/L=HaNoi/O=BKIS/CN=pfsenseCA/emailAddress=vietnd@bkav.com.vn
      Sat Jun 13 16:51:25 2009 VERIFY OK: depth=0, /C=VN/ST=CA/O=BKIS/CN=server/emailAddress=vietnd@bkav.com.vn
      Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Sat Jun 13 16:51:25 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
      Sat Jun 13 16:51:25 2009 [server] Peer Connection Initiated with 192.168.2.10:1194
      Sat Jun 13 16:51:26 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
      Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: timers and/or timeouts modified
      Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ifconfig/up options modified
      Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: route options modified
      Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Sat Jun 13 16:51:27 2009 TAP-WIN32 device [Local Area Connection 11] opened: \\.\Global\{CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}.tap
      Sat Jun 13 16:51:27 2009 TAP-Win32 Driver Version 8.4
      Sat Jun 13 16:51:27 2009 TAP-Win32 MTU=1500
      Sat Jun 13 16:51:27 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.10/255.255.255.252 on interface {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE} [DHCP-serv: 192.168.100.9, lease-time: 31536000]
      Sat Jun 13 16:51:27 2009 Successful ARP Flush on interface [6] {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}
      Sat Jun 13 16:51:27 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
      Sat Jun 13 16:51:27 2009 Route: Waiting for TUN/TAP interface to come up...
      Sat Jun 13 16:51:28 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
      Sat Jun 13 16:51:28 2009 Route: Waiting for TUN/TAP interface to come up...
      Sat Jun 13 16:51:29 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
      Sat Jun 13 16:51:29 2009 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.9
      Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
      Sat Jun 13 16:51:29 2009 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.9
      Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
      Sat Jun 13 16:51:29 2009 Initialization Sequence Completed

      Can you help me with this problem?
      Thanks very much.
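The client log above already answers one question: the server pushed routes for 192.168.1.0/24 and 192.168.100.0/24, the Windows client installed both, and the only warning is the disabled server-certificate check (the posted config leaves ";ns-cert-type server" commented out). The script below, an added example for this thread and not code from pfSense or OpenVPN, pulls those facts out of an OpenVPN 2.x client log so they can be checked instead of read by eye; the sample log lines are constructed from the ones posted above.

```python
"""Triage an OpenVPN 2.x client log: which routes the server pushed, which
routes the client actually installed, and whether server-certificate
verification was enabled.  Added example, not OpenVPN or pfSense code."""
import re

# Constructed sample: a trimmed copy of the client log posted in this thread.
SAMPLE_LOG = """\
Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
Sat Jun 13 16:51:29 2009 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<msg>[^']*)'")
ROUTE_ADD_RE = re.compile(r"route ADD (?P<net>\S+) MASK (?P<mask>\S+) (?P<gw>\S+)")


def parse_push_reply(log_text):
    """Split the PUSH_REPLY into the options that matter for reachability:
    pushed routes, the tunnel ifconfig pair and any pushed DNS servers.
    Returns None when the log holds no PUSH_REPLY at all."""
    m = PUSH_RE.search(log_text)
    if not m or not m.group("msg").startswith("PUSH_REPLY"):
        return None
    pushed = {"routes": [], "ifconfig": None, "dns": []}
    for opt in m.group("msg").split(",")[1:]:
        words = opt.split()
        if words[0] == "route" and len(words) >= 3:
            pushed["routes"].append((words[1], words[2]))
        elif words[0] == "ifconfig" and len(words) >= 3:
            pushed["ifconfig"] = (words[1], words[2])
        elif words[0] == "dhcp-option" and len(words) >= 3 and words[1] == "DNS":
            pushed["dns"].append(words[2])
    return pushed


def installed_routes(log_text):
    """Routes the Windows client reported adding, keyed like the pushed ones."""
    return [(m["net"], m["mask"]) for m in ROUTE_ADD_RE.finditer(log_text)]


def triage(log_text):
    """Cross-check pushed routes against installed ones and flag the
    security-relevant warning the client prints at startup."""
    pushed = parse_push_reply(log_text) or {"routes": [], "ifconfig": None, "dns": []}
    installed = installed_routes(log_text)
    # Every pushed route should show up as an installed one; a missing entry
    # means the client never learned the path to the remote LAN.
    missing = [r for r in pushed["routes"] if r not in installed]
    return {
        "pushed_routes": pushed["routes"],
        "missing_routes": missing,
        "tunnel_ifconfig": pushed["ifconfig"],
        "dns": pushed["dns"],
        # With ';ns-cert-type server' commented out the client accepts any
        # certificate signed by the CA as the server, which is what the
        # WARNING line reports.
        "server_cert_verified": "No server certificate verification method" not in log_text,
        "completed": "Initialization Sequence Completed" in log_text,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When "missing_routes" is empty and "completed" is true, as it is for the log in this post, the client side of the routing is in order and the fault has to be on the return path or in overlapping address ranges, which is what the replies below discuss.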

        XIII

        #1 problem: are both networks (user and pfSense) using the same network address scheme (192.168.0.1/24 or similar)? They will connect but have no access to anything other than the VPN connection. If so, that's the problem; set pfSense to be 10.x.x.x or 172.16.x.x.

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

          Bern

          Any reason you're using TCP?

          OpenVPN over UDP gives much better performance and you don't have to faff around with MTU sizes.

            szymi

            Have you added a route to the VPN on your local LAN's router? You will need that to enable packet routing between your local and remote computers. Simple home routers enable configuration of a few static routes (some are even capable of running RIP). You will need to add a static route to your VPN subnet in your router's configuration. If, for instance, the address of the VPN's virtual interface on your server is 10.8.0.1, your VPN's subnet will most likely be 10.8.0.0/24. I'll use these addresses in my example below. In my Linksys home router to add a route I go to Setup tab, then choose Advanced Routing (it can vary depending on router's manufacturer), and there I type in the following:

            Enter Route Name: VPN (or any other name you want)
            Destination LAN IP: 10.8.0.0
            Subnet mask: 255.255.255.0
            Default gateway: 192.168.1.254 (<=== this is the VPN server's IP on the LAN)

            Obviously adjust IP addressing to your particular setup. That should do the trick.

            Good luck

            http://szymi.bogsite.org
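Both replies describe routing-table effects, and a small simulation makes them concrete. The script below is an added example for this thread, not pfSense, OpenVPN or router code. It models a constructed topology built from szymi's addresses (VPN server 192.168.1.254 with tunnel address 10.8.0.1, a LAN host whose default gateway is a home router at 192.168.1.1, a VPN client at 10.8.0.6) and walks a packet hop by hop with longest-prefix matching. Run it once without and once with the static route szymi adds on the router, and once with the client's own LAN also numbered 192.168.1.0/24, the collision XIII asks about.

```python
"""Why a VPN client can reach the pfSense box but not the hosts behind it:
a small longest-prefix-match router that walks a packet hop by hop.
Added example; all hosts, addresses and routing tables are constructed."""
import ipaddress


class Host:
    """A node with its addresses and a routing table of
    (prefix, next_hop, interface, metric); next_hop None means directly connected."""
    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = set(addresses)
        self.routes = [(ipaddress.ip_network(p), nh, iface, metric)
                       for p, nh, iface, metric in routes]

    def lookup(self, dst):
        """Longest prefix wins; on equal length the lowest metric wins, so a
        directly connected /24 beats a pushed VPN route for the same /24."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def trace(hosts, src, dst, max_hops=8):
    """Walk a packet from host `src` toward address `dst`. Returns the node
    names crossed, ending in 'DELIVERED via <iface>', 'BLACKHOLE' (no route,
    or a next hop we do not model such as the ISP) or 'LOOP'."""
    by_addr = {a: h for h in hosts.values() for a in h.addresses}
    path, cur = [src], hosts[src]
    for _ in range(max_hops):
        route = cur.lookup(dst)
        if route is None:
            return path + ["BLACKHOLE"]
        _, next_hop, iface, _ = route
        if next_hop is None:
            return path + [f"DELIVERED via {iface}"]
        nxt = by_addr.get(next_hop)
        if nxt is None:
            return path + ["BLACKHOLE"]
        path.append(nxt.name)
        cur = nxt
    return path + ["LOOP"]


def build_lab(router_has_vpn_route, client_lan="192.168.0.0/24"):
    """Constructed topology using szymi's addresses: VPN server 192.168.1.254
    (tunnel 10.8.0.1), a LAN host defaulting to the home router 192.168.1.1,
    and a VPN client on tunnel address 10.8.0.6."""
    router_routes = [("192.168.1.0/24", None, "lan", 0),
                     ("0.0.0.0/0", "203.0.113.1", "wan", 0)]  # ISP, not modelled
    if router_has_vpn_route:  # the static route from szymi's reply
        router_routes.append(("10.8.0.0/24", "192.168.1.254", "lan", 0))
    hosts = [
        Host("vpn-client", {"10.8.0.6"}, [
            (client_lan, None, "eth0", 0),            # the client's own LAN
            ("10.8.0.0/24", "10.8.0.1", "tun0", 1),   # pushed by the server
            ("192.168.1.0/24", "10.8.0.1", "tun0", 1)]),
        Host("vpn-server", {"10.8.0.1", "192.168.1.254"}, [
            ("10.8.0.0/24", None, "tun0", 0),
            ("192.168.1.0/24", None, "lan", 0)]),
        Host("lan-host", {"192.168.1.20"}, [
            ("192.168.1.0/24", None, "eth0", 0),
            ("0.0.0.0/0", "192.168.1.1", "eth0", 0)]),
        Host("router", {"192.168.1.1"}, router_routes),
    ]
    return {h.name: h for h in hosts}


def main():
    for has_route in (False, True):
        lab = build_lab(has_route)
        print(f"router static route for 10.8.0.0/24: {has_route}")
        print("  client -> LAN host:", " > ".join(trace(lab, "vpn-client", "192.168.1.20")))
        print("  LAN host -> client:", " > ".join(trace(lab, "lan-host", "10.8.0.6")))
    # XIII's case: the client's own LAN is also 192.168.1.0/24, so the pushed
    # route never wins and the packet stays on the local segment.
    lab = build_lab(True, client_lan="192.168.1.0/24")
    print("overlapping /24:", " > ".join(trace(lab, "vpn-client", "192.168.1.20")))


if __name__ == "__main__":
    main()
```

The forward direction succeeds in every run, which matches the symptom in the question: the client can reach the firewall. Without the static route the LAN host's reply reaches the home router and leaves for the ISP, so the conversation never completes; with it the reply is handed to the VPN server and enters the tunnel. In the overlapping case the client never even sends into the tunnel, because its directly connected /24 wins the lookup.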

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.