Problem accessing LAN from roadwarrior (SOLVED)



  • Hey guys,

    I installed and configured my OpenVPN server and a few clients.
    I can connect from my clients, they receive an IP address, all is OK, but…
    I can't access or even ping any of my IPs in my LAN.

    LAN (10.x.x.x) <=> OpenVPN/Firewall (PFsense) <=> Internet <=> Freebox (192.168.0.254) <=> Client (192.168.0.1) OpenVPN network (172.16.100.1)
                             10.50.7.250         81.x.x.65

    When I make a traceroute from my client to a LAN IP, the first hop is my Freebox IP and then the packet is lost.
    I guess that in a working configuration, the Freebox would be transparent as I am connected with a tunnel to the pfSense server.

    When I "ipconfig" on my client, there is no gateway.
    And when I "route print", the default route is 192.168.0.254.

    My questions are:
            - What is the gateway for an OpenVPN client? OpenVPN box public IP? Virtual IP? Where can I configure that?
            - Is there any way (once I know the gateway IP ^^) to "push" the new gateway and "deactivate" the first default gateway to have all the traffic routed by the VPN?

    And finally, the plus one:
            - Can we add a password to allow the connection instead of simple certificate management?

    Thank you all for your answers


  • Rebel Alliance Developer Netgate

    The 'gateway' for an OpenVPN connection is the other end of its point-to-point link. For example, if you use 10.0.10.0/24 for your OpenVPN client subnet, the first client will get 10.0.10.6/30 with a gateway of 10.0.10.5/30.

    In the client config file, if you want to redirect all traffic over OpenVPN, you can use:

    redirect-gateway def1
    

    That will cause OpenVPN to take over as the client's default gateway.

    As for the password, there is a tutorial floating around for doing some auth on top of certificates, but I don't recall the exact methodology. I believe it is possible in 2.0 as is. That said, you can always provide a password when you generate the certificates, and it should cause a prompt during the connection in that case.



  • OK, thanks for your answer.

    What I'm not getting is:
        1°/ why is the first client in your example not 10.0.10.1?
        2°/ is 10.0.10.5 a virtual gateway defined by OpenVPN's internal system?
        3°/ even if I don't want to redirect all traffic through my VPN, what can be wrong with the ping?
                      my firewall rules are: - pass all UDP traffic from any to any on port 1194 (OpenVPN default)
                                             - pass all UDP/TCP traffic from my VPN network to my LAN
        4°/ I think I tried to put a password when generating certificates. I will search more about that.

    Thanks a lot


  • Rebel Alliance Developer Netgate

    The .0/30 pair which uses .1 and .2 on the server end is assigned to the server itself. This is just a byproduct of how OpenVPN doles out addresses inside of its pool. It uses 5 and 6 (.4/30), then 9 and 10 (.8/30), then 13 and 14 (.12/30), etc.

    The .5 address is a virtual address internal to OpenVPN. It likely will not show up on any routing table or interface list.

    This may help understand the situation a little better:
    http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

    Where are you entering the firewall rules to allow traffic from your VPN subnet? OpenVPN is not filtered on 1.2.3 by default, so those rules should not be on WAN or LAN interfaces. Not sure if that would cause you trouble, but it might cause other unintended problems.

    What do your LAN rules look like? Do you have traffic restricted at all? Or is it just a rule to allow all from LAN Net to anywhere?

    Also, if you don't mind, can you post a (sanitized of private info) copy of your client config file?
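    The /30 allocation described in the reply above, written out as an added example (my code, not jimp's and not part of OpenVPN or pfSense): it reproduces the net30 scheme for a 10.0.10.0/24 pool and also derives, for a given client address, the host route the client is expected to install towards the server's tun address. The function and parameter names are my own.

```python
import ipaddress


def net30_allocations(server_subnet, client_count):
    """Reproduce OpenVPN's net30 address allocation for a tun server subnet.

    The first /30 (.1/.2) is taken by the server itself; every later client
    gets the next /30, using its third address (.6, .10, .14, ...) as the
    client's tun IP and its second address (.5, .9, .13, ...) as the virtual
    gateway.  Returns (server_tun_ip, [(client_ip, gateway_ip), ...]).
    """
    net = ipaddress.ip_network(server_subnet)
    blocks = list(net.subnets(new_prefix=30))
    server_ip = str(blocks[0][1])            # e.g. 10.0.10.1
    allocations = []
    for block in blocks[1:1 + client_count]:
        gateway = str(block[1])              # e.g. 10.0.10.5: virtual, internal to OpenVPN
        client = str(block[2])               # e.g. 10.0.10.6: what the client adapter shows
        allocations.append((client, gateway))
    return server_ip, allocations


def expected_client_route(server_subnet, client_ip):
    """For a net30 client address, return (destination, gateway) for the host
    route the client adds to reach the server's tun address, i.e. the pair
    behind a log line such as 'route ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5'.
    Raises ValueError if client_ip is not the .2 of its /30 (not a client slot).
    """
    addr = ipaddress.ip_address(client_ip)
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    if addr != block[2]:
        raise ValueError(f"{client_ip} is not a net30 client address")
    server_ip = str(ipaddress.ip_network(server_subnet)[1])
    return server_ip, str(block[1])


if __name__ == "__main__":
    server, clients = net30_allocations("10.0.10.0/24", 3)
    print("server tun address:", server)
    for client, gateway in clients:
        print(f"client {client} -> gateway {gateway}")
    print(expected_client_route("10.0.10.0/24", "10.0.10.6"))
```

    The gateway addresses this produces are the ones that never show up in `ipconfig` or `route print` as an adapter gateway; they exist only inside OpenVPN, which is why the client's default route still points at the Freebox unless `redirect-gateway` is used.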



  • OK, so maybe it's my firewall rules. By the way, I run pfSense 1.2.3.
    But in any case, would I see my Freebox IP when I traceroute a LAN IP? I think not…

    I defined the rules on the WAN interface.

    LAN rules look like: pass all from LAN to any
    I have no other rules yet because I am actually just testing OpenVPN on this server. Nothing else is in production.

    Here is my client config file:

    client
    dev tun
    dev-node <vpn_interface>
    proto udp
    remote <public pfsense ip> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca <ca_name>.crt
    cert <client_name>.crt
    key <client_name>.key
    ns-cert-type server
    comp-lzo
    verb 3


  • Rebel Alliance Developer Netgate

    You are correct, you should not be seeing your local firewall IP. It looks like you are missing one crucial line from your client config:

    pull
    

    Without that line, the server isn't sending the routes for the VPN subnets to the client.


  • Rebel Alliance Developer Netgate

    Did you ever get this to work? Did adding 'pull' to your config make a difference?



  • Sorry for my silence.

    I will work on this subject on Wednesday and post my feedback then.

    See you



  • Hey jimp.

    I'm still trying to make it work, but no success, even with the "pull" option.

    In a previous post, you told me that the gateway should be 10.0.10.5, but I have no gateway configured when I'm connected.

    Weird…



  • By the way:

    I get this at the end of my client log:

    Wed Mar 10 16:41:31 2010 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.  [if_index=25]
    Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
    Wed Mar 10 16:41:31 2010 route ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5
    Wed Mar 10 16:41:31 2010 Warning: route gateway is not reachable on any active network adapters: 10.0.10.5
    Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
    Wed Mar 10 16:41:31 2010 Initialization Sequence Completed



  • I'm going forward!!

    I read on a forum that for Vista and Windows 7 clients, you need to add these lines to the client configuration file:

    route-method exe
    route-delay 2

    Since I added them, there are no more errors in my log, and I can ping the internal address of my pfSense box.

    But I can't ping any other IP yet and my gateway doesn't appear.



  • OK it works !!!!!  :)

    My last problem was an internal routing problem.

    So the solution seems to be:

    For clients running Vista or Seven, add these two lines at the end of your client configuration file:

    route-method exe
    route-delay 2

    Thank you for your help Jimp !!
    See you
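    As an added example tying the client log posted earlier to the fix in this last post (my code, not from the thread's participants or from the OpenVPN project): a small checker that scans an OpenVPN client log for the route-addition failures shown above and reports which of the directives discussed in the thread are absent from a client config. The sample log and config below are constructed to mirror what was posted; the function names are mine. One detail the checker relies on: in OpenVPN the `client` directive is shorthand for `tls-client` plus `pull`, so a config that already has `client` is treated as having `pull`.

```python
import re

# Constructed sample log, mirroring the failure pattern posted in the thread.
SAMPLE_LOG = """\
Wed Mar 10 16:41:31 2010 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.  [if_index=25]
Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
Wed Mar 10 16:41:31 2010 route ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5
Wed Mar 10 16:41:31 2010 Warning: route gateway is not reachable on any active network adapters: 10.0.10.5
Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
Wed Mar 10 16:41:31 2010 Initialization Sequence Completed
"""

# Constructed client config, same directives as the one posted in the thread.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
"""

ROUTE_FAIL = re.compile(r"route addition (?:failed|via IPAPI failed)", re.I)
UNREACHABLE_GW = re.compile(r"route gateway is not reachable on any active network adapters: (\S+)")
ROUTE_ADD = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")

# Directives from the thread's fix for Vista/Windows 7 clients, plus 'pull'.
WORKAROUND_LINES = {
    "pull": "pull",
    "route-method": "route-method exe",
    "route-delay": "route-delay 2",
}


def analyse_client_log(text):
    """Summarise route-related problems in an OpenVPN client log."""
    failures = 0
    gateways = set()
    routes = []
    completed = False
    for line in text.splitlines():
        if ROUTE_FAIL.search(line):
            failures += 1
        m = UNREACHABLE_GW.search(line)
        if m:
            gateways.add(m.group(1))
        m = ROUTE_ADD.search(line)
        if m:
            routes.append((m.group(1), m.group(2), m.group(3)))
        if "Initialization Sequence Completed" in line:
            completed = True
    return {
        "route_failures": failures,
        "unreachable_gateways": sorted(gateways),
        "attempted_routes": routes,
        "completed": completed,
    }


def config_directives(text):
    """Set of directive names (first word of each non-comment line)."""
    names = set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", ";")):
            names.add(stripped.split()[0])
    if "client" in names:        # 'client' implies 'pull' (and 'tls-client')
        names.add("pull")
    return names


def missing_workaround(config_text):
    """Directives from WORKAROUND_LINES that the config does not yet contain."""
    return sorted(set(WORKAROUND_LINES) - config_directives(config_text))


def with_workaround(config_text):
    """Return the config with any missing workaround lines appended."""
    extra = [WORKAROUND_LINES[name] for name in missing_workaround(config_text)]
    return config_text.rstrip("\n") + "\n" + "\n".join(extra) + "\n" if extra else config_text


if __name__ == "__main__":
    report = analyse_client_log(SAMPLE_LOG)
    print(report)
    print("missing from client config:", missing_workaround(SAMPLE_CONFIG))
    print(with_workaround(SAMPLE_CONFIG))
```

    Note that the log ends with "Initialization Sequence Completed" even though the routes failed, so a connection that "looks up" can still lack the route to the server's tun address; the warning about an unreachable gateway is the line to look for.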

