Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]



  • I'm little confused by this tutorial and other references on the wiki because 1.2.3 adds new filtering capabilities on VPN with the addition of a new virtual interface.

    Before going into that (enabling the virtual inteface and disabling automatic rules) I followed the tutorial. I'm able to connect and get an IP address but unfortunately I cannot reach anything in the remote network. When looking at ipconfig on the windows client I noticed that there is no gateway mentioned, only an IP address : 192.168.100.6 and a netmask: 255.255.255.252.

    I guess that without a gateway I won't be able to route correctly. How can enable this?

    In my OpenVPN I have 192.168.100.0/24 for the address pool and 192.168.0.0/24 for the local network. I also have a WAN rules:
    UDP   *   *   *   1194 (OpenVPN)   *       OpenVPN

    Thanks
    alphazo



  • If i remember correctly, you don't have a gateway for the OpenVPN interface with ipconfig.
    But when you do a "route print" on a console you should see all the gateways for their corresponding route.

    The route to the remote subnet should show up there.
    If it doesn't: can you show the OpenVPN log from the client when you connect?



  • Thank you for helping me out. This is what the "route print" returns:

    
    ===========================================================================
    Liste d'Interfaces
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen
     de paquets
    0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
    ===========================================================================
    ===========================================================================
    Itinéraires actifs :
    Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
              0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
             10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
            10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
        192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
        192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
        192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
      192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
            224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
            224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
      255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
      255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
    Passerelle par défaut :          10.0.2.2
    ===========================================================================
    Itinéraires persistants :
      Aucun
    
    

    and here is the openvpn client's log:

