OpenVPN routing

kup4ooo

Hellow everybody!

I have pfSense box behind ADSL Router on WAN interface and Network switch on LAN interface.
Internet (ADSL) 192.168.1.1<->192.168.1.2 WAN(pfSense) / LAN(pfSense) 192.168.0.1 - > Switch => (192.168.0.0/24 Local Net)
The OpenVPN server runs fine, but when I decide to route all trafic trow it, nothing happends.
The roadwarior connects ok.
I see all things in local net (print, shares, etc.).
Also can connect to pfSense web interface.
But when I whant to check mail or brouse in internet it is no traffic.

Roadwarior -> Windows 7 with GUI - behind router ; local network 192.168.4.0/24

This is my server configuration:
1194 UDP
address poll: 192.168.200.0/24
Local network: 192.168.0.0/24
Cryptography: AES128
Authentication method: PKI
DHCP-Opt.: DNS-Domainname ->is set!
Lzo Compression: -> Check.
Custom Opt.: push "dhcp-option DNS 192.168.0.1"; push "redirect-gateway def1"  (here I try DNS with 192.168.200.1 and aslo 192.168.200.5 but it is the same).

Client config:

client
dev tun
proto udp
remote address 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key keyy.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
pull
verb 3

Firewall rules:
WAN: allow 1194; Block ICMP, Block IGMP, Block private networks
LAN: allow  all to all; 192.168.200.0/24  to all;

NAT:
WAN -> source: 192.168.0.0/24
WAN -> source: 192.168.200.0/24

There is DNS, because it resolve names, but when I make:
tracert google.com
in command promt
the first hop is 192.168.200.1
and after that is no hops.

The windows interface is with dhcp 192.168.200.5 IP 192.168.200.6 DNS 192.168.0.1

I Try many things from this forum and from google but nothing work. Please suggest descision.

P.P.: Sorry for my English.

GruensFroeschli

You probably need to enable Advanced outbound NAT (firewall –> NAT --> outbound) and create a rule to NAT your OpenVPN subnet to the WAN.

kup4ooo

Yes.

This is the rull: WAN -> source: 192.168.200.0/24 (see attached jpg)

This is the OpenVpn network. Am I right?

kup4ooo

Finaly. It works!

I don't know what was the problem. I just made again the configuration.

Thanks!

ericab

hi!

i wish we could have known what the problem was, because i am having the exact same issue.
i can connect to my 3rd party VPN provider just fine.

from the pfSense web-ui, if i tracert to google for example, i see its going through my tunnel.
when i use a computer in my LAN, my desktop for example, nothing !

ive recently switched from Endian Firewall to pfsense, and when i was using Endian, id establish the VPN tunnel.
then try from LAN and nothing worked, UNTILL, i entered:

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

after this everything was tunneled through my VPN.

are the 2 above iptable rules the solution to my problem ?

some background about my pfsense setup:

it is a fresh install. the only changes to the web-ui are:
added the CA in the cert manager
added a VPN client.

vpn establishes just fine.

in the firewall rules page, LAN is set to allow all OUT, and allow all IN.
the WAN page has 2 rules already installed; 1 for not allowing private networks, and another for bogon nets

in the openvpn log, it automatically pushes routes and appends them to my routing table. (see screenshot below)

here are a few screenshots:

first set is from my Endian Firewall  which worked. the vpn tunnel has been started.
(note: ip's have been edited.)

routing table.
http://dl.dropbox.com/u/66962/New%20folder/route-table_working.png
vpn initialization sequence:
http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-working.png

finally my pfSense box, the vpn tunnel has been started.
routing table:
http://dl.dropbox.com/u/66962/New%20folder/route-table-not.working.png
vpn initialization sequence:
http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-not.working.png

help  :-\

kup4ooo

It is no needed to write iptables commands. Every thing is in web GUI (except the real WAN addres when you use DynDNS and pfSense behind router - it is a little change in one config file)

I attached my config.
See the firewall rules.
What is your client local network?
and what is your local network (LAN) for pfSense?

If these two netwokrs are equal as 192.168.0.0/24 for the client and for the pfSense LAN
I saw that is problem. the client don't know where to find as example 192.168.0.3.
But with extra options to redirect all traffic trow vpn is OK.
That's why I change my local net for the client to 192.168.4.0/24

Look the tutorial and do it as it is writen in http://forum.pfsense.org/index.php?topic=7840.msg44065

Then look my config, and aslo the client config in the first post.

If this not help reboot the system. (i found that some times the firewall rules are not get on when i change them)

The NAT thing is important and aslo the firewall rules and networks (local, address poll, …)

when do this connect from the client and tracert some web site and see if this is routed trow vpn or not.

I aslo has a problem with seeing local network services - i see the clients but can't print, brouse shares and etc.

I make the fire wall rules and every thing is ok now and with the nat thinks i have all traffic routed trow vpn.

kup4ooo

and the other part of my config