OpenVPN LAN connection from client



  • Hi,
    I've set up a pfSense firewall with an OpenVPN server. I can connect from the client (winzoz XP) to the server (pfSense), but I can't access the LAN I've configured in pfSense.
    I can't ping or see the LAN's PCs. I've already read the OpenVPN docs… and it seems to be OK,
    so I think the problem is in my pfSense config...
    I've read some tutorials, but I have a doubt about the firewall and NAT rules: does OpenVPN need some special config to work?
    I've set this rule under Firewall > Rules > LAN:
    PROTO  SOURCE   PORT  DESTINATION                      PORT  GATEWAY
    UDP    LAN NET  *     (X.X.X.X, IP of OpenVPN client)  1194  *

    And this one under Firewall > Rules > WAN:
    PROTO  SOURCE  PORT  DESTINATION  PORT  GATEWAY
    UDP    *       *     *            1194  *

    What's wrong?

    Thanks, kind regards



  • Hello,

    Try this:

    PROTO  SOURCE   PORT  DESTINATION   PORT  GATEWAY
    *      LAN NET  *     pool openvpn  *     *

    And add this to your OpenVPN client config:
    route <LAN IP> <mask>

    :)




  • I have the same exact problem on TWO pfSense boxes, and I'm getting desperate.

    Client is a Mac using Tunnelblick.

    client config ----------

    client
    dev tap
    proto tcp
    remote xx.xx.xx.xx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca test.crt
    cert client1.crt
    key client1.key
    comp-lzo
    verb 3

    end client config -----------

    server config ---------

    writepid /var/run/openvpn_server0.pid
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tap
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 172.20.30.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 10.12.0.0 255.255.255.0"
    lport 1194
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    push "route-gateway 10.12.0.1"

    end server config -----------

    LAN  10.12.0.0/16
    Client's subnet 192.168.0.1/24

    Here are the client's routes when connected to the OVPN server:

    $ netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.0.1        UGSc       36     1253    en1
    10.12/24           10.12.0.1          UGSc        1        0    en1
    127                127.0.0.1          UCS         0        0    lo0
    127.0.0.1          127.0.0.1          UH          2     3667    lo0
    169.254            link#6             UCS         0        0    en1
    172.20.30.1/32     10.12.0.1          UGSc        0        0    en1
    172.20.30.4&0xac141e05 link#8             UC          1        0   tap0
    192.168.0          link#6             UCS         2        0    en1
    192.168.0.1        0:18:39:7d:3:c7    UHLW       33      180    en1    370
    192.168.0.101      127.0.0.1          UHS         3     1512    lo0
    192.168.0.255      link#6             UHLWb       2      125    en1
    255.255.255.254    ff:ff:ff:ff:ff:ff  UHLWb       1        2   tap0

    Client's connection log.

    Wed 09/09/09 01:25 AM:  remote='dev-type tun'
    Wed 09/09/09 01:25 AM:  remote='link-mtu 1544'
    Wed 09/09/09 01:25 AM:  remote='tun-mtu 1500'
    Wed 09/09/09 01:25 AM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed 09/09/09 01:25 AM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed 09/09/09 01:25 AM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed 09/09/09 01:25 AM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed 09/09/09 01:25 AM:  1024 bit RSA
    Wed 09/09/09 01:25 AM: [server] Peer Connection Initiated with xx.xx.xx.xx:1194
    Wed 09/09/09 01:25 AM:
    Wed 09/09/09 01:25 AM: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Wed 09/09/09 01:25 AM: ifconfig 172.20.30.6 172.20.30.5'
    Wed 09/09/09 01:25 AM: OPTIONS IMPORT: timers and/or timeouts modified
    Wed 09/09/09 01:25 AM: OPTIONS IMPORT: --ifconfig/up options modified
    Wed 09/09/09 01:25 AM: OPTIONS IMPORT: route options modified
    Wed 09/09/09 01:25 AM: OPTIONS IMPORT: route-related options modified
    Wed 09/09/09 01:25 AM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed 09/09/09 01:25 AM:  for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
    Wed 09/09/09 01:25 AM: ROUTE default_gateway=192.168.0.1
    Wed 09/09/09 01:25 AM: TUN/TAP device /dev/tap0 opened
    Wed 09/09/09 01:25 AM:
    Wed 09/09/09 01:25 AM: /sbin/ifconfig tap0 delete
    Wed 09/09/09 01:25 AM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Wed 09/09/09 01:25 AM: /sbin/ifconfig tap0 172.20.30.6 netmask 172.20.30.5 mtu 1500 up
    Wed 09/09/09 01:25 AM: /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tap0 1500 1576 172.20.30.6 172.20.30.5 init
    Wed 09/09/09 01:25 AM:
    Wed 09/09/09 01:25 AM: /sbin/route add -net 10.12.0.0 10.12.0.1 255.255.255.0
    Wed 09/09/09 01:25 AM: /sbin/route add -net 172.20.30.1 10.12.0.1 255.255.255.255
    Wed 09/09/09 01:25 AM: Initialization Sequence Completed

    If you need to see more, please let me know.
    There really aren't many rules set.
    I am also using IPsec, which works fine, so IPsec has a permissive rule set.

    LAN has this rule:
    Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
    *      LAN net  *     *            *     *

    There has to be something I'm missing here.



  • Got it working by following this:
    it was the tun/tap interface!

    http://forum.pfsense.org/index.php?topic=14647.0  ;)



  • Didn't make a difference for me.



  • @kmichal:

    I have the same exact problem on TWO pfSense boxes, and I'm getting desperate.

    The information is from three different setups. Anyway, the routes are all messed up and it will never work like that.

    He had to delete the following directive to get it to work.

    push "route-gateway 10.12.0.1"
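The cause named in this last reply can be checked mechanically. The following is an added example of my own, not code from the thread or from pfSense: it parses the three server directives quoted above and the two relevant rows of the poster's netstat output (both embedded as constructed excerpts), takes the tunnel subnet from the `server` directive, and reports a pushed route-gateway that the client cannot reach over the tap interface, which is exactly why the 10.12/24 route ended up on en1 instead of tap0.

```python
import ipaddress
import re
SERVER_CONF = """\
server 172.20.30.0 255.255.255.0
push "route 10.12.0.0 255.255.255.0"
push "route-gateway 10.12.0.1"
"""  # constructed: the three server directives quoted in the thread

NETSTAT = """\
10.12/24           10.12.0.1          UGSc        1        0    en1
172.20.30.1/32     10.12.0.1          UGSc        0        0    en1
"""  # constructed: the two relevant rows of the poster's netstat -nr

def parse_server_conf(text):
    """Return (tunnel subnet from 'server', pushed routes, pushed route-gateway or None)."""
    tunnel, routes, gateway = None, [], None
    for line in text.splitlines():
        if m := re.match(r'^server\s+(\S+)\s+(\S+)', line):
            tunnel = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r'^push\s+"route\s+(\S+)\s+(\S+)"', line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r'^push\s+"route-gateway\s+(\S+)"', line):
            gateway = ipaddress.ip_address(m[1])
    return tunnel, routes, gateway

def check_route_gateway(text):
    """Flag a pushed route-gateway that the client cannot reach over the tap interface."""
    tunnel, routes, gateway = parse_server_conf(text)
    if gateway is None:
        return []  # client falls back to the server's own tunnel address, which is reachable
    problems = []
    if gateway not in tunnel:
        problems.append(f"route-gateway {gateway} is outside the tunnel subnet {tunnel}")
    for net in routes:
        if gateway in net:
            problems.append(f"route-gateway {gateway} lies inside pushed route {net}")
    return problems

def misrouted(netstat_text, tunnel, iface="tap0"):
    """Return (destination, gateway, netif) rows whose next hop is not the tunnel."""
    bad = []
    for line in netstat_text.splitlines():
        cols = line.split()
        try:
            gw = ipaddress.ip_address(cols[1])
        except ValueError:
            continue  # link#N or MAC-address gateways are not IP next hops
        if gw not in tunnel or cols[5] != iface:
            bad.append((cols[0], cols[1], cols[5]))
    return bad
```

Running `check_route_gateway(SERVER_CONF)` on the quoted directives reports both faults (gateway outside 172.20.30.0/24 and inside the pushed 10.12.0.0/24 route), and `misrouted(NETSTAT, tunnel)` returns both netstat rows, since each points at 10.12.0.1 through en1.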