    Need help to setup an OpenVPN tunnel

    OpenVPN
      ppolymorphe:

      Hello,

      Newbie with OpenVPN, I am unable to make an OpenVPN tunnel work; one detail must be wrong but I can't find what it is. Where should I look?
       I have done research that didn't help.
       Thanks for helping.

      I want to have a tunnel between 2 offices in a site-to-site config, ideally in bridging mode (will see later).

      my conf

      PC_A: PCs at office A are 192.168.0.0/24
       Alix_A: router at office A is 192.168.0.1, Alix box with pfSense 1.2.3 RC2, OpenVPN server

      PC_B: PCs at office B are 192.168.1.0/24
       Alix_B: router at office B is 192.168.1.1, Alix box with pfSense 1.2.3 RC3, OpenVPN client

      Authentication method is PKI, keys are generated, and the current conf is good enough to have the tunnel up and running between the 2 routers.

      PC_A can ping Alix_A and Alix_B, but not PC_B
       Alix_A can ping PC_A and Alix_B, but not PC_B
       Alix_B can ping Alix_A, PC_A and PC_B
       PC_B can ping Alix_B, but not Alix_A or PC_A

      at office A, my OpenVPN server conf is:
       Protocol UDP
       Dynamic IP checked
       Local port 1194
       Address pool 192.168.251.0/24
       Use static IPs checked
       Local network 192.168.0.0/24
       Remote network 192.168.1.0/24
       Client-to-client VPN checked
       LZO compression checked
       Custom options: route 192.168.1.0 255.255.255.0

      Firewall rules on Lan: "allow all" is OK

      at office B, my OpenVPN client conf is:
       Protocol UDP
       Server address is my office A static IP
       Server port 1194
       Interface IP empty
       Remote network is greyed
       Proxy Host empty
       Proxy port 3128
       LZO compression checked
       Custom options: route 192.168.0.0 255.255.255.0

      Firewall rules on Lan: "allow all" is OK

      Patrice

        GruensFroeschli:

        For a simple site-to-site connection you shouldn't use PKI.

        Try to follow the site-to-site howto in this sticky: http://forum.pfsense.org/index.php/topic,2228.0.html

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          joebarnhart:

          I am a newbie to OpenVPN as well, having recently failed completely to get my own configuration going.

          What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working?  So it shouldn't matter if the OP is using PKI or SSL.  I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL).

          Maybe there's something wrong with 1.2.3 RC3.  I was also using the Alix platform, but I used the LiveCD version on a microdrive instead of the nanoBSD kernel.

            GruensFroeschli:

            @joebarnhart:

            What interests me about this issue is that there IS a routed connection between the two pfSense boxes – doesn't that mean by definition that the encryption is working?  So it shouldn't matter if the OP is using PKI or SSL.  I had a similar issue with site-to-site: my routers could ping but the computers couldn't (I tried both PKI and SSL).

            PKI = Public Key Infrastructure
            PSK = Private Shared Key
            Both are based on SSL. Just the way you use it is different.

            Yes how he describes it, the connection between the endpoints works.
            However that's not enough. You also need to add routes correlating with the subnet(s) on the other side of the tunnel.
            On both sides.

            A PKI is designed for roadwarriors. –> Many users connect
            and not for a simple site-to-site.

            In a normal PSK setup you have the option to add routes via the "route" command.
            In a PKI this doesn't work.
            In a PKI you push routes from the server side to the clients.
            Now if you want to have a site-to-site connection with a PKI you also need to add client-specific configurations to add routes in the other direction (to the client).
            Since the client can have a different IP within the VPN every time he connects, this can be tricky.


              joebarnhart:
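The client-specific configuration referred to in the reply above is, in OpenVPN's own terms, a file in the server's client-config-dir named after the client certificate's common name and carrying an iroute for the client's LAN. The server's route directive only tells the kernel to send packets for that LAN into the tunnel interface; without the matching iroute OpenVPN cannot tell which connected client should receive them, and packets arriving from that LAN are dropped as coming from an unknown source. The Python below is an added example, not the poster's or pfSense's own configuration: it writes the server, ccd and client fragments for this thread's addresses and checks them for the route/iroute mismatch. The common name "alix_b" and the server address 203.0.113.10 are assumptions.

```python
"""Added example (not the poster's or pfSense's own configuration): the
server-side pieces a PKI/SSL site-to-site tunnel needs for the topology in
this thread, plus a check for the route/iroute mismatch that leaves the
routers able to ping each other while the LANs behind them cannot.
Assumed: the office B client certificate has common name "alix_b"."""
import ipaddress


def _mask_form(net):
    """'192.168.1.0/24' -> '192.168.1.0 255.255.255.0' (OpenVPN's notation)."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"


def server_conf(local_lan, remote_lans, pool):
    """Server config lines: a kernel route for each remote LAN, plus a
    client-config-dir so per-client iroute files can be added."""
    lines = [
        "dev tun",
        "proto udp",
        "port 1194",
        f"server {_mask_form(pool)}",             # tunnel address pool
        "client-config-dir ccd",                  # ccd/<cert CN> holds the iroute
        "client-to-client",
        f'push "route {_mask_form(local_lan)}"',  # office A LAN, pushed to the client
    ]
    for lan in remote_lans:
        # kernel route: send traffic for the remote LAN into the tun interface
        lines.append(f"route {_mask_form(lan)}")
    return lines


def ccd_entry(remote_lan):
    """Contents of ccd/<CN>: tells OpenVPN which connected client owns the
    subnet, so the kernel route above has a client to deliver to."""
    return [f"iroute {_mask_form(remote_lan)}"]


def client_conf(server_ip, port=1194):
    """Client side needs no route for its own LAN; the office A route is pushed."""
    return ["client", "dev tun", "proto udp", f"remote {server_ip} {port}",
            "comp-lzo"]


def _networks(lines, directive):
    """Collect the subnets given to a directive ('route', 'iroute', 'server')."""
    found = []
    for line in lines:
        parts = line.split()
        if parts and parts[0] == directive:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            found.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return found


def check(server_lines, ccd_files):
    """Return a list of problems (empty means the routing is consistent).
    ccd_files maps client CN -> list of lines in ccd/<CN>."""
    problems = []
    pool = _networks(server_lines, "server")[0]
    routes = _networks(server_lines, "route")
    iroutes = {cn: _networks(lines, "iroute") for cn, lines in ccd_files.items()}
    every_iroute = [n for nets in iroutes.values() for n in nets]
    for r in routes:
        if r.overlaps(pool):
            problems.append(f"route {r} overlaps tunnel pool {pool}")
        if not any(i.subnet_of(r) for i in every_iroute):
            # kernel sends packets into tun, but OpenVPN has no client to hand them to
            problems.append(f"route {r} has no iroute in any ccd file")
    for cn, nets in iroutes.items():
        for i in nets:
            if not any(i.subnet_of(r) for r in routes):
                # OpenVPN knows the owner, but the kernel never sends packets into tun
                problems.append(f"ccd/{cn}: iroute {i} has no matching server route")
    return problems


# Constructed from the thread's topology: office A LAN, office B LAN, tunnel pool.
SERVER = server_conf("192.168.0.0/24", ["192.168.1.0/24"], "192.168.251.0/24")
CCD = {"alix_b": ccd_entry("192.168.1.0/24")}  # CN "alix_b" is an assumption
BROKEN = {}  # route present on the server, but no client-specific iroute

if __name__ == "__main__":
    print("\n".join(SERVER))
    print("--- ccd/alix_b ---\n" + "\n".join(CCD["alix_b"]))
    print("--- client ---\n" + "\n".join(client_conf("203.0.113.10")))
    print("complete:", check(SERVER, CCD) or "ok")
    print("route but no iroute:", check(SERVER, BROKEN))
```

Run stand-alone it prints the three fragments, reports the complete setup as consistent, and flags the variant where the server has the kernel route but no ccd file for the client. The pool overlap test is there because a remote LAN that collides with the tunnel pool produces the same one-way symptoms.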

              If you're still watching, ppolymorphe, I recommend the following:

              Update your RC2 router to RC3.

              I had RC1 and RC3 and could NOT get those to work properly at all.  My symptoms were very similar to yours – I could ping one site from another but computers on the network could not ping each other.

              Updating both routers to RC3 has resulted in a working OpenVPN solution.

                ppolymorphe:

                upgraded to 1.2.3 release, but no change

                  GruensFroeschli:

                  So did you add the routes like I wrote above?


                    ppolymorphe:

                    IT WORKS !!!

                    I don't know the WHY details, but it works.
                    What did I do?
                        First, I upgraded to the 1.2.3 release nanobsd on both sides.
                        Since there were messages in the log saying there was an error trying to add the routes in my custom options, I first tried removing all routes from the custom options to see what happens!  The result is that it works without any custom option anywhere!

                    From both sides, I can take control of PCs on the other side (UltraVNC) by using their respective IP addresses (192.168.0.* or 192.168.1.*).

                    And now I have to do the bridging stuff, just waiting for the tutorial to be updated.

                    PS: By the way, I discovered that the firewall in Windows XP SP3 prevents the PC from responding to pings if activated. Silly thing :)

                    Patrice
