OpenVPN routing
-
Hello everybody!
I have a pfSense box behind an ADSL router on the WAN interface and a network switch on the LAN interface.
Internet (ADSL) 192.168.1.1 <-> 192.168.1.2 WAN (pfSense) / LAN (pfSense) 192.168.0.1 -> Switch => (192.168.0.0/24 local net)
The OpenVPN server runs fine, but when I decide to route all traffic through it, nothing happens.
The road warrior connects OK.
I see all things in the local net (print, shares, etc.).
I can also connect to the pfSense web interface.
But when I want to check mail or browse the Internet there is no traffic.
Road warrior -> Windows 7 with GUI - behind a router; local network 192.168.4.0/24
This is my server configuration:
1194 UDP
Address pool: 192.168.200.0/24
Local network: 192.168.0.0/24
Cryptography: AES128
Authentication method: PKI
DHCP-Opt.: DNS-Domainname -> is set!
LZO Compression: -> Checked.
Custom Opt.: push "dhcp-option DNS 192.168.0.1"; push "redirect-gateway def1" (here I tried DNS with 192.168.200.1 and also 192.168.200.5 but it is the same).
Client config:
client
dev tun
proto udp
remote address 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key keyy.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
pull
verb 3
Firewall rules:
WAN: allow 1194; block ICMP, block IGMP, block private networks
LAN: allow all to all; 192.168.200.0/24 to all;
NAT:
WAN -> source: 192.168.0.0/24
WAN -> source: 192.168.200.0/24
There is DNS, because it resolves names, but when I run:
tracert google.com
in the command prompt
the first hop is 192.168.200.1
and after that there are no hops.
The Windows interface is with DHCP 192.168.200.5, IP 192.168.200.6, DNS 192.168.0.1
I tried many things from this forum and from Google but nothing works. Please suggest a decision.
P.S.: Sorry for my English.
-
You probably need to enable Advanced Outbound NAT (Firewall -> NAT -> Outbound) and create a rule to NAT your OpenVPN subnet to the WAN.
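What that outbound NAT rule amounts to on the pf packet filter underneath pfSense, as an added illustration that is not part of the thread or of anyone's attached config; the interface name em0 is an assumption, the subnets are the original poster's:

```pf
# Added illustration, not from the thread. Assumes the WAN is em0 and the
# subnets from the first post: LAN 192.168.0.0/24, OpenVPN pool 192.168.200.0/24.
wan_if   = "em0"
lan_net  = "192.168.0.0/24"
ovpn_net = "192.168.200.0/24"

# Automatic outbound NAT only translates the LAN subnet. Tunnel clients that
# received push "redirect-gateway def1" send their Internet traffic out the WAN
# with a 192.168.200.x source; the ADSL router has no route back to that
# network, so replies never return. That is the "first hop, then nothing"
# tracert symptom in the first post.
nat on $wan_if from $lan_net to any -> ($wan_if)

# The rule added by "WAN -> source: 192.168.200.0/24" in Advanced Outbound NAT:
# translate the OpenVPN pool to the WAN address as well.
nat on $wan_if from $ovpn_net to any -> ($wan_if)

# Check: after the change, a client tracert should show hops beyond 192.168.200.1.
```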
-
Yes.
This is the rule: WAN -> source: 192.168.200.0/24 (see attached jpg)
This is the OpenVPN network. Am I right?
-
Finally. It works!
I don't know what the problem was. I just made the configuration again.
Thanks!
-
Hi!
I wish we could have known what the problem was, because I am having the exact same issue.
I can connect to my 3rd party VPN provider just fine.
From the pfSense web UI, if I tracert to Google for example, I see it's going through my tunnel.
When I use a computer in my LAN, my desktop for example, nothing!
I've recently switched from Endian Firewall to pfSense, and when I was using Endian, I'd establish the VPN tunnel.
Then try from LAN and nothing worked, UNTIL I entered:
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
After this everything was tunneled through my VPN.
Are the 2 above iptables rules the solution to my problem?
Some background about my pfSense setup:
It is a fresh install. The only changes to the web UI are:
added the CA in the cert manager
added a VPN client.
VPN establishes just fine.
In the firewall rules page, LAN is set to allow all OUT, and allow all IN.
The WAN page has 2 rules already installed; 1 for not allowing private networks, and another for bogon nets.
In the OpenVPN log, it automatically pushes routes and appends them to my routing table. (see screenshot below)
Here are a few screenshots:
First set is from my Endian Firewall which worked. The VPN tunnel has been started.
(note: IPs have been edited.)
Routing table:
http://dl.dropbox.com/u/66962/New%20folder/route-table_working.png
VPN initialization sequence:
http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-working.png
Finally my pfSense box, the VPN tunnel has been started.
Routing table:
http://dl.dropbox.com/u/66962/New%20folder/route-table-not.working.png
VPN initialization sequence:
http://dl.dropbox.com/u/66962/New%20folder/vpn-inital-not.working.png
Help :-\
-
There is no need to write iptables commands. Everything is in the web GUI (except the real WAN address when you use DynDNS and pfSense behind a router - it is a little change in one config file).
I attached my config.
See the firewall rules.
What is your client local network?
And what is your local network (LAN) for pfSense?
If these two networks are equal, as 192.168.0.0/24 for the client and for the pfSense LAN,
I saw that this is a problem: the client doesn't know where to find, for example, 192.168.0.3.
But with the extra options to redirect all traffic through the VPN it is OK.
That's why I changed my local net for the client to 192.168.4.0/24.
Look at the tutorial and do it as it is written in http://forum.pfsense.org/index.php?topic=7840.msg44065
Then look at my config, and also the client config in the first post.
If this does not help, reboot the system. (I found that sometimes the firewall rules don't get applied when I change them.)
The NAT thing is important and also the firewall rules and networks (local, address pool, ...)
When you do this, connect from the client and tracert some web site and see if it is routed through the VPN or not.
I also had a problem with seeing local network services - I see the clients but can't print, browse shares, etc.
I made the firewall rules and everything is OK now, and with the NAT things I have all traffic routed through the VPN.
-
And the other part of my config