Netgate Discussion Forum

Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]

GruensFroeschli - Dec 22, 2009, 5:52 PM

Yes ^^"
Wrote only half of what I thought :D

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

alphazo - Dec 22, 2009, 10:10 PM

I found this post that should solve my problem.

http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978

For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NAT-ing my OpenVPN subnet (192.168.113.0/24) to WAN. That is… to begin with I had a working OpenVPN server for Road Warriors, and what I had to do to tunnel all traffic was:

1. Add the following lines of configuration to the OpenVPN "Custom Options":
   push "dhcp-option DNS 192.168.110.1";
   push "redirect-gateway local def1";

2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).

My LAN is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I have OPT1 connected to tun7 (VPN; tun7 is forced in OpenVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.

What do I have to use for the DNS line?

Moreover, the section on outbound NAT is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have to create an outbound NAT rule for each interface (WAN, LAN and OPT(VPN))? Can someone guide me through the steps required to set it up?

- Interface: WAN/LAN/OPT1
- Source:
  - Type: any/network
  - Address:
  - Source port:
- Destination:
  - Type: any/network
  - Address:
  - Destination port:
- Translation:
  - Address: Interface address/any
  - Port:
  - Static port:

Thank you
Alphazo

GruensFroeschli - Dec 22, 2009, 11:18 PM

AoN rules define how traffic is NATed.

Generally you only want traffic NATed to the WAN.
I use in my private home setup a single rule with:

```
WAN    any  *  *  *  *  *  NO
```

Meaning I NAT everything to the WAN.

Of course you could create an AoN rule for each subnet you have.
The rules would look like:

```
WAN    subnet_A  *  *  *  *  *  NO
WAN    subnet_B  *  *  *  *  *  NO
WAN    subnet_C  *  *  *  *  *  NO
```

etc.


XZed - Dec 22, 2009, 11:34 PM

Hello,

I'm using this howto with success on some pfSense setups (also: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…

Meanwhile, I have two problems/requests:

1. When setting up OpenVPN manually (on a classic Linux box), I could use "./pkitool --initca --pass" to create a protected CA (in order that only someone knowing the passphrase could issue certificates / create clients...).

With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), I don't have the "pkitool" command...

I read that "pkitool --initca" = "build-ca": does that mean I could use "build-ca --pass" (does it even exist?) in order to create a protected CA?

Or do you use it differently (the main goal: protect the CA / avoid unauthorized certificate issuing)? How do you protect the CA?

2. When issuing certificates, I have, at the end, the following message:

"unable to write random state"

I think it's due to incorrect HOME / RANDFILE variables in the openssl.cnf file... Well, I didn't change it because I don't know if my thoughts are right or if there are other variables to change...

By the way, I change the HOME variable in vars.bat in order to issue certificates...

Certificates are well issued and work perfectly but this error message remains...

I wanted to know:

What is this *.rnd file for? Does it serve to generate random ciphering for certificate issuing? In other words: can we simply ignore it?

Thank you very much,

XZed

alphazo - Dec 23, 2009, 9:01 AM

Coming back to my all-traffic-via-tunnel issue: I've modified my configuration based on the above recommendations, but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.

I've added the following to my custom options in the OpenVPN server settings:

```
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
```

192.168.0.254 is the address of my pfSense box on the LAN.

Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:

```
Interface    Source              Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
WAN          192.168.0.0/24      *              *              *                   *              *           NO
WAN          192.168.100.0/24    *              *              *                   *              *           NO
```

Under a Windows client, ipconfig returns (note that I now get a default gateway):

```
Configuration IP de Windows
Carte Ethernet Connexion au réseau local 3:

        Suffixe DNS propre à la connexion :
        Adresse IP. . . . . . . . . . . . : 192.168.100.6
        Masque de sous-réseau . . . . . . : 255.255.255.252
        Passerelle par défaut . . . . . . : 192.168.100.5

Carte Ethernet Connexion au réseau local:

        Suffixe DNS propre à la connexion : home.internal
        Adresse IP. . . . . . . . . . . . : 10.0.2.15
        Masque de sous-réseau . . . . . . : 255.255.255.0
        Passerelle par défaut . . . . . . : 10.0.2.2
```

route print:

```
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen
 de paquets
0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
          0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
Passerelle par défaut :     192.168.100.5
===========================================================================
Itinéraires persistants :
  Aucun
```

Can someone help me to solve my problem?
Thank you
Alphazo

GruensFroeschli - Dec 23, 2009, 9:11 AM

Please elaborate what you mean with "the tunnel is broken".
(How do you test?)


alphazo - Dec 23, 2009, 9:16 AM (last edited Dec 23, 2009, 5:03 PM)

By broken I meant that I can't connect to any remote machine, e.g. http://192.168.0.254 (my pfSense web GUI).

Please forgive my ignorance, in my earlier post I said I put:

```
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
```

Don't you think it should be:

```
push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;
```

?

192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7.

I tried on both Windows and Linux clients but it still doesn't allow me to reach remote machines on the LAN. On the Windows client I also added the following parameters (from another thread):

```
route-method exe
route-delay 2
```

Alphazo

[EDIT]

Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option).

My config is now:

```
dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";
```

Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolution.

Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); the name resolution doesn't work.

Is there anything to do, like flushing the DNS cache or running a command to apply the new DNS setting following the successful OpenVPN connection?

Thank you for your help
Alphazo
GruensFroeschli - Dec 24, 2009, 9:24 AM

Generally I would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.

> Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolution.
>
> Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); the name resolution doesn't work.

I'm not sure I understand.
Are you able to resolve names, or are you not?


alphazo - Dec 24, 2009, 9:27 AM

I'm not able to resolve names on a Linux client. Works fine on Windows clients.

GruensFroeschli - Dec 24, 2009, 9:31 AM

Hmmm.
A quick Google search showed me this:
http://openvpn.net/archive/openvpn-users/2007-08/msg00124.html
with the answer:
http://openvpn.net/archive/openvpn-users/2007-08/msg00125.html


alphazo - Dec 25, 2009, 6:46 PM

Thanks for pointing this out. Manually adding the pfSense address to resolv.conf did the trick. As mentioned in the thread you posted, a simple trick should be able to do that automatically.

Thanks again.
alphazo
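The automatic version of that trick, as an added example that is not code from this thread or from the linked mailing-list post: an OpenVPN client-side up/down script for Linux that reads the pushed "dhcp-option DNS ..." and "dhcp-option DOMAIN ..." values (OpenVPN hands them to scripts as the foreign_option_1, foreign_option_2, ... environment variables, with script_type set to up or down) and writes them to resolv.conf, restoring the original file on disconnect. It assumes the client config references it with `script-security 2`, `up /path/to/script` and `down /path/to/script`; the optional path argument and the .openvpn-bak backup name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN "up"/"down" script for Linux
# clients that applies pushed "dhcp-option DNS" / "dhcp-option DOMAIN" values
# to resolv.conf. OpenVPN exports each pushed option to the script as
# foreign_option_1, foreign_option_2, ... and sets script_type to up or down.

# Print "nameserver"/"search" lines for every pushed dhcp-option, in order.
collect_pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break              # options are numbered without gaps
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Replace the resolver file with the pushed settings, keeping a backup so the
# down script can restore it. The path defaults to /etc/resolv.conf; it is a
# parameter so the function can be exercised on a scratch file.
write_resolv_conf() {
    target=${1:-/etc/resolv.conf}
    dns=$(collect_pushed_dns)
    [ -n "$dns" ] || return 1               # nothing pushed: leave the file alone
    if [ -f "$target" ]; then cp "$target" "$target.openvpn-bak"; fi
    printf '%s\n' "$dns" > "$target"
}

# Put the pre-connection resolver file back (run with script_type=down).
restore_resolv_conf() {
    target=${1:-/etc/resolv.conf}
    if [ -f "$target.openvpn-bak" ]; then mv "$target.openvpn-bak" "$target"; fi
}

# Entry point when OpenVPN invokes the script; a no-op when sourced for testing.
case "${script_type:-}" in
    up)   write_resolv_conf ;;
    down) restore_resolv_conf ;;
esac
```

With the server pushing `dhcp-option DNS 192.168.0.254` as in the thread, the resulting resolv.conf points at the pfSense LAN address for the lifetime of the tunnel and reverts when the tunnel closes.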
