Netgate Discussion Forum

    Problem to run OpenVPN

    OpenVPN
    14 Posts 3 Posters 4.8k Views
    • cyanatide

      Hi!
      I would like to use a VPN on my pfSense but I have some problems. Here is my configuration:

      Office 1 -> server openvpn
      network: 192.168.0.0/24
      interface pfsense 192.168.0.1
      virtual interface 192.168.4.1

      Office 2 -> client Openvpn
      network: 192.168.3.0/24
      interface pfsense 192.168.3.1
      virtual interface 192.168.4.2

      Ping between my two offices doesn't work. After a few tests, I've noticed something strange: from my office 1, I can ping 192.168.4.1, but from my pfSense it doesn't work. So when I send a ping to 192.168.3.1, the ping goes to 192.168.0.1 (pfSense) and stops there (normal, it can reach 192.168.4.1). Same problem on my client with 192.168.4.2.

      Any ideas?
      Thanks.

      • GruensFroeschli

        Can you post the config of your server and your client?
        (can be found under /var/etc/ )
        Also do all devices on both sides use the pfSense as their default gateway?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • cyanatide

          My server config:

          writepid /var/run/openvpn_server0.pid
          #user nobody
          #group nobody
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          dev tun
          proto udp
          cipher BF-CBC
          up /etc/rc.filter_configure
          down /etc/rc.filter_configure
          ifconfig 192.168.4.1 192.168.4.2
          lport 1194
          route 192.168.3.0 255.255.255.0
          secret /var/etc/openvpn_server0.secret
          persist-remote-ip
          float
          push "route 192.168.3.0 255.255.255.0"

          I can't retrieve the config of my client for now, I will post it later.

          And yes, on both of my networks, the default gateway is my pfSense.

          • GruensFroeschli

            From the server config I see that you're trying to push the route to the 192.168.3.0/24 subnet to the client.
            However you have a PSK setup.
            In a PSK setup pushes don't work.
            You will need to add a route command to the client config, telling the client what lies on the other side of the tunnel.


            • cyanatide

              My client config:

              writepid /var/run/openvpn_client0.pid
              #user nobody
              #group nobody
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              dev tun
              proto udp
              cipher BF-CBC
              up /etc/rc.filter_configure
              down /etc/rc.filter_configure
              remote [myinternetip] 1194
              lport 1194
              ifconfig 192.168.4.2 192.168.4.1
              route 192.168.0.0 255.255.255.0
              secret /var/etc/openvpn_client0.secret
              route 192.168.3.0 255.255.255.0 [myinternetip]
              route 192.168.16.0 255.255.255.0 [myinternetip]

              I don't see what is wrong…

              • kpa

                Why do you have the [myinternetip] at the routes as gateway if your intention is to direct traffic going to those networks over the vpn tunnel? The gateway is usually left empty because the default is the "gateway" address of the vpn tunnel and it usually works fine that way.

                • cyanatide

                  "your intention is to direct traffic going to those networks over the vpn tunnel?"

                  Exactly, but even if I leave the gateway empty it doesn't work for any of my 3 remote networks.

                  My new client configuration:

                  writepid /var/run/openvpn_client0.pid
                  #user nobody
                  #group nobody
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  dev tun
                  proto udp
                  cipher BF-CBC
                  up /etc/rc.filter_configure
                  down /etc/rc.filter_configure
                  remote [myinternetip]
                  lport 1194
                  ifconfig 192.168.3.2 192.168.3.1
                  route 192.168.0.0 255.255.255.0
                  secret /var/etc/openvpn_client0.secret
                  route 192.168.3.0 255.255.255.0
                  route 192.168.16.0 255.255.255.0

                  But I don't understand this line: ifconfig 192.168.3.2 192.168.3.1

                  What is 192.168.3.2? I can't ping that. In my config above, it was the pool address, but I've read in different howtos that I must enter the local network (192.168.3.0/24 in my case) in the "Interface IP" field of the OpenVPN configuration...

                  • kpa

                    In PSK (preshared key) mode the interface IP means the 2 addresses assigned to the tunnel interface, in your case 192.168.3.1 (server) and 192.168.3.2 (client). Make sure you don't use these addresses anywhere else in your networks because they have to be unique. Also the route for the 192.168.3.0 network is not needed if those addresses are used on the tunnel interface.

                    Edit: Ok, reading a bit more of your config… I recommend you choose a network address space 10.x.y.0/24 where x and y are some random numbers 0-255 for the interface field, both sides have to match of course. Then you can keep you current numbering 192.168.0.* and 192.168.3.* on your office1 and office2 networks.

                    • cyanatide

                      OK, so there is an error in this howto: http://pfsense.bol2riz.com/tutorials/openvpn/pfsense-ovpn.pdf (they put the local network and not the pool network). I've changed it one more time to have "ifconfig 192.168.4.2 192.168.4.1", but it's still the same, it doesn't work.... :'(

                      • kpa

                        Sorry I don't have a 1.2.3 pfSense system to check how things look on the configuration pages for client and server but I do remember that they were seriously confusing about where to put the tunnel network addresses when using psk mode, on one side it was called "interface address" and something else on other. On 2.0 it's all much clearer…

                        Edit: I was finally able to make something out of that pdf... On the server side the tunnel network address goes to
                        "address pool" and on the client side it goes to "Interface IP". These two have to always match.

                        And yes there is a serious error in that guide on the client edit page, the interface IP should be 192.168.10.0/24 to match what is on the server configuration.

                        • cyanatide

                          There is something I don't understand in the guide. There are two parts: Setting up OpenVPN for road warriors (= remote clients) and Setting up Site-to-Site OpenVPN. Should I have two VPN servers at the end? I have only the server and the client that I gave above, and my objective is to allow the PCs of office 1 and the PCs of office 2 to ping each other.

                          • kpa

                            For office-to-office type access you want a site-to-site tunnel using preshared key. Roadwarrior setup is used when you want to allow access to your network from anywhere on the net for multiple clients and that setup requires setting up a PKI (public key infrastructure) with keys and certificates (rsa keys and ssl certificates to be exact).

                            • cyanatide

                              OK so, if my config seems good, where should I look for the problem? Is it normal that I can ping 192.168.4.1 (my pool address) from my office and not from my pfSense box?

                              • kpa

                                Your config isn't fine until you've made sure that the tunnel network (what I recommended to be 10.x.y.0/24) and the two office networks are all separate subnets.

                                After that you need to make sure you have proper routes in place. On the server (office1) the remote network should be set to the subnet of office2 (192.168.3.0). On the client(office2) the remote network should be set to the subnet of office1 (192.168.0.0/24).

                                If you need additional routes on top of those they should go to advanced options as "route subnet netmask" (e.g. "route 192.168.100.0 255.255.255.0"); push "route …" doesn't work in PSK mode, it's for PKI roadwarrior mode.

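The three rules the thread converges on (push has no effect in a static-key tunnel, the tunnel addresses must sit in a subnet of their own, and a route's gateway should be left to default rather than set to the WAN address) are easy to check mechanically before bringing a tunnel up. The script below is an added example, not pfSense or OpenVPN code. It parses a server/client pair of OpenVPN static-key configs and reports those mistakes, plus a missing route to the peer LAN. The embedded configs are constructed: the "OK" pair is the thread's setup trimmed to the lines that matter and moved to a 10.8.0.0/24 tunnel subnet as kpa suggested; the "BAD" pair reproduces the problems seen in the posted configs. The hostname vpn.example.net, the address 203.0.113.10 and the secret paths are placeholders.

```python
"""Lint a server/client pair of OpenVPN static-key (PSK) configs for the
mistakes discussed in this thread.  Added example; not pfSense/OpenVPN code."""
import ipaddress

# Constructed sample configs (placeholder hostname, public IP and key paths).
SERVER_OK = """
dev tun
proto udp
lport 1194
secret /var/etc/openvpn_server0.secret
ifconfig 10.8.0.1 10.8.0.2          # tunnel endpoints, outside both office LANs
route 192.168.3.0 255.255.255.0     # office 2 LAN; gateway defaults to 10.8.0.2
"""
CLIENT_OK = """
dev tun
proto udp
remote vpn.example.net 1194
secret /var/etc/openvpn_client0.secret
ifconfig 10.8.0.2 10.8.0.1          # mirror image of the server's ifconfig line
route 192.168.0.0 255.255.255.0     # office 1 LAN; gateway defaults to 10.8.0.1
"""
SERVER_BAD = """
dev tun
proto udp
lport 1194
secret /var/etc/openvpn_server0.secret
ifconfig 192.168.4.1 192.168.4.2
route 192.168.3.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"   # needs a TLS server; ignored here
"""
CLIENT_BAD = """
dev tun
proto udp
remote 203.0.113.10 1194
secret /var/etc/openvpn_client0.secret
ifconfig 192.168.3.2 192.168.3.1               # inside office 2's own LAN
route 192.168.0.0 255.255.255.0
route 192.168.3.0 255.255.255.0 203.0.113.10   # own LAN, via the WAN address
"""
# LAN behind each endpoint (from the thread).
LANS = {"server": "192.168.0.0/24", "client": "192.168.3.0/24"}


def parse(text):
    """Split a config into (directive, args) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_psk_pair(server_text, client_text, lans):
    """Return a list of problem strings; an empty list means the pair passes."""
    problems = []
    cfgs = {"server": parse(server_text), "client": parse(client_text)}
    lan_nets = {k: ipaddress.ip_network(v) for k, v in lans.items()}
    ifcfg = {}
    for side, cfg in cfgs.items():
        names = {d for d, _ in cfg}
        if "secret" not in names:
            problems.append(f"{side}: no 'secret' line; these checks assume static-key mode")
        if "push" in names:
            problems.append(f"{side}: 'push' is ignored in static-key mode; use 'route' in the peer config")
        args = next((a for d, a in cfg if d == "ifconfig"), [])
        if len(args) != 2:
            problems.append(f"{side}: missing or malformed 'ifconfig <local> <remote>'")
        ifcfg[side] = args
    tunnel_hosts = set()
    if all(len(a) == 2 for a in ifcfg.values()):
        # Server 'ifconfig A B' must pair with client 'ifconfig B A'.
        if tuple(ifcfg["server"]) != tuple(reversed(ifcfg["client"])):
            problems.append("ifconfig lines are not mirror images of each other")
        for side, (local, _remote) in ifcfg.items():
            tunnel_hosts.add(local)
            for lan, net in lan_nets.items():
                if ipaddress.ip_address(local) in net:
                    problems.append(f"{side}: tunnel address {local} is inside the {lan} LAN {net}; use a separate tunnel subnet")
    for side, cfg in cfgs.items():
        peer = "client" if side == "server" else "server"
        routed = []
        for d, args in cfg:
            if d != "route":
                continue
            if len(args) < 2:
                problems.append(f"{side}: 'route' needs at least network and netmask")
                continue
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            routed.append(net)
            if net.overlaps(lan_nets[side]):
                problems.append(f"{side}: route {net} sends its own LAN into the tunnel")
            # Explicit gateway is only sensible if it is a tunnel address.
            if len(args) >= 3 and args[2] not in tunnel_hosts:
                problems.append(f"{side}: route {net} uses gateway {args[2]}, which is not a tunnel address; omit it")
        if not any(lan_nets[peer].subnet_of(n) for n in routed):
            problems.append(f"{side}: no route covering the peer LAN {lan_nets[peer]}")
    return problems


if __name__ == "__main__":
    for label, pair in (("OK", (SERVER_OK, CLIENT_OK)), ("BAD", (SERVER_BAD, CLIENT_BAD))):
        print(label, lint_psk_pair(*pair, LANS) or "no problems found")
```

Run it against the real files from /var/etc/ by reading them into the two text arguments; the only thing the script needs from you is the LAN subnet behind each end. It does not verify the shared secret or the firewall rules on the tun interface, which are the next things to check once the routing lints are clean.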
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.