Netgate Discussion Forum

    OpenVPN routing

    7 Posts 3 Posters 5.5k Views
    • kup4ooo

      Hello everybody!

      I have a pfSense box behind an ADSL router on the WAN interface and a network switch on the LAN interface.
      Internet (ADSL) 192.168.1.1 <-> 192.168.1.2 WAN (pfSense) / LAN (pfSense) 192.168.0.1 -> Switch => 192.168.0.0/24 (local net)
      The OpenVPN server runs fine, but when I decide to route all traffic through it, nothing happens.
      The road warrior connects OK.
      I see everything in the local net (printers, shares, etc.).
      I can also connect to the pfSense web interface.
      But when I want to check mail or browse the internet there is no traffic.

      Road warrior -> Windows 7 with GUI, behind a router; local network 192.168.4.0/24

      This is my server configuration:
      1194 UDP
      Address pool: 192.168.200.0/24
      Local network: 192.168.0.0/24
      Cryptography: AES128
      Authentication method: PKI
      DHCP options: DNS domain name -> is set!
      LZO compression: -> checked.
      Custom options: push "dhcp-option DNS 192.168.0.1"; push "redirect-gateway def1" (here I tried DNS 192.168.200.1 and also 192.168.200.5 but it is the same).

      Client config:

      client
      dev tun
      proto udp
      remote address 1194
      ping 10
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert cert.crt
      key keyy.key
      ns-cert-type server
      cipher AES-128-CBC
      comp-lzo
      pull
      verb 3

      Firewall rules:
      WAN: allow 1194; Block ICMP, Block IGMP, Block private networks
      LAN: allow  all to all; 192.168.200.0/24  to all;

      NAT:
      WAN -> source: 192.168.0.0/24
      WAN -> source: 192.168.200.0/24

      There is DNS, because it resolves names, but when I run:
      tracert google.com
      in the command prompt,
      the first hop is 192.168.200.1
      and after that there are no hops.

      The Windows interface has DHCP 192.168.200.5, IP 192.168.200.6, DNS 192.168.0.1.

      I tried many things from this forum and from Google but nothing works. Please suggest a solution.

      P.S.: Sorry for my English.

      • GruensFroeschli

        You probably need to enable Advanced outbound NAT (Firewall -> NAT -> Outbound) and create a rule to NAT your OpenVPN subnet to the WAN.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • kup4ooo

          Yes.

          This is the rule: WAN -> source: 192.168.200.0/24 (see attached jpg)

          This is the OpenVPN network. Am I right?

          [attachment: NAT.jpg]

          • kup4ooo

            Finally. It works!

            I don't know what the problem was. I just made the configuration again.

            Thanks!

            • ericab

              Hi!

              I wish we could have known what the problem was, because I am having the exact same issue.
              I can connect to my 3rd party VPN provider just fine.

              From the pfSense web UI, if I tracert to Google for example, I see it's going through my tunnel.
              When I use a computer in my LAN, my desktop for example, nothing!

              I've recently switched from Endian Firewall to pfSense, and when I was using Endian, I'd establish the VPN tunnel,
              then try from the LAN and nothing worked, UNTIL I entered:

              iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
              iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

              After this everything was tunneled through my VPN.

              Are the 2 iptables rules above the solution to my problem?

              Some background about my pfSense setup:

              It is a fresh install. The only changes in the web UI are:
              added the CA in the cert manager,
              added a VPN client.

              The VPN establishes just fine.

              In the firewall rules page, LAN is set to allow all OUT and allow all IN.
              The WAN page has 2 rules already installed; 1 for not allowing private networks, and another for bogon nets.

              In the OpenVPN log, it automatically pushes routes and appends them to my routing table. (See screenshot below.)

              Here are a few screenshots:

              First set is from my Endian Firewall, which worked. The VPN tunnel has been started.
              (Note: IPs have been edited.)

              Routing table:
              http://dl.dropbox.com/u/66962/New%20folder/route-table_working.png
              VPN initialization sequence:
              http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-working.png

              Finally my pfSense box, the VPN tunnel has been started.
              Routing table:
              http://dl.dropbox.com/u/66962/New%20folder/route-table-not.working.png
              VPN initialization sequence:
              http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-not.working.png

              help  :-\

              • kup4ooo

                It is not needed to write iptables commands. Everything is in the web GUI (except the real WAN address when you use DynDNS and pfSense behind a router; that is a little change in one config file).

                I attached my config.
                See the firewall rules.
                What is your client local network?
                And what is your local network (LAN) for pfSense?

                If these two networks are equal, e.g. 192.168.0.0/24 for the client and for the pfSense LAN,
                I saw that it is a problem: the client doesn't know where to find, for example, 192.168.0.3.
                But with the extra options to redirect all traffic through the VPN it is OK.
                That's why I changed my local net for the client to 192.168.4.0/24.

                Look at the tutorial and do it as it is written in http://forum.pfsense.org/index.php?topic=7840.msg44065

                Then look at my config, and also the client config in the first post.

                If this does not help, reboot the system. (I found that sometimes the firewall rules do not take effect when I change them.)

                The NAT thing is important and also the firewall rules and networks (local, address pool, ...)

                When you have done this, connect from the client and tracert some web site and see if it is routed through the VPN or not.

                I also had a problem with seeing local network services: I saw the clients but couldn't print, browse shares, etc.

                I made the firewall rules and everything is OK now, and with the NAT things I have all traffic routed through the VPN.

                [attachments: 1.jpg, 2.jpg, 3.jpg]

                • kup4ooo
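The two things the replies keep coming back to (an outbound NAT rule on WAN that covers the OpenVPN address pool, and a client LAN that does not overlap the server LAN) can be sanity-checked offline before touching the box. The Python below is an added example, not code from the thread or from pfSense; it models the GUI rows as plain tuples, and the addresses and custom options are constructed from the posts.

```python
import ipaddress

# Values constructed from the thread (tunnel pool, server LAN and the
# server's custom options); they are not a real pfSense config export.
TUNNEL = "192.168.200.0/24"
SERVER_LAN = "192.168.0.0/24"
CUSTOM_OPTIONS = 'push "dhcp-option DNS 192.168.0.1"; push "redirect-gateway def1"'


def parse_custom_options(text):
    """Split a pfSense 'Custom options' string into single OpenVPN directives."""
    return [d.strip() for d in text.split(";") if d.strip()]


def check_full_tunnel(tunnel, server_lan, client_lan, custom_options, outbound_nat):
    """Return the reasons a road-warrior client loses internet access once all
    of its traffic is sent through the tunnel; an empty list means it looks ok.

    outbound_nat is a list of (interface, source network) pairs mirroring the
    rows of Firewall -> NAT -> Outbound in the web GUI (hypothetical model).
    """
    tunnel = ipaddress.ip_network(tunnel)
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    directives = parse_custom_options(custom_options)
    findings = []

    # Without redirect-gateway the client keeps its own default route and
    # only the server LAN is ever sent into the tunnel.
    if not any(d.startswith('push "redirect-gateway') for d in directives):
        findings.append("redirect-gateway is not pushed; client keeps its local default route")

    # The tunnel subnet must be translated to the WAN address, otherwise the
    # upstream router sees 192.168.200.x sources and has no route back to them:
    # the 'first hop 192.168.200.1, then nothing' symptom from the first post.
    wan_sources = [ipaddress.ip_network(src) for iface, src in outbound_nat if iface == "WAN"]
    if not any(tunnel.subnet_of(src) for src in wan_sources):
        findings.append(f"{tunnel} has no outbound NAT rule on WAN")

    # A client LAN equal to (or overlapping) the server LAN makes addresses
    # such as 192.168.0.3 ambiguous on the client, as the last reply notes.
    if client_lan.overlaps(server_lan) or client_lan.overlaps(tunnel):
        findings.append(f"client LAN {client_lan} overlaps a network on the VPN side")

    return findings


if __name__ == "__main__":
    # Hypothetical variant of the setup with the tunnel NAT rule left out.
    for f in check_full_tunnel(TUNNEL, SERVER_LAN, "192.168.4.0/24",
                               CUSTOM_OPTIONS, [("WAN", "192.168.0.0/24")]):
        print("finding:", f)
```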

                  And the other part of my config:

                  [attachments: 4.jpg, 5.jpg, 6.jpg, 7.jpg]

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.