Problem configuring OpenVPN connection as a Gateway



  • I successfully setup an OpenVPN client on pFsense 2.0 RC1. It connect to an OpenVPN server on my VPS.
    Here's the detail,

    Interface
    LAN (pFsense) = 192.168.1.1
    WAN1 = 192.168.3.1 (Default Gateway)
    WAN2        = 192.168.2.1 (not using)
    VPN        = 10.8.0.50 (auto assign by OpenVPN Server)

    OpenVPN Client was connecting thru WAN1 (192.168.3.1) to establish VPN connection.
    OpenVPN Server at 10.8.0.1 (10.8.0.0/24), configure with forwaring all client traffic to VPN (push "redirect-gateway def1 bypass-dhcp")

    The problem was I can't PASS any traffic to VPN using the Firewall. Like example I PASS all traffic from a LAN PC to Interface VPN under "Gateway". That PC will not able to access Internet at all. I am sure the OpenVPN connnection was working as pFsense box can PING 10.8.0.1 (OpenVPN server address) and I can use the VPN Interface to PING www.google.com or any other webpage. And traceroute also works and show that it's going thru VPN server. I can even use it to download packages within pFsense box as WAN1 was automatic route to OpenVPN server Gateway (184.82.106.57). But all PC from LAN will not be able to access Internet.

    While the OpenVPN connection was establish I can still use WAN1 (192.168.3.1) for LAN PC to access Internet by PASSing all traffic to WAN1GW. If I use default (*) all PC will not be able to access Internet as I think that's because OpenVPN route it Server Gateway to 192.168.3.1 (WAN1).

    OpenVPN log,
    Jul 31 00:19:10 openvpn[54195]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 31 00:19:11 openvpn[54195]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
    Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: –ifconfig/up options modified
    Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: route options modified
    Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
    Jul 31 00:19:11 openvpn[54195]: ROUTE default_gateway=192.168.3.1
    Jul 31 00:19:11 openvpn[54195]: TUN/TAP device /dev/tun1 opened
    Jul 31 00:19:11 openvpn[54195]: do_ifconfig, tt->ipv6=0
    Jul 31 00:19:11 openvpn[54195]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
    Jul 31 00:19:11 openvpn[54195]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
    Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
    Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
    Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
    Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
    Jul 31 00:19:11 openvpn[54195]: GID set to nogroup
    Jul 31 00:19:11 openvpn[54195]: UID set to nobody
    Jul 31 00:19:11 openvpn[54195]: Initialization Sequence Completed

    Route Table,
    Destination Gateway Flags Refs Use Mtu Netif Expire
    0.0.0.0/1 10.8.0.49 UGS 0 344 1500 ovpnc1 =>
    default 192.168.3.1 UGS 0 6093245 1500 re0
    8.8.4.4 192.168.2.1 UGHS 0 93 1500 re1
    8.8.8.8 192.168.2.1 UGHS 0 93 1500 re1
    10.8.0.0/24 10.8.0.49 UGS 0 3 1500 ovpnc1
    10.8.0.49 link#8 UH 0 0 1500 ovpnc1
    10.8.0.50 link#8 UHS 0 4598 16384 lo0
    127.0.0.1 link#4 UH 0 6688 16384 lo0
    128.0.0.0/1 10.8.0.49 UGS 0 878 1500 ovpnc1
    184.82.106.57/32 192.168.3.1 UGS 0 5483 1500 re0
    192.168.1.0/24 link#1 U 0 62509544 1500 em0
    192.168.1.1 link#1 UHS 0 0 16384 lo0
    192.168.2.0/24 link#3 U 0 31514 1500 re1
    192.168.2.2 link#3 UHS 0 0 16384 lo0
    192.168.3.0/24 link#2 U 0 1201442 1500 re0
    192.168.3.2 link#2 UHS 0 0 16384 lo0
    208.67.220.220 192.168.3.1 UGHS 0 93 1500 re0
    208.67.222.222 192.168.3.1 UGHS 0 95 1500 re0

    I sure there was someting that I have missing here, as come to think of it as OpenVPN assign an IP (10.8.0.50) to it client but 10.8.0.50 wasn't a Gateway it's just an IP assign to the VPN interface. pFsense box can use the OpenVPN traffic because it's connected to it like an odinary PC so the route works perfectly fine for it.

