OVPN Troubleshooting, please help



  • Greetings community,

    After trying for a few days I finally got OpenVPN running somehow, but I still encounter
    some serious problems, which I hope to solve with your help.

    Situation:
    pfSense firewall with 2 interfaces (LAN: 192.168.0.100, WAN: 192.168.0.106),
    both connected to the same switch (for testing). Our router (which is the
    WAN gateway for pfSense on 192.168.0.253) routes all VPN traffic to the pfSense
    box (port forwarding 1194 TCP/UDP). So the pfSense box is internal only at the
    moment, with both interfaces on the same subnet (is that OK for testing?); later the WAN IP
    will be changed to 192.168.200.106 instead of 192.168.0.106.

    Problem description:
    UDP never worked; I was never able to connect to the server, so I decided to use
    TCP. I activated the tun0 interface as described in the howto, installed all certificates
    and created an "any, any, any, …" rule (every field a "*") for every interface (LAN, WAN,
    OVPNTUN0). Deactivated LZO compression (for testing). Rebooted the box.

    Config file for my client:

    
    float
    port 1194
    dev tun
    dev-node ovpn
    proto tcp-client
    remote myremoteserver.biz 1194
    ping 30
    
    persist-tun
    persist-key
    
    tls-client
    ca ca.crt
    cert client1.crt
    key client1.key
    
    ns-cert-type server
    #comp-lzo
    pull
    verb 4
    
    

    Now I am trying to connect from outside to the pfSense box; this is the log file:

    
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCP connection established with 84.56.xx.xx:1827
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCPv4_SERVER link local: [undef]
    Sep 26 14:33:50 <daemon.notice>firewall openvpn[422]: TCPv4_SERVER link remote: 84.56.xx.xx:1827
    Sep 26 14:33:52 <daemon.notice>firewall openvpn[422]: 84.56.xx.xx:1827 [client1] Peer Connection Initiated with 84.56.xx.xx:1827
    

    I think everything works well; on the client side I get:

    
    Tue Sep 26 15:39:54 2006 us=83689 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
    Tue Sep 26 15:39:54 2006 us=84021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
    Tue Sep 26 15:39:54 2006 us=85097 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Tue Sep 26 15:39:54 2006 us=90639 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Tue Sep 26 15:39:54 2006 us=90804 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue Sep 26 15:39:54 2006 us=90874 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue Sep 26 15:39:54 2006 us=90954 Local Options hash (VER=V4): 'db02a8f8'
    Tue Sep 26 15:39:54 2006 us=91004 Expected Remote Options hash (VER=V4): '7e068940'
    Tue Sep 26 15:39:54 2006 us=91073 Attempting to establish TCP connection with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:54 2006 us=124775 TCP connection established with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:54 2006 us=124932 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Sep 26 15:39:54 2006 us=124993 TCPv4_CLIENT link local: [undef]
    Tue Sep 26 15:39:54 2006 us=125037 TCPv4_CLIENT link remote: 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:54 2006 us=156930 TLS: Initial packet from 82.135.xxx.xxx:1194, sid=d1291ed1 706087a4
    Tue Sep 26 15:39:54 2006 us=886647 VERIFY OK: depth=1, /C=DE/ST=BAVARIA/L=MUNICH/O=myofficaldomain/OU=MUC/CN=gate/emailAddress=administrator@myofficaldomain.de
    Tue Sep 26 15:39:54 2006 us=887124 VERIFY OK: nsCertType=SERVER
    Tue Sep 26 15:39:54 2006 us=887171 VERIFY OK: depth=0, /C=DE/ST=BAVARIA/O=myofficaldomain/OU=MUC/CN=gate/emailAddress=administrator@myofficaldomain.de
    Tue Sep 26 15:39:56 2006 us=262 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 26 15:39:56 2006 us=389 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Sep 26 15:39:56 2006 us=489 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Sep 26 15:39:56 2006 us=544 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Sep 26 15:39:56 2006 us=745 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Sep 26 15:39:56 2006 us=815 [gate] Peer Connection Initiated with 82.135.xxx.xxx:1194
    Tue Sep 26 15:39:57 2006 us=198083 SENT CONTROL [gate]: 'PUSH_REQUEST' (status=1)
    Tue Sep 26 15:39:57 2006 us=421011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.0.0 255.255.255.0,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.0.6 192.168.0.5'
    Tue Sep 26 15:39:57 2006 us=421170 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Sep 26 15:39:57 2006 us=421224 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Sep 26 15:39:57 2006 us=421277 OPTIONS IMPORT: route options modified
    Tue Sep 26 15:39:57 2006 us=424986 TAP-WIN32 device [ovpn] opened: \\.\Global\{1DEB316D-F714-4F09-A654-3CDDC6909146}.tap
    Tue Sep 26 15:39:57 2006 us=425149 TAP-Win32 Driver Version 8.1
    Tue Sep 26 15:39:57 2006 us=425199 TAP-Win32 MTU=1500
    Tue Sep 26 15:39:57 2006 us=425251 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.6/255.255.255.252 on interface {1DEB316D-F714-4F09-A654-3CDDC6909146} [DHCP-serv: 192.168.0.5, lease-time: 31536000]
    Tue Sep 26 15:39:57 2006 us=426646 Successful ARP Flush on interface [3] {1DEB316D-F714-4F09-A654-3CDDC6909146}
    Tue Sep 26 15:39:57 2006 us=439870 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
    Tue Sep 26 15:39:57 2006 us=440041 Route: Waiting for TUN/TAP interface to come up...
    Tue Sep 26 15:39:58 2006 us=636228 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Tue Sep 26 15:39:58 2006 us=636392 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=637248 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=637331 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=638122 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=638196 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
    Tue Sep 26 15:39:58 2006 us=639005 Route addition via IPAPI succeeded
    Tue Sep 26 15:39:58 2006 us=639082 Initialization Sequence Completed
    
    

    If I check "ipconfig" on my Windows box after the above connection
    I get:

    
    Ethernet adapter ovpn:
    
            Connection-specific DNS Suffix  :
            IP Address. . . . . . . . . . . : 192.168.0.6
            Subnet Mask . . . . . . . . . . : 255.255.255.252
            Default Gateway . . . . . . . . :
    
    

    I wonder why there is no default gateway. Is that normal!?

    Now I am trying to ping some hosts in our office or connect via HTTP, but
    nothing happens (always a timeout). Since I enabled logging on my
    firewall rules I can see logs like the following:

    
    Sep 26 14:23:22 <local0.info>firewall pf: 15. 102830 rule 44/0(match): pass in on tun0: 192.168.0.6.1780 > 192.168.0.177.80: S 1224028711:1224028711(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:23:48 <local0.info>firewall pf: 26. 004302 rule 44/0(match): pass in on tun0: 192.168.0.6.1781 > 192.168.0.177.80: S 3733786838:3733786838(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:24:08 <local0.info>firewall pf: 20. 924645 rule 44/0(match): pass in on tun0: 192.168.0.6.1782 > 192.168.0.177.80: S 2224132284:2224132284(0) win 16384 <mss 1367,nop,nop,sackOK>
    Sep 26 14:24:34 <local0.info>firewall pf: 26. 003072 rule 44/0(match): pass in on tun0: 192.168.0.6.1783 > 192.168.0.177.80: S 1392872411:1392872411(0) win 16384
    

    So my guess is the certificate thing works, but routing or the ruleset is broken somehow…
    Can someone please push me in the right direction? I really have no
    clue at the moment what I did wrong. Is it because WAN and LAN
    are on the same subnet? Wrong rules? The IP addresses for the OpenVPN pool
    are 192.168.0.0/28 (the first 16 addresses are not used internally); is that
    OK?

    Many thanks for reading this posting.
    Stefan



  • Yes, you cannot have LAN and WAN on the same subnet. I would change the LAN to something else, so that your WAN side will still work. Change the LAN to something like 172.16.0.0 (and the other computers that may be participating on the LAN side as well).


  • LAYER 8 Moderator

    I'd say the box becomes confused ;) First try to set up different IPs and subnets for WAN and LAN to sort that problem out. Just use some other subnet on LAN if you want to test it internally first.

    Then try again and let's look further. Certificates should be fine as far as I've read, and the propagation of a default route is perhaps suppressed because of the IP addresses residing in the same network.



  • OK, thanks for the hint, guys; I will try that tomorrow. You mean I should just configure
    the pfSense LAN, for example, to 192.168.50.1/24 and one box on the
    switch to 192.168.50.2/24, so that I can test the connection? Did I get that right?

    BTW, what I just found out: I CAN connect to the external interface of pfSense
    on 192.168.0.106 with SSH and I can log in as usual. But no internal hosts
    can be reached. So the tunnel works to pfSense, but not to our LAN.

    Thanks for reading; I will try to reassign the interfaces tomorrow and
    post what happens.



  • Hello folks,

    Back again at the office, and I tried your suggestions.
    I configured the LAN interface from 192.168.0.100 to
    192.168.5.100/24 and connected the LAN interface to
    a new hub on which only pfSense and one test box with
    192.168.5.30/24 are running.

    OpenVPN options:
    Protocol: tcp
    Dynamic IP: yes
    Address pool: 192.168.5.0/28
    Local network: 192.168.5.0/24
    Remote network:

    The tun0 interface has 192.168.5.1/24; on every interface I
    installed an "any, any, any, …" rule. No static routes, no bridging
    anywhere.

    Still the same problem: the connection is established, I can ping the
    pfSense LAN interface from my road warrior, but there is no way to reach
    the test box on 192.168.5.30/24....

    Can someone please help me again with the setup? What could be wrong?



  • SOLVED!

    Stupid me, I assigned the same subnet to the OpenVPN address pool as my
    LAN network; after correcting that everything works as expected!

    Thanks again for your help; we'll keep supporting this fine product ;)
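
    As an added example (it is not code from any post in this thread, nor from pfSense or OpenVPN), the following Python script checks a routed (tun, non-bridged) OpenVPN layout for exactly the two overlaps Stefan ran into: LAN and WAN sharing one subnet, and the tunnel address pool carved out of the LAN. It also emits the equivalent OpenVPN `server` / `push "route ..."` directives so the pfSense form fields can be compared with a plain config. The three topologies are constructed from the posts above; the pool 10.8.0.0/24 in the fixed layout is an assumption, since the thread does not say which pool was chosen after the fix.

```python
"""Check an OpenVPN (tun/routed) layout for the subnet overlaps this thread hit.

Added example for this thread; not code from any post here and not part of
pfSense or OpenVPN. Standard library only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Topology:
    lan: str                # firewall LAN interface address, CIDR
    wan: str                # firewall WAN interface address, CIDR
    pool: str               # OpenVPN address pool ("server" directive)
    local_networks: tuple   # networks pushed to clients as routes


def _net(cidr):
    """Network containing a host address or prefix given in CIDR form."""
    return ipaddress.ip_interface(cidr).network


def check_topology(t):
    """Return [(code, message), ...]; an empty list means no overlap problem."""
    findings = []
    lan, wan, pool = _net(t.lan), _net(t.wan), _net(t.pool)

    # Two firewall interfaces in one subnet: pf cannot pick an egress interface.
    if lan.overlaps(wan):
        findings.append(("lan-wan-overlap", f"LAN {lan} and WAN {wan} overlap"))

    # Pool inside an interface subnet: hosts on that segment treat tunnel
    # addresses as on-link, ARP for them and never send replies to the
    # firewall. The firewall itself still answers (it has the more specific
    # tun route), which matches "SSH to pfSense works, LAN hosts time out".
    for name, net in (("lan", lan), ("wan", wan)):
        if pool.overlaps(net):
            findings.append((f"pool-{name}-overlap",
                             f"tunnel pool {pool} lies inside {name.upper()} {net}"))

    # A pushed route containing the pool sends the client's own tunnel
    # subnet back through the tunnel gateway.
    for cidr in sorted(set(t.local_networks)):
        if _net(cidr).overlaps(pool):
            findings.append(("route-covers-pool",
                             f"pushed route {cidr} covers the tunnel pool {pool}"))

    # Same route pushed several times: harmless, but a duplicated entry in
    # the server config (compare the triple route in the PUSH_REPLY above).
    dups = {c for c in t.local_networks if t.local_networks.count(c) > 1}
    for cidr in sorted(dups):
        findings.append(("duplicate-route", f"route {cidr} is pushed more than once"))

    return findings


def server_directives(t):
    """OpenVPN server-side directives equivalent to the pool/local-network fields."""
    pool = _net(t.pool)
    lines = [f"server {pool.network_address} {pool.netmask}"]
    for cidr in sorted(set(t.local_networks)):
        net = _net(cidr)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


# Constructed from the posts. First attempt: everything in 192.168.0.0/24.
FIRST_ATTEMPT = Topology("192.168.0.100/24", "192.168.0.106/24",
                         "192.168.0.0/28", ("192.168.0.0/24",) * 3)
# Second attempt: LAN moved, but the pool is still carved out of it.
SECOND_ATTEMPT = Topology("192.168.5.100/24", "192.168.0.106/24",
                          "192.168.5.0/28", ("192.168.5.0/24",))
# Fixed layout; 10.8.0.0/24 is an assumed pool, the thread does not name the real one.
FIXED = Topology("192.168.5.100/24", "192.168.0.106/24",
                 "10.8.0.0/24", ("192.168.5.0/24",))

if __name__ == "__main__":
    for label, topo in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("fixed", FIXED)):
        print(f"== {label} attempt")
        for code, msg in check_topology(topo) or [("ok", "no overlaps")]:
            print(f"  [{code}] {msg}")
        print("  " + "\n  ".join(server_directives(topo)))
```

    Run it as a script to see the findings for each layout; only the fixed topology comes back clean. The pool must be a subnet that appears nowhere else in the routing domain (not LAN, not WAN, not any network pushed to clients), which is what the SOLVED post corrected. Overlapping the LAN only works with a bridged (tap) setup, as the last reply notes.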



  • Yeah, that only works when bridging, and, well, you can see the novella being created by my efforts to get that working. :P

