Problem configuring OpenVPN connection as a Gateway
-
I successfully set up an OpenVPN client on pfSense 2.0 RC1. It connects to an OpenVPN server on my VPS.
Here's the detail,
Interface
LAN (pFsense) = 192.168.1.1
WAN1 = 192.168.3.1 (Default Gateway)
WAN2 = 192.168.2.1 (not using)
VPN = 10.8.0.50 (auto assigned by OpenVPN Server)
OpenVPN Client was connecting thru WAN1 (192.168.3.1) to establish the VPN connection.
OpenVPN Server at 10.8.0.1 (10.8.0.0/24), configured to forward all client traffic to the VPN (push "redirect-gateway def1 bypass-dhcp")
The problem was I can't PASS any traffic to the VPN using the Firewall. For example, I PASS all traffic from a LAN PC to Interface VPN under "Gateway". That PC will not be able to access the Internet at all. I am sure the OpenVPN connection was working as the pfSense box can PING 10.8.0.1 (OpenVPN server address) and I can use the VPN Interface to PING www.google.com or any other webpage. And traceroute also works and shows that it's going thru the VPN server. I can even use it to download packages within the pfSense box as WAN1 was automatically routed to the OpenVPN server Gateway (184.82.106.57). But all PCs from the LAN will not be able to access the Internet.
While the OpenVPN connection was established I can still use WAN1 (192.168.3.1) for LAN PCs to access the Internet by PASSing all traffic to WAN1GW. If I use default (*) all PCs will not be able to access the Internet, as I think that's because OpenVPN routes its Server Gateway to 192.168.3.1 (WAN1).
OpenVPN log,
Jul 31 00:19:10 openvpn[54195]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 31 00:19:11 openvpn[54195]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: route options modified
Jul 31 00:19:11 openvpn[54195]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 31 00:19:11 openvpn[54195]: ROUTE default_gateway=192.168.3.1
Jul 31 00:19:11 openvpn[54195]: TUN/TAP device /dev/tun1 opened
Jul 31 00:19:11 openvpn[54195]: do_ifconfig, tt->ipv6=0
Jul 31 00:19:11 openvpn[54195]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
Jul 31 00:19:11 openvpn[54195]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
Jul 31 00:19:11 openvpn[54195]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
Jul 31 00:19:11 openvpn[54195]: GID set to nogroup
Jul 31 00:19:11 openvpn[54195]: UID set to nobody
Jul 31 00:19:11 openvpn[54195]: Initialization Sequence Completed
Route Table,
Destination Gateway Flags Refs Use Mtu Netif Expire
0.0.0.0/1 10.8.0.49 UGS 0 344 1500 ovpnc1 =>
default 192.168.3.1 UGS 0 6093245 1500 re0
8.8.4.4 192.168.2.1 UGHS 0 93 1500 re1
8.8.8.8 192.168.2.1 UGHS 0 93 1500 re1
10.8.0.0/24 10.8.0.49 UGS 0 3 1500 ovpnc1
10.8.0.49 link#8 UH 0 0 1500 ovpnc1
10.8.0.50 link#8 UHS 0 4598 16384 lo0
127.0.0.1 link#4 UH 0 6688 16384 lo0
128.0.0.0/1 10.8.0.49 UGS 0 878 1500 ovpnc1
184.82.106.57/32 192.168.3.1 UGS 0 5483 1500 re0
192.168.1.0/24 link#1 U 0 62509544 1500 em0
192.168.1.1 link#1 UHS 0 0 16384 lo0
192.168.2.0/24 link#3 U 0 31514 1500 re1
192.168.2.2 link#3 UHS 0 0 16384 lo0
192.168.3.0/24 link#2 U 0 1201442 1500 re0
192.168.3.2 link#2 UHS 0 0 16384 lo0
208.67.220.220 192.168.3.1 UGHS 0 93 1500 re0
208.67.222.222 192.168.3.1 UGHS 0 95 1500 re0
I'm sure there is something that I have been missing here, as come to think of it, OpenVPN assigns an IP (10.8.0.50) to its client but 10.8.0.50 wasn't a Gateway, it's just an IP assigned to the VPN interface. The pfSense box can use the OpenVPN traffic because it's connected to it like an ordinary PC, so the route works perfectly fine for it.
Anyone who has come across setting up an OpenVPN connection, please give me some tips.
Thanks in advance.
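An added illustration (not part of the original post, and not pfSense or OpenVPN code) of why the route table above looks the way it does. It rebuilds the pfSense table from the post in two steps, the plain WAN1 table and then the three `/sbin/route add` lines the OpenVPN log shows for `redirect-gateway def1`, and resolves a few destinations with longest-prefix matching the way the kernel does. The addresses, interface names and next hops are the ones in the post; the table entries themselves are a constructed model that keeps only the columns that matter for forwarding.

```python
import ipaddress

# Constructed model of the pfSense routing table from the post above, built in
# two steps: the table before OpenVPN starts (only the WAN1 default route and
# the directly connected networks), then the routes the OpenVPN log shows the
# client adding when the server pushes "redirect-gateway def1".
# Entries are (prefix, next hop or None if directly connected, interface).

BASE_TABLE = [
    ("0.0.0.0/0",      "192.168.3.1", "re0"),   # "default" via the WAN1 gateway
    ("192.168.1.0/24", None,          "em0"),   # LAN, directly connected
    ("192.168.3.0/24", None,          "re0"),   # WAN1, directly connected
]


def redirect_gateway_def1(table, server_ip, old_gw, old_dev, vpn_gw, vpn_dev):
    """Return a copy of `table` with the routes that OpenVPN's
    'redirect-gateway def1' adds (the three /sbin/route add lines in the log).

    def1 never deletes the existing default route. It adds a host route to
    the VPN server via the old gateway (so the tunnel itself keeps working)
    and two /1 routes that together cover all of IPv4 via the tunnel. A /1 is
    more specific than the /0 default, so longest-prefix matching sends
    everything else through the tunnel while the default route still exists.
    """
    return table + [
        (f"{server_ip}/32", old_gw, old_dev),
        ("0.0.0.0/1",   vpn_gw, vpn_dev),
        ("128.0.0.0/1", vpn_gw, vpn_dev),
    ]


def lookup(table, dst):
    """Longest-prefix match: the most specific route (largest prefix length)
    that contains `dst` wins. Returns (prefix, next hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


# Values taken from the OpenVPN log in the post: the server's public address,
# the WAN1 gateway, and the tunnel peer address OpenVPN uses as next hop.
VPN_TABLE = redirect_gateway_def1(
    BASE_TABLE,
    server_ip="184.82.106.57",
    old_gw="192.168.3.1", old_dev="re0",
    vpn_gw="10.8.0.49", vpn_dev="ovpnc1",
) + [("10.8.0.0/24", "10.8.0.49", "ovpnc1")]   # pushed "route 10.8.0.0 255.255.255.0"

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "184.82.106.57", "192.168.1.50"):
        print(dst, "before:", lookup(BASE_TABLE, dst), "after:", lookup(VPN_TABLE, dst))
```

The lookups show the effect the poster noticed with the "default (*)" gateway choice: once the two /1 routes exist, any destination except the VPN server itself and the directly connected networks resolves to `10.8.0.49` on `ovpnc1`, even though `default 192.168.3.1` is still in the table.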
-
First of all, update to RC3.
-
Looks like your routes are fine. Not enough info there to tell you where or why that's failing. Does DNS work? Try traceroute to an IP to see where it goes and how far it gets.
-
I re-installed a fresh pfSense 2.0 RC3 to test again.
Start pfSense 2.0 RC3 Installation
Interfaces
WAN = re0
LAN = em0
OPT1 = re1
1. Configure Interface
LAN
Static
IP = 192.168.1.1/24
Gateway = none
Block private networks = no
Block bogon networks = no
WAN1 (changed from original name WAN to WAN1)
Static
IP = 192.168.3.2
Gateway = none
Block private networks = yes
Block bogon networks = yes
OPT1
Disabled
2. Add Gateway
Interface WAN1
Name = WAN1GW
Gateway = 192.168.3.1
Default Gateway = yes
3. Change Gateway of Interface WAN1 from none to WAN1GW
4. General Setup
Hostname = pfsense
Domain = mydomain
DNS servers = 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220
Notes: At this point LAN PCs already can access the Internet using pfSense (192.168.1.1)
Current Route Tables,
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.3.1 UGS 0 2668 1500 re0
127.0.0.1 link#4 UH 0 131 16384 lo0
192.168.1.0/24 link#1 U 0 5560 1500 em0
192.168.1.1 link#1 UHS 0 0 16384 lo0
192.168.3.0/24 link#2 U 0 1072 1500 re0
192.168.3.2 link#2 UHS 0 0 16384 lo0
5. Firewall Rules,
No changes. Keep original setting as all traffic on LAN passes thru Default Gateway
6. Add certs
CAs
Description name = OpenVPN CA1
Method = Import an existing Certificate Authority
Certificate date = yes (paste from ca.crt)
Certificate PrivateKey = **empty
Serial = **empty
Certificates
Method = Import from existing Certificate
Description = OpenVPN Client 1
Certificate data = yes (paste from client1.crt)
Private key data = yes (paste from client1.key)
7. Configure OpenVPN (client)
General information
Disable this client = no
Server mode = Peer to Peer (SSL/TLS)
Protocol = UDP
Device mode = tun
Interface = WAN1
Local port = **empty
Server host or address = nostatus.dyndns.org
Server port = 1194
Proxy host or address = **empty
Proxy port = **empty
Proxy Authentication method = none
Infinitely resolve server = yes
Description = OpenVPN Client1
Cryptographic Settings
TLS Authentication
Enable authentication of TLS packets = yes
Automatically generate a shared TLS authentication key = no
Paste a ta.key into the blank
Peer Certificate Authority = OpenVPN CA1
Client Certificate = OpenVPN Client 1 (CA: OpenVPN CA1)
Encryption algorithm = BF-CBC (128-bit)
Hardware Crypto = no
Tunnel Settings
Tunnel network = **empty
Remote network = **empty
Limit outgoing bandwidth = **empty
Compression = yes
Type-of-Service = no
Advanced
user nobody;group nogroup;persist-key;persist-tun;mute-replay-warnings;ns-cert-type server;verb 3;
The setting works,
Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: CMD 'state 1'
Jul 31 16:48:21 openvpn[51553]: MANAGEMENT: Client disconnected
Jul 31 16:48:22 openvpn[51553]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 31 16:48:22 openvpn[51553]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.50 10.8.0.49'
Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: route options modified
Jul 31 16:48:22 openvpn[51553]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 31 16:48:22 openvpn[51553]: ROUTE default_gateway=192.168.3.1
Jul 31 16:48:22 openvpn[51553]: TUN/TAP device /dev/tun1 opened
Jul 31 16:48:22 openvpn[51553]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 31 16:48:22 openvpn[51553]: /sbin/ifconfig ovpnc1 10.8.0.50 10.8.0.49 mtu 1500 netmask 255.255.255.255 up
Jul 31 16:48:22 openvpn[51553]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.8.0.50 10.8.0.49 init
Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 184.82.106.57 192.168.3.1 255.255.255.255
Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 0.0.0.0 10.8.0.49 128.0.0.0
Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 128.0.0.0 10.8.0.49 128.0.0.0
Jul 31 16:48:22 openvpn[51553]: /sbin/route add -net 10.8.0.0 10.8.0.49 255.255.255.0
Jul 31 16:48:22 openvpn[51553]: GID set to nogroup
Jul 31 16:48:22 openvpn[51553]: UID set to nobody
Jul 31 16:48:22 openvpn[51553]: Initialization Sequence Completed
8. Assign new OpenVPN interface
OPT2 = ovpnc1 (OpenVPN Client 1)
9. Configure new OPT2 interface
Enable = yes
Description = VPN1 (change from OPT2 to VPN1)
Type = none
Block private networks = no
Block bogon networks = no
Gateway VPN1 was automatically added to Gateways but was empty. So I stopped the OpenVPN service and started it back, then the Gateway became
Name = VPN1
Interface = VPN1
Gateway = 10.8.0.49
Monitor IP 10.8.0.49
Description = Interface VPN1 Dynamic Gateway
After all this, now all LAN PCs were not able to access the Internet at all. Firewall rules must direct all traffic to WAN1GW for LAN PCs to be able to access the Internet. Directing traffic to VPN1 was not going to have a connection. But the pfSense box itself can use the VPN1 connection properly as I can use it to traceroute www.google.com,
1 10.8.0.1 (10.8.0.1) 286.634 ms 285.648 ms 285.744 ms
2 vserver254.hostnoc.net (64.191.104.2) 285.557 ms 285.966 ms 285.266 ms
3 ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62) 286.791 ms 287.188 ms 287.195 ms
4 xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37) 286.268 ms 286.295 ms 285.985 ms
5 core1-0-2-0.lga.net.google.com (198.32.160.130) 292.331 ms 291.641 ms 292.409 ms
6 72.14.238.232 (72.14.238.232) 292.123 ms
209.85.255.68 (209.85.255.68) 292.051 ms 292.015 ms
7 209.85.251.88 (209.85.251.88) 292.087 ms
209.85.252.2 (209.85.252.2) 292.176 ms
209.85.251.35 (209.85.251.35) 292.958 ms
8 216.239.46.217 (216.239.46.217) 338.438 ms
216.239.46.215 (216.239.46.215) 325.366 ms 326.351 ms
9 72.14.239.90 (72.14.239.90) 434.872 ms
209.85.242.215 (209.85.242.215) 392.571 ms 346.066 ms
10 209.85.254.46 (209.85.254.46) 351.195 ms
209.85.254.226 (209.85.254.226) 352.363 ms
209.85.254.46 (209.85.254.46) 351.047 ms
11 209.85.254.239 (209.85.254.239) 351.459 ms
209.85.254.233 (209.85.254.233) 352.136 ms
209.85.254.235 (209.85.254.235) 351.238 ms
12 64.233.175.14 (64.233.175.14) 354.199 ms
216.239.46.78 (216.239.46.78) 364.060 ms
216.239.47.34 (216.239.47.34) 358.298 ms
13 qw-in-f99.1e100.net (74.125.93.99) 352.759 ms 351.899 ms 351.907 ms
But if I traceroute from a LAN PC it's not going to pass traffic anywhere after the pfSense box,
traceroute to www.google.com (74.125.93.147), 30 hops max, 60 byte packets
1 pfsense.mydomain (192.168.1.1) 0.424 ms 0.606 ms 0.593 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *^C
It seems that the default gateway assigned by the OpenVPN server (10.8.0.49) wasn't listening to any packet outside of the pfSense box. Here are a few screenshots I captured
Route Tables after establish OpenVPN connection,
Interface status from dashboard
VPN1 interface (ovpnc1)
Status up
MAC address 00:00:00:00:00:00
IP address 10.8.0.50
Subnet mask 255.255.255.255
Gateway 10.8.0.49
In/out packets 1566/1566 (212 KB/630 KB)
In/out packets (pass) 1566/9380 (212 KB/630 KB)
In/out packets (block) 0/0 (0 bytes/0 bytes)
In/out errors 0/0
Collisions 0
It seems that even the pfSense box cannot access / ping the virtual gateway (10.8.0.49) assigned by the OpenVPN server but is able to use the connection for itself. This condition is the same if I use my Ubuntu box to establish a connection to the OpenVPN server: the auto-assigned virtual gateway was basically unreachable but the connection would still run as traffic is automatically sent to the OpenVPN server IP (10.8.0.1).
andylai@ubuntudesktop:~$ traceroute www.google.com
traceroute to www.google.com (74.125.93.105), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 288.375 ms 292.266 ms 295.581 ms
2 vserver254.hostnoc.net (64.191.104.2) 298.698 ms 301.438 ms 304.860 ms
3 ec0-61.agg04.sctn01.hostnoc.net (96.9.184.62) 311.722 ms 312.667 ms 315.837 ms
4 xe2-04.gwy03.sctn01.hostnoc.net (64.120.243.37) 318.344 ms 322.214 ms 325.170 ms
5 core1-0-2-0.lga.net.google.com (198.32.160.130) 333.771 ms 337.687 ms 340.635 ms
6 72.14.238.232 (72.14.238.232) 344.324 ms 209.85.255.68 (209.85.255.68) 293.080 ms^C
-
Is this pfSense behind another NAT?
Your default gateway has address 192.168.3.1
Can you get your Internet connectivity back by disabling that OPT2 interface?
-
Yes. My default gateway 192.168.3.1 is a router (NAT enabled) and if I disable OPT2 (VPN) or just disable the OpenVPN connection I get the Internet connection back on all LAN PCs.
-
I'm having working OpenVPN connections without an interface. Do you need to assign rules for VPN usage?
But of course that doesn't mean it can't work with an interface.
-
I am planning to let certain LAN PCs access through the VPN and others go directly to the normal WAN gateway, or maybe only certain ports forwarded through the VPN while the rest goes to the normal WAN gateway.
Anyway, can you share how to use an OpenVPN connection without an interface? I have succeeded in making an OpenVPN connection work but bumped into a wall on how to use it. The pfSense box itself can use the VPN connection but can't share the connection with the connected LAN PCs.
Thanks in advance.
-
Yes, it's easy to share that knowledge:
- create OpenVPN server
- create users for it
- export user settings with installing package
- install package to client computers
- hard usage
Are you trying to have routing with VyprVPN or something similar? If that is the case, please use search; there is someone else here who has done it with success.
-
I am actually doing it the other way around. The pfSense box is an OpenVPN client connecting to a server outside the WAN. Then I would use the OpenVPN connection as an interface and direct traffic from the LAN to it (the established OpenVPN connection).
-
Ok, that's something I've not accomplished yet. Had no devices enough to test that -> someone else has to answer.
-
Thanks Metu69salemi. In the meantime I am going to keep on testing. Next I will disable the server push route (push "redirect-gateway def1 bypass-dhcp") on my VPN server and manually route traffic to the VPN connection, hoping to get a positive result.
-
I still can't send traffic from the LAN to the VPN (client) connection established in pfSense, even after disabling the OpenVPN server push route. But the pfSense box itself can utilize the connection (VPN) properly. Anyway, is there any difference between the 2 ifconfig lines below, as I found pfSense was different from my Ubuntu box.
In Ubuntu
Tue Aug 9 00:40:27 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
In pfSense
Aug 9 00:43:06 openvpn[59781]: /sbin/ifconfig ovpnc1 10.8.0.30 10.8.0.29 mtu 1500 netmask 255.255.255.255 up
Thanks in advance.
-
I got the OpenVPN running as an Interface (WAN). All the trouble was on the OpenVPN server side. Although I wasn't setting up a site-to-site OpenVPN network, I was still required to route the pfSense box's LAN subnet to the OpenVPN server. Thanks to http://forum.pfsense.org/index.php/topic,12888.0.html.
Solution,
OpenVPN Server configuration /etc/openvpn/server.conf
1. Enable "client-config-dir ccd"
2. Add "route 192.168.1.0 255.255.255.0" (my pfSense box IP was 192.168.1.1 and all other LAN PC IPs were behind it)
3. Add "iroute 192.168.1.0 255.255.255.0" to /etc/openvpn/ccd/client8 (client8 was the Common Name of my client certificate)
4. Restart OpenVPN.
5. Voilà… Enjoy.
Took me a week for just a simple task. Hope this may help other people that are going to configure the same thing. And thanks to everyone that helped me out.
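An added model (not part of the solution post, and not OpenVPN's own code) of the two routing decisions the OpenVPN server makes for a client that has a LAN behind it, to show why the fix needs both the kernel `route` in server.conf and the per-client `iroute` in the ccd file. The class and method names are hypothetical; the common name `client8`, the tunnel address `10.8.0.50` and the subnet `192.168.1.0/24` are the ones from the thread. The model covers only OpenVPN's own forwarding checks and ignores NAT and firewall rules on either end.

```python
import ipaddress

# Constructed model of an OpenVPN server's routing state (hypothetical names,
# not OpenVPN's code).  Two tables matter for a client with a LAN behind it:
#   - kernel_routes: what "route <net> <mask>" in server.conf adds, i.e. the
#     server kernel sending return traffic for that subnet into the tun device;
#   - per-client iroutes: what "iroute <net> <mask>" in ccd/<common name> adds,
#     i.e. OpenVPN's internal mapping from a subnet to the client that owns it.


class OpenVPNServerModel:
    def __init__(self, tun_dev="tun0"):
        self.tun_dev = tun_dev
        self.kernel_routes = {}   # ip_network -> interface, from "route" in server.conf
        self.clients = {}         # common name -> {"ip": tunnel IP, "iroutes": [ip_network]}

    def connect(self, common_name, tunnel_ip):
        """A client finished its TLS handshake and got a tunnel address."""
        self.clients[common_name] = {"ip": ipaddress.ip_address(tunnel_ip), "iroutes": []}

    def add_route(self, prefix):
        """server.conf: route 192.168.1.0 255.255.255.0"""
        self.kernel_routes[ipaddress.ip_network(prefix)] = self.tun_dev

    def add_iroute(self, common_name, prefix):
        """ccd/<common_name>: iroute 192.168.1.0 255.255.255.0"""
        self.clients[common_name]["iroutes"].append(ipaddress.ip_network(prefix))

    def _owner_of(self, addr):
        """Which client OpenVPN's internal table maps `addr` to, if any."""
        a = ipaddress.ip_address(addr)
        for cn, c in self.clients.items():
            if a == c["ip"] or any(a in n for n in c["iroutes"]):
                return cn
        return None

    def accept_from_client(self, common_name, src):
        """Forward direction.  A packet arriving over the tunnel is only
        forwarded if its source address belongs to that client (its own tunnel
        IP or one of its iroutes); otherwise the server drops it as a bad
        source address.  Without an iroute, LAN PCs behind the client fail here."""
        return self._owner_of(src) == common_name

    def deliver(self, dst):
        """Return direction.  The kernel must first have a route sending `dst`
        into the tun device; then OpenVPN must know which client gets it."""
        a = ipaddress.ip_address(dst)
        if not any(a in n for n in self.kernel_routes):
            return "no kernel route: packet leaves via the server's default gateway"
        owner = self._owner_of(dst)
        return owner if owner else "no iroute: OpenVPN cannot pick a client, packet dropped"


def before_fix():
    """Server as the poster first had it: client connected, nothing else."""
    s = OpenVPNServerModel()
    s.connect("client8", "10.8.0.50")
    return s


def route_only():
    """Only step 2 of the fix applied: kernel route but no iroute."""
    s = before_fix()
    s.add_route("192.168.1.0/24")
    return s


def after_fix():
    """Steps 2 and 3 of the fix applied: route in server.conf, iroute in ccd/client8."""
    s = route_only()
    s.add_iroute("client8", "192.168.1.0/24")
    return s


if __name__ == "__main__":
    for label, srv in (("before", before_fix()), ("route only", route_only()), ("after", after_fix())):
        print(label, "accept 192.168.1.50 ->", srv.accept_from_client("client8", "192.168.1.50"),
              "| deliver 192.168.1.50 ->", srv.deliver("192.168.1.50"))
```

The model reproduces the symptom in the thread: traffic the pfSense box sends from its own tunnel address `10.8.0.50` is accepted in every state (which is why the box itself could ping and traceroute through the VPN), while packets from a LAN PC at `192.168.1.50` are rejected until the `iroute` exists, and return traffic for that PC is not handed to the client until both the `route` and the `iroute` are in place.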