I install openvpn on pfsense but vpnclient can't access to LAN ?????

dinhvietbk

I install Openvpn on pfsense 1.2.2 with configuiration :
server ( pfsense )
protocol TCP
Dynamic IP check
Local port 1194
address pool 192.168.100.0/24
local network 192.168.1.0
client-to-client check
crytography BF-CBC(128bit)
authen PKI
DNS-server
redirect gateway check
client  (windows)

##############################################

Sample client-side OpenVPN 2.0 config file

for connecting to multi-client server.

#                                            #

This configuration can be used by multiple

clients, however each client should have

its own cert and key files.

#                                            #

On Windows, you might want to rename this

file so it has a .ovpn extension

##############################################

Specify that we are a client and that we

will be pulling certain config file directives

from the server.

client

Use the same setting as you are using on

the server.

On most systems, the VPN will not function

unless you partially or fully disable

the firewall for the TUN/TAP interface.

;dev tap
dev tun

Windows needs the TAP-Win32 adapter name

from the Network Connections panel

if you have more than one.  On XP SP2,

you may need to disable the firewall

for the TAP adapter.

;dev-node MyTap

Are we connecting to a TCP or

UDP server?  Use the same setting as

on the server.

;proto tcp
proto tcp

The hostname/IP and port of the server.

You can have multiple remote entries

to load balance between the servers.

remote 192.168.2.10 1194

Choose a random host from the remote

list for load-balancing.  Otherwise

try hosts in the order specified.

;remote-random

Keep trying indefinitely to resolve the

host name of the OpenVPN server.  Very useful

on machines which are not permanently connected

to the internet such as laptops.

resolv-retry infinite

Most clients don't need to bind to

a specific local port number.

nobind

Downgrade privileges after initialization (non-Windows only)

;user nobody
;group nobody

Try to preserve some state across restarts.

persist-key
persist-tun

If you are connecting through an

HTTP proxy to reach the actual OpenVPN

server, put the proxy server/IP and

port number here.  See the man page

if your proxy server requires

authentication.

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

Wireless networks often produce a lot

of duplicate packets.  Set this flag

to silence duplicate packet warnings.

;mute-replay-warnings

SSL/TLS parms.

See the server config file for more

description.  It's best to use

a separate .crt/.key file pair

for each client.  A single ca

file can be used for all clients.

ca ca.crt
cert client3.crt
key client3.key

Verify server certificate by checking

that the certicate has the nsCertType

field set to "server".  This is an

important precaution to protect against

a potential attack discussed here:

#  http://openvpn.net/howto.html#mitm

To use this feature, you will need to generate

your server certificates with the nsCertType

field set to "server".  The build-key-server

script in the easy-rsa folder will do this.

;ns-cert-type server

If a tls-auth key is used on the server

then every client must also have the key.

;tls-auth ta.key 1

Select a cryptographic cipher.

If the cipher option is used on the server

then you must also specify it here.

;cipher x

Enable compression on the VPN link.

Don't enable this unless it is also

enabled in the server config file.

comp-lzo

Set log file verbosity.

verb 3

Silence repeating messages

;mute 20

rule on pfsense :
LAN : pass any any
WAN : protocol TCP  any any  on port 1194
I connected from vpnclient (windows) to openvpn server and access to card LAN of pfsense server but i can't access to clients on LAN netword..

This is log on vpn client

Sat Jun 13 16:51:24 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Jun 13 16:51:24 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jun 13 16:51:24 2009 LZO compression initialized
Sat Jun 13 16:51:24 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jun 13 16:51:24 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 13 16:51:24 2009 Local Options hash (VER=V4): '69109d17'
Sat Jun 13 16:51:24 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jun 13 16:51:24 2009 Attempting to establish TCP connection with 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TCP connection established with 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link local: [undef]
Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link remote: 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TLS: Initial packet from 192.168.2.10:1194, sid=7c2aac3c b4addd76
Sat Jun 13 16:51:25 2009 VERIFY OK: depth=1, /C=VN/ST=CA/L=HaNoi/O=BKIS/CN=pfsenseCA/emailAddress=vietnd@bkav.com.vn
Sat Jun 13 16:51:25 2009 VERIFY OK: depth=0, /C=VN/ST=CA/O=BKIS/CN=server/emailAddress=vietnd@bkav.com.vn
Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 13 16:51:25 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jun 13 16:51:25 2009 [server] Peer Connection Initiated with 192.168.2.10:1194
Sat Jun 13 16:51:26 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: –ifconfig/up options modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: route options modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jun 13 16:51:27 2009 TAP-WIN32 device [Local Area Connection 11] opened: \.\Global{CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}.tap
Sat Jun 13 16:51:27 2009 TAP-Win32 Driver Version 8.4
Sat Jun 13 16:51:27 2009 TAP-Win32 MTU=1500
Sat Jun 13 16:51:27 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.10/255.255.255.252 on interface {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE} [DHCP-serv: 192.168.100.9, lease-time: 31536000]
Sat Jun 13 16:51:27 2009 Successful ARP Flush on interface [6] {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}
Sat Jun 13 16:51:27 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Jun 13 16:51:27 2009 Route: Waiting for TUN/TAP interface to come up…
Sat Jun 13 16:51:28 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Jun 13 16:51:28 2009 Route: Waiting for TUN/TAP interface to come up...
Sat Jun 13 16:51:29 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Jun 13 16:51:29 2009 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 Initialization Sequence Completed

Can you help me this problem ??????
thanks very much

XIII

#1 problem: are both networks (user and pfsense) using the same network address scheme? (192.168.0.1/24 or similar) they will connect but no access to anything else other than a vpn connection. if so thats the problem set pfsense to be a 10.x.x.x or 172.16.x.x.

Bern

Any reason you're using TCP?

OpenVPN over UDP gives much better performance and you don't have to faff around with MTU sizes.

szymi

Have you added a route to the VPN on your local LAN's router? You will need that to enable packet routing between your local and remote computers. Simple home routers enable configuration of a few static routes (some are even capable of running RIP). You will need to add a static route to your VPN subnet in your router's configuration. If, for instance, the address of the VPN's virtual interface on your server is 10.8.0.1, your VPN's subnet will most likely be 10.8.0.0/24. I'll use these addresses in my example below. In my Linksys home router to add a route I go to Setup tab, then choose Advanced Routing (it can vary depending on router's manufacturer), and there I type in the following:

Enter Route Name: VPN (or any other name you want)
Destination lan IP: 10.8.0.0
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.254 (<=== this is the VPN server's IP on the LAN)

Obviously adjust IP addressing to your particular setup. That should do the trick.

Good luck

http://szymi.bogsite.org