Client DHCP Address trouble



  • I have a problem with openVPN on pfSense 1.2.3 and mac clients (all i've tried so far). The client says the openVPN connection is established successfully, but I cant see any traffic going though the VPN tunnel. Either the traffic goes as normal (not though the tun/tap interface), or it does not work.

    I'm running openVPN with PKI, all keys/certs are created and I don't think the problem is there. The problem seems to be in client IP addresses and default gateway settings. I've specified a 10.0.1.0/24 network for clients and checked the "dynamic IP" checkbox. Accoring to the instruction I read this seems to enable DHCP for clients, although the explination for this checkbox seems to have changed in more recent version of pfsense. I've also entered 'push "redirect-gateway def1"' into the options field.

    This is the log from the client:

    Wed Oct 28 13:59:33 2009: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Wed Oct 28 13:59:33 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Oct 28 13:59:33 2009: LZO compression initialized
    Wed Oct 28 13:59:33 2009: TUN/TAP device /dev/tun0 opened
    Wed Oct 28 13:59:33 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tun0 1500 1544   init
    Wed Oct 28 13:59:33 2009: Attempting to establish TCP connection with <ip>:1194 [nonblock]
    Wed Oct 28 13:59:34 2009: TCP connection established with <ip>:1194
    Wed Oct 28 13:59:34 2009: TCPv4_CLIENT link local: [undef]
    Wed Oct 28 13:59:34 2009: TCPv4_CLIENT link remote: <ip>:1194
    Wed Oct 28 13:59:34 2009: [server] Peer Connection Initiated with <ip>:1194
    Wed Oct 28 13:59:36 2009: Initialization Sequence Completed</ip></ip></ip></ip>
    

    The VPN appears to be up, but no traffic is going though the tunnel. The tap0 interface has no IP:

    macbook#ifconfig
    tun0: flags=8850 <pointopoint,running,simplex,multicast>mtu 1500
    	open (pid 7475)</pointopoint,running,simplex,multicast>
    

    Shouldn't here be a DHCP address here?

    In the openVPN client (Viscosity) I can check "Send all traffic though VPN connection", and an IP address can be filled in. I've tried various settings here, nothing seems to work.

    The server log looks like this:

    Oct 28 12:14:28 	openvpn[2145]: Re-using SSL/TLS context
    Oct 28 12:14:28 	openvpn[2145]: LZO compression initialized
    Oct 28 12:14:28 	openvpn[2145]: TCP connection established with 193.10.30.13:61080
    Oct 28 12:14:28 	openvpn[2145]: TCPv4_SERVER link local: [undef]
    Oct 28 12:14:28 	openvpn[2145]: TCPv4_SERVER link remote: 193.10.30.13:61080
    Oct 28 12:14:30 	openvpn[2145]: 193.10.30.13:61080 [client1] Peer Connection Initiated with 193.10.30.13:61080
    

    Routing table on client after VPN Connection establishment:

    MacBook:~ ecce$ netstat -nr
    Routing tables
    
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            193.10.30.1        UGSc           19        0     en1
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH              2    22527     lo0
    169.254            link#5             UCS             0        0     en1
    193.10.30          link#5             UCS             1        0     en1
    193.10.30.1        0:0:c:7:ac:af      UHLWI           9        0     en1    651
    193.10.30.13       127.0.0.1          UHS             0        0     lo0
    

    Any idea on what's wrong here?



  • I've made some progress. The problem above still exists, but when I tried on a Windows machine I got a IP address via DHCP. However I can only connect to machines in the VPN Server network, on their public IP addresses. The client gets IP address 10.0.1.6/30 and default gateway is set to 10.0.1.5. Seems fine. The openVPN client is all green, and no error messages in the log file either on the server or client.

    I cannot:

    • Ping my gateway, 10.0.1.5
    • Connect to any machine on internet except the ones in the VPN server network (public IPs)

    I can:

    • connect to pfsense machine via HTTPS
    • connect to another webserver in the same public network as the pfsense server
    • make DNS req to the DNS server, also in the same network as the pfsense server

    I have Outbound NAT (AON) for 10.0.1.0/28 to WAN interface address.


Log in to reply