    
    Tue Dec 22 13:21:33 2009 OpenVPN 2.1_rc22 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 20 2009
    Tue Dec 22 13:21:33 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Dec 22 13:21:34 2009 LZO compression initialized
    Tue Dec 22 13:21:34 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Dec 22 13:21:34 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Dec 22 13:21:34 2009 Local Options hash (VER=V4): '41690919'
    Tue Dec 22 13:21:34 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Dec 22 13:21:34 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Dec 22 13:21:34 2009 UDPv4 link local: [undef]
    Tue Dec 22 13:21:34 2009 UDPv4 link remote: 86.76.21.144:1194
    Tue Dec 22 13:21:34 2009 TLS: Initial packet from 86.76.21.144:1194, sid=0caaf0df a2be79c5
    Tue Dec 22 13:21:35 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
    Tue Dec 22 13:21:35 2009 VERIFY OK: nsCertType=SERVER
    Tue Dec 22 13:21:35 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
    Tue Dec 22 13:21:36 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
    Tue Dec 22 13:21:36 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
    Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:21:36 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Dec 22 13:21:36 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
    Tue Dec 22 13:21:38 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
    Tue Dec 22 13:21:38 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
    Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: route options modified
    Tue Dec 22 13:21:38 2009 ROUTE default_gateway=10.0.2.2
    Tue Dec 22 13:21:38 2009 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{1870D386-0490-4692-AA56-6C738635ADCC}.tap
    Tue Dec 22 13:21:38 2009 TAP-Win32 Driver Version 9.6 
    Tue Dec 22 13:21:38 2009 TAP-Win32 MTU=1500
    Tue Dec 22 13:21:38 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.6/255.255.255.252 on interface {1870D386-0490-4692-AA56-6C738635ADCC} [DHCP-serv: 192.168.100.5, lease-time: 31536000]
    Tue Dec 22 13:21:38 2009 Successful ARP Flush on interface [2] {1870D386-0490-4692-AA56-6C738635ADCC}
    Tue Dec 22 13:21:44 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.100.5
    Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
    Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.100.1 MASK 255.255.255.255 192.168.100.5
    Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
    Tue Dec 22 13:21:44 2009 Initialization Sequence Completed
    Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:21:58 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:22:08 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:22:18 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:22:29 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:22:38 2009 [ares] Inactivity timeout (--ping-restart), restarting
    Tue Dec 22 13:22:38 2009 TCP/UDP: Closing socket
    Tue Dec 22 13:22:38 2009 SIGUSR1[soft,ping-restart] received, process restarting
    Tue Dec 22 13:22:38 2009 Restart pause, 2 second(s)
    Tue Dec 22 13:22:40 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Dec 22 13:22:40 2009 Re-using SSL/TLS context
    Tue Dec 22 13:22:40 2009 LZO compression initialized
    Tue Dec 22 13:22:40 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Dec 22 13:22:40 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Dec 22 13:22:40 2009 Local Options hash (VER=V4): '41690919'
    Tue Dec 22 13:22:40 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Dec 22 13:22:40 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Dec 22 13:22:40 2009 UDPv4 link local: [undef]
    Tue Dec 22 13:22:40 2009 UDPv4 link remote: 86.76.21.144:1194
    Tue Dec 22 13:22:40 2009 TLS: Initial packet from 86.76.21.144:1194, sid=06dbe67e 87fb9eda
    Tue Dec 22 13:22:41 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
    Tue Dec 22 13:22:41 2009 VERIFY OK: nsCertType=SERVER
    Tue Dec 22 13:22:41 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
    Tue Dec 22 13:22:42 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
    Tue Dec 22 13:22:42 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
    Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:22:42 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Dec 22 13:22:42 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
    Tue Dec 22 13:22:44 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
    Tue Dec 22 13:22:44 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
    Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: route options modified
    Tue Dec 22 13:22:44 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
    Tue Dec 22 13:22:44 2009 Initialization Sequence Completed
    Tue Dec 22 13:22:54 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:04 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:14 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:24 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:34 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:44 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:23:44 2009 [ares] Inactivity timeout (--ping-restart), restarting
    Tue Dec 22 13:23:44 2009 TCP/UDP: Closing socket
    Tue Dec 22 13:23:44 2009 SIGUSR1[soft,ping-restart] received, process restarting
    Tue Dec 22 13:23:44 2009 Restart pause, 2 second(s)
    Tue Dec 22 13:23:46 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Dec 22 13:23:46 2009 Re-using SSL/TLS context
    Tue Dec 22 13:23:46 2009 LZO compression initialized
    Tue Dec 22 13:23:46 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Dec 22 13:23:46 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Dec 22 13:23:46 2009 Local Options hash (VER=V4): '41690919'
    Tue Dec 22 13:23:46 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Dec 22 13:23:46 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Dec 22 13:23:46 2009 UDPv4 link local: [undef]
    Tue Dec 22 13:23:46 2009 UDPv4 link remote: 86.76.21.144:1194
    Tue Dec 22 13:23:47 2009 TLS: Initial packet from 86.76.21.144:1194, sid=c5a3b246 f145a49c
    Tue Dec 22 13:23:47 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
    Tue Dec 22 13:23:47 2009 VERIFY OK: nsCertType=SERVER
    Tue Dec 22 13:23:47 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
    Tue Dec 22 13:23:48 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
    Tue Dec 22 13:23:48 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
    Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Dec 22 13:23:48 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Dec 22 13:23:48 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
    Tue Dec 22 13:23:50 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
    Tue Dec 22 13:23:50 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
    Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: route options modified
    Tue Dec 22 13:23:50 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
    Tue Dec 22 13:23:50 2009 Initialization Sequence Completed
    Tue Dec 22 13:24:00 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:24:10 2009 Authenticate/Decrypt packet error: cipher final failed
    Tue Dec 22 13:24:20 2009 Authenticate/Decrypt packet error: cipher final failed
    
    


  • The routes are added correctly:

    192.168.0.0    255.255.255.0    192.168.100.5  192.168.100.6      1
        192.168.100.1  255.255.255.255    192.168.100.5  192.168.100.6      1
        192.168.100.4  255.255.255.252    192.168.100.6  192.168.100.6      30
        192.168.100.6  255.255.255.255        127.0.0.1      127.0.0.1      30
      192.168.100.255  255.255.255.255    192.168.100.6  192.168.100.6      30

    But you seem to have a problem with your encryption:

    Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed

    Can you double check that you have the same settings on your server and the client?



