OpenVPN from Wireless to Internet; traffic doesn't transfer, but DNS works



  • Thank you all for taking the time to read this and provide me with some assistance; I do appreciate it (as will my fiancee).

    Current goal:
    To have wireless (OPT1, currently working by itself) clients able to access the Internet (WAN) only by using OpenVPN (OPT2).

    Current status:
    Wireless (OPT1) operates just fine by itself.
    OpenVPN (OPT2) from a Windows client allows connection without issue, apparently allows DNS to resolve, and attempted traffic increments the OpenVPN LAN packet counters.

    Current major setup:
    Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
    Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
     LAN (192.168.1.13/27) Ethernet goes nowhere, or to a computer for logging into the web interface.
     WAN (xxx.yyy.zzz.qqq/24) Ethernet goes to the cable modem (which is set for static IP use)
       WAN gateway xxx.yyy.zzz.nnn
     OPT1 (192.168.1.113/27) goes to wireless
       OPT1 is not bridged
       OPT1 gateway is blank
       OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
     OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN interface
       OPT2 general config is Type Static
       OPT2 is not bridged
       OPT2 gateway is blank
     VPN OpenVPN is set up as "Server"
       VPN Protocol UDP
       VPN Dynamic IP unchecked
       VPN Local Port 1194
       VPN Address Pool 192.168.2.0/24
       VPN Use Static IPs is not checked
       VPN Local Network is 0.0.0.0/0
       VPN Authentication method is PKI
       VPN Custom Options:
         push "redirect-gateway def1"
     Firewall - based on a forum search here, I set:
       NAT - Outbound to Manual mode, and added
         NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO
       Rules - OPT2
         Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent VPN clients from accessing the WebGUI)
         ALLOW TCP from * * to destination * ports 80 and 443 gateway *

    Client config:

    # act as a client and accept options pushed by the server
    client
    # routed (layer 3) tunnel, matching the server's tun0
    dev tun
    proto udp
    # pfSense OPT1 (wireless) address and the OpenVPN local port
    remote 192.168.1.113 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    # CA that signed the server certificate, then this client's own cert and key
    ca ca.crt
    cert WirelessRed1.crt
    key WirelessRed1.key
    # dh is a --tls-server option; a client does not use it
    dh dh2048.pem
    cipher AES-128-CBC
    # refuse to connect to a peer whose certificate is not marked as a server cert
    ns-cert-type server
    pull
    verb 3
    

    Client log:

    Sun May 16 17:59:41 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Sun May 16 17:59:41 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun May 16 17:59:51 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun May 16 17:59:51 2010 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun May 16 17:59:51 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Sun May 16 17:59:51 2010 Local Options hash (VER=V4): '8326dbaa'
    Sun May 16 17:59:51 2010 Expected Remote Options hash (VER=V4): 'b7f67de4'
    Sun May 16 17:59:51 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sun May 16 17:59:51 2010 UDPv4 link local: [undef]
    Sun May 16 17:59:51 2010 UDPv4 link remote: 192.168.1.113:1194
    Sun May 16 17:59:51 2010 TLS: Initial packet from 192.168.1.113:1194, sid=d3ed5a15 16b52ae5
    Sun May 16 17:59:52 2010 VERIFY OK: depth=1, /C=US/ST=MO/L=StLouis/O=Do_Not_Enter/OU=Do_Not_Enter/CN=Do_Not_Enter/emailAddress=mail@host.domain
    Sun May 16 17:59:52 2010 VERIFY OK: nsCertType=SERVER
    Sun May 16 17:59:52 2010 VERIFY OK: depth=0, /C=US/ST=MO/O=Do_Not_Enter/OU=Do_Not_Enter/CN=server/emailAddress=mail@host.domain
    Sun May 16 17:59:53 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun May 16 17:59:53 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun May 16 17:59:53 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sun May 16 17:59:53 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun May 16 17:59:53 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sun May 16 17:59:53 2010 [server] Peer Connection Initiated with 192.168.1.113:1194
    Sun May 16 17:59:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sun May 16 17:59:56 2010 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,dhcp-option DISABLE-NBT,redirect-gateway def1,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'
    Sun May 16 17:59:56 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Sun May 16 17:59:56 2010 OPTIONS IMPORT: route options modified
    Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sun May 16 17:59:56 2010 ROUTE default_gateway=192.168.1.113
    Sun May 16 17:59:56 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6789521B-D7E3-4711-AE3D-1ADECB08A809}.tap
    Sun May 16 17:59:56 2010 TAP-Win32 Driver Version 9.6
    Sun May 16 17:59:56 2010 TAP-Win32 MTU=1500
    Sun May 16 17:59:56 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {6789521B-D7E3-4711-AE3D-1ADECB08A809} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
    Sun May 16 17:59:56 2010 Successful ARP Flush on interface [4] {6789521B-D7E3-4711-AE3D-1ADECB08A809}
    Sun May 16 18:00:01 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
    Sun May 16 18:00:01 2010 OpenVPN ROUTE: omitted no-op route: 192.168.1.113/255.255.255.255 -> 192.168.1.113
    Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.5
    Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
    Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.5
    Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
    Sun May 16 18:00:01 2010 WARNING: potential route subnet conflict between local LAN [192.168.1.96/255.255.255.224] and remote VPN [0.0.0.0/0.0.0.0]
    Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.5
    Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
    Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.2.5
    Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
    Sun May 16 18:00:01 2010 Initialization Sequence Completed

    

    Client route PRINT after both wireless and OpenVPN connected:

    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 11 25 31 9d 0e ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    0x4 ...00 ff 67 89 52 1b ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
    0x20003 ...00 0e 35 9c 31 71 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.113   192.168.1.120      10
              0.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6       1
              0.0.0.0          0.0.0.0      192.168.2.5     192.168.2.6       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            128.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6       1
         192.168.1.96  255.255.255.224    192.168.1.120   192.168.1.120      10
        192.168.1.120  255.255.255.255        127.0.0.1       127.0.0.1      10
        192.168.1.255  255.255.255.255    192.168.1.120   192.168.1.120      10
          192.168.2.1  255.255.255.255      192.168.2.5     192.168.2.6       1
          192.168.2.4  255.255.255.252      192.168.2.6     192.168.2.6      30
          192.168.2.6  255.255.255.255        127.0.0.1       127.0.0.1      30
        192.168.2.255  255.255.255.255      192.168.2.6     192.168.2.6      30
            224.0.0.0        240.0.0.0    192.168.1.120   192.168.1.120      10
            224.0.0.0        240.0.0.0      192.168.2.6     192.168.2.6      30
      255.255.255.255  255.255.255.255    192.168.1.120   192.168.1.120       1
      255.255.255.255  255.255.255.255      192.168.2.6               2       1
      255.255.255.255  255.255.255.255      192.168.2.6     192.168.2.6       1
    Default Gateway:       192.168.2.5
    ===========================================================================
    Persistent Routes:
      None

    

  • Rebel Alliance Developer Netgate

    Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?



  • @jimp:

    Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?

    Based on a forum search, I'd done that, to no effect:
      Firewall - I set (in addition to the WAN rule it added as a default):
        NAT - Outbound to Manual mode, and added
          NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO

    Based on some more searching today, I removed the Local Network 0.0.0.0/0 as well (leaving a blank), also with no effect.

    I am quite curious: Why are the ROUTE statements my client reports setting a gateway of 192.168.2.5, when the OpenVPN IP Address on the pfSense is 192.168.2.1?  From the client, I can ping .1, but I cannot ping .5
    i.e. a route of:  0.0.0.0          128.0.0.0      192.168.2.5    192.168.2.6


  • Rebel Alliance Developer Netgate

    That outbound NAT rule goes on WAN, not OPT2.



  • @jimp:

    That outbound NAT rule goes on WAN, not OPT2.

    Thank you; it's transferring data now!  I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased.

    I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time.  Is there a wiki I can document this at, so others can find the right information more easily?

    For anyone else going through this, the final configuration:
    Current major setup:
    Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
    Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
     LAN (192.168.1.13/27) Ethernet goes nowhere, or to a computer for logging into the web interface.
      WAN (xxx.yyy.zzz.qqq/24) Ethernet goes to the cable modem (which is set for static IP use)
        WAN gateway xxx.yyy.zzz.nnn
     OPT1 (192.168.1.113/27) goes to wireless
       OPT1 is not bridged
       OPT1 gateway is blank
       OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
     OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN interface
       OPT2 general config is Type Static
       OPT2 is not bridged
       OPT2 gateway is blank
     VPN OpenVPN is set up as "Server"
       VPN Protocol UDP
       VPN Dynamic IP unchecked
       VPN Local Port 1194
       VPN Address Pool 192.168.2.0/24
       VPN Use Static IPs is not checked
       VPN Local Network is blank
       VPN Authentication method is PKI
       VPN Custom Options:
         push "redirect-gateway def1"
     Firewall - based on a forum search here, I set:
       NAT - Outbound to Manual mode, and added
         NAT Outbound Interface WAN    Source 192.168.2.0/24 * * * * * NO
         NAT Outbound Interface WAN    Source 192.168.1.0/27 * * * * * NO  - Auto-created rule for LAN (matches .13/27)
         *** nothing for 192.168.1.96/27, the OPT1 wireless IP range, because I deliberately want to force all wireless to use the VPN.
       Rules - OPT2
         Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent VPN clients from accessing the WebGUI)
         ALLOW TCP from * * to destination * ports 80 and 443 gateway *
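    The thread turns on two things: the "why is the gateway 192.168.2.5" question about the client's route table, and jimp's point that the outbound NAT rule belongs on WAN rather than OPT2. The Python below is an added example, not code from the thread or from pfSense/OpenVPN; it models the Windows client's longest-prefix route lookup over the `route PRINT` entries quoted above and pfSense's outbound NAT, which is evaluated on the interface a packet exits through. The route entries are copied from the thread; the WAN address `203.0.113.10` is a placeholder standing in for the poster's `xxx.yyy.zzz.qqq`, and the function names (`lookup`, `outbound_nat`, `forward_from_vpn_client`) are mine.

```python
"""Added example (not from the forum thread): model (1) the Windows client's
longest-prefix route lookup after 'redirect-gateway def1' and (2) pfSense
manual outbound NAT, which is matched on the egress interface.  Route rows
are copied from the thread's route PRINT; the WAN address is a placeholder."""
import ipaddress

# Client routes with wireless and OpenVPN both up (from the thread's route PRINT):
# (destination, netmask, gateway, interface, metric)
CLIENT_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.1.113", "192.168.1.120", 10),  # wireless default
    ("0.0.0.0",      "128.0.0.0",       "192.168.2.5",   "192.168.2.6",   1),   # def1: lower half
    ("0.0.0.0",      "0.0.0.0",         "192.168.2.5",   "192.168.2.6",   1),   # pushed default
    ("128.0.0.0",    "128.0.0.0",       "192.168.2.5",   "192.168.2.6",   1),   # def1: upper half
    ("192.168.1.96", "255.255.255.224", "192.168.1.120", "192.168.1.120", 10),  # wireless LAN
    ("192.168.2.1",  "255.255.255.255", "192.168.2.5",   "192.168.2.6",   1),   # server tun address
    ("192.168.2.4",  "255.255.255.252", "192.168.2.6",   "192.168.2.6",   30),  # client /30 (net30)
]


def lookup(dst, routes=CLIENT_ROUTES):
    """Return (gateway, interface) for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network:
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gw, iface)
    return (best[1], best[2]) if best else None


# pfSense side: interface -> (address, directly connected network)
IFACES = {
    "WAN":  ("203.0.113.10",  "203.0.113.0/24"),   # placeholder for xxx.yyy.zzz.qqq/24
    "OPT1": ("192.168.1.113", "192.168.1.96/27"),  # wireless
    "OPT2": ("192.168.2.1",   "192.168.2.0/24"),   # tun0 / OpenVPN address pool
}


def egress_interface(dst):
    """Interface pfSense forwards dst out of: a connected network, else the WAN default route."""
    addr = ipaddress.ip_address(dst)
    for name, (_, net) in IFACES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "WAN"


def outbound_nat(src, dst, rules):
    """Manual outbound NAT: only rules on the egress interface are consulted, and a
    match rewrites the source to that interface's address.  rules: [(interface, source_net)]."""
    egress = egress_interface(dst)
    for iface, source_net in rules:
        if iface == egress and ipaddress.ip_address(src) in ipaddress.ip_network(source_net):
            return IFACES[egress][0], egress
    return src, egress  # no rule on this interface: private source goes out unchanged


def forward_from_vpn_client(dst, rules):
    """Trace a wireless client's packet to its exit from pfSense.
    Returns (client next hop, source address after pfSense, egress interface)."""
    gw, _ = lookup(dst)
    if gw != "192.168.2.5":
        return gw, None, None  # client does not send this destination into the tunnel
    # inside the tunnel the packet carries the client's OpenVPN address
    src_after_nat, egress = outbound_nat("192.168.2.6", dst, rules)
    return gw, src_after_nat, egress


FIRST_ATTEMPT = [("OPT2", "192.168.2.0/24")]  # rule on OPT2: Internet traffic exits WAN, so it never matches
WORKING_FIX = [("WAN", "192.168.2.0/24")]     # jimp's fix: rule on WAN

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.113", "192.168.2.1", "192.168.2.5"):
        print(f"client route to {dst}: {lookup(dst)}")
    print("OPT2 rule:", forward_from_vpn_client("8.8.8.8", FIRST_ATTEMPT))
    print("WAN rule: ", forward_from_vpn_client("8.8.8.8", WORKING_FIX))
```

Running it shows why `def1` works without touching the wireless default: the two /1 routes via 192.168.2.5 beat the /0 via 192.168.1.113 for any Internet address, while 192.168.1.113 itself still matches the /27 wireless route, so the tunnel's own UDP packets never get routed into the tunnel. With the NAT rule on OPT2 the traced packet leaves WAN with source 192.168.2.6, an address the upstream cannot return replies to; with the rule on WAN it leaves as the WAN address. The 192.168.2.5 in the pushed `ifconfig 192.168.2.6 192.168.2.5` is the far end of the client's /30 under OpenVPN 2.x's default net30 topology, a point-to-point routing endpoint rather than an address pfSense answers on, which is consistent with .1 responding to ping while .5 does not.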

