Netgate Discussion Forum
Need help to setup an OpenVPN tunnel

OpenVPN
8 Posts 3 Posters 3.8k Views
    ppolymorphe
    last edited by Dec 1, 2009, 11:39 AM

    Hello,

    Newbie with OpenVPN, I am unable to make an OpenVPN tunnel work; one detail must be wrong but I can't find what it is. Where should I look?
     I have done research that didn't help.
     Thanks for helping.

    I want to have a tunnel between 2 offices in a site-to-site config, ideally in bridging mode (will see later).

    My conf:

    PC_A: PCs at office A are 192.168.0.0/24
     Alix_A: router at office A is 192.168.0.1, Alix box with pfSense 1.2.3 RC2, OpenVPN server

    PC_B: PCs at office B are 192.168.1.0/24
     Alix_B: router at office B is 192.168.1.1, Alix box with pfSense 1.2.3 RC3, OpenVPN client

    Authentication method is PKI, keys are generated, the actual conf is good enough to have the tunnel up and running between the 2 routers.

    PC_A can ping Alix_A, Alix_B, not PC_B
     Alix_A can ping PC_A, Alix_B, not PC_B
     Alix_B can ping Alix_A, PC_A, PC_B
     PC_B can ping Alix_B, not Alix_A, not PC_A

    At office A, my OpenVPN server conf is:
     Protocol UDP
     Dynamic IP checked
     Local port 1194
     Address pool 192.168.251.0/24
     Use static IPs checked
     Local network 192.168.0.0/24
     Remote network 192.168.1.0/24
     Client-to-client VPN checked
     LZO compression checked
     Custom options: route 192.168.1.0 255.255.255.0

    Firewall rules on Lan: "allow all" is OK

    At office B, my OpenVPN client conf is:
     Protocol UDP
     Server address is my office A static IP
     Server port 1194
     Interface IP empty
     Remote network is greyed
     Proxy Host empty
     Proxy port 3128
     LZO compression checked
     Custom options: route 192.168.0.0 255.255.255.0

    Firewall rules on Lan: "allow all" is OK

    Patrice

      GruensFroeschli
      last edited by Dec 1, 2009, 2:14 PM

      For a simple site-to-site connection you shouldn't use PKI.

      Try to follow the site-to-site howto in this sticky: http://forum.pfsense.org/index.php/topic,2228.0.html

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        joebarnhart
        last edited by Dec 1, 2009, 4:23 PM

        I am a newbie to OpenVPN as well, having recently failed completely to get my own configuration going.

        What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working? So it shouldn't matter if the OP is using PKI or SSL. I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL).

        Maybe there's something wrong with 1.2.3 RC3. I was also using the Alix platform, but I used the LiveCD version on a microdrive instead of the nanoBSD kernel.

          GruensFroeschli
          last edited by Dec 1, 2009, 5:10 PM

          @joebarnhart:

          What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working? So it shouldn't matter if the OP is using PKI or SSL. I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL).

          PKI = Public Key Infrastructure
          PSK = Private Shared Key
          Both are based on SSL. Just the way you use it is different.

          Yes how he describes it, the connection between the endpoints works.
          However that's not enough. You also need to add routes correlating with the subnet(s) on the other side of the tunnel.
          On both sides.

          A PKI is designed for roadwarriors -> many users connect,
          and not for a simple site-to-site.

          In a normal PSK setup you have the option to add routes via the "route" command.
          In a PKI this doesn't work.
          In a PKI you push routes from the server side to the clients.
          Now if you want to have a site-to-site connection with a PKI, you also need to add client-specific configurations to add routes in the other direction (to the client).
          Since the client can have a different IP within the VPN every time he connects, this can be tricky.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

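The two-direction route setup GruensFroeschli describes, written out as plain OpenVPN directives. This is an added illustration, not configuration from any post in this thread and not what pfSense generates; the subnets and tunnel pool are the ones from the first post, while the file paths, the use of a client-config-dir and the client certificate common name `alix_b` are assumptions. The mechanism is the point: on a PKI server, a `route` line only tells the server's kernel to send office B traffic into the tunnel, and a per-client `iroute` is what tells the OpenVPN daemon which connected client actually owns that subnet. Without the `iroute`, the server still talks to the client router (whose packets come from its tunnel address), but packets destined for hosts behind it are dropped, which is the pattern in the ping matrix of the first post.

```conf
# --- Office A: OpenVPN server config (PKI mode) --------------------------------
# Added example, not the thread's or pfSense's own config. Subnets are from the
# original post; paths and the client CN "alix_b" are assumed values.
dev tun
proto udp
port 1194
server 192.168.251.0 255.255.255.0     # tunnel address pool
client-to-client

# 1. Kernel route on the server: office B traffic goes into the tunnel.
route 192.168.1.0 255.255.255.0

# 2. Directory of per-client files; each file is named after the client's
#    certificate common name (CN). The client at office B is assumed to have
#    the CN "alix_b", so its file is /etc/openvpn/ccd/alix_b (see below).
client-config-dir /etc/openvpn/ccd

# 3. Return route for the client: pushed from the server, so the client config
#    needs no "route" line of its own for office A.
push "route 192.168.0.0 255.255.255.0"


# --- Office A: per-client file /etc/openvpn/ccd/alix_b ------------------------
# This line belongs ONLY in the per-client file, never in the main server
# config. "iroute" tells the OpenVPN daemon (not the kernel) that the subnet
# 192.168.1.0/24 sits behind the client whose CN is alix_b. Without it the
# server has the kernel route from step 1 but has no client to hand the
# packets to, so hosts behind the client stay unreachable while the client
# router itself still answers.
iroute 192.168.1.0 255.255.255.0


# --- Office B: OpenVPN client config ------------------------------------------
# No route lines are needed here; the server pushes the office A route.
# "<office A public IP>" is a placeholder for the static address in the post.
client
dev tun
proto udp
remote <office A public IP> 1194
```

Two checks worth doing on the server side after applying this: the CCD filename must match the client certificate CN exactly, and the subnet in `iroute` must also appear in a `route` line of the main server config, otherwise the kernel never hands the traffic to OpenVPN in the first place.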
            joebarnhart
            last edited by Dec 7, 2009, 9:41 AM

            If you're still watching ppolymorphe I recommend the following:

            Update your RC2 router to RC3.

            I had RC1 and RC3 and could NOT get those to work properly at all. My symptoms were very similar to yours – I could ping one site from another, but computers on the network could not ping each other.

            Updating both routers to RC3 has resulted in a working OpenVPN solution.

              ppolymorphe
              last edited by Dec 14, 2009, 8:38 PM

              Upgraded to 1.2.3 release, but no change.

                GruensFroeschli
                last edited by Dec 14, 2009, 10:23 PM

                So did you add the routes like I wrote above?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  ppolymorphe
                  last edited by Dec 22, 2009, 2:12 PM

                  IT WORKS !!!

                  I don't know the WHY details, but it works.
                  What I did?
                      First, I upgraded to the 1.2.3 release nanoBSD on both sides.
                      Since there were messages in the log saying there was an error trying to add the routes in my custom options, I first tried to remove all routes in the custom options to see what happened! The result is that it works without any custom option anywhere!

                  From both sides, I can take control of PCs on the other side (UltraVNC) by using their respective IP addresses (192.168.0.* or 192.168.1.*).

                  And now I have to do the bridging stuff, just waiting for the tutorial to be updated.

                  PS: By the way, I discovered that the firewall in Windows XP SP3 prevents the PC from responding to pings if activated. Silly thing :)

                  Patrice