  • Good catch…It works now!  When posting it I saw the encryption mismatch but though that since I had an IP address I was fine.

    Adding ```
    cipher AES-128-CBC

    
    I can now experiment with the new openVPN filtering functions (and associated virtual interface) in 1.2.3.
    
    Thanks again.
    Alphazo


  • One last question (in fact three) regarding DNS.

    1. Can I resolve machine names on the client side? For example http://myserver that is remotely located on 192.168.0.10. Or do I have to add entries to my host file.
    2. Can I remotely browse samba shares without knowing their IP address?
    3. Can I force all internet traffic on the client to go through the tunnel?

    Thank you
    alphazo



  • 1: You can push a DHCP-option (in your case you need DNS) you control locally to the client. Since the client now resolves its names over this DHCP, you control to what it resolves.
    2: Not without setting up a WINS server.
    3: Yes.



  • For 1. do you mean DNS?

    I don't know if there is any quick answer but how do you do 1. and especially 3. ?

    Thanks
    Alphazo



  • Yes ^^"
    Wrote only half of what i thought :D



  • I found this post that should solve my problem.

    http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978

    For me, changing to "Manual Outbound NAT rule generation" did the trick. I what i did to make it work was NAT-ing my OpenVPN subnet (192.168.113.0/24) to WAN. That is…to begin with i had a working OpenVPN server for Road Warriors and what i had do to tunnel all traffic was:

    1. Add the following lines of configuration to the OpenVPN "Custom Options":
      push "dhcp-option DNS 192.168.110.1";
      push "redirect-gateway local def1";

    2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).

    My Lan is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I  have OPT1 connected to tun7 (VPN, tun7 is forced is openVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.

    What do I have to use for the DNS line?

    Moreover, the section on outbound nat is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have a to creat a NAT outboun for each interface (WAN, LAN and OPT(VPN)). Can someone guide me through the step required to set it up?

    
    - Interface: WAN/LAN/OPT1
    - Source: 
       - Type: any/network
       - Address:
       -  Source port:   	
    - Destination 	
       - Type: any/network
       - Address:
       - Destination  port:   	
    - Translation 	
      - Address: Interface address/any
      - Port: 
      - Static port:
    
    

    Thank you
    Alphazo



  • AoN rules define how traffic is NATed.

    Generally you only want traffic NATed to the WAN.
    I use in my private homesetup a single rule with:
    WAN    any  *  *  *  *  *  NO
    Meaning i NAT everything to the WAN.

    Of course you could create a AoN rule for each subnet you have.
    The rules would look like:
    WAN    subnet_A  *  *  *  *  *  NO
    WAN    subnet_B  *  *  *  *  *  NO
    WAN    subnet_C  *  *  *  *  *  NO
    etc.



  • Hello,

    I'm using with success this howto on some pfsense setup (also : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…

    Meanwhile, i have two problems/requests :

    1. When setting up manually openvpn (on a classic linux box), i could use "./pkitool --initca --pass" to create a protected CA (in order that only someone knowing the passphrase could issue certificates) create clients...

    With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), i don't have the "pkitool" command...

    I read that "pkitool --initca" = "build-ca" : does that mean i could use "build-ca --pass" (does it even exist ?) in order to create a protected CA ?

    Or do you use it differently (the main goal : protect CA / avoid unauthorized certificates issuing) ? How do you protect CA ?

    1. When issuing certificates, i have, at the end, the following message :

    "unable to write random state"

    I think it's due to incorrect HOME / RANDFILE variables on openssl.cnf file... Well i didn't it because i don't know if my thoughts are right or if there are another variables to change...

    By the way, i change HOME variable in vars.bat in order to issue certificates...

