OpenVPN with XP client, no route?



  • Hi All,

    This should be simple.

    I'm setting up some winXP Road Warrior clients to connect using openvpn.  I followed the instructions by stefcho, everything seemed to work fine.  The warriors connect.  But they cannot ping or connect to any of the machines within my network.  The "default gateway" is blank on the XP machines (using ipconfig at a DOS prompt).

    Is this a problem with the 'tunnel settings' -> 'local network' of the vpn server? 
    My local network is 192.168.2.0 
    The vpn is 192.168.11.0 
    I think I can leave the local network blank.  Do I have to push a route?  Shouldn't it by default get a route to my lan?

    My pfSense is 2.0.1.

    Thanks,
    Julien



  • It is a problem of your OpenVPN Server.
    You need to add the routes behind your OpenVPN Server to the RoadWarriors. This can be done by setting the "local network".

    Or you add custom options like:

    push "route 192.168.100.0 255.255.255.0";
    

    And of course - set the correct firewall rules for your OpenVPN RoadWarriors :)



  • OK,

    I have a 'local network' which is 192.168.2.0/24

    And I have this down in the advanced:
    push "route 192.168.2.0 255.255.255.0"

    There is a firewall rule in the WAN tab for the openvpn which I believe was automatically created.

    Still I am not able to get to the local machines using a Road Warrior.  I can connect fine, get an IP (which I think was 192.168.11.6.)
    But the Road Warrior cannot connect to the local machines.

    Anyone have any troubleshooting ideas?  I have pretty much the typical setup, no fancy stuff.



  • check "route print" on the Windows machine, make sure it has the route. If it doesn't, check the OpenVPN log on Windows, it'll complain with why it didn't add the route. If it does have the route, check Firewall>Rules, OpenVPN on the server side.



  • @snoopy100:

    OK,

    I have a 'local network' which is 192.168.2.0/24

    And I have this down in the advanced:
    push "route 192.168.2.0 255.255.255.0"

    There is a firewall rule in the WAN tab for the openvpn which I believe was automatically created.

    Still I am not able to get to the local machines using a Road Warrior.  I can connect fine, get an IP (which I think was 192.168.11.6.)
    But the Road Warrior cannot connect to the local machines.

    Anyone have any troubleshooting ideas?  I have pretty much the typical setup, no fancy stuff.

    Do not use the same network on both. Just use it in "Local Network" or in custom options.



  • check "route print" on the Windows machine, make sure it has the route. If it doesn't, check the OpenVPN log on Windows, it'll complain with why it didn't add the route. If it does have the route, check Firewall>Rules, OpenVPN on the server side.

    cmb, Thanks for the reply

    The LAN I'm trying to connect to is 192.168.2.0.  The tunnel network is 192.168.11.0.

    On the winXP machine "ipconfig" gives me my local IP is 10.0.0.14 and gateway is 10.0.0.1.  Fine.
    It also lists the openVPN IP is 192.168.11.6, gateway is blank.

    "route print" gives me a bunch of info, at the bottom it has the default gateway as 10.0.0.1.  No other gateway.
    I'm not sure what I'm looking for in here, what should my gateway be?

    I don't see any mention in the openvpn logs about the route, that is bugging me.

    I can ping 192.168.11.1 from the roadwarrior machine, not sure what that means.



  • @Nachtfalke:

    @snoopy100:

    OK,

    I have a 'local network' which is 192.168.2.0/24

    And I have this down in the advanced:
    push "route 192.168.2.0 255.255.255.0"

    There is a firewall rule in the WAN tab for the openvpn which I believe was automatically created.

    Still I am not able to get to the local machines using a Road Warrior.  I can connect fine, get an IP (which I think was 192.168.11.6.)
    But the Road Warrior cannot connect to the local machines.

    Anyone have any troubleshooting ideas?  I have pretty much the typical setup, no fancy stuff.

    Do not use the same network on both. Just use it in "Local Network" or in custom options.

    Thanks Nacht,

    OK, I got rid of the route in the custom options, still no dice.  I'm going to try connecting using an old linux laptop as my next stab at this.



  • You run the OpenVPN client as a user with admin rights?

    The Windows client - does it allow connections/pings from other hosts on other subnets? Try disabling the firewall on the client.
    Add an "any to any" firewall rule on the pfsense firewall OpenVPN tab.



  • @Nachtfalke:

    You run the OpenVPN client as a user with admin rights?

    The Windows client - does it allow connections/pings from other hosts on other subnets? Try disabling the firewall on the client.
    Add an "any to any" firewall rule on the pfsense firewall OpenVPN tab.

    For better troubleshooting, I connected using a Linux laptop, I think I see the route problem:

    The LAN I'm connecting to is 192.168.2.0, client PTP is 192.168.11.5, client IP is 192.168.11.6

    From the Linux laptop connected this is the "route" output:

    Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
    192.168.11.5    *                255.255.255.255  UH     0       0    0    tun0
    192.168.11.1    192.168.11.5     255.255.255.255  UGH    0       0    0    tun0
    192.168.11.0    192.168.11.5     255.255.255.0    UG     0       0    0    tun0    < wrong ??
    192.168.1.0     *                255.255.255.0    U      303     0    0    eth1
    loopback        *                255.0.0.0        U      0       0    0    lo
    default         Wireless_Broadb  0.0.0.0          UG     303     0    0    eth1

    I think the 'wrong' line should be:
    192.168.2.0     192.168.11.5     255.255.255.0    UG     0       0    0    tun0

    So if I type the command:
    route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.11.5

    Now it works, I can ping the firewall which is 192.168.2.6 and other machines on the LAN 192.168.2.0

    So, is that line wrong?  If so, what can I do?  Or am I completely on the wrong track here?

    Julien

    OK everyone, never mind.  I just looked at my advanced options and I had 192.168.2.11 and the route being pushed.
    I changed it to: push "route 192.168.2.0 255.255.255.0";  and now it works.

    So I'm thinking, the Local Network has to be blank and the "Advance Configuration" has to have a push?


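The two checks this thread converged on, written as an added example that is not from any poster or from pfSense/OpenVPN itself: lint the pushed routes for a host address paired with a network mask (the 192.168.2.11 entry above), and confirm the client's routing table actually sends the LAN over tun0. The function names and the sample table are constructed for illustration; the addresses and the interface name come from the thread.

```python
import ipaddress
import re

# Matches custom options of the form: push "route <network> <netmask>"
PUSH_ROUTE = re.compile(r'push\s+"route\s+(\S+)\s+(\S+)"')

def check_pushed_routes(custom_options, tunnel_net):
    """Return (directive, problem) pairs for suspicious pushed routes."""
    tunnel = ipaddress.ip_network(tunnel_net)
    findings = []
    for addr, mask in PUSH_ROUTE.findall(custom_options):
        directive = f"route {addr} {mask}"
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((directive, "not a valid IPv4 network/netmask"))
            continue
        if str(net.network_address) != addr:
            # A host address was given where a network address is expected.
            findings.append((directive,
                f"host bits set; use route {net.network_address} {net.netmask}"))
        elif net.overlaps(tunnel):
            findings.append((directive, "overlaps the tunnel network"))
    return findings

def lan_routed_via_tunnel(route_table, lan, iface="tun0"):
    """True if a Linux `route`-style table has an entry covering `lan` on `iface`."""
    lan_net = ipaddress.ip_network(lan)
    for line in route_table.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[-1] != iface:
            continue  # header, blank line, or another interface
        try:
            dest = ipaddress.ip_network(f"{cols[0]}/{cols[2]}")
        except ValueError:
            continue  # symbolic destinations such as "default"
        if lan_net.subnet_of(dest):
            return True
    return False

# Constructed sample modelled on the Linux client's table before the fix.
SAMPLE_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.11.5    *               255.255.255.255 UH    0      0   0   tun0
192.168.11.0    192.168.11.5    255.255.255.0   UG    0      0   0   tun0
192.168.1.0     *               255.255.255.0   U     303    0   0   eth1
"""

if __name__ == "__main__":
    print(check_pushed_routes('push "route 192.168.2.11 255.255.255.0";', "192.168.11.0/24"))
    print(lan_routed_via_tunnel(SAMPLE_ROUTES, "192.168.2.0/24"))
```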