Netgate Discussion Forum

OpenVPN problem with 2rc1

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
7 Posts, 3 Posters, 2.0k Views
yaun (last edited Apr 5, 2011, 8:22 AM)

Hi everyone,

this is my topology:

LAN: multiple subnets of 172.90.0.0/16 with the OSPF routing protocol
Default gateway: Juniper firewall connected by a point-to-point OSPF link, 172.90.0.0/30 (the Juniper is 172.90.0.1) (the Juniper WAN interface has a public static IP, let's say 8.8.8.7)
pfSense role and position:
LAN interface: connected by subnet 172.90.0.4/30 (172.90.0.5 is pfSense)
WAN: connected with a static public IP (different from the Juniper's, let's say 8.8.8.8)
pfSense static routes:
172.90.0.0/16 gw 172.90.0.6 (for LAN connections)
0.0.0.0/0 gw 8.8.8.1 (that is the remote ISP router)

pfSense should work as an OVPN concentrator.
I managed to create an SSL/TLS+Auth connection from a remote client.
pfSense correctly assigns a /30 subnet to the OVPN connection, taken from the address pool 172.90.254.0/24.
pfSense correctly pushes route 172.90.0.0/16 to the remote client.
Connection is correctly established!!
However, the client can't go anywhere in 172.90.0.0/16.

I've tried the wizard, it configured the firewall rules. The problem is routing or firewalling, I'm sure. The OVPN connection is correct and stable. I simply can't go anywhere. I have double-checked the static routes on pfSense and on router 172.90.0.6. Everything here is fine.

Funny thing is that I've managed to make it all work with pfSense 1.2.3.
On pfSense 2 there is something different I can't understand.
Any suggestion?

eri-- (last edited Apr 5, 2011, 10:09 AM)

You will need more firewall rules on pfSense 2.0 than on 1.2.3.
Double-check those, especially under the OpenVPN tab.

yaun (last edited Apr 5, 2011, 3:49 PM)

It wasn't a problem connected with firewall rules!
Address pool (tunnel network): 172.90.254.0/24
pfSense creates the interface ovpns1.
From ifconfig:

```
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
        inet 172.90.254.1 --> 172.90.254.2 netmask 0xffffffff
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        Opened by PID 22474
```

No one is connected in VPN, so WHY is the interface UP?!?
Why does it use the 172.90.254.0/30 subnet?!?
If I connect with the OVPN client, pfSense assigns me 172.90.254.1, gw 172.90.254.2.... WHY?!?!
It's not right at all! It really seems a BUG.
Why does the interface ovpns1 stay always on?
I've managed to make it work, but I have to configure a client override with tunnel network 172.90.254.4/30.
This way pfSense assigns me 172.90.254.5, gw 172.90.254.6, and IT WORKS.
However, no TUN interfaces are created!
There's always and only:

```
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
        inet 172.90.254.1 --> 172.90.254.2 netmask 0xffffffff
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        Opened by PID 22474
```

jimp (Rebel Alliance, Developer, Netgate) (last edited Apr 6, 2011, 1:37 PM)

Most of that is just how OpenVPN works.

ovpns1 is the tun interface. With PKI mode, the server side only ever shows one interface. The server's interface is always up. OpenVPN uses /30 networks out of your larger pool, one /30 for each client connection. The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.

You don't provide enough detail about your OpenVPN server config to speculate as to why you are seeing the other behaviors, but OpenVPN works correctly when properly configured.

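The /30-per-client allocation jimp describes, written out as a small Python model. This is an added example for the thread, not pfSense or OpenVPN code; it assumes OpenVPN's default "net30" layout, in which the server's own tun endpoint takes the first /30 of the tunnel network (.1 local, .2 remote) and each connected client is handed the next /30 with the client on the higher usable host and its gateway on the lower one. The second function checks a per-client override (pfSense's client-specific "tunnel network", which becomes an ifconfig-push pair) against that layout; the override yaun ended up with (172.90.254.5 / .6) passes, while the .2 / .1 pair he was first given collides with the server's own /30. Function names and the dictionary layout are this example's own choices.

```python
import ipaddress

# Added example for this thread, not pfSense or OpenVPN code. It models OpenVPN's
# default "net30" topology as jimp describes it: the server's tun endpoint takes
# the first /30 of the tunnel network (.1 local, .2 remote) and every connected
# client gets the next free /30, client on the higher usable host, gateway on
# the lower one.

def net30_allocations(tunnel_network, clients):
    """Return the server endpoint pair and the /30 handed to each of the first
    `clients` clients, in connection order."""
    pool = ipaddress.ip_network(tunnel_network, strict=True)
    subnets = list(pool.subnets(new_prefix=30))
    server_local, server_remote = subnets[0].hosts()   # .1 and .2 of the pool
    allocations = []
    for sub in subnets[1:clients + 1]:
        low, high = sub.hosts()                          # the two usable hosts of a /30
        allocations.append({"subnet": str(sub), "client_ip": str(high), "gateway": str(low)})
    return {"server_local": str(server_local),
            "server_remote": str(server_remote),
            "clients": allocations}


def check_ifconfig_push(tunnel_network, client_ip, gateway_ip):
    """Return the problems with a per-client 'ifconfig-push <client> <gateway>'
    override under net30: both addresses must be the two usable hosts of one /30
    inside the pool, and that /30 must not be the one the server interface uses."""
    pool = ipaddress.ip_network(tunnel_network, strict=True)
    client, gateway = ipaddress.ip_address(client_ip), ipaddress.ip_address(gateway_ip)
    problems = [f"{a} is outside the tunnel network {pool}"
                for a in (client, gateway) if a not in pool]
    if problems:
        return problems
    sub_c = ipaddress.ip_network(f"{client}/30", strict=False)
    sub_g = ipaddress.ip_network(f"{gateway}/30", strict=False)
    if sub_c != sub_g:
        problems.append(f"{client} and {gateway} are not in the same /30")
    elif {client, gateway} != set(sub_c.hosts()):
        problems.append(f"{client} and {gateway} are not the two usable hosts of {sub_c}")
    if sub_c == next(pool.subnets(new_prefix=30)):
        problems.append(f"{sub_c} is the server's own /30 (the ovpns interface already "
                        "uses it); a client must get a different /30")
    return problems


if __name__ == "__main__":
    alloc = net30_allocations("172.90.254.0/24", 3)
    print("server endpoint:", alloc["server_local"], "->", alloc["server_remote"])
    for c in alloc["clients"]:
        print(c["subnet"], "client", c["client_ip"], "gateway", c["gateway"])
    # The override that worked in the thread, then the .2 -> .1 pair that did not.
    print(check_ifconfig_push("172.90.254.0/24", "172.90.254.5", "172.90.254.6"))
    print(check_ifconfig_push("172.90.254.0/24", "172.90.254.2", "172.90.254.1"))
```

The check deliberately accepts either ordering of the pair within the /30, since the override in the thread put the client on .5 and the gateway on .6 rather than the other way round; what it refuses is reuse of the server's own /30, which is what produced the non-working .2 -> .1 assignment.
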
yaun (last edited Apr 6, 2011, 2:54 PM)

> The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.

That was the point: I was given .2->.1 and it didn't work.
Unfortunately, I've deleted pfSense, so I can't paste my conf, but it was auto-generated by the wizard: no strange configuration, tun mode, tunnel network 172.90.254.0/24.

Without the client override, the server gave me 172.90.254.2->.1 (the same address as the ovpns1 interface) and it obviously didn't work.
I have had other OpenVPN servers, but I'm not sure that they took the first /30 out of the address pool. I'm quite sure that they created different tun virtual interfaces, one for each connected client (tun0, tun1...).

As far as my client conf is concerned, it is always the same: it didn't work without the client override of the tunnel network.

This is my client configuration:

```
script-security 2
port 1194
remote XXX.XXX.XXX.XXX 1194
dev tun
tun-mtu 1500
proto udp
tls-client
client
nobind
ca xxxx.crt
cert xxxxx.crt
key xxxxxxx.key
dh xxxxxx.pem
auth-nocache
keepalive 10 120
ns-cert-type server
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
```

jimp (Rebel Alliance, Developer, Netgate) (last edited Apr 6, 2011, 3:12 PM; posted Apr 6, 2011, 3:08 PM)

The tun interface bit may be OS specific then, but on FreeBSD a PKI server only has one tun interface, and on 2.0 that is renamed, so it's always ovpns<number>, where the number is the id of the VPN instance.

I just went through the wizard, set up an OpenVPN instance, exported a config, and had a successful client connection with no problems, routing how I like.

My client config is:

```
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 192.168.197.148 1209
auth-user-pass
pkcs12 pfsense-udp-1209.p12
tls-auth pfsense-udp-1209-tls.key 1
comp-lzo
```

And FYI, my /var/etc/openvpn/server1.conf:

```
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.197.148
tls-server
server 10.16.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
lport 1209
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
push "route 192.168.3.0 255.255.255.0"
```

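jimp's working pair of configs is useful as a reference for the things a client and server have to agree on before any routing question even arises: data-channel cipher and HMAC digest, transport protocol and port, tls-auth on both sides with opposite key directions, and compression. The script below is an added example for the thread (not pfSense or OpenVPN code) that reads two configs with a minimal directive parser and lists such mismatches. It embeds an excerpt of jimp's server1.conf and his exported client config, which pass cleanly, and yaun's client config from the earlier post, which was written for a different server, so the mismatches it reports against jimp's server are expected and only illustrate what the check catches. Function names, the default cipher and digest (OpenVPN 2.x's BF-CBC and SHA1) and the list of server-only directives are this example's own assumptions.

```python
# Added example for this thread, not pfSense or OpenVPN code: a consistency
# check between an OpenVPN server config and a client config, using the configs
# pasted in the thread as sample input.

# Excerpt of jimp's /var/etc/openvpn/server1.conf (directives the checks use).
SERVER_CONF = """
dev ovpns1
dev-type tun
proto udp
cipher AES-128-CBC
local 192.168.197.148
tls-server
server 10.16.10.0 255.255.255.0
lport 1209
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
"""

# jimp's exported client config.
CLIENT_OK = """
dev tun
proto udp
cipher AES-128-CBC
tls-client
client
remote 192.168.197.148 1209
auth-user-pass
pkcs12 pfsense-udp-1209.p12
tls-auth pfsense-udp-1209-tls.key 1
comp-lzo
"""

# yaun's client config (for a different server; mismatches are expected).
CLIENT_OTHER = """
port 1194
remote XXX.XXX.XXX.XXX 1194
dev tun
proto udp
tls-client
client
dh xxxxxx.pem
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
"""


def parse_ovpn(text):
    """Return {directive: [args, ...]} for one config; '#' and ';' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts, key, default=None):
    return opts[key][0] if key in opts else default


def check_pair(server_text, client_text):
    """Return the mismatches that would keep this client off this server."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    # Data-channel cipher and HMAC digest must agree (OpenVPN 2.x defaults assumed).
    for key, default in (("cipher", "BF-CBC"), ("auth", "SHA1")):
        sv, cv = _first(s, key, [default])[0], _first(c, key, [default])[0]
        if sv != cv:
            findings.append(f"{key} mismatch: server {sv}, client {cv}")
    # Transport (udp vs tcp) and port: server lport/port vs client 'remote host port'.
    sp, cp = _first(s, "proto", ["udp"])[0], _first(c, "proto", ["udp"])[0]
    if sp.startswith("udp") != cp.startswith("udp"):
        findings.append(f"proto mismatch: server {sp}, client {cp}")
    sport = (_first(s, "lport") or _first(s, "port") or ["1194"])[0]
    remote = _first(c, "remote")
    cport = (remote[1] if remote and len(remote) > 1
             else (_first(c, "rport") or _first(c, "port") or ["1194"])[0])
    if sport != cport:
        findings.append(f"port mismatch: server listens on {sport}, client connects to {cport}")
    # tls-auth: both sides or neither, with opposite key directions (server 0, client 1).
    st, ct = _first(s, "tls-auth"), _first(c, "tls-auth")
    if bool(st) != bool(ct):
        findings.append("tls-auth configured on only one side; the TLS handshake will fail")
    elif st and ct and len(st) > 1 and len(ct) > 1 and st[1] == ct[1]:
        findings.append(f"tls-auth key direction is {st[1]} on both sides; one must be 0, the other 1")
    # Compression must be enabled on both sides or neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo present on one side only")
    # Directives that belong in a server config.
    for key in ("dh", "server", "client-config-dir", "tls-server"):
        if key in c:
            findings.append(f"'{key}' is a server-side directive and does not belong in a client config")
    return findings


if __name__ == "__main__":
    print("jimp client vs jimp server:", check_pair(SERVER_CONF, CLIENT_OK))
    for f in check_pair(SERVER_CONF, CLIENT_OTHER):
        print("yaun client vs jimp server:", f)
```

Run stand-alone it prints an empty list for jimp's pair and five findings for the cross-check. None of those five is the cause of yaun's original problem (his connection came up fine), but they are the class of thing to rule out from the configs themselves before looking at routing or firewall rules, which is where jimp's "not enough detail about your server config" points.
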
yaun (last edited Apr 7, 2011, 6:42 AM)

I tried again from scratch.
Now it works.
I wasn't even able to create firewall rules on OVPN tunnels. Now they match correctly.
I tried to remember what I had done the previous time.
The problem was probably related to a misleading tutorial that suggested assigning a new interface to ovpns1. I tried this conf but it didn't work. I rolled back, but I think that the conf had been hopelessly corrupted.
Thank you, you've been precious!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.