OpenVPN from Wireless to Internet; traffic doesn't transfer, but DNS works
-
Thank you all for taking the time to read this and provide me with some assistance; I do appreciate it (as will my fiancee).
Current goal:
To have wireless (OPT1, currently working by itself) clients able to access the Internet (WAN) only by using OpenVPN (OPT2).
Current status:
Wireless (OPT1) operates just fine by itself.
OpenVPN (OPT2) from a Windows client allows connection without issue, apparently allows DNS to resolve, and attempted traffic increments the OpenVPN LAN packet counters.
Current major setup:
Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
WAN gateway xxx.yyy.zzz.nnn
OPT1 (192.168.1.113/27) goes to wireless
OPT1 is not bridged
OPT1 gateway is blank
OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
OPT2 general config is Type Static
OPT2 is not bridged
OPT2 gateway is blank
VPN OpenVPN is set up as "Server"
VPN Protocol UDP
VPN Dynamic IP unchecked
VPN Local Port 1194
VPN Address Pool 192.168.2.0/24
VPN Use Static IPs is not checked
VPN Local Network is 0.0.0.0/0
VPN Authentication method is PKI
VPN Custom Options:
push "redirect-gateway def1"
Firewall - based on a forum search here, I set:
NAT - Outbound to Manual mode, and added
NAT Outbound Interface OPT2 Source 192.168.2.0/24 * * * * * NO
Rules - OPT2
Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent vpn clients from accessing WebGUI)
ALLOW TCP from * * to destination * ports 80 and 443 gateway *
Client config:
client
dev tun
proto udp
remote 192.168.1.113 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert WirelessRed1.crt
key WirelessRed1.key
dh dh2048.pem
cipher AES-128-CBC
ns-cert-type server
pull
verb 3
Client log:
Sun May 16 17:59:41 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sun May 16 17:59:41 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun May 16 17:59:51 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 16 17:59:51 2010 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun May 16 17:59:51 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Sun May 16 17:59:51 2010 Local Options hash (VER=V4): '8326dbaa'
Sun May 16 17:59:51 2010 Expected Remote Options hash (VER=V4): 'b7f67de4'
Sun May 16 17:59:51 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 16 17:59:51 2010 UDPv4 link local: [undef]
Sun May 16 17:59:51 2010 UDPv4 link remote: 192.168.1.113:1194
Sun May 16 17:59:51 2010 TLS: Initial packet from 192.168.1.113:1194, sid=d3ed5a15 16b52ae5
Sun May 16 17:59:52 2010 VERIFY OK: depth=1, /C=US/ST=MO/L=StLouis/O=Do_Not_Enter/OU=Do_Not_Enter/CN=Do_Not_Enter/emailAddress=mail@host.domain
Sun May 16 17:59:52 2010 VERIFY OK: nsCertType=SERVER
Sun May 16 17:59:52 2010 VERIFY OK: depth=0, /C=US/ST=MO/O=Do_Not_Enter/OU=Do_Not_Enter/CN=server/emailAddress=mail@host.domain
Sun May 16 17:59:53 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun May 16 17:59:53 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 16 17:59:53 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun May 16 17:59:53 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 16 17:59:53 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun May 16 17:59:53 2010 [server] Peer Connection Initiated with 192.168.1.113:1194
Sun May 16 17:59:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun May 16 17:59:56 2010 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,dhcp-option DISABLE-NBT,redirect-gateway def1,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'
Sun May 16 17:59:56 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 16 17:59:56 2010 OPTIONS IMPORT: route options modified
Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 16 17:59:56 2010 ROUTE default_gateway=192.168.1.113
Sun May 16 17:59:56 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6789521B-D7E3-4711-AE3D-1ADECB08A809}.tap
Sun May 16 17:59:56 2010 TAP-Win32 Driver Version 9.6
Sun May 16 17:59:56 2010 TAP-Win32 MTU=1500
Sun May 16 17:59:56 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {6789521B-D7E3-4711-AE3D-1ADECB08A809} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
Sun May 16 17:59:56 2010 Successful ARP Flush on interface [4] {6789521B-D7E3-4711-AE3D-1ADECB08A809}
Sun May 16 18:00:01 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun May 16 18:00:01 2010 OpenVPN ROUTE: omitted no-op route: 192.168.1.113/255.255.255.255 -> 192.168.1.113
Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.5
Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.5
Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
Sun May 16 18:00:01 2010 WARNING: potential route subnet conflict between local LAN [192.168.1.96/255.255.255.224] and remote VPN [0.0.0.0/0.0.0.0]
Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.5
Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.2.5
Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
Sun May 16 18:00:01 2010 Initialization Sequence Completed
Client route PRINT after both wireless and OpenVPN connected:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 25 31 9d 0e ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x4 ...00 ff 67 89 52 1b ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
0x20003 ...00 0e 35 9c 31 71 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.113    192.168.1.120      10
          0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6       1
          0.0.0.0          0.0.0.0      192.168.2.5      192.168.2.6       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6       1
     192.168.1.96  255.255.255.224    192.168.1.120    192.168.1.120      10
    192.168.1.120  255.255.255.255        127.0.0.1        127.0.0.1      10
    192.168.1.255  255.255.255.255    192.168.1.120    192.168.1.120      10
      192.168.2.1  255.255.255.255      192.168.2.5      192.168.2.6       1
      192.168.2.4  255.255.255.252      192.168.2.6      192.168.2.6      30
      192.168.2.6  255.255.255.255        127.0.0.1        127.0.0.1      30
    192.168.2.255  255.255.255.255      192.168.2.6      192.168.2.6      30
        224.0.0.0        240.0.0.0    192.168.1.120    192.168.1.120      10
        224.0.0.0        240.0.0.0      192.168.2.6      192.168.2.6      30
  255.255.255.255  255.255.255.255    192.168.1.120    192.168.1.120       1
  255.255.255.255  255.255.255.255      192.168.2.6                2       1
  255.255.255.255  255.255.255.255      192.168.2.6      192.168.2.6       1
Default Gateway:       192.168.2.5
===========================================================================
Persistent Routes:
None
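Added example (not from the thread): a small parser for the client's route PRINT table above that resolves a few destinations the way Windows does (longest prefix, then lowest metric). It shows why the two /1 halves pushed by redirect-gateway def1 beat the wireless default route, and why the gateway is 192.168.2.5 rather than 192.168.2.1: .5 is the server-side endpoint of the /30 the server pushed to the client (ifconfig 192.168.2.6 192.168.2.5). The 203.0.113.10 and 150.0.0.1 destinations are constructed test values.

```python
import ipaddress

# Constructed excerpt of the client's "route PRINT" entries from the post:
# Destination, Netmask, Gateway, Interface, Metric (added example, not the post's code).
ROUTE_PRINT = """
0.0.0.0        0.0.0.0          192.168.1.113  192.168.1.120  10
0.0.0.0        128.0.0.0        192.168.2.5    192.168.2.6    1
0.0.0.0        0.0.0.0          192.168.2.5    192.168.2.6    1
128.0.0.0      128.0.0.0        192.168.2.5    192.168.2.6    1
192.168.1.96   255.255.255.224  192.168.1.120  192.168.1.120  10
192.168.2.1    255.255.255.255  192.168.2.5    192.168.2.6    1
192.168.2.4    255.255.255.252  192.168.2.6    192.168.2.6    30
"""


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank lines and any header text
        dest, mask, gw, iface, metric = parts
        # ipaddress accepts dotted netmasks, e.g. "0.0.0.0/128.0.0.0" -> 0.0.0.0/1
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Route Windows selects for dst: longest prefix wins, ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]  # (gateway, interface)


def def1_active(routes, vpn_gw):
    """True when both 'redirect-gateway def1' halves (0/1 and 128/1) point at the VPN peer."""
    halves = {str(n) for n, gw, _, _ in routes if n.prefixlen == 1 and gw == vpn_gw}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("203.0.113.10", "150.0.0.1", "192.168.1.113", "192.168.2.1"):
        print(dst, "->", lookup(table, dst))
    print("def1 via 192.168.2.5:", def1_active(table, "192.168.2.5"))
```

Internet-bound addresses resolve to 192.168.2.5 on the TAP adapter while the pfSense wireless address 192.168.1.113 stays on the directly connected /27, which is exactly the split the client log reports.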
-
Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?
-
Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?
Based on a forum search, I'd done that, to no effect:
Firewall - I set (in addition to the WAN rule it added as a default):
NAT - Outbound to Manual mode, and added
NAT Outbound Interface OPT2 Source 192.168.2.0/24 * * * * * NO
Based on some more searching today, I removed the Local Network 0.0.0.0/0 as well (leaving a blank), also with no effect.
I am quite curious: Why are the ROUTE statements my client reports setting a gateway of 192.168.2.5, when the OpenVPN IP Address on the pfSense is 192.168.2.1? From the client, I can ping .1, but I cannot ping .5.
i.e. a route of: 0.0.0.0 128.0.0.0 192.168.2.5 192.168.2.6
-
That outbound NAT rule goes on WAN, not OPT2.
-
That outbound NAT rule goes on WAN, not OPT2.
Thank you; it's transferring data now! I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased.
I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time. Is there a wiki I can document this at, so others can find the right information more easily?
For anyone else going through this, the final configuration:
Current major setup:
Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
WAN gateway xxx.yyy.zzz.nnn
OPT1 (192.168.1.113/27) goes to wireless
OPT1 is not bridged
OPT1 gateway is blank
OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
OPT2 general config is Type Static
OPT2 is not bridged
OPT2 gateway is blank
VPN OpenVPN is set up as "Server"
VPN Protocol UDP
VPN Dynamic IP unchecked
VPN Local Port 1194
VPN Address Pool 192.168.2.0/24
VPN Use Static IPs is not checked
VPN Local Network is blank
VPN Authentication method is PKI
VPN Custom Options:
push "redirect-gateway def1"
Firewall - based on a forum search here, I set:
NAT - Outbound to Manual mode, and added
NAT Outbound Interface WAN Source 192.168.2.0/24 * * * * * NO
NAT Outbound Interface WAN Source 192.168.1.0/27 * * * * * NO - Auto created rule for LAN (matches .13/27)
*** nothing for 192.168.1.96/27, the OPT1 Wireless IP range, because I deliberately want to force all wireless to use VPN.
Rules - OPT2
Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent vpn clients from accessing WebGUI)
ALLOW TCP from * * to destination * ports 80 and 443 gateway *