    Anyone had come across setting up OpenVPN connection please give me some tips.

    Thank in advance.



  • First of all update to rc3



  • Looks like your routes are fine. Not enough info there to tell you where or why that's failing. Does DNS work? Try traceroute to an IP to see where it goes and how far it gets.



  • I re-install a new pfSense 2.0 RC3 again to test.

    Start pfSense 2.0 RC3 Installation

    Interfaces
    WAN = re0
    LAN = em0
    OPT1 = re1

    1. Configure Interface
    LAN
    Statis
    IP = 192.168.1.1/24
    Gateway = none
    Block private nerworks = no
    Block bogon networks = no

    WAN1 (changed from original name WAN to WAN1)
    Statis
    IP = 192.168.3.2
    Gateway = none
    Block private nerworks = yes
    Block bogon networks = yes

    OPT1
    Disabled

    2. Add Gateway
    Interface WAN1
    Name = WAN1GW
    Gateway = 192.168.3.1
    Default Gateway = yes

    3. Change Gateway of Interface WAN1 from none to WAN1GW

    4. General Setup
    Hostname = pfsense
    Domain = mydomain
    DNS servers = 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220

    Notes, At this point LAN PC already can access Internet using pfSense (192.168.1.1)

    Current Route Tables,
    Destination Gateway Flags Refs Use Mtu Netif Expire
    default 192.168.3.1 UGS 0 2668 1500 re0
    127.0.0.1 link#4 UH 0 131 16384 lo0
    192.168.1.0/24 link#1 U 0 5560 1500 em0
    192.168.1.1 link#1 UHS 0 0 16384 lo0
    192.168.3.0/24 link#2 U 0 1072 1500 re0
    192.168.3.2 link#2 UHS 0 0 16384 lo0

    5. Firewall Rules,
    No changes. Keep original setting as all traffic on LAN pass thru Default Gateway

    6. Add certs
    CAs
    Description name = OpenVPN CA1
    Method = Import an existing Certificate Authority
    Certificate date = yes (paste from ca.crt)
    Certificate PrivateKey = **empty
    Serial = **empty

    Certificates
    Method = Import from existing Certificate
    Description = OpenVPN Client 1
    Certificate data = yes (paste from client1.crt)
    Private key data = yes (paste from client1.key)

    7. Configure OpenVPN (client)
    General information
    Disable this client = no
    Server mode = Peer to Peer (SSL/TLS)
    Protocol = UDP
    Device mode = tun
    Interface = WAN1
    Local port = **empty
    Server host or address = nostatus.dyndns.org
    Server port = 1194
    Proxy host or address = **empty
    Proxy port = **empty
    Proxy Authentication method = none
    Infinitely resolve server = yes
    Description = OpenVPN Client1

    Cryptographic Settings
    TLS Authentication
    Enable authentication of TLS packets = yes
    Automatically generate a shared TLS authentication key = no
    Paste a ta.key into the blank
    Peer Certificate Authority = OpenVPN CA1
    Client Certificate = OpenVPN Client 1 (CA: OpenVPN CA1)
    Encryption algorithm = BF-CBC (128-bit)
    Hardware Crypto = no

    Tunnel Settings
    Tunnel network = **empty
    Remote network = **empty
    Limit outgoing bandwidth = **empty
    Compresssion = yes
    Type-of-Service = no

    Advanced
    user nobody;group nogroup;persist-key;persist-tun;mute-replay-warnings;ns-cert-type server;verb 3;

    The setting works,
    Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: CMD 'state 1'
    Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client disconnected
    Jul 31 16:48:22 openvpn[51553]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 31 16:48:22 openvpn[51553]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
    Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: –ifconfig/up options modified
    Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: route options modified
    Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
    Jul 31 16:48:22 openvpn[51553]: ROUTE default_gateway=192.168.3.1
    Jul 31 16:48:22 openvpn[51553]: TUN/TAP device /dev/tun1 opened
    Jul 31 16:48:22 openvpn[51553]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jul 31 16:48:22 openvpn[51553]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
    Jul 31 16:48:22 openvpn[51553]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
    Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
    Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
    Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
    Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
    Jul 31 16:48:22 openvpn[51553]: GID set to nogroup
    Jul 31 16:48:22 openvpn[51553]: UID set to nobody
    Jul 31 16:48:22 openvpn[51553]: Initialization Sequence Completed

