I installed OpenVPN on pfSense but the VPN client can't access the LAN?



  • I installed OpenVPN on pfSense 1.2.2 with this configuration:
    server (pfSense)
    protocol TCP
    Dynamic IP checked
    Local port 1194
    address pool 192.168.100.0/24
    local network 192.168.1.0
    client-to-client checked
    cryptography BF-CBC (128 bit)
    authentication PKI
    DNS server
    redirect gateway checked
    client (Windows)

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto tcp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote 192.168.2.10 1194

    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings

    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client3.crt
    key client3.key

    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20

    Rules on pfSense:
    LAN: pass any any
    WAN: protocol TCP, any any, on port 1194
    I connected from the VPN client (Windows) to the OpenVPN server and can reach the LAN interface of the pfSense server, but I can't access the clients on the LAN network.

    This is the log on the VPN client:

    Sat Jun 13 16:51:24 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Sat Jun 13 16:51:24 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Sat Jun 13 16:51:24 2009 LZO compression initialized
    Sat Jun 13 16:51:24 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Sat Jun 13 16:51:24 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Jun 13 16:51:24 2009 Local Options hash (VER=V4): '69109d17'
    Sat Jun 13 16:51:24 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Sat Jun 13 16:51:24 2009 Attempting to establish TCP connection with 192.168.2.10:1194
    Sat Jun 13 16:51:24 2009 TCP connection established with 192.168.2.10:1194
    Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link local: [undef]
    Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link remote: 192.168.2.10:1194
    Sat Jun 13 16:51:24 2009 TLS: Initial packet from 192.168.2.10:1194, sid=7c2aac3c b4addd76
    Sat Jun 13 16:51:25 2009 VERIFY OK: depth=1, /C=VN/ST=CA/L=HaNoi/O=BKIS/CN=pfsenseCA/emailAddress=vietnd@bkav.com.vn
    Sat Jun 13 16:51:25 2009 VERIFY OK: depth=0, /C=VN/ST=CA/O=BKIS/CN=server/emailAddress=vietnd@bkav.com.vn
    Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jun 13 16:51:25 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Jun 13 16:51:25 2009 [server] Peer Connection Initiated with 192.168.2.10:1194
    Sat Jun 13 16:51:26 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
    Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: route options modified
    Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Jun 13 16:51:27 2009 TAP-WIN32 device [Local Area Connection 11] opened: \\.\Global\{CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}.tap
    Sat Jun 13 16:51:27 2009 TAP-Win32 Driver Version 8.4
    Sat Jun 13 16:51:27 2009 TAP-Win32 MTU=1500
    Sat Jun 13 16:51:27 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.10/255.255.255.252 on interface {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE} [DHCP-serv: 192.168.100.9, lease-time: 31536000]
    Sat Jun 13 16:51:27 2009 Successful ARP Flush on interface [6] {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}
    Sat Jun 13 16:51:27 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Sat Jun 13 16:51:27 2009 Route: Waiting for TUN/TAP interface to come up...
    Sat Jun 13 16:51:28 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Sat Jun 13 16:51:28 2009 Route: Waiting for TUN/TAP interface to come up...
    Sat Jun 13 16:51:29 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Sat Jun 13 16:51:29 2009 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.9
    Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
    Sat Jun 13 16:51:29 2009 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.9
    Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
    Sat Jun 13 16:51:29 2009 Initialization Sequence Completed

    Can you help me with this problem?
    Thanks very much.



  • #1 problem: are both networks (user and pfSense) using the same network address scheme (192.168.0.1/24 or similar)? They will connect, but there will be no access to anything other than the VPN connection itself. If so, that's the problem; set pfSense to a 10.x.x.x or 172.16.x.x range.



  • Any reason you're using TCP?

    OpenVPN over UDP gives much better performance and you don't have to faff around with MTU sizes.



  • Have you added a route to the VPN on your local LAN's router? You will need that to enable packet routing between your local and remote computers. Simple home routers enable configuration of a few static routes (some are even capable of running RIP). You will need to add a static route to your VPN subnet in your router's configuration. If, for instance, the address of the VPN's virtual interface on your server is 10.8.0.1, your VPN's subnet will most likely be 10.8.0.0/24. I'll use these addresses in my example below. In my Linksys home router to add a route I go to Setup tab, then choose Advanced Routing (it can vary depending on router's manufacturer), and there I type in the following:

    Enter Route Name: VPN (or any other name you want)
    Destination LAN IP: 10.8.0.0
    Subnet mask: 255.255.255.0
    Default gateway: 192.168.1.254 (<=== this is the VPN server's IP on the LAN)

    Obviously adjust IP addressing to your particular setup. That should do the trick.

    Good luck

    http://szymi.bogsite.org
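Added example covering the original post's client log together with the two diagnoses offered in the replies above (the address-overlap question in reply #1 and the missing static route on the LAN router in reply #3). It is not code from the thread, pfSense or OpenVPN. It parses the PUSH_REPLY line from the posted log, reports whether the LAN route and tunnel address are what the server settings say they should be, flags the "No server certificate verification" warning (the `;ns-cert-type server` line is still commented out in the posted client config), checks for prefix overlap with the client's own LAN, and then simulates where a LAN host's reply to the VPN client goes with and without the static route from reply #3. The client's local subnet (192.168.2.0/24), the pfSense LAN address (192.168.1.254, reply #3's figure) and a separate LAN router at 192.168.1.1 acting as the hosts' default gateway are assumptions; the thread does not state them.

```python
"""Added example, not code from the original thread or from pfSense/OpenVPN.

It parses the PUSH_REPLY from the client log posted above, checks the address
plan (the overlap question in reply #1) and simulates where a LAN host's reply
to the VPN client is sent (the static-route point in reply #3). Addresses the
thread does not state (the client's own LAN, a separate LAN router) are assumed.
"""
import ipaddress
import re

# Constructed sample: three lines taken from the client log posted in the thread.
SAMPLE_LOG = """\
Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
Sat Jun 13 16:51:29 2009 Initialization Sequence Completed
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # "local network" in the server settings
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")     # "address pool" in the server settings
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.254")  # pfSense's LAN address, reply #3's figure
LAN_ROUTER_IP = ipaddress.ip_address("192.168.1.1")     # assumed: a LAN router that is the hosts' default gateway


def parse_push_reply(log):
    """Return (tunnel_ip, peer_ip, pushed_routes) from the PUSH_REPLY line."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log)
    if m is None:
        raise ValueError("no PUSH_REPLY line in log")
    tun_ip = peer_ip = None
    routes = []
    for option in m.group(1).split(","):
        words = option.split()
        if words[0] == "route":
            # pushed as "route <network> <netmask>"; ipaddress accepts the netmask form
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif words[0] == "ifconfig":
            tun_ip = ipaddress.ip_address(words[1])
            peer_ip = ipaddress.ip_address(words[2])
    return tun_ip, peer_ip, routes


def check_client(log, client_local_net):
    """Client-side findings; client_local_net is the client's own LAN (assumed, e.g. '192.168.2.0/24')."""
    client_local_net = ipaddress.ip_network(client_local_net)
    tun_ip, peer_ip, routes = parse_push_reply(log)
    return {
        # caused by the ";ns-cert-type server" line being commented out in the client config
        "server_cert_unverified": "No server certificate verification" in log,
        "tunnel_ip_in_pool": tun_ip in VPN_POOL and peer_ip in VPN_POOL,
        "lan_route_pushed": any(LAN_NET.subnet_of(r) for r in routes),
        # reply #1: if the client's LAN uses the same prefix, LAN traffic never enters the tunnel
        "lan_overlaps_client": LAN_NET.overlaps(client_local_net),
        "pool_overlaps_client": VPN_POOL.overlaps(client_local_net),
    }


def next_hop(static_routes, default_gw, dst):
    """Longest-prefix match over (network, gateway) pairs; default gateway if nothing matches."""
    matches = [(net, gw) for net, gw in static_routes if dst in net]
    if not matches:
        return default_gw
    return max(matches, key=lambda pair: pair[0].prefixlen)[1]


def return_path_reaches_pfsense(host_default_gw, router_static_routes, dst):
    """Does a LAN host's reply to dst (a VPN client address) get back to pfSense?

    The host forwards to its default gateway. If that is pfSense, done. If it is
    the LAN router, the router must carry a static route for the VPN pool whose
    gateway is pfSense (reply #3); otherwise the reply leaves via the router's
    own default route and the VPN client only sees a timeout.
    """
    dst = ipaddress.ip_address(dst)
    hop = ipaddress.ip_address(host_default_gw)
    if hop == PFSENSE_LAN_IP:
        return True
    if hop != LAN_ROUTER_IP:
        return False
    routes = [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in router_static_routes]
    return next_hop(routes, None, dst) == PFSENSE_LAN_IP


if __name__ == "__main__":
    print(check_client(SAMPLE_LOG, "192.168.2.0/24"))
    client = "192.168.100.10"
    print("no static route on LAN router:", return_path_reaches_pfsense("192.168.1.1", [], client))
    print("with static route:            ",
          return_path_reaches_pfsense("192.168.1.1", [("192.168.100.0/24", "192.168.1.254")], client))
```

The symptom in the original post, pfSense's own LAN address answering while every other LAN host times out, is exactly what the return-path simulation reproduces: pfSense replies directly, but a host whose default gateway is another router sends its reply out that router's WAN unless the router has the static route from reply #3. A host firewall on the LAN machines that only accepts traffic from its own subnet gives the same symptom and is worth ruling out with the same test. The verification warning is independent of the connectivity problem, but it means the client would accept any certificate signed by the CA, including another client's, as the server.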

