OpenVPN config



  • OK I am new to most of this so please take it easy on me.

    I am trying to get my pfSense box set up so I can VPN into my home network and use RDP to control my systems.  The best I can do is ping the gateway of 192.168.0.1.  I can connect to or ping anything else.  Here is my config for the client.

    client
    dev tun
    proto tcp
    remote www.xyz.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert vpn_client3.crt
    key vpn_client3.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3

    XConnection log

    Wed Dec 01 12:47:31 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Dec 01 12:47:31 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Dec 01 12:47:31 2010 OPTIONS IMPORT: route options modified
    Wed Dec 01 12:47:31 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Dec 01 12:47:31 2010 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{7DFC95CE-BA7A-4116-B23F-EF217C6677B5}.tap
    Wed Dec 01 12:47:31 2010 TAP-Win32 Driver Version 8.4
    Wed Dec 01 12:47:31 2010 TAP-Win32 MTU=1500
    Wed Dec 01 12:47:31 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.102/255.255.255.252 on interface {7DFC95CE-BA7A-4116-B23F-EF217C6677B5} [DHCP-serv: 192.168.0.101, lease-time: 31536000]
    Wed Dec 01 12:47:31 2010 Successful ARP Flush on interface [65542] {7DFC95CE-BA7A-4116-B23F-EF217C6677B5}
    Wed Dec 01 12:47:31 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Dec 01 12:47:31 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Dec 01 12:47:32 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Dec 01 12:47:32 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Dec 01 12:47:33 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Dec 01 12:47:33 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Dec 01 12:47:34 2010 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Wed Dec 01 12:47:34 2010 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.101
    Wed Dec 01 12:47:34 2010 Route addition via IPAPI succeeded
    Wed Dec 01 12:47:34 2010 route ADD 192.168.0.97 MASK 255.255.255.255 192.168.0.101
    Wed Dec 01 12:47:34 2010 Route addition via IPAPI succeeded
    Wed Dec 01 12:47:34 2010 Initialization Sequence Completed

    I can't get the correct gateway.

    Anything super obvious to you pros?



  • The most common error is to have duplication of subnets.  The subnet that you wish to have access to through the vpn, the vpn subnet, and the subnet that you are connecting from, should all be different.

    If your home network is 192.168.0.0/24, you may want to change it to a less common one as many places that you will want to vpn from (hotels etc) will also use that as their guest subnet.

    The VPN should be giving out addresses in a completely different, and uncommon, subnet... something in the middle of the 10.x.x.x range is probably best. (This is the Address Pool setting in pfSense's OpenVPN setup.)



  • @Xyzzy:

    The most common error is to have duplication of subnets.  The subnet that you wish to have access to through the vpn, the vpn subnet, and the subnet that you are connecting from, should all be different.

    If your home network is 192.168.0.0/24, you may want to change it to a less common one as many places that you will want to vpn from (hotels etc) will also use that as their guest subnet.

    The VPN should be giving out addresses in a completely different, and uncommon, subnet... something in the middle of the 10.x.x.x range is probably best. (This is the Address Pool setting in pfSense's OpenVPN setup.)

    So if I do a 172 home and a 10 vpn that should get me going?



  • Well, use something like 172.22.5.x/24 for your home network and 172.22.7.x/24 for your VPN.  There's no need to use anything larger than a /24.



  • @Cry:

    Well, use something like 172.22.5.x/24 for your home network and 172.22.7.x/24 for your VPN.  There's no need to use anything larger than a /24.

    I have tried this and still can't browse my network.  I get connected fine but can't go anyplace.



  • Did you remember to push "redirect-gateway def1" or similar to tell the clients to route traffic through the VPN?  If you haven't already you really should read the OpenVPN documentation (as found from the OpenVPN site).  Remember too that if the pfSense host isn't the default gateway on the network you need to enable static routes on the default gateway.



  • @Cry:

    Did you remember to push "redirect-gateway def1" or similar to tell the clients to route traffic through the VPN?  If you haven't already you really should read the OpenVPN documentation (as found from the OpenVPN site).  Remember too that if the pfSense host isn't the default gateway on the network you need to enable static routes on the default gateway.

    Well, I have it working as long as I stay on the wireless network at work.  If I get on the 10. LAN here at the office I can connect but not go anywhere.  I am set to use UDP and think I might try TCP.  Would that make any difference?  We use an ASA here and I think it's the issue.



  • UDP isn't likely to be the problem.  When you connect from this 10. network, what does the client log show?  Are you by any chance also using a 10. network for your VPN or your remote network?
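The subnet-overlap problem raised several times in this thread (the home LAN, the VPN address pool, and the network you connect from must all be distinct) can be checked mechanically from the client log. The script below is an added example, not code from the thread or from pfSense/OpenVPN: it pulls the TAP tunnel address and the pushed routes out of constructed log lines copied from the first post, then reports which of the three networks collide; the "remote LAN" values are assumptions standing in for the office or hotel network the client sits on.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the client log in the first post.
SAMPLE_LOG = """\
Wed Dec 01 12:47:31 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.102/255.255.255.252 on interface {GUID} [DHCP-serv: 192.168.0.101, lease-time: 31536000]
Wed Dec 01 12:47:34 2010 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.101
Wed Dec 01 12:47:34 2010 route ADD 192.168.0.97 MASK 255.255.255.255 192.168.0.101
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
TAP_RE = re.compile(rf"DHCP IP/netmask of {IP}/{IP}")
ROUTE_RE = re.compile(rf"route ADD {IP} MASK {IP} {IP}")


def parse_client_log(text):
    """Return (tunnel network, [pushed route networks]) from OpenVPN client log text."""
    tunnel, routes = None, []
    for line in text.splitlines():
        m = TAP_RE.search(line)
        if m:  # address/mask handed to the TAP adapter (the net30 /30 slice of the pool)
            tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = ROUTE_RE.search(line)
        if m:  # routes the server pushed; the /24 one is the home LAN
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return tunnel, routes


def find_overlaps(named_networks):
    """Pairwise check; returns the (name_a, name_b) pairs whose networks overlap."""
    items = [(n, ipaddress.ip_network(s, strict=False)) for n, s in named_networks.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def check_from_log(log_text, remote_lan):
    """Combine the log-derived tunnel and home LAN with the assumed remote LAN."""
    tunnel, routes = parse_client_log(log_text)
    lans = [r for r in routes if r.prefixlen < 32]  # ignore host routes
    return find_overlaps({"VPN tunnel": str(tunnel),
                          "home LAN": str(lans[0]),
                          "remote LAN": remote_lan})


if __name__ == "__main__":
    # The poster's layout: tunnel 192.168.0.100/30 inside home LAN 192.168.0.0/24.
    print(check_from_log(SAMPLE_LOG, "192.168.0.0/24"))
    # The layout suggested later in the thread, with an assumed 10.0.0.0/24 office LAN.
    print(find_overlaps({"home LAN": "172.22.5.0/24", "VPN": "172.22.7.0/24",
                         "remote LAN": "10.0.0.0/24"}))
```

Any pair the second function returns is a collision that leaves the client unable to tell the far side of the tunnel from its own local network.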

