Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Openvpn problem with 2rc1

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    7 Posts 3 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      yaun
      last edited by

      Hi everyone,

      this is my topology:

      LAN: Multiple subnets of 172.90.0.0/16 with OSPF routing protocol
      Default gateway: juniper firewall connected by point-to-point OSPF link: 172.90.0.0/30 (Juniper is 172.90.0.1) (WAN Juniper interface has public static IP, let's say 8.8.8.7)
      PFSense role and position:
      LAN Interface: connected by subnet 172.90.0.4/30 (172.90.0.5 PFSense)
      WAN: connected with static public IP (different from juniper, lets say 8.8.8.8)
      PFSense Static Routes:
      172.90.0.0/16 gw 172.90.0.6 (for LAN connections)
      0.0.0.0/0 gw 8.8.8.1 (that is the remote ISP router)

      PFsense should work has OVPN concentrator.
      I managed to crete SSL/TLS+Auth connection from a remote client.
      PFsense correctly assigns a /30 subnet to ovpn connection taken from address pool 172.90.254.0/24
      PFsense correctly pushes route 172.90.0.0/16 to remote client.
      Connection is correctly established!!
      However, client can't go anywhere in 172.90.0.0/16

      I've tried the wizard, it configured firewall rules. The problem is routing or firewalling, I'm sure. OVPN connection is correct and stable. I simply can't go anywhere. I have double-checked static routes on pfsense and on router 172.90.0.6. Everything here is fine.

      Funny thing is that I've managed to make all work with PFsense 1.2.3
      On PFsense 2 there is something different I can't understand.
      Any suggestion?

      1 Reply Last reply Reply Quote 0
      • E
        eri--
        last edited by

        You should need more firewall rules on pfSense 2.0 than on 1.2.3.
        Double check those especially under OpenVPN tab.

        1 Reply Last reply Reply Quote 0
        • Y
          yaun
          last edited by

          It wasn't a problem connected with firewall rules!
          address pool (tunnel network): 172.90.254.0/24
          PFSense creates the interface ovpns1
          from ifconfig:
          ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
                  options=80000 <linkstate>inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
                  inet 172.90.254.1 –> 172.90.254.2 netmask 0xffffffff
                  nd6 options=3 <performnud,accept_rtadv>Opened by PID 22474

          No one is connected in VPN, so WHY is the interface UP?!?
          Why it uses 172.90.254.0/30 subnet?!?
          If I connect with OVPN client, PFSense assigns to me 172.90.254.1, gw 172.90.254.2.... WHY?!?!
          It's not right at all! It seems really a BUG.
          Why does the interface ovpns1 stay always on?
          I've managed to make it work, but I have to configure a client override with tunnel network 172.90.254.4/30.
          This way PFSense assigns to me 172.90.254.5, gw 172.90.254.6, and IT WORKS.
          However, no TUN interfaces area created!
          There's alway and only:
          ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
                  options=80000 <linkstate>inet6 fe80::21d:9ff:fefb:54f0%ovpns1 prefixlen 64 scopeid 0x7
                  inet 172.90.254.1 --> 172.90.254.2 netmask 0xffffffff
                  nd6 options=3 <performnud,accept_rtadv>Opened by PID 22474</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Most of that is just how OpenVPN works.

            ovpns1 is the tun interface. With PKI mode, the server side only ever shows one interface. The server's interface is always up. OpenVPN uses /30 networks out of your larger pool, one /30 for each client connection. The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.

            You don't provide enough detail about your OpenVPN server config to speculate as to why you are seeing the other behaviors, but OpenVPN works correctly when properly configured.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • Y
              yaun
              last edited by

              The first client usually gets .6->.5 though, but that could be a client misconfiguration as well.

              That was the point: I was given .2->.1 and it didn't work.
              Unfortunately, I've deleted pfsense, so I can't paste my conf, but it was auto-generated by the wizard: no strange configuration, tun mode, tunnel network 172.90.254.0/24.

              Without client override, server gave me 172.90.254.2->.1 (same address as ovpns1 interface) and it didn't obviously work.
              I had other openvpn server, but I'm not sure that they took the first /30 out of the address pool. I'm quite sure that they created different tun virtual interfaces, one for each connected client (tun0, tun1…)

              As far as my client conf is concerned, it is always the same: it didn't work without client override of the tunnel network.

              This is my client configuration:
              script-security 2
              port 1194
              remote XXX.XXX.XXX.XXX 1194
              dev tun
              tun-mtu 1500
              proto udp
              tls-client
              client
              nobind
              ca xxxx.crt
              cert xxxxx.crt
              key xxxxxxx.key
              dh xxxxxx.pem
              auth-nocache
              keepalive 10 120
              ns-cert-type server
              verb 3
              cipher AES-256-CBC
              auth SHA1
              pull
              auth-user-pass

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                The tun interface bit may be OS specific then but on FreeBSD, a PKI server only has one tun interface, and on 2.0 that is renamed, so it's always ovpns <number>where the number is the id of the vpn instance.

                I just went through the wizard, setup an OpenVPN instance, exported a config, and had a successful client connection with no problems, routing how I like.

                My client config is:

                dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 192.168.197.148 1209
auth-user-pass
pkcs12 pfsense-udp-1209.p12
tls-auth pfsense-udp-1209-tls.key 1
comp-lzo

                And FYI, my /var/etc/openvpn/server1.conf

                dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.197.148
tls-server
server 10.16.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
lport 1209
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
push "route 192.168.3.0 255.255.255.0"

```</number>

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • Y
                  yaun
                  last edited by

                  I tried again from scratch.
                  Now it works.
                  I wasn't even able to do firewall rules on ovpn tunnels. Now they match correctly.
                  I tried to remember what I've done the previous time.
                  The problem was probably related to a misleading tutorial that suggested to assign a new interface to ovpns1. I tried this conf but it didn't work. I rolled back, but I think that the conf has been hopeless corrupted.
                  Thank you, you've been precious!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.