OpenVPN + pfSense 2.0 RC3 + Cliente Debian



  • Hello.

    I configured OpenVPN on pfSense 2.0 RC3.

    Certificate and key generation apparently went fine.

    From an OpenVPN client on Debian I can indeed connect, but I have no communication with the LAN; I cannot ping.

    I have already allowed UDP traffic on port 1194.

    I repeat: I can connect, but I have no communication with the LAN.

    Below is the log from the Debian client:

    openvpn --config calcar.conf 
    Thu Jun 30 12:00:10 2011 OpenVPN 2.2.0 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 16 2011
    Thu Jun 30 12:00:10 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Thu Jun 30 12:00:10 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jun 30 12:00:10 2011 LZO compression initialized
    Thu Jun 30 12:00:10 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu Jun 30 12:00:10 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Thu Jun 30 12:00:10 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Jun 30 12:00:10 2011 Local Options hash (VER=V4): '41690919'
    Thu Jun 30 12:00:10 2011 Expected Remote Options hash (VER=V4): '530fdded'
    Thu Jun 30 12:00:10 2011 UDPv4 link local: [undef]
    Thu Jun 30 12:00:10 2011 UDPv4 link remote: [AF_INET]190.xx.xx.24:1194
    Thu Jun 30 12:00:10 2011 TLS: Initial packet from [AF_INET]190.xx.xx.24:1194, sid=1e5a7cb0 183e966f
    Thu Jun 30 12:00:11 2011 VERIFY OK: depth=1, /C=CO/ST=ANTIOQUIA/L=MEDELLIN/O=CALCAR/CN=CALCAR_CA/emailAddress=pfsense@local
    Thu Jun 30 12:00:11 2011 VERIFY OK: depth=0, /C=CO/ST=ANTIOQUIA/L=MEDELLIN/O=CALCAR/CN=server/emailAddress=pfsense@local
    Thu Jun 30 12:00:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jun 30 12:00:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 30 12:00:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jun 30 12:00:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 30 12:00:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Jun 30 12:00:11 2011 [server] Peer Connection Initiated with [AF_INET]190.xx.xx.24:1194
    Thu Jun 30 12:00:13 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Jun 30 12:00:13 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.16.0 255.255.255.0,route 10.0.8.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'
    Thu Jun 30 12:00:13 2011 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Jun 30 12:00:13 2011 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Jun 30 12:00:13 2011 OPTIONS IMPORT: route options modified
    Thu Jun 30 12:00:13 2011 ROUTE default_gateway=192.168.1.1
    Thu Jun 30 12:00:13 2011 TUN/TAP device tun0 opened
    Thu Jun 30 12:00:13 2011 TUN/TAP TX queue length set to 100
    Thu Jun 30 12:00:13 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Jun 30 12:00:13 2011 /sbin/ifconfig tun0 10.0.8.6 pointopoint 10.0.8.5 mtu 1500
    Thu Jun 30 12:00:13 2011 /sbin/route add -net 192.168.16.0 netmask 255.255.255.0 gw 10.0.8.5
    Thu Jun 30 12:00:13 2011 /sbin/route add -net 10.0.8.1 netmask 255.255.255.255 gw 10.0.8.5
    Thu Jun 30 12:00:13 2011 Initialization Sequence Completed
    

    Ping to pfSense:

    ping 192.168.16.2
    PING 192.168.16.2 (192.168.16.2) 56(84) bytes of data.
    ^C
    --- 192.168.16.2 ping statistics ---
    25 packets transmitted, 0 received, 100% packet loss, time 24190ms
    

    Debian client routing table:

    sudo route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
    10.0.8.1        10.0.8.5        255.255.255.255 UGH   0      0        0 tun0
    10.0.8.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
    192.168.16.0    10.0.8.5        255.255.255.0   UG    0      0        0 tun0
    

    Thanks for your help,

    S.
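The post quotes the two things worth reading side by side in a "connected but no LAN access" case: the PUSH_REPLY the server sent and the client's kernel routing table. The script below is an added example, not code from the thread or from pfSense/OpenVPN. It parses constructed copies of the quoted log lines and `route -n` output, performs a longest-prefix lookup for the ping target the way the kernel does, and decides whether the client side can explain the symptom or whether the next place to look is the far end (on pfSense, the pass rules on the OpenVPN interface tab and the LAN's return path to the tunnel subnet). It also flags the security-relevant lines in that same log: the missing server-certificate check (the `--remote-cert-tls server` option closes it), the BF-CBC data-channel cipher and the 1024-bit RSA key. The `triage` function and its thresholds are this example's own design, not an OpenVPN feature.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the client log quoted in the thread.
CLIENT_LOG = """\
Thu Jun 30 12:00:10 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 30 12:00:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 30 12:00:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 30 12:00:13 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.16.0 255.255.255.0,route 10.0.8.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'
Thu Jun 30 12:00:13 2011 Initialization Sequence Completed
"""

# Constructed sample input: the `route -n` output quoted in the thread.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.0.8.1        10.0.8.5        255.255.255.255 UGH   0      0        0 tun0
10.0.8.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
192.168.16.0    10.0.8.5        255.255.255.0   UG    0      0        0 tun0
"""


def find_warnings(log):
    """Flag log lines that point at weak client or server settings."""
    findings = []
    for line in log.splitlines():
        if "No server certificate verification method" in line:
            findings.append("server cert not checked for server usage (MITM risk): add 'remote-cert-tls server'")
        if "Cipher 'BF-CBC'" in line:
            findings.append("data channel uses BF-CBC, a 64-bit block cipher")
        m = re.search(r"(\d+) bit RSA", line)
        if m and int(m.group(1)) < 2048:  # threshold chosen for this example
            findings.append(f"control channel uses a {m.group(1)}-bit RSA key")
    return findings


def parse_push_reply(log):
    """Networks the server pushed with 'route ...'; a bare address is a /32 host route."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    if m is None:
        return []
    nets = []
    for opt in m.group(1).split(","):
        parts = opt.split()
        if parts and parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def parse_route_table(text):
    """Parse `route -n` output into a list of route dicts, skipping header lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, _metric, _ref, _use, iface = cols
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup_route(routes, target):
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


def triage(log, route_text, target, tunnel_iface="tun0"):
    """Decide whether the client side explains 'connected but no LAN access'."""
    addr = ipaddress.ip_address(target)
    pushed = parse_push_reply(log)
    route = lookup_route(parse_route_table(route_text), target)
    pushed_covers_target = any(addr in net for net in pushed)
    via_tunnel = route is not None and route["iface"] == tunnel_iface
    if not pushed_covers_target:
        verdict = "server pushed no route for the target; check the server's local network / push settings"
    elif not via_tunnel:
        verdict = "pushed route is not installed on the client; check route installation"
    else:
        verdict = ("client routing is fine; look at the other side: firewall rules on the VPN "
                   "interface and the return path from the LAN to the tunnel subnet")
    return {
        "pushed_networks": [str(n) for n in pushed],
        "route_iface": route["iface"] if route else None,
        "client_side_ok": pushed_covers_target and via_tunnel,
        "warnings": find_warnings(log),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(CLIENT_LOG, ROUTE_TABLE, "192.168.16.2").items():
        print(f"{key}: {value}")
```

Run against the thread's own data, the lookup for 192.168.16.2 lands on the `192.168.16.0/24 via 10.0.8.5 dev tun0` entry, so the client is doing what the PUSH_REPLY asked and the verdict points at the server side. Replace the two constants with real `openvpn` output and `route -n` (or `ip route`, after adjusting the parser) to reuse the check elsewhere.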

