How to Correctly Modify Routes for OpenVPN Clients?



  • OK, I figured out how to get things working with PPTP tunnels.  But then I decided 1024-bit security + certificates was the way to go, so I'm trying to make things work with pfSense 1.01 and its OpenVPN server.

    When I set up the PPTP server, I added some rules in the pfSense Firewall Settings page (PPTP VPN interface):

    Proto TCP/UDP      source *      port *          destination other.desired.vpn.network/cidr_format        port *        gateway *          comment "PPTP access to site A"

    This worked.  I could use the built-in Windows XP PPTP support to make a new connection to site B.  Once established, I could access machines within site A's network, since B is tied to it over a WAN link with its own VPN (I don't administer that one).

    The routing worked very well but, again, I would feel more secure with a higher level of security than PPTP provides.

    Now I'm trying to get this running with OpenVPN, and I don't seem to be able to do this.  Unfortunately, there's no OpenVPN tab in the Firewall Rules…
    I tried some custom options in the OpenVPN settings on my pfSense box at site B:

    push "route site.b.network 255.255.255.0"
    question: does the subnet for this entry have to be the exact subnet of the site B network, or is it of the VPN (class C) address?  Confused.
    I tried both, but it still doesn't seem to work.

    Below is my client's openvpn config file.  Do I have to add anything else here?  If not, should I be able to tracert to an IP of site A without issues?
    Are there any other rules I must add in the firewall rules somewhere to allow communication from OpenVPN clients to go through the pfSense box's local gateway rather than the client?

    
    float
    port 1194
    dev tun
    dev-node ovpn
    proto tcp-client
    remote [site.b.endpoint.ip] [site.b.endpoint.port]
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    # To enable LZO compression, remove the leading # on the next line
    #comp-lzo
    pull
    verb 4
    

    Thanks in advance for any help on this.  I don't have much hair left!  :)



  • OK, I found another server-side option to add to the custom options window in pfSense:

    push "redirect-gateway"

    Not sure how that works though…



  • OK, another update.

    My current custom line in pfSense is:

    push "redirect-gateway"
    

    In Windows, when I do an ipconfig /all it shows my default gateway and DNS for the ovpn adapter as 192.168.200.5.  Where is it getting that?!  My "address pool" is set to 192.168.200.0/24.

    My pfSense's LAN interface is 192.168.50.1.  I'm stumped.



  • If you want to use the redirect option, try reading the official OpenVPN howto:
    http://openvpn.net/howto.html#redirect



  • Thanks for the link!  I read over the howto 500 times last night but missed this part.

    Hopefully you can set this so it's a partial redirect, only for certain networks/addresses?  Will try this tonight.

    Thanks again!



  • OK, I tried putting this in my custom options line in the pfSense OpenVPN server settings:

    push "redirect-gateway def1"
    

    Still no go.  It looks like I have DNS, as a tracert shows name resolution is working, but it dies at the gateway address of the OpenVPN tunnel (in this case, my machine is at 192.168.51.6, the gateway is displayed as 192.168.51.5).

    Do I have to add extra rules somewhere to allow the traffic?  Looking through this m0n0wall guide it sounds like they have a very handy OpenVPN tab in the firewall rules:

    http://www.closeconsultants.com/~peter/m0n0-ovpn-wifi.html  (all the way at the bottom)

    I can't find anything that looks like a way to specify to allow OpenVPN traffic to utilize the pfSense gateway…



  • OK, I think I finally have this figured out.

    Sorta.

    I misunderstood the correct address range assignments.

    My setup:

    LAN: 192.168.50.1

    Was trying to set OpenVPN machines to address pool of 192.168.200.0/24.  Not working…

    Just tried 192.168.50.0/25 for my address pool.  Holy crap it works!

    I thought that was going to overrun the original IP range...
    I should have read up more on TCP/IP :)



  • OK…

    So if I set my OpenVPN machines address pool to 192.168.50.0/25 then I can access all addresses through the VPN--EXCEPT my workstations from 192.168.50.60-65 .
    If I set my OpenVPN machines address pool to 192.168.51.0/25 then I can access my workstations from 192.168.50.60-65, but not a single other thing.

    Am I missing something really basic here?  Sorry if this is a stupid question...



  • I think you forgot to enable advanced outbound NAT for your ovpn client network (e.g. 192.168.200.0/24).

    So you will be allowed to go out through your OVPN server!
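    The two things this thread turns on, the push "route" question earlier in the thread and the outbound NAT fix in the reply above, as an added example that is not part of the original posts: a small Python helper that checks a proposed tunnel address pool against the local networks (the 192.168.50.0/25 pool overlapped the 192.168.50.0/24 LAN), builds the server-side push "route" lines for the networks behind the server (the subnet in push "route" is the LAN/remote network, not the tunnel network), and prints the equivalent pf-style outbound NAT rule for the tunnel clients. The interface name em0 and the site A network 10.20.0.0/16 are constructed placeholders; the pf line is illustrative syntax, not what pfSense generates verbatim.

```python
import ipaddress
from typing import Iterable, List


def check_tunnel_pool(pool: str, local_nets: Iterable[str]) -> List[str]:
    """Return the local networks the OpenVPN pool overlaps (empty list = OK).

    A tunnel pool that overlaps the LAN gives clients addresses the LAN hosts
    think are on-link, so only some hosts are reachable (as seen in the thread).
    """
    tun = ipaddress.ip_network(pool, strict=False)
    return [n for n in local_nets
            if tun.overlaps(ipaddress.ip_network(n, strict=False))]


def push_routes(remote_nets: Iterable[str]) -> List[str]:
    """Server-side 'push route' lines for the networks behind the server.

    OpenVPN wants a dotted netmask here, not CIDR notation.
    """
    lines = []
    for n in remote_nets:
        net = ipaddress.ip_network(n, strict=False)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def outbound_nat_rule(pool: str, lan_if: str) -> str:
    """pf-style outbound NAT so tunnel clients leave via the LAN interface.

    Without this, hosts beyond the LAN (site A, reached over its own VPN)
    have no return route for the tunnel pool and replies never come back.
    """
    tun = ipaddress.ip_network(pool, strict=False)
    return f"nat on {lan_if} from {tun.with_prefixlen} to any -> ({lan_if})"


if __name__ == "__main__":
    lan = "192.168.50.0/24"          # LAN from the thread (gateway 192.168.50.1)
    site_a = "10.20.0.0/16"          # constructed placeholder for site A
    for pool in ("192.168.50.0/25", "192.168.200.0/24"):
        clash = check_tunnel_pool(pool, [lan, site_a])
        print(f"pool {pool}: {'overlaps ' + ', '.join(clash) if clash else 'OK'}")
    print("\n".join(push_routes([lan, site_a])))
    print(outbound_nat_rule("192.168.200.0/24", "em0"))
```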



  • luma,

    Thanks for the reply.  Man, I hope this is it!  :)

    Will try tonight and report back.



  • I hope too :)



  • luma,

    That's EXACTLY what it was!!!!

    I owe you a cold one!  Heck, make that 12.  :D

    Thanks for your help!!!



  • Good news!

