Problem running OpenVPN



  • Hi!
    I would like to use a VPN on my pfSense but I have some problems… Here is my configuration:

    Office 1 -> server openvpn
    network: 192.168.0.0/24
    interface pfsense 192.168.0.1
    virtual interface 192.168.4.1

    Office 2 -> client Openvpn
    network: 192.168.3.0/24
    interface pfsense 192.168.3.1
    virtual interface 192.168.4.2

    Ping between my two offices doesn't work. After a few tests, I've noticed something strange... From my office 1, I can ping 192.168.4.1, but from my pfSense it doesn't work. So, when I send a ping to 192.168.3.1, the ping goes to 192.168.0.1 (pfSense) and stops there (normal, it can reach 192.168.4.1). Same problem on my client with 192.168.4.2.

    Any ideas?
    Thanks.



  • Can you post the config of your server and your client?
    (can be found under /var/etc/ )
    Also do all devices on both sides use the pfSense as their default gateway?



  • My server config:

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 192.168.4.1 192.168.4.2
    lport 1194
    route 192.168.3.0 255.255.255.0
    secret /var/etc/openvpn_server0.secret
    persist-remote-ip
    float
    push "route 192.168.3.0 255.255.255.0"
    
    

    I can't retrieve the config of my client for now; I will post it later.

    And yes, on my two networks, the default gateway is my pfSense.



  • From the server config I see that you're trying to push the route to the 192.168.3.0/24 subnet to the client.
    However, you have a PSK setup.
    In a PSK setup pushes don't work.
    You will need to add a route command to the client config, telling the client what lies on the other side of the tunnel.



  • My client config:

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote [myinternetip] 1194
    lport 1194
    ifconfig 192.168.4.2 192.168.4.1
    route 192.168.0.0 255.255.255.0
    secret /var/etc/openvpn_client0.secret
    route 192.168.3.0 255.255.255.0 [myinternetip]
    route 192.168.16.0 255.255.255.0 [myinternetip]
    

    I don't see what is wrong…



  • Why do you have the [myinternetip] at the routes as gateway if your intention is to direct traffic going to those networks over the vpn tunnel? The gateway is usually left empty because the default is the "gateway" address of the vpn tunnel and it usually works fine that way.



  • your intention is to direct traffic going to those networks over the vpn tunnel?

    Exactly, but even if I leave the gateway empty it doesn't work for each of my 3 remote networks.

    My new client configuration:

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote [myinternetip]
    lport 1194
    ifconfig 192.168.3.2 192.168.3.1
    route 192.168.0.0 255.255.255.0
    secret /var/etc/openvpn_client0.secret
    route 192.168.3.0 255.255.255.0
    route 192.168.16.0 255.255.255.0
    

    But I don't understand this line: ifconfig 192.168.3.2 192.168.3.1

    What is 192.168.3.2? I can't ping that… In my config above, it was the pool address, but I've read in different howtos that I must enter the local network (192.168.3.0/24 in my case) in the "Interface IP" field of the OpenVPN configuration...



  • In PSK (preshared key) mode the interface IP means the 2 addresses assigned to the tunnel interface, in your case 192.168.3.1 (server) and 192.168.3.2 (client). Make sure you don't use these addresses anywhere else in your networks because they have to be unique. Also the route for the 192.168.3.0 network is not needed if those addresses are used on the tunnel interface.

    Edit: OK, reading a bit more of your config… I recommend you choose a network address space 10.x.y.0/24, where x and y are some random numbers 0-255, for the interface field; both sides have to match of course. Then you can keep your current numbering 192.168.0.* and 192.168.3.* on your office1 and office2 networks.



  • OK, so there is an error in this howto: http://pfsense.bol2riz.com/tutorials/openvpn/pfsense-ovpn.pdf (they put the local network and not the pool network). I've changed it one more time to have "ifconfig 192.168.4.2 192.168.4.1"… But it's always the same, it doesn't work.... :'(



  • Sorry I don't have a 1.2.3 pfSense system to check how things look on the configuration pages for client and server but I do remember that they were seriously confusing about where to put the tunnel network addresses when using psk mode, on one side it was called "interface address" and something else on other. On 2.0 it's all much clearer…

    Edit: I was finally able to make something out of that pdf... On the server side the tunnel network address goes to
    "address pool" and on the client side it goes to "Interface IP". These two have to always match.

    And yes there is a serious error in that guide on the client edit page, the interface IP should be 192.168.10.0/24 to match what is on the server configuration.



  • There is something I don't understand in the guide… There are two parts: Setting up OpenVPN for road warriors (= remote clients) and Setting up Site-to-Site OpenVPN. Should I have two VPN servers in the end? I have only the server and the client that I gave above, and my objective is to allow PCs of office 1 and PCs of office 2 to ping each other.



  • For office-to-office type access you want a site-to-site tunnel using preshared key. Roadwarrior setup is used when you want to allow access to your network from anywhere on the net for multiple clients and that setup requires setting up a PKI (public key infrastructure) with keys and certificates (rsa keys and ssl certificates to be exact).



  • OK so, if my config seems good, where can I look for the problem? Is it normal that I can ping 192.168.4.1 (my pool address) from my office and not from my pfSense box?



  • Your config isn't fine until you've made sure that the tunnel network (what I recommended to be 10.x.y.0/24) and the two office networks are all separate subnets.

    After that you need to make sure you have proper routes in place. On the server (office1) the remote network should be set to the subnet of office2 (192.168.3.0). On the client(office2) the remote network should be set to the subnet of office1 (192.168.0.0/24).

    If you need additional routes on top of those they should go to advanced options as "route subnet netmask" (e.g. "route 192.168.100.0 255.255.255.0"); push "route …" doesn't work in PSK mode, it's for PKI roadwarrior mode.
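
The following is an added example, not a post from this thread and not pfSense's own code. It puts the thread's conclusions into a pair of corrected PSK site-to-site fragments and two small lint checks a practitioner can run on a config before loading it: one flags tunnel endpoints that fall inside a routed subnet or the local LAN (the "ifconfig 192.168.3.2 192.168.3.1" mistake above), the other flags push directives in a --secret config, which never reach the peer. Assumed values: tunnel network 10.47.11.0/24 with the server on .1 and the client on .2, office 1 on 192.168.0.0/24, office 2 on 192.168.3.0/24, and 192.168.16.0/24 assumed to sit behind office 1; only routing-relevant lines are reproduced. The thread's configs use cipher BF-CBC, a 64-bit block cipher that current OpenVPN releases no longer enable by default; the corrected fragments name AES-256-CBC instead. The script needs only a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the thread). Corrected OpenVPN PSK site-to-site fragments
# plus two lint checks. Tunnel 10.47.11.0/24, office LANs and 192.168.16.0/24 are assumptions.

# Client config as posted in the thread: tunnel endpoints taken from office 2's own LAN.
original_client_config() {
    cat <<'EOF'
dev tun
proto udp
secret /var/etc/openvpn_client0.secret
remote [myinternetip]
ifconfig 192.168.3.2 192.168.3.1
route 192.168.0.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.16.0 255.255.255.0
EOF
}

corrected_server_config() {
    cat <<'EOF'
dev tun
proto udp
lport 1194
secret /var/etc/openvpn_server0.secret
cipher AES-256-CBC
# tunnel endpoints: local first, remote second; mirrored on the client
ifconfig 10.47.11.1 10.47.11.2
# office 2 LAN lies on the far side; no push: pushes only work with a TLS server
route 192.168.3.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key
EOF
}

corrected_client_config() {
    cat <<'EOF'
dev tun
proto udp
remote [myinternetip] 1194
secret /var/etc/openvpn_client0.secret
cipher AES-256-CBC
ifconfig 10.47.11.2 10.47.11.1
# networks behind office 1; gateway left empty so the tunnel endpoint is used
route 192.168.0.0 255.255.255.0
route 192.168.16.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key
EOF
}

# Dotted-quad IPv4 address to an integer, using only POSIX shell arithmetic.
ip4_to_int() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: succeeds when ADDR falls inside NET/MASK.
in_subnet() {
    a_i=$(ip4_to_int "$1"); n_i=$(ip4_to_int "$2"); m_i=$(ip4_to_int "$3")
    [ $(( a_i & m_i )) -eq $(( n_i & m_i )) ]
}

# check_tunnel_endpoints CONFIG_TEXT LAN_NET LAN_MASK
# Fails and names the clash when an ifconfig endpoint lies inside a routed subnet
# or inside this side's own LAN (passed in, since the config does not state it).
check_tunnel_endpoints() {
    conf=$1; lan_net=$2; lan_mask=$3
    endpoints=$(printf '%s\n' "$conf" | awk '$1 == "ifconfig" { print $2, $3 }')
    routes=$(printf '%s\n' "$conf" | awk '$1 == "route" { print $2 "/" $3 }')
    rc=0
    for ep in $endpoints; do
        for r in $routes "$lan_net/$lan_mask"; do
            net=${r%/*}; mask=${r#*/}
            if in_subnet "$ep" "$net" "$mask"; then
                echo "overlap: tunnel endpoint $ep lies inside $net/$mask"
                rc=1
            fi
        done
    done
    return $rc
}

# check_psk_no_push CONFIG_TEXT: fails when a --secret config also carries push lines.
check_psk_no_push() {
    if printf '%s\n' "$1" | grep -q '^secret ' && printf '%s\n' "$1" | grep -q '^push '; then
        echo "push found in a PSK (secret) config: it will never reach the peer"
        return 1
    fi
    return 0
}

main() {
    echo "== original client config (endpoints on 192.168.3.0/24) =="
    check_tunnel_endpoints "$(original_client_config)" 192.168.3.0 255.255.255.0 || true
    echo "== corrected client config =="
    check_tunnel_endpoints "$(corrected_client_config)" 192.168.3.0 255.255.255.0 && echo ok
    echo "== corrected server config =="
    check_tunnel_endpoints "$(corrected_server_config)" 192.168.0.0 255.255.255.0 && echo ok
}
main
```

Run it with `sh lint.sh`: the first section reports the endpoint clashes in the posted client config, the other two print `ok`. To lint a real file instead of the embedded fragments, pass `"$(cat /var/etc/openvpn_client0.conf)"` as the first argument together with that box's LAN.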

