Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Problem configuring OpenVPN connection as a Gateway

    Scheduled Pinned Locked Moved OpenVPN
    14 Posts 4 Posters 17.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      andylai
      last edited by

      I successfully setup an OpenVPN client on pFsense 2.0 RC1. It connect to an OpenVPN server on my VPS.
      Here's the detail,

      Interface
      LAN (pFsense) = 192.168.1.1
      WAN1 = 192.168.3.1 (Default Gateway)
      WAN2        = 192.168.2.1 (not using)
      VPN        = 10.8.0.50 (auto assign by OpenVPN Server)

      OpenVPN Client was connecting thru WAN1 (192.168.3.1) to establish VPN connection.
      OpenVPN Server at 10.8.0.1 (10.8.0.0/24), configure with forwaring all client traffic to VPN (push "redirect-gateway def1 bypass-dhcp")

      The problem was I can't PASS any traffic to VPN using the Firewall. Like example I PASS all traffic from a LAN PC to Interface VPN under "Gateway". That PC will not able to access Internet at all. I am sure the OpenVPN connnection was working as pFsense box can PING 10.8.0.1 (OpenVPN server address) and I can use the VPN Interface to PING www.google.com or any other webpage. And traceroute also works and show that it's going thru VPN server. I can even use it to download packages within pFsense box as WAN1 was automatic route to OpenVPN server Gateway (184.82.106.57). But all PC from LAN will not be able to access Internet.

      While the OpenVPN connection was establish I can still use WAN1 (192.168.3.1) for LAN PC to access Internet by PASSing all traffic to WAN1GW. If I use default (*) all PC will not be able to access Internet as I think that's because OpenVPN route it Server Gateway to 192.168.3.1 (WAN1).

      OpenVPN log,
      Jul 31 00:19:10 openvpn[54195]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Jul 31 00:19:11 openvpn[54195]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
      Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: timers and/or timeouts modified
      Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: –ifconfig/up options modified
      Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: route options modified
      Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
      Jul 31 00:19:11 openvpn[54195]: ROUTE default_gateway=192.168.3.1
      Jul 31 00:19:11 openvpn[54195]: TUN/TAP device /dev/tun1 opened
      Jul 31 00:19:11 openvpn[54195]: do_ifconfig, tt->ipv6=0
      Jul 31 00:19:11 openvpn[54195]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
      Jul 31 00:19:11 openvpn[54195]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
      Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
      Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
      Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
      Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
      Jul 31 00:19:11 openvpn[54195]: GID set to nogroup
      Jul 31 00:19:11 openvpn[54195]: UID set to nobody
      Jul 31 00:19:11 openvpn[54195]: Initialization Sequence Completed

      Route Table,
      Destination Gateway Flags Refs Use Mtu Netif Expire
      0.0.0.0/1 10.8.0.49 UGS 0 344 1500 ovpnc1 =>
      default 192.168.3.1 UGS 0 6093245 1500 re0
      8.8.4.4 192.168.2.1 UGHS 0 93 1500 re1
      8.8.8.8 192.168.2.1 UGHS 0 93 1500 re1
      10.8.0.0/24 10.8.0.49 UGS 0 3 1500 ovpnc1
      10.8.0.49 link#8 UH 0 0 1500 ovpnc1
      10.8.0.50 link#8 UHS 0 4598 16384 lo0
      127.0.0.1 link#4 UH 0 6688 16384 lo0
      128.0.0.0/1 10.8.0.49 UGS 0 878 1500 ovpnc1
      184.82.106.57/32 192.168.3.1 UGS 0 5483 1500 re0
      192.168.1.0/24 link#1 U 0 62509544 1500 em0
      192.168.1.1 link#1 UHS 0 0 16384 lo0
      192.168.2.0/24 link#3 U 0 31514 1500 re1
      192.168.2.2 link#3 UHS 0 0 16384 lo0
      192.168.3.0/24 link#2 U 0 1201442 1500 re0
      192.168.3.2 link#2 UHS 0 0 16384 lo0
      208.67.220.220 192.168.3.1 UGHS 0 93 1500 re0
      208.67.222.222 192.168.3.1 UGHS 0 95 1500 re0

      I sure there was someting that I have missing here, as come to think of it as OpenVPN assign an IP (10.8.0.50) to it client but 10.8.0.50 wasn't a Gateway it's just an IP assign to the VPN interface. pFsense box can use the OpenVPN traffic because it's connected to it like an odinary PC so the route works perfectly fine for it.

      Anyone had come across setting up OpenVPN connection please give me some tips.

      Thank in advance.

