Re: OpenVPN issue



  • Hoping I'm posting this in the right area.

    I used the wizard, created the certificates, created a user, exported the package, and the openVPN connects, however I can't ping anything on the other end?
    The wizard created 2 rules in the firewall, but I also tried disabling the firewall.

    My openvpn server config is as follows -
    Server mode - Remote access (SSL/TLS + user auth)
    Backend for auth - Local (I'd like to go to LDAP/Active Directory though)
    Protocol - UDP
    Interface - WAN
    Local port - 1194
    TLS auth is checked, with the TLS 2048bit static key in the box
    Peer + Server certificates are selected as the ones I created in the wizard
    DH Param length - 1024 bits
    Encryption alg - AES-128-CBC (128-bit)

    Tunnel network - 10.1.0.0/16
    Redirect gateway - disabled
    Local network - 172.16.0.0/16
    Concurrent connections - 30
    Compression - off
    TOS - off
    inter-client communication - on
    Dynamic IP - on
    Address pool - on
    DNS Default domain - on / myADdomain.com
    DNS Servers - on / intDNSserver1, intDNSserver2
    NTP Server - off
    NetBIOS - off
    Advanced - empty

    Here's the status log from the client side -

    Tue May 11 14:04:32 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Tue May 11 14:04:42 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue May 11 14:04:42 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Tue May 11 14:04:42 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue May 11 14:04:42 2010 Control Channel Authentication: using 'pfsense2-udp-1194-tls.key' as a OpenVPN static key file
    Tue May 11 14:04:42 2010 UDPv4 link local (bound): [undef]:1194
    Tue May 11 14:04:42 2010 UDPv4 link remote: 174.34.67.44:1194
    Tue May 11 14:04:42 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue May 11 14:04:43 2010 [ZGopenVPNsvr] Peer Connection Initiated with 174.34.67.44:1194
    Tue May 11 14:04:45 2010 Options error: --dhcp-option: unknown option type 'NTP' or missing parameter
    Tue May 11 14:04:45 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{82AF9C78-941C-475F-A6A7-12D2C26C1449}.tap
    Tue May 11 14:04:46 2010 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address Local Area Connection 3 dhcp
    Tue May 11 14:04:47 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {82AF9C78-941C-475F-A6A7-12D2C26C1449} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
    Tue May 11 14:04:47 2010 Successful ARP Flush on interface [196610] {82AF9C78-941C-475F-A6A7-12D2C26C1449}
    Tue May 11 14:04:58 2010 Initialization Sequence Completed
    
    

    Thank you for any help!

    as an aside - I'm switching to pfsense from Untangle, mainly for the multi-wan ability, so I set up openVPN on untangle before and it worked great.


  • Rebel Alliance Developer Netgate

    I split this off into its own topic, since it's really a separate issue and not a comment on the howto.

    It sounds like the client isn't getting the routes it needs. Did you set the "Local Network" for the OpenVPN server?

    If the client is on Vista/7, it should be run as Administrator, too.



  • First, eliminate the doh! factor and ensure the firewall rules allow traffic from OpenVPN - it has its own special tab that you need to allow any and all traffic through.

    If it's still not the issue, we need detailed logs, as it'd probably be a route that needs to be pushed by the server that isn't. To diagnose this, can you post:

    • the actual OpenVPN conf from the server - the file is in /var/etc/openvpn/openvpnX.conf where X is the ID in the address bar.
    • Add 'verb 5' to the client conf (advanced configuration) and post the log output from the client.
    • Mask out any sensitive IP addresses / domain names and post it here.

  • Rebel Alliance Developer Netgate

    @MrHorizontal:

    First, eliminate the doh! factor and ensure the firewall rules allow traffic from OpenVPN - it has its own special tab that you need to allow any and all traffic through.

    He already did that :-)

    The wizard created 2 rules in the firewall, but I also tried disabling the firewall.

    There is a checkbox in the wizard that adds the needed firewall rule(s) automatically to the WAN and OpenVPN tab.



  • yes the local network is set, yes the openvpn tab of the firewall has a rule to allow all traffic.

    here's the server.conf file-

    
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-server
    server 10.1.0.0 255.255.0.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    lport 1194
    management 127.0.0.1 1194
    max-clients 30
    push "route 172.16.0.0 255.255.0.0"
    push "dhcp-option DOMAIN zg.com"
    push "dhcp-option DNS 172.16.0.5"
    push "dhcp-option DNS 172.16.0.6"
    push "dhcp-option NTP "
    client-to-client
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    
    

    and here's the client connection log with verb 5 -

    
    Wed May 12 10:53:52 2010 us=31000 Current Parameter Settings:
    Wed May 12 10:53:52 2010 us=31000   config = 'pfsense2-udp-1194-config.ovpn'
    Wed May 12 10:53:52 2010 us=31000   mode = 0
    Wed May 12 10:53:52 2010 us=31000   show_ciphers = DISABLED
    Wed May 12 10:53:52 2010 us=31000   show_digests = DISABLED
    Wed May 12 10:53:52 2010 us=31000   show_engines = DISABLED
    Wed May 12 10:53:52 2010 us=31000   genkey = DISABLED
    Wed May 12 10:53:52 2010 us=31000   key_pass_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   show_tls_ciphers = DISABLED
    Wed May 12 10:53:52 2010 us=31000 Connection profiles [default]:
    Wed May 12 10:53:52 2010 us=31000   proto = udp
    Wed May 12 10:53:52 2010 us=31000   local = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   local_port = 1194
    Wed May 12 10:53:52 2010 us=31000   remote = 'x.x.x.x'
    Wed May 12 10:53:52 2010 us=31000   remote_port = 1194
    Wed May 12 10:53:52 2010 us=31000   remote_float = DISABLED
    Wed May 12 10:53:52 2010 us=31000   bind_defined = DISABLED
    Wed May 12 10:53:52 2010 us=31000   bind_local = ENABLED
    Wed May 12 10:53:52 2010 us=31000   connect_retry_seconds = 5
    Wed May 12 10:53:52 2010 us=31000   connect_timeout = 10
    Wed May 12 10:53:52 2010 us=31000   connect_retry_max = 0
    Wed May 12 10:53:52 2010 us=31000   socks_proxy_server = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   socks_proxy_port = 0
    Wed May 12 10:53:52 2010 us=31000   socks_proxy_retry = DISABLED
    Wed May 12 10:53:52 2010 us=31000 Connection profiles END
    Wed May 12 10:53:52 2010 us=31000   remote_random = DISABLED
    Wed May 12 10:53:52 2010 us=31000   ipchange = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   dev = 'tun'
    Wed May 12 10:53:52 2010 us=31000   dev_type = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   dev_node = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   lladdr = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   topology = 1
    Wed May 12 10:53:52 2010 us=31000   tun_ipv6 = DISABLED
    Wed May 12 10:53:52 2010 us=31000   ifconfig_local = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   ifconfig_remote_netmask = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   ifconfig_noexec = DISABLED
    Wed May 12 10:53:52 2010 us=31000   ifconfig_nowarn = DISABLED
    Wed May 12 10:53:52 2010 us=31000   shaper = 0
    Wed May 12 10:53:52 2010 us=31000   tun_mtu = 1500
    Wed May 12 10:53:52 2010 us=31000   tun_mtu_defined = ENABLED
    Wed May 12 10:53:52 2010 us=31000   link_mtu = 1500
    Wed May 12 10:53:52 2010 us=31000   link_mtu_defined = DISABLED
    Wed May 12 10:53:52 2010 us=31000   tun_mtu_extra = 0
    Wed May 12 10:53:52 2010 us=31000   tun_mtu_extra_defined = DISABLED
    Wed May 12 10:53:52 2010 us=31000   fragment = 0
    Wed May 12 10:53:52 2010 us=31000   mtu_discover_type = -1
    Wed May 12 10:53:52 2010 us=31000   mtu_test = 0
    Wed May 12 10:53:52 2010 us=31000   mlock = DISABLED
    Wed May 12 10:53:52 2010 us=31000   keepalive_ping = 0
    Wed May 12 10:53:52 2010 us=31000   keepalive_timeout = 0
    Wed May 12 10:53:52 2010 us=31000   inactivity_timeout = 0
    Wed May 12 10:53:52 2010 us=31000   ping_send_timeout = 0
    Wed May 12 10:53:52 2010 us=31000   ping_rec_timeout = 0
    Wed May 12 10:53:52 2010 us=31000   ping_rec_timeout_action = 0
    Wed May 12 10:53:52 2010 us=31000   ping_timer_remote = DISABLED
    Wed May 12 10:53:52 2010 us=31000   remap_sigusr1 = 0
    Wed May 12 10:53:52 2010 us=31000   explicit_exit_notification = 0
    Wed May 12 10:53:52 2010 us=31000   persist_tun = ENABLED
    Wed May 12 10:53:52 2010 us=31000   persist_local_ip = DISABLED
    Wed May 12 10:53:52 2010 us=31000   persist_remote_ip = DISABLED
    Wed May 12 10:53:52 2010 us=31000   persist_key = ENABLED
    Wed May 12 10:53:52 2010 us=31000   mssfix = 1450
    Wed May 12 10:53:52 2010 us=31000   resolve_retry_seconds = 1000000000
    Wed May 12 10:53:52 2010 us=31000   username = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   groupname = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   chroot_dir = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   cd_dir = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   writepid = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=31000   up_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   down_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   down_pre = DISABLED
    Wed May 12 10:53:52 2010 us=265000   up_restart = DISABLED
    Wed May 12 10:53:52 2010 us=265000   up_delay = DISABLED
    Wed May 12 10:53:52 2010 us=265000   daemon = DISABLED
    Wed May 12 10:53:52 2010 us=265000   inetd = 0
    Wed May 12 10:53:52 2010 us=265000   log = DISABLED
    Wed May 12 10:53:52 2010 us=265000   suppress_timestamps = DISABLED
    Wed May 12 10:53:52 2010 us=265000   nice = 0
    Wed May 12 10:53:52 2010 us=265000   verbosity = 5
    Wed May 12 10:53:52 2010 us=265000   mute = 0
    Wed May 12 10:53:52 2010 us=265000   gremlin = 0
    Wed May 12 10:53:52 2010 us=265000   status_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   status_file_version = 1
    Wed May 12 10:53:52 2010 us=265000   status_file_update_freq = 60
    Wed May 12 10:53:52 2010 us=265000   occ = ENABLED
    Wed May 12 10:53:52 2010 us=265000   rcvbuf = 0
    Wed May 12 10:53:52 2010 us=265000   sndbuf = 0
    Wed May 12 10:53:52 2010 us=265000   sockflags = 0
    Wed May 12 10:53:52 2010 us=265000   fast_io = DISABLED
    Wed May 12 10:53:52 2010 us=265000   lzo = 0
    Wed May 12 10:53:52 2010 us=265000   route_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   route_default_gateway = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   route_default_metric = 0
    Wed May 12 10:53:52 2010 us=265000   route_noexec = DISABLED
    Wed May 12 10:53:52 2010 us=265000   route_delay = 5
    Wed May 12 10:53:52 2010 us=265000   route_delay_window = 30
    Wed May 12 10:53:52 2010 us=265000   route_delay_defined = ENABLED
    Wed May 12 10:53:52 2010 us=265000   route_nopull = DISABLED
    Wed May 12 10:53:52 2010 us=265000   route_gateway_via_dhcp = DISABLED
    Wed May 12 10:53:52 2010 us=265000   max_routes = 100
    Wed May 12 10:53:52 2010 us=265000   allow_pull_fqdn = DISABLED
    Wed May 12 10:53:52 2010 us=265000   management_addr = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=265000   management_port = 0
    Wed May 12 10:53:52 2010 us=265000   management_user_pass = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=281000   management_log_history_cache = 250
    Wed May 12 10:53:52 2010 us=281000   management_echo_buffer_size = 100
    Wed May 12 10:53:52 2010 us=281000   management_write_peer_info_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=281000   management_client_user = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=281000   management_client_group = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=281000   management_flags = 0
    Wed May 12 10:53:52 2010 us=281000   shared_secret_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=281000   key_direction = 2
    Wed May 12 10:53:52 2010 us=281000   ciphername_defined = ENABLED
    Wed May 12 10:53:52 2010 us=281000   ciphername = 'AES-128-CBC'
    Wed May 12 10:53:52 2010 us=281000   authname_defined = ENABLED
    Wed May 12 10:53:52 2010 us=281000   authname = 'SHA1'
    Wed May 12 10:53:52 2010 us=281000   prng_hash = 'SHA1'
    Wed May 12 10:53:52 2010 us=281000   prng_nonce_secret_len = 16
    Wed May 12 10:53:52 2010 us=281000   keysize = 0
    Wed May 12 10:53:52 2010 us=328000   engine = DISABLED
    Wed May 12 10:53:52 2010 us=328000   replay = ENABLED
    Wed May 12 10:53:52 2010 us=343000   mute_replay_warnings = DISABLED
    Wed May 12 10:53:52 2010 us=343000   replay_window = 64
    Wed May 12 10:53:52 2010 us=343000   replay_time = 15
    Wed May 12 10:53:52 2010 us=343000   packet_id_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   use_iv = ENABLED
    Wed May 12 10:53:52 2010 us=343000   test_crypto = DISABLED
    Wed May 12 10:53:52 2010 us=343000   tls_server = DISABLED
    Wed May 12 10:53:52 2010 us=343000   tls_client = ENABLED
    Wed May 12 10:53:52 2010 us=343000   key_method = 2
    Wed May 12 10:53:52 2010 us=343000   ca_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   ca_path = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   dh_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   cert_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   priv_key_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   pkcs12_file = 'pfsense2-udp-1194.p12'
    Wed May 12 10:53:52 2010 us=343000   cryptoapi_cert = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   cipher_list = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   tls_verify = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   tls_remote = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   crl_file = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=343000   ns_cert_type = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
    Wed May 12 10:53:52 2010 us=390000   remote_cert_eku = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=390000   tls_timeout = 2
    Wed May 12 10:53:52 2010 us=390000   renegotiate_bytes = 0
    Wed May 12 10:53:52 2010 us=390000   renegotiate_packets = 0
    Wed May 12 10:53:52 2010 us=390000   renegotiate_seconds = 3600
    Wed May 12 10:53:52 2010 us=390000   handshake_window = 60
    Wed May 12 10:53:52 2010 us=390000   transition_window = 3600
    Wed May 12 10:53:52 2010 us=390000   single_session = DISABLED
    Wed May 12 10:53:52 2010 us=390000   tls_exit = DISABLED
    Wed May 12 10:53:52 2010 us=390000   tls_auth_file = 'pfsense2-udp-1194-tls.key'
    Wed May 12 10:53:52 2010 us=390000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
    Wed May 12 10:53:52 2010 us=437000   pkcs11_pin_cache_period = -1
    Wed May 12 10:53:52 2010 us=437000   pkcs11_id = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=437000   pkcs11_id_management = DISABLED
    Wed May 12 10:53:52 2010 us=437000   server_network = 0.0.0.0
    Wed May 12 10:53:52 2010 us=437000   server_netmask = 0.0.0.0
    Wed May 12 10:53:52 2010 us=437000   server_bridge_ip = 0.0.0.0
    Wed May 12 10:53:52 2010 us=437000   server_bridge_netmask = 0.0.0.0
    Wed May 12 10:53:52 2010 us=437000   server_bridge_pool_start = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   server_bridge_pool_end = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_defined = DISABLED
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_start = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_end = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_netmask = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_persist_filename = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_persist_refresh_freq = 600
    Wed May 12 10:53:52 2010 us=500000   n_bcast_buf = 256
    Wed May 12 10:53:52 2010 us=500000   tcp_queue_limit = 64
    Wed May 12 10:53:52 2010 us=500000   real_hash_size = 256
    Wed May 12 10:53:52 2010 us=500000   virtual_hash_size = 256
    Wed May 12 10:53:52 2010 us=500000   client_connect_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   learn_address_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   client_disconnect_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   client_config_dir = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   ccd_exclusive = DISABLED
    Wed May 12 10:53:52 2010 us=500000   tmp_dir = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   push_ifconfig_defined = DISABLED
    Wed May 12 10:53:52 2010 us=500000   push_ifconfig_local = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   push_ifconfig_remote_netmask = 0.0.0.0
    Wed May 12 10:53:52 2010 us=500000   enable_c2c = DISABLED
    Wed May 12 10:53:52 2010 us=500000   duplicate_cn = DISABLED
    Wed May 12 10:53:52 2010 us=500000   cf_max = 0
    Wed May 12 10:53:52 2010 us=500000   cf_per = 0
    Wed May 12 10:53:52 2010 us=500000   max_clients = 1024
    Wed May 12 10:53:52 2010 us=500000   max_routes_per_client = 256
    Wed May 12 10:53:52 2010 us=500000   auth_user_pass_verify_script = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=500000   auth_user_pass_verify_script_via_file = DISABLED
    Wed May 12 10:53:52 2010 us=500000   ssl_flags = 0
    Wed May 12 10:53:52 2010 us=515000   client = ENABLED
    Wed May 12 10:53:52 2010 us=515000   pull = ENABLED
    Wed May 12 10:53:52 2010 us=515000   auth_user_pass_file = 'stdin'
    Wed May 12 10:53:52 2010 us=515000   show_net_up = DISABLED
    Wed May 12 10:53:52 2010 us=515000   route_method = 0
    Wed May 12 10:53:52 2010 us=515000   ip_win32_defined = DISABLED
    Wed May 12 10:53:52 2010 us=515000   ip_win32_type = 3
    Wed May 12 10:53:52 2010 us=515000   dhcp_masq_offset = 0
    Wed May 12 10:53:52 2010 us=515000   dhcp_lease_time = 31536000
    Wed May 12 10:53:52 2010 us=515000   tap_sleep = 0
    Wed May 12 10:53:52 2010 us=515000   dhcp_options = DISABLED
    Wed May 12 10:53:52 2010 us=515000   dhcp_renew = DISABLED
    Wed May 12 10:53:52 2010 us=515000   dhcp_pre_release = DISABLED
    Wed May 12 10:53:52 2010 us=515000   dhcp_release = DISABLED
    Wed May 12 10:53:52 2010 us=515000   domain = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=515000   netbios_scope = '[UNDEF]'
    Wed May 12 10:53:52 2010 us=531000   netbios_node_type = 0
    Wed May 12 10:53:52 2010 us=531000   disable_nbt = DISABLED
    Wed May 12 10:53:52 2010 us=531000 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Wed May 12 10:53:57 2010 us=390000 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed May 12 10:53:57 2010 us=390000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Wed May 12 10:53:57 2010 us=390000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed May 12 10:53:57 2010 us=500000 Control Channel Authentication: using 'pfsense2-udp-1194-tls.key' as a OpenVPN static key file
    Wed May 12 10:53:57 2010 us=500000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 12 10:53:57 2010 us=500000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 12 10:53:57 2010 us=500000 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Wed May 12 10:53:57 2010 us=500000 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Wed May 12 10:53:57 2010 us=500000 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Wed May 12 10:53:57 2010 us=500000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Wed May 12 10:53:57 2010 us=500000 Local Options hash (VER=V4): '0f816d6e'
    Wed May 12 10:53:57 2010 us=500000 Expected Remote Options hash (VER=V4): '2f3e190a'
    Wed May 12 10:53:57 2010 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed May 12 10:53:57 2010 us=500000 UDPv4 link local (bound): [undef]:1194
    Wed May 12 10:53:57 2010 us=500000 UDPv4 link remote: 174.34.67.44:1194
    Wed May 12 10:53:57 2010 us=515000 TLS: Initial packet from 174.34.67.44:1194, sid=916d48dd 8b5392d6
    Wed May 12 10:53:57 2010 us=515000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed May 12 10:53:57 2010 us=640000 VERIFY OK: depth=1, /C=US/ST=California/L=Camarillo/O=Zindagi_Games__Inc./emailAddress=it@x.com/CN=ZGopenVPN
    Wed May 12 10:53:57 2010 us=640000 VERIFY OK: depth=0, /C=US/ST=California/L=Camarillo/O=Zindagi_Games__Inc./emailAddress=it@x.com/CN=ZGopenVPNsvr
    Wed May 12 10:53:58 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed May 12 10:53:58 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 12 10:53:58 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed May 12 10:53:58 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 12 10:53:58 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed May 12 10:53:58 2010 [ZGopenVPNsvr] Peer Connection Initiated with 174.34.67.44:1194
    Wed May 12 10:54:00 2010 us=62000 SENT CONTROL [ZGopenVPNsvr]: 'PUSH_REQUEST' (status=1)
    Wed May 12 10:54:02 2010 us=250000 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,dhcp-option DOMAIN zg.com,dhcp-option DNS 172.16.0.5,dhcp-option DNS 172.16.0.6,dhcp-option NTP ,route 10.1.0.0 255.255.0.0,topology net30,ping 10,ping-restart 60,ifconfig 10.1.0.6 10.1.0.5'
    Wed May 12 10:54:02 2010 us=250000 Options error: --dhcp-option: unknown option type 'NTP' or missing parameter
    Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: timers and/or timeouts modified
    Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: --ifconfig/up options modified
    Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: route options modified
    Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed May 12 10:54:02 2010 us=265000 ROUTE default_gateway=192.168.1.1
    Wed May 12 10:54:02 2010 us=265000 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{82AF9C78-941C-475F-A6A7-12D2C26C1449}.tap
    Wed May 12 10:54:02 2010 us=265000 TAP-Win32 Driver Version 9.6 
    Wed May 12 10:54:02 2010 us=265000 TAP-Win32 MTU=1500
    Wed May 12 10:54:02 2010 us=265000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {82AF9C78-941C-475F-A6A7-12D2C26C1449} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
    Wed May 12 10:54:02 2010 us=265000 DHCP option string: 0f067a67 2e636f6d 0608ac10 0005ac10 0006
    Wed May 12 10:54:02 2010 us=265000 Successful ARP Flush on interface [2] {82AF9C78-941C-475F-A6A7-12D2C26C1449}
    Wed May 12 10:54:07 2010 us=296000 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Wed May 12 10:54:07 2010 us=296000 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.0.0 10.1.0.5
    Wed May 12 10:54:07 2010 us=296000 Route addition via IPAPI succeeded [adaptive]
    Wed May 12 10:54:07 2010 us=296000 C:\WINDOWS\system32\route.exe ADD 10.1.0.0 MASK 255.255.0.0 10.1.0.5
    Wed May 12 10:54:07 2010 us=296000 Route addition via IPAPI succeeded [adaptive]
    Wed May 12 10:54:07 2010 us=296000 Initialization Sequence Completed
    
    On the client I manually changed the dns servers of the openVPN interface to match the internal lan IP of pfsense and added a couple of test dns entries to the DNS forwarder on the pfsense gui, and the client gets those names, but here's a tracert on one of them -
    
    C:\Documents and Settings\Administrator>tracert perforce
    
    Tracing route to perforce.zg.com [172.16.0.100]
    over a maximum of 30 hops:
    
      1    14 ms    16 ms    18 ms  10.1.0.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
    
    so it's able to get the DNS record from the pfsense box when that is set as a DNS provider, but when I have the DNS provider set as one of my internal DNS servers, nothing.
    
    Seems like nothing is getting past the pfsense box.
    
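The verb-5 log above contains the lines that decide the outcome: the PUSH_REPLY (which routes and DHCP options the server pushed, including the empty `dhcp-option NTP` that the client rejects with an options error) and the "No server certificate verification method has been enabled" warning, which means the client will accept any certificate signed by the CA as the server's. The following Python script is an added example, not code from this thread or from pfSense; it pulls those items out of a client log and checks them. The sample log lines are copied from the post, the local network 172.16.0.0/16 is taken from the server config, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the three lines of the verb-5 client log that matter here,
# copied from the post (the rest of the log is not needed for this check).
SAMPLE_LOG = """\
Wed May 12 10:53:57 2010 us=390000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 12 10:54:02 2010 us=250000 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,dhcp-option DOMAIN zg.com,dhcp-option DNS 172.16.0.5,dhcp-option DNS 172.16.0.6,dhcp-option NTP ,route 10.1.0.0 255.255.0.0,topology net30,ping 10,ping-restart 60,ifconfig 10.1.0.6 10.1.0.5'
Wed May 12 10:54:02 2010 us=250000 Options error: --dhcp-option: unknown option type 'NTP' or missing parameter
"""

# "Local network" from the server config (server.conf: push "route 172.16.0.0 255.255.0.0").
LOCAL_NETWORK = "172.16.0.0/16"

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")


def parse_push_reply(log_text):
    """Return the option strings from the first PUSH_REPLY in the log, or [] if none."""
    m = PUSH_RE.search(log_text)
    if not m:
        return []
    # Options are comma separated; element 0 is the literal PUSH_REPLY tag.
    return [opt.strip() for opt in m.group(1).split(",")[1:]]


def pushed_routes(options):
    """Turn 'route NET MASK [GW]' options into ipaddress networks."""
    nets = []
    for opt in options:
        parts = opt.split()
        if parts and parts[0] == "route" and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def malformed_dhcp_options(options):
    """dhcp-option needs a type and a value; 'dhcp-option NTP' with no value is what
    the client rejected with 'unknown option type or missing parameter'."""
    return [opt for opt in options
            if opt.split()[:1] == ["dhcp-option"] and len(opt.split()) < 3]


def covers(nets, target):
    """True if some pushed route contains the whole target network."""
    target = ipaddress.ip_network(target)
    return any(target.subnet_of(n) for n in nets)


def server_verification_missing(log_text):
    """The warning means neither remote-cert-tls server nor ns-cert-type server is set,
    so any CA-signed certificate (a client's included) would be accepted as the server."""
    return "No server certificate verification method has been enabled" in log_text


def diagnose(log_text, local_network=LOCAL_NETWORK):
    """Collect findings a defender would act on; an empty list means nothing to fix."""
    findings = []
    options = parse_push_reply(log_text)
    if not options:
        findings.append("no PUSH_REPLY seen: client never received routes from the server")
        return findings
    if not covers(pushed_routes(options), local_network):
        findings.append(f"no pushed route covers {local_network}")
    for opt in malformed_dhcp_options(options):
        findings.append(f"malformed push rejected by client: {opt!r}")
    if server_verification_missing(log_text):
        findings.append("server certificate type not verified "
                        "(set remote-cert-tls server or ns-cert-type server on the client)")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print("-", line)
```

Run against the posted log it reports the empty NTP option and the missing server-certificate check, and confirms that a route for 172.16.0.0/16 was pushed; so the routes arrived at the client, which is why the fault in this thread turned out to be on the return path rather than in the push.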


  • also, I can ping the pfsense LAN address from the ovpn client (a windows server 2003 box running at my house, just convenient because I can remote desktop into it to get this openvpn config working)

    and I can also connect to the webGUI on the pfsense box from that client.

    just seems anything past the pfsense box does not work.


  • Rebel Alliance Developer Netgate

    Is the pfSense box the gateway for the devices on LAN?



  • @jimp:

    Is the pfSense box the gateway for the devices on LAN?

    no, at the moment I have this box setup along side our main gateway.

    all LAN devices gateway is 172.16.0.1

    this test box is 172.16.0.2


  • Rebel Alliance Developer Netgate

    Then that is why they can't get back. The traffic is going back to their gateway, not the pfSense box.

    So you can either:

    1. Change their gateway to the pfsense test box
    2. Put a static route for the client subnet (tunnel network) in the main router that will route that traffic to your test box's LAN IP.
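
Why both options fix it can be shown with a small model of the reply path. The Python below is an added example, not code from this thread or from pfSense: it does a longest-prefix lookup on a constructed routing table for a LAN host and for the main router, using the addresses from the thread (main gateway 172.16.0.1, pfSense test box 172.16.0.2, tunnel network 10.1.0.0/16, client tunnel address 10.1.0.6), and reports whether a reply from a LAN host ever reaches the pfSense LAN IP that owns the tunnel. Only those two forwarders are modelled; the route tables and the DIRECT marker are the example's own.

```python
import ipaddress

# Constructed addresses from the thread.
PFSENSE_LAN_IP = "172.16.0.2"
MAIN_GATEWAY = "172.16.0.1"
VPN_CLIENT_IP = "10.1.0.6"
DIRECT = "direct"  # next-hop marker for a directly connected network


def next_hop(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def reply_reaches_vpn(host_routes, main_router_routes, vpn_client_ip=VPN_CLIENT_IP):
    """Follow a LAN host's reply toward the VPN client's tunnel address.
    The reply 'arrives' once either the host or the main router hands it to the
    pfSense LAN IP; anywhere else (the ISP uplink, no route) means it is lost."""
    hop = next_hop(host_routes, vpn_client_ip)
    if hop == PFSENSE_LAN_IP:
        return True          # host sends it straight to the box that owns the tunnel
    if hop != MAIN_GATEWAY:
        return False         # no route, or forwarded somewhere irrelevant
    return next_hop(main_router_routes, vpn_client_ip) == PFSENSE_LAN_IP


# Starting situation: hosts default to 172.16.0.1, which only knows LAN and Internet.
HOST_BROKEN = [("172.16.0.0/16", DIRECT), ("0.0.0.0/0", MAIN_GATEWAY)]
ROUTER_BROKEN = [("172.16.0.0/16", DIRECT), ("0.0.0.0/0", "isp-uplink")]

# Fix 1: point the host's default gateway at the pfSense test box.
HOST_FIX1 = [("172.16.0.0/16", DIRECT), ("0.0.0.0/0", PFSENSE_LAN_IP)]

# Fix 2: static route for the tunnel network on the main router, next hop pfSense.
ROUTER_FIX2 = ROUTER_BROKEN + [("10.1.0.0/16", PFSENSE_LAN_IP)]


if __name__ == "__main__":
    print("broken:", reply_reaches_vpn(HOST_BROKEN, ROUTER_BROKEN))   # False
    print("fix 1 :", reply_reaches_vpn(HOST_FIX1, ROUTER_BROKEN))     # True
    print("fix 2 :", reply_reaches_vpn(HOST_BROKEN, ROUTER_FIX2))     # True
```

The broken case is the classic asymmetric-routing shape: the VPN client's packet goes in through pfSense, but the LAN host's reply follows its own default route to the main gateway, which has no idea where 10.1.0.0/16 lives and sends it to the uplink. Fix 2 is the one to prefer when only a test box is involved, since it changes one route on the router rather than every host's gateway.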


  • ahhh sonufa….

    I changed the gateway on my PC here and sure enough I'm able to ping it from the openvpn client.

    thanks that does make sense, didn't even think about that, so I'll chalk this up as a successful test config.



  • yeah, welcome to the dark art of OpenVPN's built-in routing table mangler! It took me nearly a week to figure out exactly what it was doing when I did the load balancing thing, but once you've got the hang of it, you can get OpenVPN to do the dirty work above and beyond its call of duty of just setting up an encrypted tunnel for you.

    As a basic crash course, for every tunnel, OVPN creates 2 gateways for each connection. In your case the local end of the tunnel is 10.1.0.6 and the server end of the tunnel is 10.1.0.5 (this is what 'topology net30' does in the PUSH REPLY message). The server then needs to hint to the client what the actual gateway is, which also has to be in the 10.1.0.0/16 network (I assume this is 10.1.0.1?), so it sets up a second gateway via a static route to 10.1.0.1 through 10.1.0.5. To route to 172.16.0.1 you need to add a third static route to the client so that it knows to send stuff to 172.16.0.0/12 through 10.1.0.1.

    Thankfully OVPN can do this for you and manage it for the lifetime of the tunnel, so add:

    push "route 172.16.0.1 255.240.0.0 10.1.0.1"
    

    to the advanced box in the server page so that the client then pulls this and sets up the route.

