OpenVPN works but Local network unreachable

john-dev

Hello,

i just set up an openvpn server using pki authentification. Since everything is working fine, there is a major problem.
After a successfull authentication, i cant reach the pfsense system (ip: 192.170.170.1) but that's it.
I cant contact the rest of the subnet, not even another carp'ed pfsense system in the network..

Address pool is 10.0.8.0/24
Local Network is 192.170.170.0/24

I even tried to push "route…" manually but this didnt work either.

Any ideas why i only can reach the OpenVPN-Server host (and the Gateway indeed)  but no other network?

Further, i have another unimportant question. As i am using Carp to have failover, i'm missing the possibility to sync the openvpns.. any ideas how to do that? isn't that nice to add everthing twice, nor three times..

p.s.:  1.2.3-RELEASE
built on Sun Dec 6 23:21:36 EST 2009

Thank,
John

jimp

Is your client running on Vista or Windows 7? If so, make sure the client software is running as Administrator. If it isn't run as Administrator, it doesn't have the permissions it needs to add the routes which will let it contact the rest of the network.

john-dev

Hi,

i tried the client using Windows 7, but as i used Administrator privileges, the openvpn log shows me that all routes has been set successful, same does windows by using route in a command prompt.

As i said, i can reach the Pfsense system and it's virtual gateway ip.. I added the rules everbody said, like wan to openvpn port and lan to any.. but it still doesn't work..

jimp

Are you running captive portal on the LAN?

john-dev

No i don't, i read the most posts regarding to this point but didnt find a solution up to now..
Could it be possible that my second pfsense system, a carp'ed one for failover is in the same network?

jimp

Only if that system is the default gateway for items on the LAN.

john-dev

No it is not. The default gateway is a virtualip, for the carp featureat the mein pfsense system.
So, any other suggestions?

jimp

That would explain why, then. You can work around it if you add a static route on the CARP pair that points your OpenVPN tunnel network subnet to the LAN IP of this other pfSense box.

Or use the CARP pair for OpenVPN instead of this one. Is there any particular reason you are running OpenVPN on a separate unit?

john-dev

Well, actually i don't.
Maybe there is a misunderstanding.

Its gateway1 (active)–--------gateway2 (passiv)
                      ---      carp    ---
    --- OPENVPN---

And the OPENVPN users can only reach gateway1, not the second passiv one, nor any other network member.
Could it be a problem of the switches? (D-Link)
Maybe they decline to transfer anything fomr another subnet :/

jimp

Ah, OK. I misread. I thought you had a box apart from the cluster that did OpenVPN.

That should still work then, subnets don't matter to switches as long as the clients know where to send the traffic.

You may not be able to reach the secondary pfSense unit in that way, but you should be able to hit anything on LAN provided it is not filtering traffic at the client level.

john-dev

Hey,

i will output the routes set in the pfsense system, it looked to me that they are not right at all.. i will post them tomorrow (can't touch the system now).

til than!

john-dev

hey,

here the picture fo the routes set in pfsense.
Can't see a route between lan and tun0 :/

any ideas?

p.s. the blacked ips are the wan ips!
cheers,
john

jimp

Can you try some packet captures to see if the traffic makes it across the tunnel on tun0 and actually leaves (and re-enters) your LAN interface?