OpenVPN from Wireless to Internet; traffic doesn't transfer, but DNS works

Nadrek

Thank you all for taking the time to read this and provide me with some assistance; I do appreciate it (as will my fiancee).

Current goal:
To have wireless (OPT1, currently working by itself) clients able to access the Internet (WAN) only by using OpenVPN (OPT2).

Current status:
Wireless (OPT1) operates just fine by itself.
OpenVPN (OPT2) from a Windows client allows connection without issue, apparently allows DNS to resolv, and attempted traffic increments the OpenVPN LAN packet counters.

Current major setup:
Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
 LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
 WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
   WAN gateway xxx.yyy.zzz.nnn
 OPT1 (192.168.1.113/27) goes to wireless
   OPT1 is not bridged
   OPT1 gateway is blank
   OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
 OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
   OPT2 general config is Type Static
   OPT2 is not bridged
   OPT2 gateway is blank
 VPN OpenVPN is set up as "Server"
   VPN Protocol UDP
   VPN Dynamic IP unchecked
   VPN Local Port 1194
   VPN Address Pool 192.168.2.0/24
   VPN Use Static IPs is not checked
   VPN Local Network is 0.0.0.0/0
   VPN Authentication method is PKI
   VPN Custom Options:
     push "redirect-gateway def1"
 Firewall - based on a forum search here, I set:
   NAT - Outbound to Manual mode, and added
     NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO
   Rules - OPT2
     Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent vpn clients form accessing WebGUI)
     ALLOW TCP from * * to destination * ports 80 and 443 gateway *

Client config:

client

dev tun

proto udp

remote 192.168.1.113 1194

ping 10

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert WirelessRed1.crt

key WirelessRed1.key

dh dh2048.pem

cipher AES-128-CBC

ns-cert-type server

pull

verb 3

Client log:

Sun May 16 17:59:41 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009

Sun May 16 17:59:41 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Sun May 16 17:59:51 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Sun May 16 17:59:51 2010 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]

Sun May 16 17:59:51 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]

Sun May 16 17:59:51 2010 Local Options hash (VER=V4): '8326dbaa'

Sun May 16 17:59:51 2010 Expected Remote Options hash (VER=V4): 'b7f67de4'

Sun May 16 17:59:51 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]

Sun May 16 17:59:51 2010 UDPv4 link local: [undef]

Sun May 16 17:59:51 2010 UDPv4 link remote: 192.168.1.113:1194

Sun May 16 17:59:51 2010 TLS: Initial packet from 192.168.1.113:1194, sid=d3ed5a15 16b52ae5

Sun May 16 17:59:52 2010 VERIFY OK: depth=1, /C=US/ST=MO/L=StLouis/O=Do_Not_Enter/OU=Do_Not_Enter/CN=Do_Not_Enter/emailAddress=mail@host.domain

Sun May 16 17:59:52 2010 VERIFY OK: nsCertType=SERVER

Sun May 16 17:59:52 2010 VERIFY OK: depth=0, /C=US/ST=MO/O=Do_Not_Enter/OU=Do_Not_Enter/CN=server/emailAddress=mail@host.domain

Sun May 16 17:59:53 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Sun May 16 17:59:53 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sun May 16 17:59:53 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Sun May 16 17:59:53 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sun May 16 17:59:53 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Sun May 16 17:59:53 2010 [server] Peer Connection Initiated with 192.168.1.113:1194

Sun May 16 17:59:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Sun May 16 17:59:56 2010 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,dhcp-option DISABLE-NBT,redirect-gateway def1,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'

Sun May 16 17:59:56 2010 OPTIONS IMPORT: timers and/or timeouts modified

Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ifconfig/up options modified

Sun May 16 17:59:56 2010 OPTIONS IMPORT: route options modified

Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Sun May 16 17:59:56 2010 ROUTE default_gateway=192.168.1.113

Sun May 16 17:59:56 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6789521B-D7E3-4711-AE3D-1ADECB08A809}.tap

Sun May 16 17:59:56 2010 TAP-Win32 Driver Version 9.6 

Sun May 16 17:59:56 2010 TAP-Win32 MTU=1500

Sun May 16 17:59:56 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {6789521B-D7E3-4711-AE3D-1ADECB08A809} [DHCP-serv: 192.168.2.5, lease-time: 31536000]

Sun May 16 17:59:56 2010 Successful ARP Flush on interface [4] {6789521B-D7E3-4711-AE3D-1ADECB08A809}