      1 Reply Last reply Reply Quote 0
      • M
        Metu69salemi
        last edited by

        First of all update to rc3

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          Looks like your routes are fine. Not enough info there to tell you where or why that's failing. Does DNS work? Try traceroute to an IP to see where it goes and how far it gets.

          1 Reply Last reply Reply Quote 0
          • M
            myandylai
            last edited by

            I re-install a new pfSense 2.0 RC3 again to test.

            Start pfSense 2.0 RC3 Installation

            Interfaces
            WAN = re0
            LAN = em0
            OPT1 = re1

            1. Configure Interface
            LAN
            Statis
            IP = 192.168.1.1/24
            Gateway = none
            Block private nerworks = no
            Block bogon networks = no

            WAN1 (changed from original name WAN to WAN1)
            Statis
            IP = 192.168.3.2
            Gateway = none
            Block private nerworks = yes
            Block bogon networks = yes

            OPT1
            Disabled

            2. Add Gateway
            Interface WAN1
            Name = WAN1GW
            Gateway = 192.168.3.1
            Default Gateway = yes

            3. Change Gateway of Interface WAN1 from none to WAN1GW

            4. General Setup
            Hostname = pfsense
            Domain = mydomain
            DNS servers = 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220

            Notes, At this point LAN PC already can access Internet using pfSense (192.168.1.1)

            Current Route Tables,
            Destination Gateway Flags Refs Use Mtu Netif Expire
            default 192.168.3.1 UGS 0 2668 1500 re0
            127.0.0.1 link#4 UH 0 131 16384 lo0
            192.168.1.0/24 link#1 U 0 5560 1500 em0
            192.168.1.1 link#1 UHS 0 0 16384 lo0
            192.168.3.0/24 link#2 U 0 1072 1500 re0
            192.168.3.2 link#2 UHS 0 0 16384 lo0

            5. Firewall Rules,
            No changes. Keep original setting as all traffic on LAN pass thru Default Gateway

            6. Add certs
            CAs
            Description name = OpenVPN CA1
            Method = Import an existing Certificate Authority
            Certificate date = yes (paste from ca.crt)
            Certificate PrivateKey = **empty
            Serial = **empty

            Certificates
            Method = Import from existing Certificate
            Description = OpenVPN Client 1
            Certificate data = yes (paste from client1.crt)
            Private key data = yes (paste from client1.key)

            7. Configure OpenVPN (client)
            General information
            Disable this client = no
            Server mode = Peer to Peer (SSL/TLS)
            Protocol = UDP
            Device mode = tun
            Interface = WAN1
            Local port = **empty
            Server host or address = nostatus.dyndns.org
            Server port = 1194
            Proxy host or address = **empty
            Proxy port = **empty
            Proxy Authentication method = none
            Infinitely resolve server = yes
            Description = OpenVPN Client1

            Cryptographic Settings
            TLS Authentication
            Enable authentication of TLS packets = yes
            Automatically generate a shared TLS authentication key = no
            Paste a ta.key into the blank
            Peer Certificate Authority = OpenVPN CA1
            Client Certificate = OpenVPN Client 1 (CA: OpenVPN CA1)
            Encryption algorithm = BF-CBC (128-bit)
            Hardware Crypto = no

            Tunnel Settings
            Tunnel network = **empty
            Remote network = **empty
            Limit outgoing bandwidth = **empty
            Compresssion = yes
            Type-of-Service = no

            Advanced
            user nobody;group nogroup;persist-key;persist-tun;mute-replay-warnings;ns-cert-type server;verb 3;

            The setting works,
            Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
            Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: CMD 'state 1'
            Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client disconnected
            Jul 31 16:48:22 openvpn[51553]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
            Jul 31 16:48:22 openvpn[51553]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
            Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: timers and/or timeouts modified
            Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: –ifconfig/up options modified
            Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: route options modified
            Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
            Jul 31 16:48:22 openvpn[51553]: ROUTE default_gateway=192.168.3.1
            Jul 31 16:48:22 openvpn[51553]: TUN/TAP device /dev/tun1 opened
            Jul 31 16:48:22 openvpn[51553]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            Jul 31 16:48:22 openvpn[51553]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
            Jul 31 16:48:22 openvpn[51553]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
            Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
            Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
            Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
            Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
            Jul 31 16:48:22 openvpn[51553]: GID set to nogroup
            Jul 31 16:48:22 openvpn[51553]: UID set to nobody
            Jul 31 16:48:22 openvpn[51553]: Initialization Sequence Completed

            8. Assign new OpenVPN interface
            OPT2 = ovpnc1 (OpenVPN Client 1)

            9. Configure new OPT2 interface
            Enable = yes
            Description = VPN1 (change from OPT2 to VPN1)
            Type = none
            Block private networks = no
            Block bogon networks = no

