Create openvpn connection



  • Hi,

    I followed these links to create an OpenVPN connection on pfSense 2.0:

    http://www.youtube.com/watch?v=odjviG-KDq8
    http://blog.stefcho.eu/?p=492

    After that I tried to connect and got this log file. I also tried to run the OpenVPN program as administrator, but nothing changed.


    Sat Nov 12 11:39:02 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
    Sat Nov 12 11:39:10 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Nov 12 11:39:10 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Nov 12 11:39:10 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Nov 12 11:39:10 2011 Control Channel Authentication: using 'jrcfw01-udp-1194-tls.key' as a OpenVPN static key file
    Sat Nov 12 11:39:10 2011 LZO compression initialized
    Sat Nov 12 11:39:10 2011 UDPv4 link local (bound): [undef]:1194
    Sat Nov 12 11:39:10 2011 UDPv4 link remote: 212.38.147.97:1194
    Sat Nov 12 11:39:10 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Nov 12 11:39:20 2011 [openvpntest1] Peer Connection Initiated with 212.38.147.97:1194
    Sat Nov 12 11:39:22 2011 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{2E40862B-D349-4AC8-977A-C169CB28BF1E}.tap
    Sat Nov 12 11:39:22 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.1.6/255.255.255.252 on interface {2E40862B-D349-4AC8-977A-C169CB28BF1E} [DHCP-serv: 10.0.1.5, lease-time: 31536000]
    Sat Nov 12 11:39:22 2011 Successful ARP Flush on interface [15] {2E40862B-D349-4AC8-977A-C169CB28BF1E}
    Sat Nov 12 11:39:27 2011 WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]
    Sat Nov 12 11:39:27 2011 Initialization Sequence Completed


    I can't ping the other side, I can't map a network drive, and I don't know what's wrong.

    Tunnel address: 10.0.1.0/24
    Local address: 10.0.0.1/24

    Any help?
    Thanks.



  • Post your OpenVPN and firewall config.

    Also, did you use the client exporter or did you build your own client config?



  • WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]



  • @chpalmer:

    WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]

    I think this is the problem, too.
    The connection is established, but if you try to ping then there is the route conflict.
    Use different subnets.



  • Thanks for the reply.

    This is my OpenVPN config file:


    dev tun
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote my static IP Address 1194
    tls-remote openvpntest1
    auth-user-pass
    pkcs12 jrcfw01-udp-1194.p12
    tls-auth jrcfw01-udp-1194-tls.key 1
    comp-lzo


    I used the exporter to build the client config.
    I also use a different subnet, but nothing changed.

    Thanks.



  • Do you still have a route conflict?



  • Need OpenVPN server settings.



  • Yes, I still have the route conflict.

    These are my server settings:


    Server mode: remote access (SSL/TLS + user auth)
    Backend for authentication: local DB
    Protocol: UDP
    Device mode: tun
    Interface: PPPoE
    Local port: 1194
    TLS authentication: enabled
    Peer certificate authority: vpn
    Server certificate: openvpntest1 (CA: vpn) *in use
    DH parameters length: 1024 bit
    Encryption algorithm: BF-CBC (128 bit)
    Hardware crypto: no hardware crypto
    Tunnel network: 10.0.1.0/24
    Local network: 10.0.0.0/24
    Concurrent connections: 2
    Compression: enabled
    Inter-client communication:
    Dynamic IP: enabled
    Address pool: enabled


    thanks.



  • If you still have a subnet conflict then you have to solve this first.
    You have the same subnet (10.0.0.0/24) at two points.
    Change this! Restart the OpenVPN server and try again.



  • I solved my conflict problem by checking Redirect Gateway in the OpenVPN server settings:

    Redirect gateway: Force all client generated traffic through the tunnel.

    But I still can't ping or map my network drive.

    This is my new OpenVPN log file:


    Tue Nov 15 13:17:02 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
    Tue Nov 15 13:17:11 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Nov 15 13:17:11 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Tue Nov 15 13:17:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Nov 15 13:17:12 2011 Control Channel Authentication: using 'jrcfw01-udp-1194-tls.key' as a OpenVPN static key file
    Tue Nov 15 13:17:12 2011 LZO compression initialized
    Tue Nov 15 13:17:12 2011 UDPv4 link local (bound): [undef]:1194
    Tue Nov 15 13:17:12 2011 UDPv4 link remote: 212.38.147.97:1194
    Tue Nov 15 13:17:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Nov 15 13:17:16 2011 [openvpntest1] Peer Connection Initiated with 212.38.147.97:1194
    Tue Nov 15 13:17:19 2011 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{2E40862B-D349-4AC8-977A-C169CB28BF1E}.tap
    Tue Nov 15 13:17:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.1.6/255.255.255.252 on interface {2E40862B-D349-4AC8-977A-C169CB28BF1E} [DHCP-serv: 10.0.1.5, lease-time: 31536000]
    Tue Nov 15 13:17:19 2011 Successful ARP Flush on interface [15] {2E40862B-D349-4AC8-977A-C169CB28BF1E}
    Tue Nov 15 13:17:24 2011 Initialization Sequence Completed


    Any suggestions?
    Thanks.



  • Did you create firewall rules according to the tunnel network (subnet) on the new OpenVPN firewall tab?



  • On the new OpenVPN tab I found this rule:

    Protocol    Source    Port    Destination    Port    Gateway    Queue
    *           *         *       *              *       *          none

    Is this enough? Or do I need to add something else?

    Thanks.



  • This is enough. It allows all traffic from all OpenVPN connections to everywhere.

    Can you do a tracert from the OpenVPN client and check up to which point/hop the traffic gets?
    Are you sure that the firewall of the destination host is correctly configured? Perhaps try with the firewall completely turned off first.

    Can you post a screenshot or something else showing your network topology?



  • Hello,

    Thanks for the reply. I did nothing on the destination host.

    Should I do something on it? ;D



  • This is my network environment:

    Office 1
    pfSense 2.0-RELEASE (i386)
    LAN: 10.0.0.0/24
    WAN: 212.38.142.254

    • I have more than one LAN in this office

    Office 2
    pfSense 2.0-RELEASE (i386)
    LAN: 10.0.1.0/24
    WAN: 212.38.142.151



  • On office1 you have to:

    push "route 10.0.0.0 255.255.255.0";

    So the client (office2) gets a route through OpenVPN to your LAN on office1.
    If you configured this correctly and configured the correct firewall rules on both sites, then this should be possible:

    pfSense (office2) from the GUI can ping pfSense (office1) and clients on the office1 LAN, and vice versa.

    So now I am not sure at all, but you need additional configuration on the client (office2) so that the LAN(s) behind this router are reachable.
    On office1 you could add a client-specific override for the client (office2). Add this in the advanced options:

    iroute 10.0.1.0 255.255.255.0;

    Restart the OpenVPN server (office1) and client (office2).

    But take a look here:
    http://forum.pfsense.org/index.php/topic,12888.0.html
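As an added example (editor's code, not from the thread or from pfSense), this Python checks the three subnets posted in this thread for the overlap that OpenVPN's "potential route subnet conflict" warning reports, extracts that warning from a client log, and emits the push route and iroute lines from the reply above only once the subnets are disjoint. All sample values are taken from the posts; the network names are labels chosen here.

```python
import ipaddress
import re
from itertools import combinations

# Subnets exactly as posted in this thread (office1 LAN, tunnel network, office2 LAN).
THREAD_NETWORKS = {
    "office1 LAN": "10.0.0.0/24",
    "tunnel network": "10.0.1.0/24",
    "office2 LAN": "10.0.1.0/24",
}

# Matches the warning OpenVPN prints when a route pushed by the server overlaps the client's LAN.
WARN_RE = re.compile(
    r"potential route subnet conflict between local LAN "
    r"\[(?P<lan>[\d.]+)/(?P<lanmask>[\d.]+)\] and remote VPN "
    r"\[(?P<vpn>[\d.]+)/(?P<vpnmask>[\d.]+)\]"
)


def find_overlaps(networks):
    """Return (name_a, name_b) pairs whose address ranges overlap.

    Each LAN on either side and the tunnel itself must be disjoint; otherwise the
    client holds two routes for the same addresses, traffic stays on the local
    segment, and the far side never sees the ping.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def conflicts_from_log(log_text):
    """Extract (local LAN, remote VPN) CIDR pairs from OpenVPN's warning lines."""
    pairs = []
    for m in WARN_RE.finditer(log_text):
        lan = ipaddress.ip_network(f"{m['lan']}/{m['lanmask']}", strict=False)
        vpn = ipaddress.ip_network(f"{m['vpn']}/{m['vpnmask']}", strict=False)
        pairs.append((str(lan), str(vpn)))
    return pairs


def site_to_site_lines(server_lan, client_lan, tunnel):
    """Build the server-side push route and client-override iroute lines from the
    reply above, refusing to emit them while any of the three subnets overlap."""
    clash = find_overlaps({"server LAN": server_lan, "client LAN": client_lan, "tunnel": tunnel})
    if clash:
        raise ValueError(f"fix overlapping subnets first: {clash}")
    s = ipaddress.ip_network(server_lan, strict=False)
    c = ipaddress.ip_network(client_lan, strict=False)
    return {"server": [f'push "route {s.network_address} {s.netmask}"'],
            "client_override": [f"iroute {c.network_address} {c.netmask}"]}
```

find_overlaps(THREAD_NETWORKS) flags the tunnel network and the office2 LAN, which are both 10.0.1.0/24 in the posts above; a site-to-site setup needs a third, separate subnet for the tunnel.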



  • Ok, after a week of this… I may be alone here, but I feel like if we had all the particulars up front, this issue would've been solved several days ago.  Let's go back to the beginning... please give us explicit details on what you're trying to do.

    At first, it sounded like you were trying to get a road warrior setup going.  Now it looks like you may be doing site to site... instead of us speculating and taking pot shots, let us know what you're doing and provide ALL the details so we can help you.  Also a network map would be helpful.



  • Okay, it's working now.
    I changed the client machine.
    Thanks to all of you.

    One other thing: can I make it connect automatically when Windows starts? I mean on startup of Windows XP.

