OVPN Troubleshooting, please help
-
greetings community,
after trying a few days I finally got ovpn running somehow, but I still encounter
some serious problems, which I hope to solve with your help.
Situation:
pfsense firewall with 2 Interfaces (LAN: 192.168.0.100, WAN: 192.168.0.106)
both connected to the same switch (for testing). Our Router (which is the
WAN gateway for pfsense on 192.168.0.253) routes all VPN Traffic to the pfsense
box (port forwarding 1194 TCP/UDP). So the pfsense box is internal only at the
moment, both interfaces on the same subnet (that ok for testing?), later the WAN IP
will be changed to 192.1680.200.106 instead of 192.168.0.106.
Problem description:
UDP never worked, I never was able to connect to the server so I decided to use
TCP. I activated the tun0 interface as described in the howto, installed all certificates
and created an "any, any, any,…" rule (every field a "*") for every interface (LAN, WAN,
OVPNTUN0). Deactivated LZO compression (testing). Rebooted the box.
Config file for my client:
    float
    port 1194
    dev tun
    dev-node ovpn
    proto tcp-client
    remote myremoteserver.biz 1194
    ping 30
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    #comp-lzo
    pull
    verb 4
Now I am trying to connect from outside to the pfsense box, this is the logfile:
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCP connection established with 84.56.xx.xx:1827
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCPv4_SERVER link local: [undef]
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCPv4_SERVER link remote: 84.56.xx.xx:1827
    Sep 26 14:33:52 <daemon.notice>firewall openvpn[422]: 84.56.xx.xx:1827 [client1] Peer Connection Initiated with 84.56.xx.xx:1827
I think everything works well, on the client side I got:
    Tue Sep 26 15:39:54 2006 us=83689 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
    Tue Sep 26 15:39:54 2006 us=84021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
    Tue Sep 26 15:39:54 2006 us=85097 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Tue Sep 26 15:39:54 2006 us=90639 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Tue Sep 26 15:39:54 2006 us=90804 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue Sep 26 15:39:54 2006 us=90874 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue Sep 26 15:39:54 2006 us=90954 Local Options hash (VER=V4): 'db02a8f8'
    Tue Sep 26 15:39:54 2006 us=91004 Expected Remote Options hash (VER=V4): '7e068940'
    Tue Sep 26 15:39:54 2006 us=91073 Attempting to establish TCP connection with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:54 2006 us=124775 TCP connection established with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:54 2006 us=124932 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Sep 26 15:39:54 2006 us=124993 TCPv4_CLIENT link local: [undef]
    Tue Sep 26 15:39:54 2006 us=125037 TCPv4_CLIENT link remote: 82.135.xxx.xxx:1194
    WRTue Sep 26 15:39:54 2006 us=156930 TLS: Initial packet from 82.135.xxx.xxx:1194, sid=d1291ed1 706087a4
    WRWWWRRRRRRWWRWRRRWWRWRWRRWWRWRWRRWWRWRWRRTue Sep 26 15:39:54 2006 us=886647 VERIFY OK: depth=1, /C=DE/ST=BAVARIA/L=MUNICH/O=myofficaldomain/OU=MUC/CN=gate/emailAddress=administrator@myofficaldomain.de
    Tue Sep 26 15:39:54 2006 us=887124 VERIFY OK: nsCertType=SERVER
    Tue Sep 26 15:39:54 2006 us=887171 VERIFY OK: depth=0, /C=DE/ST=BAVARIA/O=myofficaldomain/OU=MUC/CN=gate/emailAddress=administrator@myofficaldomain.de
    WWRWRWRRWWRWWWWRWRRRWWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRRRWWWWRRRRRRTue Sep 26 15:39:56 2006 us=262 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 26 15:39:56 2006 us=389 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Sep 26 15:39:56 2006 us=489 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 26 15:39:56 2006 us=544 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    WWTue Sep 26 15:39:56 2006 us=745 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Sep 26 15:39:56 2006 us=815 [gate] Peer Connection Initiated with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:57 2006 us=198083 SENT CONTROL [gate]: 'PUSH_REQUEST' (status=1)
    WRRRR Tue Sep 26 15:39:57 2006 us=421011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.0.0 255.255.255.0,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.0.6 192.168.0.5'
    Tue Sep 26 15:39:57 2006 us=421170 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Sep 26 15:39:57 2006 us=421224 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Sep 26 15:39:57 2006 us=421277 OPTIONS IMPORT: route options modified
    Tue Sep 26 15:39:57 2006 us=424986 TAP-WIN32 device [ovpn] opened: \\.\Global\{1DEB316D-F714-4F09-A654-3CDDC6909146}.tap
    Tue Sep 26 15:39:57 2006 us=425149 TAP-Win32 Driver Version 8.1
    Tue Sep 26 15:39:57 2006 us=425199 TAP-Win32 MTU=1500
    Tue Sep 26 15:39:57 2006 us=425251 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.6/255.255.255.252 on interface {1DEB316D-F714-4F09-A654-3CDDC6909146} [DHCP-serv: 192.168.0.5, lease-time: 31536000]
    Tue Sep 26 15:39:57 2006 us=426646 Successful ARP Flush on interface [3] {1DEB316D-F714-4F09-A654-3CDDC6909146}
    WTue Sep 26 15:39:57 2006 us=439870 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
    Tue Sep 26 15:39:57 2006 us=440041 Route: Waiting for TUN/TAP interface to come up...
    WTue Sep 26 15:39:58 2006 us=636228 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Tue Sep 26 15:39:58 2006 us=636392 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=637248 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=637331 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=638122 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=638196 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=639005 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=639082 Initialization Sequence Completed
    RWWR
If I do check "ipconfig" on my windows box after the above connection
I got:
    Ethernetadapter ovpn:
        Verbindungsspezifisches DNS-Suffix:
        IP-Adresse. . . . . . . . . . . . : 192.168.0.6
        Subnetzmaske. . . . . . . . . . . : 255.255.255.252
        Standardgateway . . . . . . . . . :
I wonder why there is no default gateway (= "Standardgateway"). Is that normal!?
Now I am trying to ping some hosts in our office or connect via http but
nothing happens (always time out). Since I enabled logging on my
firewall rules I can see logs like the following:
    Sep 26 14:23:22 <local0.info>firewall pf: 15. 102830 rule 44/0(match): pass in on tun0: 192.168.0.6.1780 > 192.168.0.177.80: S 1224028711:1224028711(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:23:48 <local0.info>firewall pf: 26. 004302 rule 44/0(match): pass in on tun0: 192.168.0.6.1781 > 192.168.0.177.80: S 3733786838:3733786838(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:24:08 <local0.info>firewall pf: 20. 924645 rule 44/0(match): pass in on tun0: 192.168.0.6.1782 > 192.168.0.177.80: S 2224132284:2224132284(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:24:34 <local0.info>firewall pf: 26. 003072 rule 44/0(match): pass in on tun0: 192.168.0.6.1783 > 192.168.0.177.80: S 1392872411:1392872411(0) win 16384
So my guess is, the certificate thing works, but routing or ruleset is broken somehow…
Can someone please push me in the right direction, I really got no
clue at the moment what I did wrong. Is it because WAN and LAN
are on the same subnet? Wrong rules? IP addresses for the ovpn-pool
are 192.168.0.0/28 (the first 16 addresses are not used internally), is that
ok?
Many thanks for reading this posting.
Stefan
-
yes, you cannot have lan and wan on the same subnet. I would change the lan to something else, so that your wan side will still work. change the lan to something like 172.16.0.0 (and the other computer that may be participating in the lan side as well).
-
I'd say the box becomes confused ;) At first try to setup different IP and subnets to WAN and LAN to sort that problem out. Just use some other subnet on LAN if you want to test it internally first.
Then try again and let's look further. Certificates should be fine as far as I've read and the propagation of a default route is perhaps suppressed 'cause of the IP addresses residing in the same network.
-
ok thanks for the hint guys, I will try that tomorrow. You mean I should just configure
the pfsense LAN for example to: 192.168.50.1/24 and one box on the
switch to 192.168.50.2/24, so that I can test the connection? Did I get that right?
BTW: what I just found out, I CAN connect to the external interface of pfsense
on 192.168.0.106 with ssh and I can login as usual. But no internal hosts
can be reached. So the tunnel works to pfsense, but not to our LAN.
Thanks for reading, I will try to reassign the interfaces tomorrow and
post what happens.
-
hello folks,
back again at the office and I tried your suggestions.
I configured the LAN interface from 192.168.0.100 to
192.168.5.100/24 and connected the LAN interface with
a new hub on which only pfsense and one testbox with
192.168.5.30/24 is running.
ovpn options:
Protocol: tcp
DynamicIP: yes
address pool: 192.168.5.0/28
local network: 192.168.5.0/24
Remote network:
The tun0 interface has 192.168.5.1/24, on every interface I
installed an "any, any, any,…" rule. No static routes, no bridging
anywhere.
Still the same problem, connection is established, I can ping the
pfsense LAN interface from my roadwarrior but no way to reach
the testbox on 192.168.5.30/24....
Can someone please help me again with the setup? What could be wrong?
-
SOLVED!
stupid me, I assigned the same subnet to the ovpn address pool as my
LAN network, after correcting that everything works as expected!
Thanks again for your help, we'll keep supporting this fine product ;)
-
Yeah, that only works when bridging, and well, you can see the novella being created by my efforts to get that working. :P
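An added check for the mistake in the SOLVED post above (this is not code from the thread, pfSense or OpenVPN): it flags an OpenVPN address pool that overlaps the LAN, and the first-attempt case where LAN and WAN sit on one subnet, and shows why the pf log only ever saw one-way SYNs, because a LAN host treats a VPN client address inside its own subnet as on-link and ARPs for it instead of replying through the firewall. The plans are constructed from the addresses in the thread; the corrected pool 10.8.0.0/24 is an assumption, since the post does not say which subnet was chosen.

```python
"""Check a pfSense/OpenVPN addressing plan for overlapping subnets (added example)."""
import ipaddress
from itertools import combinations


def find_overlaps(plan):
    """Return every pair of labels whose networks overlap.

    plan: mapping label -> CIDR (an interface address like 192.168.5.100/24 is fine;
    strict=False reduces it to its network). Pairs follow the plan's key order.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def reply_path(lan_host_cidr, vpn_client_ip):
    """How a LAN host sends its reply to a VPN client.

    'on-link': the client address lies in the host's own subnet, so the host ARPs
    for it on the LAN and the reply never reaches the firewall's tun interface.
    'via-gateway': the host hands the reply to its default gateway as intended.
    """
    host_net = ipaddress.ip_interface(lan_host_cidr).network
    return "on-link" if ipaddress.ip_address(vpn_client_ip) in host_net else "via-gateway"


# Constructed from the thread. First attempt: everything on 192.168.0.0/24.
FIRST_ATTEMPT = {"LAN": "192.168.0.100/24", "WAN": "192.168.0.106/24",
                 "OVPN pool": "192.168.0.0/28"}
# Second attempt: LAN moved to 192.168.5.0/24, but the pool still lies inside it.
SECOND_ATTEMPT = {"LAN": "192.168.5.100/24", "WAN": "192.168.0.106/24",
                  "OVPN pool": "192.168.5.0/28"}
# Fixed: pool on its own subnet. 10.8.0.0/24 is an assumed value, not from the post.
FIXED = {"LAN": "192.168.5.100/24", "WAN": "192.168.0.106/24",
         "OVPN pool": "10.8.0.0/24"}

if __name__ == "__main__":
    for label, plan in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("fixed", FIXED)):
        print(f"{label}: overlaps = {find_overlaps(plan)}")
    # The host 192.168.0.177 from the pf log, answering VPN client 192.168.0.6
    print("first attempt reply path:", reply_path("192.168.0.177/24", "192.168.0.6"))
    print("fixed reply path:", reply_path("192.168.5.30/24", "10.8.0.6"))
```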