    8. Assign new OpenVPN interface
    OPT2 = ovpnc1 (OpenVPN Client 1)

    9. Configure new OPT2 interface
    Enable = yes
    Description = VPN1 (change from OPT2 to VPN1)
    Type = none
    Block private networks = no
    Block bogon networks = no

    Gateway VPN1 was automatically added to Gateways but was empty. So I stop OpenVPN service and start it back then the Gateway became

    Name = VPN1
    Interface = VPN1
    Gateway = 10.8.0.49
    Monitor IP 10.8.0.49
    Descriptions = Interface VPN1 Dynamic Gateway

    After all this now all LAN PC was not able to access Internet at all. Firewall rules must direct all traffic to WAN1GW for LAN PC to able to access the Internet. Directing traffic to VPN1 was not going to have connection. But pfSense box itself can use the VPN1 connection properly as I can use it to traceroute www.google.com,

    1  10.8.0.1 (10.8.0.1)  286.634 ms  285.648 ms  285.744 ms
    2  vserver254.hostnoc.net (64.191.104.2)  285.557 ms  285.966 ms  285.266 ms
    3  ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62)  286.791 ms  287.188 ms  287.195 ms
    4  xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37)  286.268 ms  286.295 ms  285.985 ms
    5  core1-0-2-0.lga.net.google.com (198.32.160.130)  292.331 ms  291.641 ms  292.409 ms
    6  72.14.238.232 (72.14.238.232)  292.123 ms
       209.85.255.68 (209.85.255.68)  292.051 ms  292.015 ms
    7  209.85.251.88 (209.85.251.88)  292.087 ms
       209.85.252.2 (209.85.252.2)  292.176 ms
       209.85.251.35 (209.85.251.35)  292.958 ms
    8  216.239.46.217 (216.239.46.217)  338.438 ms
       216.239.46.215 (216.239.46.215)  325.366 ms  326.351 ms
    9  72.14.239.90 (72.14.239.90)  434.872 ms
       209.85.242.215 (209.85.242.215)  392.571 ms  346.066 ms
    10  209.85.254.46 (209.85.254.46)  351.195 ms
       209.85.254.226 (209.85.254.226)  352.363 ms
       209.85.254.46 (209.85.254.46)  351.047 ms
    11  209.85.254.239 (209.85.254.239)  351.459 ms
       209.85.254.233 (209.85.254.233)  352.136 ms
       209.85.254.235 (209.85.254.235)  351.238 ms
    12  64.233.175.14 (64.233.175.14)  354.199 ms
       216.239.46.78 (216.239.46.78)  364.060 ms
       216.239.47.34 (216.239.47.34)  358.298 ms
    13  qw-in-f99.1e100.net (74.125.93.99)  352.759 ms  351.899 ms  351.907 ms

    But if I traceroute from a LAN PC it's not going to pass traffic to any where after pfSense box,

    traceroute to www.google.com (74.125.93.147), 30 hops max, 60 byte packets
    1  pfsense.mydomain (192.168.1.1)  0.424 ms  0.606 ms  0.593 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *^C

    It seem that the defautl gateway assign by the OpenVPN server (10.8.0.49) wasn't listening to any packet outside of the pfSense box. Here's a few screen shot I captured

    Route Tables after establish OpenVPN connection,

    Interface status from dashboard

    Gateway

    Gateway Status

    VPN1 interface (ovpnc1)
    Status up
    MAC address 00:00:00:00:00:00
    IP address 10.8.0.50  
    Subnet mask 255.255.255.255
    Gateway 10.8.0.49
    In/out packets 1566/1566 (212 KB/630 KB)
    In/out packets (pass) 1566/9380 (212 KB/630 KB)
    In/out packets (block) 0/0 (0 bytes/0 bytes)
    In/out errors 0/0
    Collisions 0

