Need help to setup an OpenVPN tunnel

ppolymorphe · Dec 1, 2009, 11:39 AM

Hello,

Newbie with OpenVPN, I am unable to make an OpenVPN tunnel to work, one detail should be wrong but I can't find what it is. Where should I look ?
I have done researches that didn't help.
Thanks for helping.

I want to have a tunnel between 2 offices in a site-to-site config, ideally in bridging mode (will see later).

my conf

PC_A: PCs at office A are 192.168.0.0/24
Alix_A: routeur at office A is 192.168.0.1, Alix box with PFsense 1.2.3 RC2, OpenVPN server

PC_B: PCs at office B are 192.168.1.0/24
Alix_B: routeur at office B is 192.168.1.1, Alix box with PFsense 1.2.3 RC3, OpenVPN client

Authentication method is PKI, key are generated, actual conf is good enough to have the tunnel up and running between the 2 routers

PC_A can ping Alix_A, Alix_B, no PC_B
Alix_A can ping PC_A, Alix_B, no PC_B
Alix_B can ping Alix_A, PC_A, PC_B
PC_B can ping Alix_B, no Alix_a, no PC_A

at office A, my OpenVPN server conf is:
Protocol UDP
Dynamic IP checked
Local port 1194
Address pool 192.168.251.0/24
Use static IPs checked
Local network 192.168.0.0/24
Remote network 192.168.1.0/24
Client-to-client VPN checked
LZO compression checked
Custom options: route 192.168.1.0 255.255.255.0

Firewall rules on Lan: "allow all" is OK

at office B, my OpenVPN client conf is:
Protocol UDP
Server address is my ofice A static IP
Server port 1194
Interface IP empty
Remote network is greyed
Proxy Host empty
Proxy port 3128
LZO compression checked
Custom options: route 192.168.0.0 255.255.255.0

Firewall rules on Lan: "allow all" is OK

Patrice

GruensFroeschli · Dec 1, 2009, 2:14 PM

For a simple site-to-site connection you shouldn't use PKI.

Try to follow the site-to-site howto in this sticky: http://forum.pfsense.org/index.php/topic,2228.0.html

joebarnhart · Dec 1, 2009, 4:23 PM

I am a newbie to OpenVPN as well, having recently failed completely to get my own configuration going.

What interests me about this issue is that there IS a routed connection between to two pfSense boxes – doesn't that mean by definition that the encryption is working? So it shouldn't matter if the OP is using PKI or SSL. I had a similar issue with site-to-site, my routers could ping but the computers couldn't (I tried both PKI and SSL.)

Maybe there's something wrong with 123RC3. I was also using the Alix platform, but I used the LiveCD version on a microdrive instead of the nanoBSD kernel.

GruensFroeschli · Dec 1, 2009, 5:10 PM

@joebarnhart:

What interests me about this issue is that there IS a routed connection between to two pfSense boxes – doesn't that mean by definition that the encryption is working? So it shouldn't matter if the OP is using PKI or SSL. I had a similar issue with site-to-site, my routers could ping but the computers couldn't (I tried both PKI and SSL.)

PKI = Public Key Infrastructure
PSK = Private Shared Key
Both are based on SSL. Just the way you use it is different.

Yes how he describes it, the connection between the endpoints works.
However that's not enough. You also need to add routes correlating with the subnet(s) on the other side of the tunnel.
On both sides.

A PKI is designed for roadwarriors. –> Many users connect
and not for a simple site-to-site.

In a normal PSK setup you have the option to add routes via the "route" command.
In a PKI this doesnt work.
In a PKI you push from the server side routes to the clients.
Now if you want to have a site-to-site connection with a PKI you also need to add client specific configurations to add routes in the other direction (to the client).
Since the client can have everytime he connects a different IP within the VPN this can be tricky.

joebarnhart · Dec 7, 2009, 9:41 AM

If you're still watching ppolymorphe I recommend the following:

Update your RC2 router to RC3.

I had RC1 and RC3 and could NOT get those to work properly at all. My symptoms were very similar to yours – I could ping one site from another but computers on the network could not ping each other.

Updating both routers to RC3 has resulted in a working OpenVPN solution.

ppolymorphe · Dec 14, 2009, 8:38 PM

upgraded to 1.2.3 release, but no change

GruensFroeschli · Dec 14, 2009, 10:23 PM

So did you add the routes like i wrote above?

ppolymorphe · Dec 22, 2009, 2:12 PM

IT WORKS !!!

I don't know the WHY details, but it works.
what I did ?
First, I upgraded to 1.2.3 release nanobsd on both sides.
Since there was messages in the log saying there was an error trying to add the routes in my custom options, I tryed first to remove all routes in custom options to see what append ! The result is that it works without any custom option anywhere!

From both sides, I can take control of PC on other side (ultravnc) by using their respective IP addresses (192.168.0.* or 192.168.1.*)

And now I have to do the bridging stuff, just waiting for the tutorial to be updated.

PS: By the way, I discovered that the firewall in windows XP SP3 prevents the PC to respond to pings if activated. silly thing :)

Patrice