            Gateway VPN1 was automatically added to Gateways but was empty. So I stop OpenVPN service and start it back then the Gateway became

            Name = VPN1
            Interface = VPN1
            Gateway = 10.8.0.49
            Monitor IP 10.8.0.49
            Descriptions = Interface VPN1 Dynamic Gateway

            After all this now all LAN PC was not able to access Internet at all. Firewall rules must direct all traffic to WAN1GW for LAN PC to able to access the Internet. Directing traffic to VPN1 was not going to have connection. But pfSense box itself can use the VPN1 connection properly as I can use it to traceroute www.google.com,

            1  10.8.0.1 (10.8.0.1)  286.634 ms  285.648 ms  285.744 ms
            2  vserver254.hostnoc.net (64.191.104.2)  285.557 ms  285.966 ms  285.266 ms
            3  ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62)  286.791 ms  287.188 ms  287.195 ms
            4  xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37)  286.268 ms  286.295 ms  285.985 ms
            5  core1-0-2-0.lga.net.google.com (198.32.160.130)  292.331 ms  291.641 ms  292.409 ms
            6  72.14.238.232 (72.14.238.232)  292.123 ms
               209.85.255.68 (209.85.255.68)  292.051 ms  292.015 ms
            7  209.85.251.88 (209.85.251.88)  292.087 ms
               209.85.252.2 (209.85.252.2)  292.176 ms
               209.85.251.35 (209.85.251.35)  292.958 ms
            8  216.239.46.217 (216.239.46.217)  338.438 ms
               216.239.46.215 (216.239.46.215)  325.366 ms  326.351 ms
            9  72.14.239.90 (72.14.239.90)  434.872 ms
               209.85.242.215 (209.85.242.215)  392.571 ms  346.066 ms
            10  209.85.254.46 (209.85.254.46)  351.195 ms
               209.85.254.226 (209.85.254.226)  352.363 ms
               209.85.254.46 (209.85.254.46)  351.047 ms
            11  209.85.254.239 (209.85.254.239)  351.459 ms
               209.85.254.233 (209.85.254.233)  352.136 ms
               209.85.254.235 (209.85.254.235)  351.238 ms
            12  64.233.175.14 (64.233.175.14)  354.199 ms
               216.239.46.78 (216.239.46.78)  364.060 ms
               216.239.47.34 (216.239.47.34)  358.298 ms
            13  qw-in-f99.1e100.net (74.125.93.99)  352.759 ms  351.899 ms  351.907 ms

            But if I traceroute from a LAN PC it's not going to pass traffic to any where after pfSense box,

            traceroute to www.google.com (74.125.93.147), 30 hops max, 60 byte packets
            1  pfsense.mydomain (192.168.1.1)  0.424 ms  0.606 ms  0.593 ms
            2  * * *
            3  * * *
            4  * * *
            5  * * *
            6  * * *
            7  * * *
            8  * * *
            9  * * *
            10  * * *
            11  * * *
            12  * * *
            13  * * *
            14  * * *
            15  * * *
            16  * * *
            17  * * *^C

            It seem that the defautl gateway assign by the OpenVPN server (10.8.0.49) wasn't listening to any packet outside of the pfSense box. Here's a few screen shot I captured

            Route Tables after establish OpenVPN connection,

            Interface status from dashboard

            Gateway

            Gateway Status

            VPN1 interface (ovpnc1)
            Status up
            MAC address 00:00:00:00:00:00
            IP address 10.8.0.50  
            Subnet mask 255.255.255.255
            Gateway 10.8.0.49
            In/out packets 1566/1566 (212 KB/630 KB)
            In/out packets (pass) 1566/9380 (212 KB/630 KB)
            In/out packets (block) 0/0 (0 bytes/0 bytes)
            In/out errors 0/0
            Collisions 0

            It seem that even pfSense box cannot acess / ping the virtual gateway (10.8.0.49) assign by the OpenVPN server but able to use the connection for itself. This condition is same if I use my Ubuntu to establish a connection to OpenVPN server the auto assigned virtual gateway was basically un-accessible but the connection would still run as traffic automatically send to OpenVPN server IP (10.8.0.1).

            andylai@ubuntudesktop:~$ traceroute www.google.com
            traceroute to www.google.com (74.125.93.105), 30 hops max, 60 byte packets
            1  10.8.0.1 (10.8.0.1)  288.375 ms  292.266 ms  295.581 ms
            2  vserver254.hostnoc.net (64.191.104.2)  298.698 ms  301.438 ms  304.860 ms
            3  ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62)  311.722 ms  312.667 ms  315.837 ms
            4  xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37)  318.344 ms  322.214 ms  325.170 ms
            5  core1-0-2-0.lga.net.google.com (198.32.160.130)  333.771 ms  337.687 ms  340.635 ms
            6  72.14.238.232 (72.14.238.232)  344.324 ms 209.85.255.68 (209.85.255.68)  293.080 ms^C

            1 Reply Last reply Reply Quote 0
            • M
              Metu69salemi
              last edited by

              is this pfsense behind another nat?
              Your default gateway has address 192.168.3.1

              Can you have your internet connectivity back by disapling that opt2 interface?

