    Problem tunneling all client traffic through openVPN

    12 Posts 3 Posters 18.7k Views
    • C
      charlie0440
      last edited by

      I know this has been asked before; I have found a few threads:
      http://forum.pfsense.org/index.php?topic=32158.0#msg165821
      http://forum.pfsense.org/index.php/topic,7001.0.html

      But none of them solve my problem. I have previously set up an OpenVPN road-warrior server on pfSense 2.0.1 (which intentionally does not push web traffic) following this guide: http://blog.stefcho.eu/?p=492

      It works fine, as expected. So I created another for tunnelling web traffic; I want the same external WAN IP. So I followed this guide, which is based on the one above: http://blog.stefcho.eu/?p=492

      LAN IP (pfsense) 192.168.100.1
      OpenVPN setup:
      UDP, tun, WAN2, openVPN port 1111, uses TLS
      Tunnel Network 10.0.8.0/24
      Force all client generated traffic through the tunnel ticked
      DNS server #1 192.168.100.1

      Firewall > Rules > opt1 (WAN2):
      UDP * * WAN2 address 1111 * none  
      Firewall > Rules > OpenVPN:
      none

      Windows firewall is disabled on the client just in case that was an issue

      I can access hosts on the pfsense LAN, but have no Internet access.

      I can't ping 173.194.34.65 or google.com (but it is resolving the IP address).

      
      C:\Documents and Settings\Angie>ping google.com
      
      Pinging google.com [173.194.41.133] with 32 bytes of data:
      
      Reply from 10.0.8.1: Destination host unreachable.
      Reply from 10.0.8.1: Destination host unreachable.
      Reply from 10.0.8.1: Destination host unreachable.
      Reply from 10.0.8.1: Destination host unreachable.
      
      Ping statistics for 173.194.41.133:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms
      
      

      route print

      
      ===========================================================================
      Interface List
      0x1 ........................... MS TCP Loopback interface
      0x2 ...00 11 11 85 5d 41 ...... Intel(R) PRO/100 VE Network Connection #2 - Pack
      et Scheduler Miniport
      0x3 ...00 ff 70 ee c3 3c ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
      
      ===========================================================================
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0        128.0.0.0         10.0.8.5        10.0.8.6       1
                0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.215       20
               10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6       1
               10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
               10.0.8.6  255.255.255.255        127.0.0.1       127.0.0.1       30
         10.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       30
           95.149.93.73  255.255.255.255      192.168.0.1   192.168.0.215       1
              127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
              128.0.0.0        128.0.0.0         10.0.8.5        10.0.8.6       1
            192.168.0.0    255.255.255.0    192.168.0.215   192.168.0.215       20
          192.168.0.215  255.255.255.255        127.0.0.1       127.0.0.1       20
          192.168.0.255  255.255.255.255    192.168.0.215   192.168.0.215       20
          192.168.100.0    255.255.255.0         10.0.8.5        10.0.8.6       1
              224.0.0.0        240.0.0.0         10.0.8.6        10.0.8.6       30
              224.0.0.0        240.0.0.0    192.168.0.215   192.168.0.215       20
        255.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       1
        255.255.255.255  255.255.255.255    192.168.0.215   192.168.0.215       1
      Default Gateway:          10.0.8.5
      ===========================================================================
      Persistent Routes:
        None
      
      

      ipconfig /all

      
      Ethernet adapter Local Area Connection 3:
      
              Connection-specific DNS Suffix  . :
              Description . . . . . . . . . . . : TAP-Win32 Adapter V9
              Physical Address. . . . . . . . . : 00-FF-70-EE-C3-3C
              Dhcp Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes
              IP Address. . . . . . . . . . . . : 10.0.8.6
              Subnet Mask . . . . . . . . . . . : 255.255.255.252
              Default Gateway . . . . . . . . . : 10.0.8.5
              DHCP Server . . . . . . . . . . . : 10.0.8.5
              DNS Servers . . . . . . . . . . . : 192.168.100.1
              Lease Obtained. . . . . . . . . . : 15 May 2012 19:04:31
              Lease Expires . . . . . . . . . . : 15 May 2013 19:04:31
      
      
      
      C:\Documents and Settings\Angie>tracert bbc.co.uk
      
      Tracing route to bbc.co.uk [212.58.241.131]
      over a maximum of 30 hops:
      
        1    74 ms    59 ms    72 ms  10.0.8.1
        2  10.0.8.1  reports: Destination host unreachable.
      
      Trace complete.
      
      

      Can anyone help? I did try adding a push redirect-gateway def1, but that didn't seem to fix it either, so I removed it and started afresh, which is where I am now with the above setup.

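      The route table in the post above already settles the client-side half of the question. What follows is an added example written for this thread (not code from the posts, pfSense or OpenVPN): it replays the poster's own `route print` table through a longest-prefix lookup and checks that the two /1 routes which `redirect-gateway def1` pushes are present and beat the physical default route. They are, so the client is already handing Internet-bound packets to the tunnel; the "Destination host unreachable" replies from 10.0.8.1 are coming from the far end, which points at the firewall side. (10.0.8.5 is the virtual remote end of the /30 that OpenVPN's default net30 topology assigns to each client, which is why it shows up as the gateway although pfSense's own tunnel address is 10.0.8.1.) The only inputs are the table copied from the post and the destinations the poster pinged and traced.

```python
"""Resolve destinations against a Windows `route print` table the way the
stack does (longest prefix first, lowest metric on ties) to check whether
OpenVPN's `redirect-gateway def1` actually took effect on the client.

Added example for this thread, not code from the original posts or from
pfSense/OpenVPN. The table below is copied from the first post's `route
print` output (Active Routes only).
"""
import ipaddress

# Copied from the poster's route table; columns are
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """
          0.0.0.0        128.0.0.0         10.0.8.5        10.0.8.6       1
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.215       20
         10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6       1
         10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
    95.149.93.73  255.255.255.255      192.168.0.1   192.168.0.215       1
       127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       128.0.0.0        128.0.0.0         10.0.8.5        10.0.8.6       1
     192.168.0.0    255.255.255.0    192.168.0.215   192.168.0.215       20
   192.168.100.0    255.255.255.0         10.0.8.5        10.0.8.6       1
"""


def parse_routes(text=ROUTE_PRINT):
    """Turn `route print` lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes


def best_route(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, dst):
    """Gateway address the client would send a packet for `dst` to."""
    r = best_route(routes, dst)
    return None if r is None else str(r[1])


def def1_installed(routes):
    """`redirect-gateway def1` adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.
    Both are more specific than the original 0.0.0.0/0, so they win the
    lookup for every Internet address while the old default stays in place."""
    halves = {r[0] for r in routes if r[0].prefixlen == 1}
    return halves == {ipaddress.IPv4Network("0.0.0.0/1"),
                      ipaddress.IPv4Network("128.0.0.0/1")}


if __name__ == "__main__":
    routes = parse_routes()
    print("def1 routes present:", def1_installed(routes))
    # Destinations from the poster's ping and tracert, plus the VPN endpoint
    # host route, which must keep going out the physical interface.
    for dst in ("173.194.41.133", "212.58.241.131",
                "95.149.93.73", "192.168.100.1"):
        print(f"{dst:>16} -> next hop {next_hop(routes, dst)}")
```

      Run it against any client's `route print` (or `route print -4` on newer Windows) after connecting: if `def1_installed` is False, or an Internet address resolves to the LAN gateway, the problem is on the client or in what the server pushes; if both look right, as here, look at the firewall's routing and NAT next.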
      • H
        heper
        last edited by

        Tell me if I misread:
        So basically you want your road warrior to access the Internet over the VPN.

        It resolves DNS using the VPN. It's able to contact hosts within the pfSense LAN.
        And firewall rules should not block its way out.

        My first guess would be that this is a NAT issue. Try using AON (advanced outbound NAT).
        Do not enable this from a remote location if you have complex routing!
        Once enabled, make sure to create a NAT rule on your WAN connections for the VPN subnet.

        jeroen

        • C
          charlie0440
          last edited by

          I have AON enabled and have this rule:

          Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port
          WAN2 10.0.8.0/24 * * * * * NO

          I also added one for the WAN in case it was coming through there:
          WAN  10.0.8.0/24 * * * * *    NO

          Still no joy

          • H
            heper
            last edited by

            Can you tell me what device 10.0.8.5 is? (You use it as the gateway.) It appears that your pfSense is 10.0.8.1.

            • C
              charlie0440
              last edited by

              That's a good question; it is what pfSense has defaulted it to. I do not specify 10.0.8.5 anywhere.

              What do you suggest? Should I add in the advanced options:
              push "redirect-gateway def1"

              Edit: tried adding the above and I get no output under gateway when viewing ipconfig /all.

              • C
                charlie0440
                last edited by

                Here are some screenshots which someone can hopefully help with:

                • W
                  wm408
                  last edited by

                  Here is my configuration for road warrior from top to bottom in the GUI (if I use xxxx this means it's filled but not specified here):

                  Server Mode: Remote Access (SSL/TLS + User Auth)
                  Backend for auth: Local Database
                  protocol: UDP
                  device mode: tun
                  interface: WAN
                  local port: xxxx
                  description: xxxx
                  TLS Authentication checked with a 2048-bit key
                  peer certificate authority: xxxx
                  Server Certificate: xxxx
                  DH Parameters Length: 2048 bits
                  Encryption Algorithm: xxxx
                  Hardware crypto: xxxx
                  Certificate depth: xxxx
                  Tunnel Network: 10.0.0.0/24
                  Redirect Gateway: checked
                  Compression: checked
                  Dynamic IP: checked
                  Address Pool: Checked
                  DNS Default Domain: checked
                  DNS Servers: filled
                  Advanced: user nobody;group nobody

                  ----- Here is the actual config file itself inside /var/etc/openvpn generated by openvpn -----
                  (all of these options are automatically generated based on my options selected in the GUI except
                  the user nobody;group nobody advanced options)

                  dev ovpns2
                  dev-type tun
                  dev-node /dev/tun2
                  writepid /var/run/openvpn_server2.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher xxxx
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local xxxx
                  tls-server
                  server 10.0.0.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/xxxx.php via-env
                  tls-verify /var/etc/openvpn/xxxx.tls-verify.php
                  lport xxxx
                  management /var/etc/openvpn/xxxx.sock unix
                  push "route xxxx 255.255.255.0"
                  push "dhcp-option DOMAIN xxxx"
                  push "dhcp-option DNS xxxx"
                  push "redirect-gateway def1"
                  ca /var/etc/openvpn/xxxx.ca
                  cert /var/etc/openvpn/xxxx.cert
                  key /var/etc/openvpn/xxxx.key
                  dh /etc/dh-parameters.2048
                  tls-auth /var/etc/openvpn/xxxx.tls-auth 0
                  comp-lzo
                  persist-remote-ip
                  float
                  user nobody
                  group nobody

                  ---------- My NAT Out rule under AON ----------

                  Interf.    Source    s.port    dest.    d.port    NAT addr      Stat.prt        descr.
                  WAN    10.0.0.0/24    *          *        *  *      *              NO            Description

                  ---------- My firewall rule under the OpenVPN tab under Firewall > Rules ----------

                  ID  Proto      Source      port    Dest.  Port  Gate  Queue  Sched.  Descrip.
                          *      10.0.0.0/24      *      *        *      *      *

                  • W
                    wm408
                    last edited by

                    I didn't include my external firewall rule, but yours looks fine.

                    You can ping internal addresses on the OpenVPN network from the client OK, correct? I had this problem recently when I upgraded to 2.0.1, but it was just a fundamental NAT issue.

                    All of your configuration seems fine… ArgH.

                    • C
                      charlie0440
                      last edited by

                      Yes, I can ping PCs on the LAN. I can't get my head around it!

                      • W
                        wm408
                        last edited by

                        When my problem with NAT was going on, I had the same symptom.

                        No firewall block would show because it wasn't getting blocked.
                        The client could resolve hostnames no problem, but couldn't ping back out the gateway.

                        Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior vpn?

                        @charlie0440:

                        Yes, I can ping PCs on the LAN. I can't get my head around it!

                        • W
                          wm408
                          last edited by

                          Try leaving concurrent connections blank.
                          Remove your redirect gateway def1 entry in advanced options if it's still there; the checkbox in the GUI will suffice.

                          • C
                            charlie0440
                            last edited by

                            @wm408:

                            Try leaving concurrent connections blank.
                            Remove your redirect gateway def1 entry in advanced options if it's still there; the checkbox in the GUI will suffice.

                            Tried that, didn't fix it.

                            @wm408:

                            Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior vpn?

                            No, most of those NAT rules were made automatically.

                            Come to think of it, I will have to play with the WAN gateways, as one day (after setting up failover) some subnets stopped having Internet. I had to change from gateway = * to gateway = WAN for them to get online. I will try the same for OpenVPN.

                            EDIT - SUCCESS :)

                            I had to change the OpenVPN firewall rules to use the WAN2 gateway:

                            • 10.0.8.0/24 * * * WAN2_312403 none

                            Thanks for all the help!

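The fix the poster landed on (setting the Gateway column of the OpenVPN-tab rule to WAN2) and wm408's earlier question about whether the NAT subnets match the client pool both come down to two pf mechanics: choosing a gateway in a pass rule makes pfSense emit it as a `route-to` rule, which overrides the routing table for that traffic, and outbound NAT is then matched on whichever interface the packet actually leaves through, so a NAT entry on the wrong interface or for the wrong subnet leaves the packet with its 10.0.8.x source intact. The script below is an added example, not pfSense code: it traces a client packet through rules written in the shape `pfctl -sr` / `pfctl -sn` print. The interface names em0/em1, the 198.51.100.x / 203.0.113.x addresses and the rule text are assumptions constructed for the demo.

```python
"""Trace a road-warrior client's packet through pf rules like the ones a
pfSense GUI setup from this thread produces: the pass rule on the OpenVPN
interface (with route-to when a gateway is picked in the rule's Gateway
column) decides the egress interface, then outbound NAT is matched on
that interface.

Added example, not pfSense's own code. Interface names, gateway addresses
and the rule strings are assumed/constructed for the demo.
"""
import ipaddress
import re

# Assumed box: WAN is em0 and holds the system default route, WAN2 is em1.
DEFAULT_WAN = "em0"
WAN_ADDR = {"em0": "198.51.100.10", "em1": "203.0.113.10"}

# Constructed pf rules. Firewall > Rules > OpenVPN with Gateway "*"
# versus Gateway "WAN2" (pfSense renders the latter as route-to):
RULE_DEFAULT_GW = "pass in quick on openvpn inet from 10.0.8.0/24 to any keep state"
RULE_VIA_WAN2 = ("pass in quick on openvpn route-to (em1 203.0.113.1) "
                 "inet from 10.0.8.0/24 to any keep state")
# Firewall > NAT > Outbound (AON): one entry per WAN for the tunnel subnet.
NAT_RULES = [
    "nat on em0 inet from 10.0.8.0/24 to any -> (em0)",
    "nat on em1 inet from 10.0.8.0/24 to any -> (em1)",
]

PASS_RE = re.compile(
    r"^pass in quick on (\S+)(?: route-to \((\S+) (\S+)\))? inet from (\S+) to any")
NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> \((\S+)\)")


def egress_interface(pass_rules, src):
    """First matching `quick` pass rule wins. route-to sends the packet out
    the named interface regardless of the routing table; without it the
    packet follows the default route."""
    src_ip = ipaddress.ip_address(src)
    for rule in pass_rules:
        m = PASS_RE.match(rule)
        if not m:
            raise ValueError(f"unparsed rule: {rule}")
        iface, rt_iface, _rt_gw, net = m.groups()
        if iface == "openvpn" and src_ip in ipaddress.ip_network(net):
            return rt_iface or DEFAULT_WAN
    return None  # no pass rule on the OpenVPN tab: the packet is dropped


def translate(nat_rules, egress, src):
    """Outbound NAT is matched on the egress interface. No match means the
    packet leaves with its private source address untouched, which no
    upstream router will route replies to."""
    src_ip = ipaddress.ip_address(src)
    for rule in nat_rules:
        m = NAT_RE.match(rule)
        if not m:
            raise ValueError(f"unparsed nat rule: {rule}")
        iface, net, nat_iface = m.groups()
        if iface == egress and src_ip in ipaddress.ip_network(net):
            return WAN_ADDR[nat_iface]
    return src


def forward(pass_rules, nat_rules, src="10.0.8.6"):
    """Return (egress interface, source address on the wire) for a packet
    from the VPN client, or ("dropped", None)."""
    egress = egress_interface(pass_rules, src)
    if egress is None:
        return ("dropped", None)
    return (egress, translate(nat_rules, egress, src))


if __name__ == "__main__":
    print("gateway *, NAT on both WANs :", forward([RULE_DEFAULT_GW], NAT_RULES))
    print("gateway WAN2, NAT on both   :", forward([RULE_VIA_WAN2], NAT_RULES))
    # wm408's point: a NAT entry for the wrong pool subnet is silently useless.
    wrong_pool = ["nat on em1 inet from 10.0.0.0/24 to any -> (em1)"]
    print("gateway WAN2, NAT wrong pool:", forward([RULE_VIA_WAN2], wrong_pool))
    print("no OpenVPN-tab rule         :", forward([], NAT_RULES))
```

On a real box the same trace is done by reading `pfctl -sr | grep openvpn` for the route-to, `pfctl -sn` for the NAT entries, and `pfctl -ss | grep 10.0.8.` to see which interface the client's states are bound to; if a state exists on the OpenVPN side but none on the WAN you expect, the NAT or gateway selection is where to look, exactly as in this thread.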
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.