Need help to setup an OpenVPN tunnel



  • Hello,

    Newbie with OpenVPN, I am unable to make an OpenVPN tunnel work; one detail must be wrong but I can't find what it is. Where should I look?
     I have done research that didn't help.
     Thanks for helping.

    I want to have a tunnel between 2 offices in a site-to-site config, ideally in bridging mode (will see later).

    My conf:

    PC_A: PCs at office A are 192.168.0.0/24
     Alix_A: router at office A is 192.168.0.1, Alix box with pfSense 1.2.3 RC2, OpenVPN server

    PC_B: PCs at office B are 192.168.1.0/24
     Alix_B: router at office B is 192.168.1.1, Alix box with pfSense 1.2.3 RC3, OpenVPN client

    Authentication method is PKI, keys are generated; the current conf is good enough to have the tunnel up and running between the 2 routers.

    PC_A can ping Alix_A and Alix_B, but not PC_B
     Alix_A can ping PC_A and Alix_B, but not PC_B
     Alix_B can ping Alix_A, PC_A and PC_B
     PC_B can ping Alix_B, but not Alix_A or PC_A

    At office A, my OpenVPN server conf is:
     Protocol UDP
     Dynamic IP checked
     Local port 1194
     Address pool 192.168.251.0/24
     Use static IPs checked
     Local network 192.168.0.0/24
     Remote network 192.168.1.0/24
     Client-to-client VPN checked
     LZO compression checked
     Custom options: route 192.168.1.0 255.255.255.0

    Firewall rules on Lan: "allow all" is OK

    At office B, my OpenVPN client conf is:
     Protocol UDP
     Server address is my office A static IP
     Server port 1194
     Interface IP empty
     Remote network is greyed out
     Proxy Host empty
     Proxy port 3128
     LZO compression checked
     Custom options: route 192.168.0.0 255.255.255.0

    Firewall rules on Lan: "allow all" is OK

    Patrice



  • For a simple site-to-site connection you shouldn't use PKI.

    Try to follow the site-to-site howto in this sticky: http://forum.pfsense.org/index.php/topic,2228.0.html



  • I am a newbie to OpenVPN as well, having recently failed completely to get my own configuration going.

    What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working?  So it shouldn't matter if the OP is using PKI or SSL.  I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL.)

    Maybe there's something wrong with 1.2.3 RC3.  I was also using the Alix platform, but I used the LiveCD version on a microdrive instead of the nanoBSD kernel.



  • @joebarnhart:

    What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working?  So it shouldn't matter if the OP is using PKI or SSL.  I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL.)

    PKI = Public Key Infrastructure
    PSK = Private Shared Key
    Both are based on SSL. Just the way you use it is different.

    Yes, the way he describes it, the connection between the endpoints works.
    However, that's not enough. You also need to add routes corresponding to the subnet(s) on the other side of the tunnel.
    On both sides.

    A PKI is designed for road warriors –> many users connect,
    and not for a simple site-to-site.

    In a normal PSK setup you have the option to add routes via the "route" command.
    In a PKI this doesn't work.
    In a PKI you push routes from the server side to the clients.
    Now, if you want to have a site-to-site connection with a PKI, you also need to add client-specific configurations to add routes in the other direction (to the client).
    Since the client can have a different IP within the VPN every time it connects, this can be tricky.
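The server-pushed route plus the client-specific reverse route described in the post above, written out as an added example (not any poster's actual pfSense configuration): an OpenVPN server at office A and a client at office B using the thread's subnets. The office A public address and the client certificate's common name (office-b) are placeholders.

```conf
# ---- Office A: server side (added example, not from the thread) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Tunnel address pool, as in the thread
server 192.168.251.0 255.255.255.0
# Kernel route on the server host: traffic for office B's LAN goes into the tunnel
route 192.168.1.0 255.255.255.0
# Sent to the client at connect time: office A's LAN is reachable through the tunnel
push "route 192.168.0.0 255.255.255.0"
# Per-client files, named after the client certificate's common name
client-config-dir ccd
comp-lzo
keepalive 10 60

# ---- Office A: ccd/office-b (file name = client cert CN, placeholder) ----
# Internal route: tells the OpenVPN daemon which client owns 192.168.1.0/24.
# With 'route' alone the kernel hands packets to the tun device, but the daemon
# does not know which client is behind that subnet and drops them.
# Because this is keyed on the certificate CN, it keeps working even when the
# client gets a different tunnel address on each connection.
iroute 192.168.1.0 255.255.255.0

# ---- Office B: client side (added example, not from the thread) ----
client
dev tun
proto udp
remote OFFICE_A_PUBLIC_IP 1194    # placeholder for office A's static IP
ca ca.crt
cert office-b.crt
key office-b.key
comp-lzo
# No 'route' line needed here: the route to 192.168.0.0/24 is pushed by the server
```

Hosts on each LAN still need the local router as their default gateway (or a static route for the remote subnet) and a firewall rule permitting the traffic, otherwise the routers can reach each other while the PCs cannot, which is exactly the symptom in this thread.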



  • If you're still watching ppolymorphe I recommend the following:

    Update your RC2 router to RC3.

    I had RC1 and RC3 and could NOT get those to work properly at all.  My symptoms were very similar to yours – I could ping one site from another but computers on the network could not ping each other.

    Updating both routers to RC3 has resulted in a working OpenVPN solution.



  • Upgraded to the 1.2.3 release, but no change.



  • So did you add the routes like I wrote above?



  • IT WORKS!!!

    I don't know the WHY details, but it works.
    What I did:
        First, I upgraded to the 1.2.3 release nanoBSD on both sides.
        Since there were messages in the log saying there was an error trying to add the routes in my custom options, I first tried removing all routes from the custom options to see what happened!  The result is that it works without any custom option anywhere!

    From both sides, I can take control of PCs on the other side (UltraVNC) by using their respective IP addresses (192.168.0.* or 192.168.1.*).

    And now I have to do the bridging stuff, just waiting for the tutorial to be updated.

    PS: By the way, I discovered that the firewall in Windows XP SP3, if activated, prevents the PC from responding to pings. Silly thing :)

    Patrice