    Certificates are well issued and work perfectly but this error message remains...

    I wanted to know :

    What does this *.rnd serve to ? Does it serve to generate random ciphering for certificates issuing ? In other words : can we simply ignore it ?

    Thank you very much,

    XZed



  • Coming back to my all traffic via tunnel I've modified my configuration based on the above recommendations but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.

    I've added the following to my custom options in openVPN server settings

    
    push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
    
    

    192.168.0.254 is the address of my pfSense box on the LAN.

    Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:

    
    Interface    Source          Source Port      Destination      Destination Port      NAT Address      NAT Port      Static Port         
    WAN       192.168.0.0/24               *     *     *     *     *      NO
    WAN       192.168.100.0/24            *     *     *     *     *     NO
    
    

    Under a Windows client, ipconfig returns (note that I now get a default gateway):

    
    Configuration IP de Windows
    Carte Ethernet Connexion au réseau local 3:
    
            Suffixe DNS propre à la connexion :
            Adresse IP. . . . . . . . . . . . : 192.168.100.6
            Masque de sous-réseau . . . . . . : 255.255.255.252
            Passerelle par défaut . . . . . . : 192.168.100.5
    
    Carte Ethernet Connexion au réseau local:
    
            Suffixe DNS propre à la connexion : home.internal
            Adresse IP. . . . . . . . . . . . : 10.0.2.15
            Masque de sous-réseau . . . . . . : 255.255.255.0
            Passerelle par défaut . . . . . . : 10.0.2.2
    
    

    route print

    
    ===========================================================================
    Liste d'Interfaces
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen
     de paquets
    0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
    ===========================================================================
    ===========================================================================
    Itinéraires actifs :
    Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
              0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
              0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
             10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
            10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
          192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
        192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
        192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
        192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
      192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
            224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
            224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
      255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
      255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
    Passerelle par défaut :     192.168.100.5
    ===========================================================================
    Itinéraires persistants :
      Aucun
    
    

    Can someone help me to solve my problem?
    Thank you
    Alphazo



  • Please elaborate what you mean with "the tunnel is broken".
    (How do you test?)



  • By broken I meant that I can't connect to any remote machine e.g. http://192.168.0.254 (my pfSense web gui).

    Please forgive my ignorance, in my earlier post I said I put :

    
    push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
    
    

    Don't you think it should be:

    
    push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;
    
    ```  ?
    
    192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7.
    
    I tried on both windows and Linux clients but it stills doesn't allow me to reach remote machines on the LAN. On the windows client I also added the following parameters (from another thread).
    

    route-method exe
    route-delay 2

    
    Alphazo
    
    [EDIT]
    
    Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option)
    
    My config is now:
    

    dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";

    
    Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.
    
    Now my very last issue is with OpenVPN linux clients (Arch). When enabling the above configuration I can connect to remote machine via their IP addresses and even go to tunneled internet only if using IP addresses (e.g. http://208.78.70.70/ which is the IP address for http://checkip.dyndns.org is tunneled correctly) but the name resolution doesn't work.
    
    Is there anything to do like flushing the DNS cache or starting a command to indicate the new DNS setting following the successful OpenVPN connection?
    
    Thank you for your help
    Alphazo


  • Generally i would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.

    Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.

    Now my very last issue is with OpenVPN linux clients (Arch). When enabling the above configuration I can connect to remote machine via their IP addresses and even go to tunneled internet only if using IP addresses (e.g. http://208.78.70.70/ which is the IP address for http://checkip.dyndns.org is tunneled correctly) but the name resolution doesn't work.

    I'm not sure i understand.
    Are you able to resolve names, or are you not?



  • I'm not able to resolve names on a Linux client. Works fine on Windows clients.





  • Thanks for pointing this out. Manually adding pfSense address to the resolv.conf did the trick. As mentioned in the thread you posted a simple trick should be able to do that automatically.

    Thanks again.
    alphazo


Log in to reply