    OpenVPN from Wireless to Internet; traffic doesn't transfer, but DNS works

    Nadrek:

      Thank you all for taking the time to read this and provide me with some assistance; I do appreciate it (as will my fiancee).

      Current goal:
      To have wireless (OPT1, currently working by itself) clients able to access the Internet (WAN) only by using OpenVPN (OPT2).

      Current status:
      Wireless (OPT1) operates just fine by itself.
      OpenVPN (OPT2) from a Windows client allows connection without issue, apparently allows DNS to resolve, and attempted traffic increments the OpenVPN LAN packet counters.

      Current major setup:
      Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
      Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
       LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
       WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
         WAN gateway xxx.yyy.zzz.nnn
       OPT1 (192.168.1.113/27) goes to wireless
         OPT1 is not bridged
         OPT1 gateway is blank
         OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
       OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
         OPT2 general config is Type Static
         OPT2 is not bridged
         OPT2 gateway is blank
       VPN OpenVPN is set up as "Server"
         VPN Protocol UDP
         VPN Dynamic IP unchecked
         VPN Local Port 1194
         VPN Address Pool 192.168.2.0/24
         VPN Use Static IPs is not checked
         VPN Local Network is 0.0.0.0/0
         VPN Authentication method is PKI
         VPN Custom Options:
           push "redirect-gateway def1"
       Firewall - based on a forum search here, I set:
         NAT - Outbound to Manual mode, and added
           NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO
         Rules - OPT2
          Block TCP/UDP * * to destination (all firewall IPs, ports 80 and 443 - to prevent VPN clients from accessing the WebGUI)
           ALLOW TCP from * * to destination * ports 80 and 443 gateway *

      Client config:

      client
      dev tun
      proto udp
      remote 192.168.1.113 1194
      ping 10
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert WirelessRed1.crt
      key WirelessRed1.key
      dh dh2048.pem
      cipher AES-128-CBC
      ns-cert-type server
      pull
      verb 3

      Client log:

      Sun May 16 17:59:41 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
      Sun May 16 17:59:41 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Sun May 16 17:59:51 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Sun May 16 17:59:51 2010 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
      Sun May 16 17:59:51 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
      Sun May 16 17:59:51 2010 Local Options hash (VER=V4): '8326dbaa'
      Sun May 16 17:59:51 2010 Expected Remote Options hash (VER=V4): 'b7f67de4'
      Sun May 16 17:59:51 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
      Sun May 16 17:59:51 2010 UDPv4 link local: [undef]
      Sun May 16 17:59:51 2010 UDPv4 link remote: 192.168.1.113:1194
      Sun May 16 17:59:51 2010 TLS: Initial packet from 192.168.1.113:1194, sid=d3ed5a15 16b52ae5
      Sun May 16 17:59:52 2010 VERIFY OK: depth=1, /C=US/ST=MO/L=StLouis/O=Do_Not_Enter/OU=Do_Not_Enter/CN=Do_Not_Enter/emailAddress=mail@host.domain
      Sun May 16 17:59:52 2010 VERIFY OK: nsCertType=SERVER
      Sun May 16 17:59:52 2010 VERIFY OK: depth=0, /C=US/ST=MO/O=Do_Not_Enter/OU=Do_Not_Enter/CN=server/emailAddress=mail@host.domain
      Sun May 16 17:59:53 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
      Sun May 16 17:59:53 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Sun May 16 17:59:53 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
      Sun May 16 17:59:53 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Sun May 16 17:59:53 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
      Sun May 16 17:59:53 2010 [server] Peer Connection Initiated with 192.168.1.113:1194
      Sun May 16 17:59:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Sun May 16 17:59:56 2010 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,dhcp-option DISABLE-NBT,redirect-gateway def1,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'
      Sun May 16 17:59:56 2010 OPTIONS IMPORT: timers and/or timeouts modified
      Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ifconfig/up options modified
      Sun May 16 17:59:56 2010 OPTIONS IMPORT: route options modified
      Sun May 16 17:59:56 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Sun May 16 17:59:56 2010 ROUTE default_gateway=192.168.1.113
      Sun May 16 17:59:56 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{6789521B-D7E3-4711-AE3D-1ADECB08A809}.tap
      Sun May 16 17:59:56 2010 TAP-Win32 Driver Version 9.6
      Sun May 16 17:59:56 2010 TAP-Win32 MTU=1500
      Sun May 16 17:59:56 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {6789521B-D7E3-4711-AE3D-1ADECB08A809} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
      Sun May 16 17:59:56 2010 Successful ARP Flush on interface [4] {6789521B-D7E3-4711-AE3D-1ADECB08A809}
      Sun May 16 18:00:01 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
      Sun May 16 18:00:01 2010 OpenVPN ROUTE: omitted no-op route: 192.168.1.113/255.255.255.255 -> 192.168.1.113
      Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.5
      Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
      Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.5
      Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
      Sun May 16 18:00:01 2010 WARNING: potential route subnet conflict between local LAN [192.168.1.96/255.255.255.224] and remote VPN [0.0.0.0/0.0.0.0]
      Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.5
      Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
      Sun May 16 18:00:01 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.2.5
      Sun May 16 18:00:01 2010 Route addition via IPAPI succeeded [adaptive]
      Sun May 16 18:00:01 2010 Initialization Sequence Completed

      Client route PRINT after both wireless and OpenVPN connected:

      ===========================================================================
      Interface List
      0x1 ........................... MS TCP Loopback interface
      0x2 ...00 11 25 31 9d 0e ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
      0x4 ...00 ff 67 89 52 1b ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
      0x20003 ...00 0e 35 9c 31 71 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
      ===========================================================================
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0    192.168.1.113   192.168.1.120      10
                0.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6       1
                0.0.0.0          0.0.0.0      192.168.2.5     192.168.2.6       1
              127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
              128.0.0.0        128.0.0.0      192.168.2.5     192.168.2.6       1
           192.168.1.96  255.255.255.224    192.168.1.120   192.168.1.120      10
          192.168.1.120  255.255.255.255        127.0.0.1       127.0.0.1      10
          192.168.1.255  255.255.255.255    192.168.1.120   192.168.1.120      10
            192.168.2.1  255.255.255.255      192.168.2.5     192.168.2.6       1
            192.168.2.4  255.255.255.252      192.168.2.6     192.168.2.6      30
            192.168.2.6  255.255.255.255        127.0.0.1       127.0.0.1      30
          192.168.2.255  255.255.255.255      192.168.2.6     192.168.2.6      30
              224.0.0.0        240.0.0.0    192.168.1.120   192.168.1.120      10
              224.0.0.0        240.0.0.0      192.168.2.6     192.168.2.6      30
        255.255.255.255  255.255.255.255    192.168.1.120   192.168.1.120       1
        255.255.255.255  255.255.255.255      192.168.2.6               2       1
        255.255.255.255  255.255.255.255      192.168.2.6     192.168.2.6       1
      Default Gateway:       192.168.2.5
      ===========================================================================
      Persistent Routes:
        None
      jimp (Rebel Alliance Developer, Netgate):

        Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Nadrek:

          @jimp:

          Have you tried to switch to Manual Outbound NAT and add a rule to match the traffic from your OpenVPN address pool/tunnel network?

          Based on a forum search, I'd done that, to no effect:
            Firewall - I set (in addition to the WAN rule it added as a default):
              NAT - Outbound to Manual mode, and added
                NAT Outbound Interface OPT2    Source 192.168.2.0/24 * * * * * NO

          Based on some more searching today, I removed the Local Network 0.0.0.0/0 as well (leaving a blank), also with no effect.

          I am quite curious: why are the ROUTE statements my client reports setting a gateway of 192.168.2.5, when the OpenVPN IP address on the pfSense is 192.168.2.1? From the client, I can ping .1, but I cannot ping .5.
          i.e. a route of:  0.0.0.0          128.0.0.0      192.168.2.5    192.168.2.6

          jimp (Rebel Alliance Developer, Netgate):

            That outbound NAT rule goes on WAN, not OPT2.


            Nadrek:

              @jimp:

              That outbound NAT rule goes on WAN, not OPT2.

              Thank you; it's transferring data now!  I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased.

              I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time.  Is there a wiki I can document this at, so others can find the right information more easily?

              For anyone else going through this, the final configuration:
              Current major setup:
              Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
              Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
               LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
                WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
                  WAN gateway xxx.yyy.zzz.nnn
               OPT1 (192.168.1.113/27) goes to wireless
                 OPT1 is not bridged
                 OPT1 gateway is blank
                 OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
               OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
                 OPT2 general config is Type Static
                 OPT2 is not bridged
                 OPT2 gateway is blank
               VPN OpenVPN is set up as "Server"
                 VPN Protocol UDP
                 VPN Dynamic IP unchecked
                 VPN Local Port 1194
                 VPN Address Pool 192.168.2.0/24
                 VPN Use Static IPs is not checked
                 VPN Local Network is blank
                 VPN Authentication method is PKI
                 VPN Custom Options:
                   push "redirect-gateway def1"
               Firewall - based on a forum search here, I set:
                 NAT - Outbound to Manual mode, and added
                   NAT Outbound Interface WAN    Source 192.168.2.0/24 * * * * * NO
                   NAT Outbound Interface WAN    Source 192.168.1.0/27 * * * * * NO  - Auto created rule for LAN (matches .13/27)
                   *** nothing for 192.168.1.96/27, the OPT1 Wireless IP range, because I deliberately want to force all wireless to use VPN.
                 Rules - OPT2
                   Block TCP/UDP * * to destination (all firewall IPs, ports 80 and 443 - to prevent VPN clients from accessing the WebGUI)
                   ALLOW TCP from * * to destination * ports 80 and 443 gateway *

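The fix in this thread is that pfSense applies outbound NAT on the interface a packet leaves through, so a rule on OPT2 never matches traffic that exits via WAN. The checker below is an added example (my own code, not the thread's or pfSense's) that models the "before" and "after" rule sets from the posts as (interface, source network) pairs and audits them against the design stated in the final post: the VPN pool and LAN must be translated on WAN, the OPT1 wireless range must not be. The network labels and function names are assumptions.

```python
import ipaddress

# Constructed from the two rule sets quoted in this thread: (interface, source).
NAT_BEFORE = [("OPT2", "192.168.2.0/24")]
NAT_AFTER = [("WAN", "192.168.2.0/24"), ("WAN", "192.168.1.0/27")]

# Local networks as described in the thread; the labels are assumed.
LOCAL_NETS = {
    "LAN": "192.168.1.0/27",
    "OPT1 wireless": "192.168.1.96/27",
    "OPT2 VPN pool": "192.168.2.0/24",
}


def nat_applies(rules, egress_iface, src_ip):
    """True if some rule on the egress interface covers this source address.
    Outbound NAT is matched on the interface the packet LEAVES through."""
    src = ipaddress.ip_address(src_ip)
    return any(iface == egress_iface and src in ipaddress.ip_network(net)
               for iface, net in rules)


def translated_nets(rules, egress_iface, local_nets):
    """Names of local networks whose whole range is translated on egress_iface."""
    out = set()
    for name, net in local_nets.items():
        n = ipaddress.ip_network(net)
        if any(iface == egress_iface and n.subnet_of(ipaddress.ip_network(rnet))
               for iface, rnet in rules):
            out.add(name)
    return out


def check_vpn_only(rules, local_nets, must_nat, must_not_nat, egress="WAN"):
    """Audit a rule set against a 'wireless must go through the VPN' design.
    Returns a list of human-readable problems; empty means the policy holds."""
    got = translated_nets(rules, egress, local_nets)
    problems = []
    for name in must_nat:
        if name not in got:
            problems.append(f"{name}: no outbound NAT on {egress}; replies never come back")
    for name in must_not_nat:
        if name in got:
            problems.append(f"{name}: translated on {egress}; can bypass the tunnel")
    return problems


MUST_NAT = ["OPT2 VPN pool", "LAN"]
MUST_NOT_NAT = ["OPT1 wireless"]

if __name__ == "__main__":
    for label, rules in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        print(f"{label}: VPN client 192.168.2.6 via WAN translated? "
              f"{nat_applies(rules, 'WAN', '192.168.2.6')}")
        for p in check_vpn_only(rules, LOCAL_NETS, MUST_NAT, MUST_NOT_NAT) or ["OK"]:
            print("  ", p)
```

Two things worth keeping in mind when using a check like this on your own box. First, the missing OPT1 rule in the final config only withholds translation; packets from 192.168.1.96/27 can still be forwarded out WAN with a private source address unless the OPT1 firewall rules block them, so an explicit block rule on OPT1 for anything other than the OpenVPN port is the control that actually enforces the policy. Second, the Automatic outbound NAT mode would add a WAN rule for every local subnet, wireless included, which is exactly the leak `check_vpn_only` reports.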