Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]
-
I'm a little confused by this tutorial and other references on the wiki because 1.2.3 adds new filtering capabilities on VPN with the addition of a new virtual interface.
Before going into that (enabling the virtual interface and disabling automatic rules) I followed the tutorial. I'm able to connect and get an IP address but unfortunately I cannot reach anything in the remote network. When looking at ipconfig on the Windows client I noticed that there is no gateway mentioned, only an IP address: 192.168.100.6 and a netmask: 255.255.255.252.
I guess that without a gateway I won't be able to route correctly. How can I enable this?
In my OpenVPN I have 192.168.100.0/24 for the address pool and 192.168.0.0/24 for the local network. I also have a WAN rule:
UDP * * * 1194 (OpenVPN) * OpenVPN
Thanks
alphazo -
If I remember correctly, you don't have a gateway for the OpenVPN interface with ipconfig.
But when you do a "route print" on a console you should see all the gateways for their corresponding route. The route to the remote subnet should show up there.
If it doesn't: can you show the OpenVPN log from the client when you connect? -
Thank you for helping me out. This is what the "route print" returns:
```
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen de paquets
0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau   Adr. passerelle  Adr. interface  Métrique
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6        1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6        1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15        1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6        1
Passerelle par défaut : 10.0.2.2
===========================================================================
Itinéraires persistants :
Aucun
```
and here is the OpenVPN client's log:
```
Tue Dec 22 13:21:33 2009 OpenVPN 2.1_rc22 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 20 2009
Tue Dec 22 13:21:33 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:21:34 2009 LZO compression initialized
Tue Dec 22 13:21:34 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:21:34 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:21:34 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:21:34 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:21:34 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:21:34 2009 UDPv4 link local: [undef]
Tue Dec 22 13:21:34 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:21:34 2009 TLS: Initial packet from 86.76.21.144:1194, sid=0caaf0df a2be79c5
Tue Dec 22 13:21:35 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:21:35 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:21:35 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:21:36 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:21:36 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:21:36 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:21:36 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:21:38 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:21:38 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:21:38 2009 ROUTE default_gateway=10.0.2.2
Tue Dec 22 13:21:38 2009 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{1870D386-0490-4692-AA56-6C738635ADCC}.tap
Tue Dec 22 13:21:38 2009 TAP-Win32 Driver Version 9.6
Tue Dec 22 13:21:38 2009 TAP-Win32 MTU=1500
Tue Dec 22 13:21:38 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.6/255.255.255.252 on interface {1870D386-0490-4692-AA56-6C738635ADCC} [DHCP-serv: 192.168.100.5, lease-time: 31536000]
Tue Dec 22 13:21:38 2009 Successful ARP Flush on interface [2] {1870D386-0490-4692-AA56-6C738635ADCC}
Tue Dec 22 13:21:44 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.100.5
Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.100.1 MASK 255.255.255.255 192.168.100.5
Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
Tue Dec 22 13:21:44 2009 Initialization Sequence Completed
Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:21:58 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:08 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:18 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:29 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:38 2009 [ares] Inactivity timeout (--ping-restart), restarting
Tue Dec 22 13:22:38 2009 TCP/UDP: Closing socket
Tue Dec 22 13:22:38 2009 SIGUSR1[soft,ping-restart] received, process restarting
Tue Dec 22 13:22:38 2009 Restart pause, 2 second(s)
Tue Dec 22 13:22:40 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:22:40 2009 Re-using SSL/TLS context
Tue Dec 22 13:22:40 2009 LZO compression initialized
Tue Dec 22 13:22:40 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:22:40 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:22:40 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:22:40 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:22:40 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:22:40 2009 UDPv4 link local: [undef]
Tue Dec 22 13:22:40 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:22:40 2009 TLS: Initial packet from 86.76.21.144:1194, sid=06dbe67e 87fb9eda
Tue Dec 22 13:22:41 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:22:41 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:22:41 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:22:42 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:22:42 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:22:42 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:22:42 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:22:44 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:22:44 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:22:44 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
Tue Dec 22 13:22:44 2009 Initialization Sequence Completed
Tue Dec 22 13:22:54 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:04 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:14 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:24 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:34 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:44 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:44 2009 [ares] Inactivity timeout (--ping-restart), restarting
Tue Dec 22 13:23:44 2009 TCP/UDP: Closing socket
Tue Dec 22 13:23:44 2009 SIGUSR1[soft,ping-restart] received, process restarting
Tue Dec 22 13:23:44 2009 Restart pause, 2 second(s)
Tue Dec 22 13:23:46 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:23:46 2009 Re-using SSL/TLS context
Tue Dec 22 13:23:46 2009 LZO compression initialized
Tue Dec 22 13:23:46 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:23:46 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:23:46 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:23:46 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:23:46 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:23:46 2009 UDPv4 link local: [undef]
Tue Dec 22 13:23:46 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:23:47 2009 TLS: Initial packet from 86.76.21.144:1194, sid=c5a3b246 f145a49c
Tue Dec 22 13:23:47 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:23:47 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:23:47 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:23:48 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:23:48 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:23:48 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:23:48 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:23:50 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:23:50 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:23:50 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
Tue Dec 22 13:23:50 2009 Initialization Sequence Completed
Tue Dec 22 13:24:00 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:24:10 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:24:20 2009 Authenticate/Decrypt packet error: cipher final failed
```
-
The routes are added correctly:
```
192.168.0.0 255.255.255.0 192.168.100.5 192.168.100.6 1
192.168.100.1 255.255.255.255 192.168.100.5 192.168.100.6 1
192.168.100.4 255.255.255.252 192.168.100.6 192.168.100.6 30
192.168.100.6 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.100.255 255.255.255.255 192.168.100.6 192.168.100.6 30
```
But you seem to have a problem with your encryption:
```
Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed
```
Can you double check that you have the same settings on your server and the client?
-
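The diagnosis in the reply above (an option warning at connect time followed by "cipher final failed" once the data channel is up) can be automated; this is an added example, not code from the thread or from pfSense, run over a constructed excerpt of the client log posted earlier.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed excerpt of the client log posted above (values copied from it).
SAMPLE_LOG = """\
Tue Dec 22 13:21:36 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:21:36 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:21:44 2009 Initialization Sequence Completed
Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:21:58 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:38 2009 [ares] Inactivity timeout (--ping-restart), restarting
"""

# OpenVPN only warns about differing options; the data channel then fails
# silently, so the three patterns below are correlated rather than read alone.
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
DECRYPT_ERROR = re.compile(r"Authenticate/Decrypt packet error")
PING_RESTART = re.compile(r"Inactivity timeout \(--ping-restart\)")


@dataclass
class Diagnosis:
    mismatches: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    decrypt_errors: int = 0
    restarts: int = 0

    def verdict(self) -> str:
        if "cipher" in self.mismatches and self.decrypt_errors:
            local, remote = self.mismatches["cipher"]
            return (f"cipher mismatch: client '{local}', server '{remote}'; "
                    f"{self.decrypt_errors} decrypt errors, {self.restarts} restarts")
        if self.decrypt_errors:
            return "decrypt errors without a cipher warning: compare cipher and auth on both ends"
        if self.mismatches:
            return "option warnings only: " + ", ".join(sorted(self.mismatches))
        return "no data-channel problems seen"


def diagnose(log_text: str) -> Diagnosis:
    """Scan an OpenVPN client log: record each 'used inconsistently' option
    with both sides' values, and count decrypt errors and ping-restarts."""
    d = Diagnosis()
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            d.mismatches[m["opt"]] = (m["local"], m["remote"])
        elif DECRYPT_ERROR.search(line):
            d.decrypt_errors += 1
        elif PING_RESTART.search(line):
            d.restarts += 1
    return d


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG).verdict())
```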
Good catch… It works now! When posting it I saw the encryption mismatch but thought that since I had an IP address I was fine.
Adding
```
cipher AES-128-CBC
```
I can now experiment with the new OpenVPN filtering functions (and associated virtual interface) in 1.2.3. Thanks again. Alphazo
-
One last question (in fact three) regarding DNS.
- Can I resolve machine names on the client side? For example http://myserver that is remotely located on 192.168.0.10. Or do I have to add entries to my hosts file?
- Can I remotely browse samba shares without knowing their IP address?
- Can I force all internet traffic on the client to go through the tunnel?
Thank you
alphazo -
1: You can push a DHCP-option (in your case you need DNS) you control locally to the client. Since the client now resolves its names over this DHCP, you control to what it resolves.
2: Not without setting up a WINS server.
3: Yes. -
For 1. do you mean DNS?
I don't know if there is any quick answer but how do you do 1. and especially 3. ?
Thanks
Alphazo -
Yes ^^"
Wrote only half of what I thought :D -
I found this post that should solve my problem.
http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978
For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NAT-ing my OpenVPN subnet (192.168.113.0/24) to WAN. That is, to begin with I had a working OpenVPN server for Road Warriors and what I had to do to tunnel all traffic was:
- Add the following lines of configuration to the OpenVPN "Custom Options":
```
push "dhcp-option DNS 192.168.110.1";
push "redirect-gateway local def1";
```
- Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).
My LAN is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I have OPT1 connected to tun7 (VPN; tun7 is forced in the OpenVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.
What do I have to use for the DNS line?
Moreover, the section on outbound NAT is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have to create an outbound NAT rule for each interface (WAN, LAN and OPT (VPN))? Can someone guide me through the steps required to set it up?
- Interface: WAN/LAN/OPT1
- Source:
  - Type: any/network
  - Address:
  - Source port:
- Destination:
  - Type: any/network
  - Address:
  - Destination port:
- Translation:
  - Address: Interface address/any
  - Port:
  - Static port:
Thank you
Alphazo -
AoN rules define how traffic is NATed.
Generally you only want traffic NATed to the WAN.
In my private home setup I use a single rule with:
```
WAN any * * * * * NO
```
Meaning I NAT everything to the WAN. Of course you could create an AoN rule for each subnet you have.
The rules would look like:
```
WAN subnet_A * * * * * NO
WAN subnet_B * * * * * NO
WAN subnet_C * * * * * NO
```
etc. -
Hello,
I'm using this howto with success on some pfSense setups (also: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…
Meanwhile, I have two problems/requests:
- When setting up OpenVPN manually (on a classic Linux box), I could use "./pkitool --initca --pass" to create a protected CA (so that only someone knowing the passphrase could issue certificates) and create clients...
With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), I don't have the "pkitool" command...
I read that "pkitool --initca" = "build-ca": does that mean I could use "build-ca --pass" (does it even exist?) in order to create a protected CA?
Or do you use it differently (the main goal: protect the CA / avoid unauthorized certificate issuing)? How do you protect the CA?
- When issuing certificates, I get the following message at the end:
"unable to write random state"
I think it's due to incorrect HOME / RANDFILE variables in the openssl.cnf file... Well, I didn't do it because I don't know if my thoughts are right or if there are other variables to change...
By the way, I change the HOME variable in vars.bat in order to issue certificates...
Certificates are issued fine and work perfectly but this error message remains...
I wanted to know:
What is this *.rnd file for? Does it serve to generate random ciphering for certificate issuing? In other words: can we simply ignore it?
Thank you very much,
XZed
-
Coming back to my all traffic via tunnel I've modified my configuration based on the above recommendations but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.
I've added the following to my custom options in the OpenVPN server settings:
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
192.168.0.254 is the address of my pfSense box on the LAN.
Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:
```
Interface  Source            Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        192.168.0.0/24    *            *            *                 *            *         NO
WAN        192.168.100.0/24  *            *            *                 *            *         NO
```
Under a Windows client, ipconfig returns (note that I now get a default gateway):
```
Configuration IP de Windows

Carte Ethernet Connexion au réseau local 3:

        Suffixe DNS propre à la connexion :
        Adresse IP. . . . . . . . . . . . : 192.168.100.6
        Masque de sous-réseau . . . . . . : 255.255.255.252
        Passerelle par défaut . . . . . . : 192.168.100.5

Carte Ethernet Connexion au réseau local:

        Suffixe DNS propre à la connexion : home.internal
        Adresse IP. . . . . . . . . . . . : 10.0.2.15
        Masque de sous-réseau . . . . . . : 255.255.255.0
        Passerelle par défaut . . . . . . : 10.0.2.2
```
route print
```
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen de paquets
0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau   Adr. passerelle  Adr. interface  Métrique
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
          0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6        1
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
        128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6        1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6        1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6        1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15        1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6        1
Passerelle par défaut : 192.168.100.5
===========================================================================
Itinéraires persistants :
Aucun
```
Can someone help me to solve my problem?
Thank you
Alphazo -
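As an added example (not code from the thread or from pfSense), here is a longest-prefix-match lookup over a constructed excerpt of the def1 routing table above, which also shows the hazard of the `local` flag in `redirect-gateway local def1`: per the OpenVPN manual that flag skips the host route for the server via the original gateway, and without it the two /1 routes catch the server's own address (86.76.21.144 from the client log) so the encrypted packets would be routed back into the tunnel.

```python
import ipaddress
from typing import List, Optional, Tuple

# (prefix, gateway, metric); the interface column is not needed for a lookup
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, int]

# Constructed excerpt of the second "route print" posted above (after
# redirect-gateway def1), keeping only the rows that matter for the lookups.
ROUTE_PRINT_DEF1 = """\
0.0.0.0          0.0.0.0          10.0.2.2       10.0.2.15      20
0.0.0.0          128.0.0.0        192.168.100.5  192.168.100.6  1
10.0.2.0         255.255.255.0    10.0.2.15      10.0.2.15      20
128.0.0.0        128.0.0.0        192.168.100.5  192.168.100.6  1
192.168.0.0      255.255.255.0    192.168.100.5  192.168.100.6  1
192.168.100.4    255.255.255.252  192.168.100.6  192.168.100.6  30
"""

VPN_SERVER = "86.76.21.144"   # server address taken from the client log above
TUNNEL_GW = "192.168.100.5"   # far end of the /30 pushed by ifconfig
ORIGINAL_GW = "10.0.2.2"      # the client's pre-existing default gateway


def parse_route_print(text: str) -> List[Route]:
    """Parse the active-routes rows of a Windows 'route print' dump."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, 'Passerelle par défaut' lines
        dest, mask, gw, _iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, ipaddress.IPv4Address(gw), int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; lowest metric wins a tie (Windows semantics)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw)
    return str(best[1]) if best else None


def tunnel_routing_loop(routes: List[Route], server: str = VPN_SERVER,
                        tunnel_gw: str = TUNNEL_GW) -> bool:
    """True if packets to the VPN server itself would go into the tunnel."""
    return next_hop(routes, server) == tunnel_gw


def with_server_host_route(routes: List[Route], server: str = VPN_SERVER,
                           original_gw: str = ORIGINAL_GW) -> List[Route]:
    """The /32 route OpenVPN adds for --remote unless the 'local' flag is set."""
    host = (ipaddress.IPv4Network(f"{server}/32"),
            ipaddress.IPv4Address(original_gw), 1)
    return routes + [host]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_DEF1)
    for dst in ("192.168.0.254", "208.78.70.70", VPN_SERVER):
        print(f"{dst:>15} -> {next_hop(table, dst)}")
    print("loop:", tunnel_routing_loop(table))
    print("with host route:", next_hop(with_server_host_route(table), VPN_SERVER))
```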
Please elaborate what you mean with "the tunnel is broken".
(How do you test?) -
By broken I meant that I can't connect to any remote machine, e.g. http://192.168.0.254 (my pfSense web GUI).
Please forgive my ignorance, in my earlier post I said I put :
push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
Don't you think it should be:
```
push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;
```
? 192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7. I tried on both Windows and Linux clients but it still doesn't allow me to reach remote machines on the LAN. On the Windows client I also added the following parameters (from another thread).
```
route-method exe
route-delay 2
```
Alphazo
[EDIT] Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option). My config is now:
dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";
Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolution. Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); the name resolution doesn't work. Is there anything to do, like flushing the DNS cache or running a command to indicate the new DNS setting following the successful OpenVPN connection?
Thank you for your help
Alphazo
-
Generally I would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.
Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolution.
Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); the name resolution doesn't work.
I'm not sure I understand.
Are you able to resolve names, or are you not? -
I'm not able to resolve names on a Linux client. Works fine on Windows clients.
-
Hmmm.
A quick Google search showed me this:
http://openvpn.net/archive/openvpn-users/2007-08/msg00124.html
with the answer:
http://openvpn.net/archive/openvpn-users/2007-08/msg00125.html -
Thanks for pointing this out. Manually adding the pfSense address to resolv.conf did the trick. As mentioned in the thread you posted, a simple trick should be able to do that automatically.
Thanks again.
alphazo
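To do the resolv.conf update automatically, as the linked thread suggests, here is an added example (not from this thread or the pfSense project) of an OpenVPN client up/down script that reads the pushed "dhcp-option DNS" entries and rewrites /etc/resolv.conf, restoring the original on disconnect. It assumes the client config points `up` and `down` at this file with `script-security 2`, and that the backup path /etc/resolv.conf.openvpn-backup is free.

```python
import os
import shutil
import sys
from typing import Dict, List, Optional, Tuple

RESOLV = "/etc/resolv.conf"                    # assumed resolver file
BACKUP = "/etc/resolv.conf.openvpn-backup"     # assumed backup location


def pushed_dns(env: Dict[str, str]) -> Tuple[List[str], Optional[str]]:
    """Collect nameservers (and an optional search domain) from the
    foreign_option_N variables OpenVPN exports to its up/down scripts for
    pushed 'dhcp-option DNS ...' / 'dhcp-option DOMAIN ...' entries."""
    servers: List[str] = []
    domain: Optional[str] = None
    n = 1
    while f"foreign_option_{n}" in env:  # OpenVPN numbers them from 1, no gaps
        parts = env[f"foreign_option_{n}"].split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            if parts[1] == "DNS" and parts[2] not in servers:
                servers.append(parts[2])
            elif parts[1] == "DOMAIN":
                domain = parts[2]
        n += 1
    return servers, domain


def render_resolv_conf(servers: List[str], domain: Optional[str] = None) -> str:
    """Build resolv.conf text with the VPN resolver first, so LAN names
    such as http://myserver resolve through the tunnel."""
    lines = ["# written by the OpenVPN up script; restored by the down script"]
    if domain:
        lines.append(f"search {domain}")
    lines += [f"nameserver {s}" for s in servers]
    return "\n".join(lines) + "\n"


def main() -> int:
    """OpenVPN runs this with script_type=up or script_type=down set."""
    kind = os.environ.get("script_type")
    if kind == "up":
        servers, domain = pushed_dns(os.environ)
        if not servers:
            return 0  # nothing pushed: leave the system resolver alone
        if not os.path.exists(BACKUP):
            shutil.copy2(RESOLV, BACKUP)
        with open(RESOLV, "w") as fh:
            fh.write(render_resolv_conf(servers, domain))
    elif kind == "down" and os.path.exists(BACKUP):
        shutil.move(BACKUP, RESOLV)  # put the original resolver back
    return 0


if __name__ == "__main__":
    sys.exit(main())
```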