Sun May 16 18:00:01 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up

Sun May 16 18:00:01 2010 OpenVPN ROUTE: omitted no-op route: 192.168.1.113/255.255.255.255 -> 192.168.1.113

Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.5

Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]

Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.5

Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]

Sun May 16 18:00:01 2010 WARNING: potential route subnet conflict between local LAN [192.168.1.96/255.255.255.224] and remote VPN [0.0.0.0/0.0.0.0]

Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.5

Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]

Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.2.5

Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]

Sun May 16 18:00:01 2010 Initialization Sequence Completed

Client route PRINT after both wireless and OpenVPN connected:

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 25 31 9d 0e ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x4 ...00 ff 67 89 52 1b ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
0x20003 ...00 0e 35 9c 31 71 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0    192.168.1.113   192.168.1.120	  10

          0.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6	  1

          0.0.0.0          0.0.0.0      192.168.2.5     192.168.2.6	  1

        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1

        128.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6	  1

     192.168.1.96  255.255.255.224    192.168.1.120   192.168.1.120	  10

    192.168.1.120  255.255.255.255        127.0.0.1       127.0.0.1	  10

    192.168.1.255  255.255.255.255    192.168.1.120   192.168.1.120	  10

      192.168.2.1  255.255.255.255      192.168.2.5     192.168.2.6	  1

      192.168.2.4  255.255.255.252      192.168.2.6     192.168.2.6	  30

      192.168.2.6  255.255.255.255        127.0.0.1       127.0.0.1	  30

    192.168.2.255  255.255.255.255      192.168.2.6     192.168.2.6	  30

        224.0.0.0        240.0.0.0    192.168.1.120   192.168.1.120	  10

        224.0.0.0        240.0.0.0      192.168.2.6     192.168.2.6	  30

  255.255.255.255  255.255.255.255    192.168.1.120   192.168.1.120	  1

  255.255.255.255  255.255.255.255      192.168.2.6               2	  1

  255.255.255.255  255.255.255.255      192.168.2.6     192.168.2.6	  1

Default Gateway:       192.168.2.5

===========================================================================

Persistent Routes:

  None

jimp

Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?

Nadrek

@jimp:

Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?

Based on a forum search, I'd done that, to no effect:
  Firewall - I set (in addition to the WAN rule it added as a default):
    NAT - Outbound to Manual mode, and added
      NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO

Based on some more searching today, I removed the Local Network 0.0.0.0/0 as well (leaving a blank), also with no effect.

I am quite curious: Why are the ROUTE statements my client reports setting a gateway of 192.168.2.5, when the OpenVPN IP Address on the pfSense is 192.168.2.1?  From the client, I can ping .1, but I cannot ping .5
i.e. a route of:  0.0.0.0          128.0.0.0      192.168.2.5    192.168.2.6

jimp

That outbound NAT rule goes on WAN, not OPT2.

Nadrek

@jimp:

That outbound NAT rule goes on WAN, not OPT2.

Thank you; it's transferring data now!  I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased.

I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time.  Is there a wiki I can document this at, so others can find the right information more easily?

For anyone else going through this, the final configuration:
Current major setup:
Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
 LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
  WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
    WAN gateway xxx.yyy.zzz.nnn
 OPT1 (192.168.1.113/27) goes to wireless
   OPT1 is not bridged
   OPT1 gateway is blank
   OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
 OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
   OPT2 general config is Type Static
   OPT2 is not bridged
   OPT2 gateway is blank
 VPN OpenVPN is set up as "Server"
   VPN Protocol UDP
   VPN Dynamic IP unchecked
   VPN Local Port 1194
   VPN Address Pool 192.168.2.0/24
   VPN Use Static IPs is not checked
   VPN Local Network is blank
   VPN Authentication method is PKI
   VPN Custom Options:
     push "redirect-gateway def1"
 Firewall - based on a forum search here, I set:
   NAT - Outbound to Manual mode, and added
     NAT Outbound Interface WAN    Source 192.168.2.0/24 * * * * * NO
     NAT Outbound Interface WAN    Source 192.168.1.0/27 * * * * * NO  - Auto created rule for LAN (matches .13/27)
     *** nothing for 192.168.1.96/27, the OPT1 Wireless IP range, because I deliberately want to force all wireless to use VPN.
   Rules - OPT2
     Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent vpn clients form accessing WebGUI)
     ALLOW TCP from * * to destination * ports 80 and 443 gateway *