              1 Reply Last reply Reply Quote 0
              • M
                myandylai
                last edited by

                Yes. My default gateway 192.168.3.1 was a router (NAT enable) and if I disable OPT2 (VPN) or just disable OpenVPN connection I will have internet connection back on all LAN PC.

                1 Reply Last reply Reply Quote 0
                • M
                  Metu69salemi
                  last edited by

                  I'm having working openvpn connections without interface. Do you need to assign rules for vpn usage?
                  But ofcourse it's not the meaning that it can't work with interface

                  1 Reply Last reply Reply Quote 0
                  • A
                    andylai
                    last edited by

                    I am planning to let certain LAN PC to access through VPN and other going directly to normal WAN gateway or maybe only certain ports forwarded through VPN while other to normal WAN gateway.

                    Anyway can share on how to use OpenVPN connection without interface? I have success making an OpenVPN connection working but bumped on a wall on how to use it. pfSense box itself can use the VPN connection but can't share the connection to connected LAN PC.

                    Thanks in advance.

                    1 Reply Last reply Reply Quote 0
                    • M
                      Metu69salemi
                      last edited by

                      Yes it's easy to share that knowledge

                      • create openvpn server

                      • create users for it

                      • export user settings with installing package

                      • install package to client computers

                      • hard usage

                      Are you trying to have routing with vyprvpn or something similar? If that is the case, please use search here is someone else also who've done it with success

                      1 Reply Last reply Reply Quote 0
                      • M
                        myandylai
                        last edited by

                        I am actually doing the other way around. pfSense box was an OpenVPN client connecting to a server outside the WAN. Then I would use the OpenVPN connection as an interface and direct traffic from LAN to it (established OpenVPN connection).

                        1 Reply Last reply Reply Quote 0
                        • M
                          Metu69salemi
                          last edited by

                          Ok, that's something what i've not accomplished yet. had no devices enough to test that –> someone else has to answer

                          1 Reply Last reply Reply Quote 0
                          • M
                            myandylai
                            last edited by

                            Thanks Metu69salemi. At the mean while I am going to keep on testing. Next I would disable server push route (push "redirect-gateway def1 bypass-dhcp") on my VPN server and manually route traffic to the VPN connection and hoping to get positive result.

                            1 Reply Last reply Reply Quote 0
                            • A
                              andylai
                              last edited by

                              I still can't send traffic from LAN to VPN (client) connection establish in pfSense even disabling OpenVPN server push route. But pfSense box itself can utilize the connection (VPN) properly. Anyway is there any difference between the 2 ifconfig below as I found pfSense was difference from my Ubuntu box.

                              in Ubuntu
                              Tue Aug  9 00:40:27 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500

                              In pfSense
                              Aug 9 00:43:06 openvpn[59781]: /sbin/ifconfig ovpnc1 10.8.0.30 10.8.0.29 mtu 1500 netmask 255.255.255.255 up

                              Thanks in advance.

                              1 Reply Last reply Reply Quote 0
                              • M
                                myandylai
                                last edited by

                                I got the OpenVPN running as an Interface (WAN). All the trouble was on the OpenVPN server site. Although I wasn't setting up site-to-site OpenVPN network but I was still required to route pfSense box LAN subnet to the OpenVPN server. Thanks to http://forum.pfsense.org/index.php/topic,12888.0.html.

                                Solution,

                                OpenVPN Server configuration /etc/openvpn/server.conf
                                1. Enable "client-config-dir ccd"
                                2. Add "route 192.168.1.0 255.255.255.0" (my pfSense box IP was 192.168.1.1 and all other LAN PC IP was behind)
                                3. Add "iroute 192.168.1.0 255.255.255.0" to /etc/openvpn/ccd/client8 (client8 was the Common Name of my client certificate)
                                4. Restart OpenVPN.
                                5. WAOLA…..Enjoy.

                                Take me a week to just a simple task. Hope this may help other people that are going to configure the samething. And thank for everyone that helping me out.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.