Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]
-
Yes ^^
Wrote only half of what I thought :D
-
I found this post that should solve my problem.
http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978
For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NAT the OpenVPN subnet (192.168.113.0/24) to WAN. That is, to begin with I had a working OpenVPN server for road warriors, and what I had to do to tunnel all traffic was:
-
Add the following lines of configuration to the OpenVPN "Custom Options":

```
push "dhcp-option DNS 192.168.110.1";
push "redirect-gateway local def1";
```

-
Change to "Manual Outbound NAT rule generation" and NAT the road warrior subnet to WAN (and all other interfaces...).
My LAN is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I have OPT1 connected to tun7 (VPN; tun7 is forced in the OpenVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.
What do I have to use for the DNS line?
Moreover, the section on outbound NAT is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have to create an outbound NAT rule for each interface (WAN, LAN and OPT1 (VPN))? Can someone guide me through the steps required to set it up?

- Interface: WAN/LAN/OPT1
- Source:
  - Type: any/network
  - Address:
  - Source port:
- Destination:
  - Type: any/network
  - Address:
  - Destination port:
- Translation:
  - Address: Interface address/any
  - Port:
  - Static port:
Thank you
Alphazo
-
-
AoN rules define how traffic is NATed.
Generally you only want traffic NATed to the WAN.
I use in my private home setup a single rule with:

```
Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        any     *            *            *                 *            *         NO
```

Meaning I NAT everything to the WAN. Of course you could create an AoN rule for each subnet you have.
The rules would look like:

```
Interface  Source    Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        subnet_A  *            *            *                 *            *         NO
WAN        subnet_B  *            *            *                 *            *         NO
WAN        subnet_C  *            *            *                 *            *         NO
```

etc.
-
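For readers who know pf, here is what a per-subnet AoN table like the one above becomes in the ruleset pfSense generates. This is an added illustration, not text from the post: em0 stands in for whatever the real WAN interface is, and the two subnets are the LAN and VPN ranges Alphazo gave earlier in the thread.

```pf
# One nat rule per inside subnet, applied on the interface the traffic
# leaves (WAN), which is why LAN and OPT1 need no rule of their own.
# "-> (em0)" means "translate to whatever address em0 currently has"
# (the "*" NAT Address column); no static-port keyword means pf rewrites
# the source port (Static Port: NO).
nat on em0 from 192.168.0.0/24 to any -> (em0)
nat on em0 from 192.168.100.0/24 to any -> (em0)

# Same rule for the VPN subnet with Static Port: YES, for protocols
# that break when the source port changes:
# nat on em0 from 192.168.100.0/24 to any -> (em0) static-port
```

Two things to check after switching to manual generation: the automatic LAN rule disappears along with the rest, so the LAN subnet needs its own row or LAN hosts lose internet access, and the OpenVPN subnet row is the one that actually lets road-warrior traffic out of WAN once the client's default route points into the tunnel.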
Hello,
I'm successfully using this howto on some pfSense setups (also: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…
Meanwhile, I have two problems/requests:
- When setting up OpenVPN manually (on a classic Linux box), I could use "./pkitool --initca --pass" to create a protected CA (so that only someone who knows the passphrase can issue certificates) and create clients...
With the easy-rsa package contents ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), I don't have the "pkitool" command...
I read that "pkitool --initca" = "build-ca": does that mean I could use "build-ca --pass" (does it even exist?) in order to create a protected CA?
Or do you do it differently (the main goal: protect the CA / avoid unauthorized certificate issuing)? How do you protect the CA?
- When issuing certificates, I get the following message at the end:
"unable to write random state"
I think it's due to incorrect HOME / RANDFILE variables in the openssl.cnf file... Well, I didn't change it because I don't know if my thoughts are right or if there are other variables to change...
By the way, I changed the HOME variable in vars.bat in order to issue certificates...
Certificates are issued fine and work perfectly, but this error message remains...
I wanted to know:
What is this *.rnd file for? Is it used to generate randomness for certificate issuing? In other words: can we simply ignore it?
Thank you very much,
XZed
-
Coming back to sending all traffic via the tunnel: I've modified my configuration based on the above recommendations, but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.
I've added the following to my custom options in the OpenVPN server settings:

```
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
```

192.168.0.254 is the address of my pfSense box on the LAN.
Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:

```
Interface  Source            Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        192.168.0.0/24    *            *            *                 *            *         NO
WAN        192.168.100.0/24  *            *            *                 *            *         NO
```
Under a Windows client, ipconfig returns (note that I now get a default gateway):

```
Windows IP Configuration

Ethernet adapter Local Area Connection 3:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.100.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.100.5

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : home.internal
        IP Address. . . . . . . . . . . . : 10.0.2.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.2.2
```

route print

```
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
0x10004 ...08 00 27 95 b4 ef ...... AMD PCNET Family PCI Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15      20
          0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15      20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1      20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6      30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1      30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6      30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15      20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6      30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
Default Gateway:     192.168.100.5
===========================================================================
Persistent Routes:
  None
```
Can someone help me to solve my problem?
Thank you
Alphazo
-
Please elaborate what you mean by "the tunnel is broken".
(How do you test?)
-
By broken I meant that I can't connect to any remote machine, e.g. http://192.168.0.254 (my pfSense web GUI).
Please forgive my ignorance; in my earlier post I said I put:

```
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
```

Don't you think it should be:

```
push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;
```

? 192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7. I tried on both Windows and Linux clients but it still doesn't allow me to reach remote machines on the LAN. On the Windows client I also added the following parameters (from another thread):

```
route-method exe
route-delay 2
```

Alphazo

[EDIT] Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option). My config is now:

```
dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";
```

Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolution.

Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); name resolution doesn't work. Is there anything to do, like flushing the DNS cache or running a command to apply the new DNS setting after a successful OpenVPN connection?

Thank you for your help
Alphazo
-
Generally I would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.
Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.
Now my very last issue is with OpenVPN linux clients (Arch). When enabling the above configuration I can connect to remote machine via their IP addresses and even go to tunneled internet only if using IP addresses (e.g. http://208.78.70.70/ which is the IP address for http://checkip.dyndns.org is tunneled correctly) but the name resolution doesn't work.
I'm not sure I understand.
Are you able to resolve names, or are you not?
-
I'm not able to resolve names on a Linux client. Works fine on Windows clients.
-
Hmmm.
A quick Google search showed me this:
http://openvpn.net/archive/openvpn-users/2007-08/msg00124.html
with the answer:
http://openvpn.net/archive/openvpn-users/2007-08/msg00125.html
-
Thanks for pointing this out. Manually adding the pfSense address to resolv.conf did the trick. As mentioned in the thread you posted, a simple trick should be able to do that automatically.
Thanks again.
alphazo
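The "simple trick" the last post refers to, written out as an added example (this is not code from the thread or from pfSense): an OpenVPN client-side up/down hook for Linux that turns the server's pushed "dhcp-option DNS ..." lines into /etc/resolv.conf and puts the original file back when the tunnel closes. OpenVPN really does export pushed options it does not apply itself as foreign_option_1, foreign_option_2, ... and the call type as script_type; the script path /etc/openvpn/update-resolv.sh, the RESOLV_CONF override and the assumption that nothing else (resolvconf, systemd-resolved) owns the file are mine.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN --up/--down hook for Linux
# clients that turns the server's pushed "dhcp-option DNS ..." lines into
# /etc/resolv.conf and restores the original file when the tunnel closes.
# OpenVPN exports every pushed option it does not apply itself as
# foreign_option_1, foreign_option_2, ... in the hook's environment, and
# tells the hook whether it is an up or down call via $script_type.
# Assumptions: resolvconf(8)/systemd-resolved are not managing the file,
# so it is written directly; RESOLV_CONF may be overridden for testing.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${RESOLV_CONF}.openvpn-saved"

# Print the resolv.conf that the pushed options describe, or return 1 if
# the server pushed no usable DNS server. The values come from a remote
# peer, so each one is validated before it lands in a system file: a DNS
# entry must be a dotted quad, a DOMAIN entry a plain hostname.
build_resolv_conf() {
    i=1
    domain=""
    servers=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ns="${opt#dhcp-option DNS }"
                case "$ns" in
                    "" | *[!0-9.]*) ;;          # reject e.g. "1.1.1.1;nameserver x"
                    *) servers="$servers $ns" ;;
                esac
                ;;
            "dhcp-option DOMAIN "*)
                d="${opt#dhcp-option DOMAIN }"
                case "$d" in
                    "" | *[!A-Za-z0-9.-]*) ;;
                    *) domain="$d" ;;
                esac
                ;;
        esac
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1
    echo "# generated by the OpenVPN up hook"
    if [ -n "$domain" ]; then
        echo "search $domain"
    fi
    for ns in $servers; do
        echo "nameserver $ns"
    done
}

# up: save the current file once, then replace it with the pushed settings.
up() {
    content=$(build_resolv_conf) || {
        echo "openvpn up hook: no DNS pushed, leaving $RESOLV_CONF alone" >&2
        return 0
    }
    [ -e "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
    printf '%s\n' "$content" > "$RESOLV_CONF"
}

# down: put the pre-tunnel file back (e.g. the resolver learned from DHCP).
down() {
    if [ -e "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

case "${script_type:-}" in
    up) up ;;
    down) down ;;
esac
```

To use it, the client config needs `script-security 2` plus `up /etc/openvpn/update-resolv.sh` and `down /etc/openvpn/update-resolv.sh` (both lines pointing at wherever you install it), and the server side is the push line from the thread, `push "dhcp-option DNS 192.168.0.254"`, with the pfSense LAN address as recommended above. The validation in build_resolv_conf matters because whoever controls the server (or has compromised it) controls every foreign_option_N string; without it, a pushed value containing a newline or a second directive would be written verbatim into resolv.conf. On the `redirect-gateway` side, the working line in the thread also dropped the `local` flag, which the OpenVPN manual reserves for a client and server on the same subnet, a situation a road warrior is never in.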