    It seem that even pfSense box cannot acess / ping the virtual gateway (10.8.0.49) assign by the OpenVPN server but able to use the connection for itself. This condition is same if I use my Ubuntu to establish a connection to OpenVPN server the auto assigned virtual gateway was basically un-accessible but the connection would still run as traffic automatically send to OpenVPN server IP (10.8.0.1).

    andylai@ubuntudesktop:~$ traceroute www.google.com
    traceroute to www.google.com (74.125.93.105), 30 hops max, 60 byte packets
    1  10.8.0.1 (10.8.0.1)  288.375 ms  292.266 ms  295.581 ms
    vserver254.hostnoc.net (64.191.104.2)  298.698 ms  301.438 ms  304.860 ms
    ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62)  311.722 ms  312.667 ms  315.837 ms
    xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37)  318.344 ms  322.214 ms  325.170 ms
    core1-0-2-0.lga.net.google.com (198.32.160.130)  333.771 ms  337.687 ms  340.635 ms
    6  72.14.238.232 (72.14.238.232)  344.324 ms 209.85.255.68 (209.85.255.68)  293.080 ms^C



  • is this pfsense behind another nat?
    Your default gateway has address 192.168.3.1

    Can you have your internet connectivity back by disapling that opt2 interface?



  • Yes. My default gateway 192.168.3.1 was a router (NAT enable) and if I disable OPT2 (VPN) or just disable OpenVPN connection I will have internet connection back on all LAN PC.



  • I'm having working openvpn connections without interface. Do you need to assign rules for vpn usage?
    But ofcourse it's not the meaning that it can't work with interface



  • I am planning to let certain LAN PC to access through VPN and other going directly to normal WAN gateway or maybe only certain ports forwarded through VPN while other to normal WAN gateway.

    Anyway can share on how to use OpenVPN connection without interface? I have success making an OpenVPN connection working but bumped on a wall on how to use it. pfSense box itself can use the VPN connection but can't share the connection to connected LAN PC.

    Thanks in advance.



  • Yes it's easy to share that knowledge

    • create openvpn server

    • create users for it

    • export user settings with installing package

    • install package to client computers

    • hard usage

    Are you trying to have routing with vyprvpn or something similar? If that is the case, please use search here is someone else also who've done it with success



  • I am actually doing the other way around. pfSense box was an OpenVPN client connecting to a server outside the WAN. Then I would use the OpenVPN connection as an interface and direct traffic from LAN to it (established OpenVPN connection).



  • Ok, that's something what i've not accomplished yet. had no devices enough to test that –> someone else has to answer



  • Thanks Metu69salemi. At the mean while I am going to keep on testing. Next I would disable server push route (push "redirect-gateway def1 bypass-dhcp") on my VPN server and manually route traffic to the VPN connection and hoping to get positive result.



  • I still can't send traffic from LAN to VPN (client) connection establish in pfSense even disabling OpenVPN server push route. But pfSense box itself can utilize the connection (VPN) properly. Anyway is there any difference between the 2 ifconfig below as I found pfSense was difference from my Ubuntu box.

    in Ubuntu
    Tue Aug  9 00:40:27 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500

    In pfSense
    Aug 9 00:43:06 openvpn[59781]: /sbin/ifconfig ovpnc1 10.8.0.30 10.8.0.29 mtu 1500 netmask 255.255.255.255 up

    Thanks in advance.



  • I got the OpenVPN running as an Interface (WAN). All the trouble was on the OpenVPN server site. Although I wasn't setting up site-to-site OpenVPN network but I was still required to route pfSense box LAN subnet to the OpenVPN server. Thanks to http://forum.pfsense.org/index.php/topic,12888.0.html.

    Solution,

    OpenVPN Server configuration /etc/openvpn/server.conf
    1. Enable "client-config-dir ccd"
    2. Add "route 192.168.1.0 255.255.255.0" (my pfSense box IP was 192.168.1.1 and all other LAN PC IP was behind)
    3. Add "iroute 192.168.1.0 255.255.255.0" to /etc/openvpn/ccd/client8 (client8 was the Common Name of my client certificate)
    4. Restart OpenVPN.
    5. WAOLA…..Enjoy.

    Take me a week to just a simple task. Hope this may help other people that are going to configure the samething. And thank for everyone that helping me out.


Locked