Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN Client Cannot Access LAN (OpenVPN)

    15 Posts 5 Posters 32.6k Views
    daddy2aleeya

      Hi all,

      I have a problem with OpenVPN. Here I'll describe the scenario.

      ---------------------          -------          -------------------
      |  OpenVPN Server   |----------| WAN |----------| OpenVPN Client1 |
      ---------------------          -------          -------------------
                                        |
                                        |
                                        |
                               -------------------
                               | OpenVPN Client2 |
                               -------------------

      I tried to connect both OpenVPN clients to the OpenVPN server, which resides on pfSense.

      Here I copy the OpenVPN server and OpenVPN client settings:

      OpenVPN Server Setting
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto udp
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      server 10.20.2.0 255.255.255.0
      client-config-dir /var/etc/openvpn_csc
      push "route 10.20.20.0 255.255.255.0"
      lport 81
      ca /var/etc/openvpn_server2.ca
      cert /var/etc/openvpn_server2.cert
      key /var/etc/openvpn_server2.key
      dh /var/etc/openvpn_server2.dh
      persist-remote-ip
      float

      OpenVPN Client Setting
      float
      port 81
      dev tun
      dev-node ovpn
      proto udp
      remote 10.10.100.223 81
      ping 30
      persist-key
      persist-tun
      tls-client
      ca ca.crt
      cert aslahuddin.crt
      key aslahuddin.key
      ns-cert-type server
      cipher BF-CBC
      pull
      verb 4

      If one of the clients connects to the OpenVPN server, it connects successfully. But if the second client tries to connect to the OpenVPN server, it connects successfully but cannot reach the LAN behind OpenVPN. And some errors appear when I launch the OpenVPN GUI.

      "
      Mon May 14 09:27:10 2007 us=277114 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.200.6/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.200.5, lease-time: 31536000]
      Mon May 14 09:27:10 2007 us=709346 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index.
      Mon May 14 09:27:10 2007 us=713080 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
      Mon May 14 09:27:10 2007 us=714460 Route: Waiting for TUN/TAP interface to come up…
      Mon May 14 09:27:11 2007 us=838429 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
      Mon May 14 09:27:11 2007 us=839845 Route: Waiting for TUN/TAP interface to come up...
      Mon May 14 09:27:12 2007 us=965777 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
      Mon May 14 09:27:12 2007 us=967671 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.200.5
      Mon May 14 09:27:12 2007 us=979577 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
      Mon May 14 09:27:12 2007 us=981128 Route addition via IPAPI failed
      Mon May 14 09:27:12 2007 us=982094 route ADD 10.20.200.0 MASK 255.255.255.0 10.20.200.5
      Mon May 14 09:27:12 2007 us=985296 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
      Mon May 14 09:27:12 2007 us=986825 Route addition via IPAPI failed"

      What actually happened? I hope somebody can help me with this.

      How many users can actually access OpenVPN simultaneously?

        Bredys

        I think that your problem is Windows Vista :D or your client cannot add a route to the system via IPAPI.
        Try adding this to your client configs:
        route-method exe
        route-delay 2

        but this (FlushIpNetTable failed on interface) is odd too and I don't know what's wrong...

          daddy2aleeya

          Hi Bredys,

          My clients are using Windows XP and Windows 2003 Server. The one that can access the OpenVPN server is the client using Windows XP, while the user using Windows 2003 Server can access the OpenVPN server but gets the error that I already pasted earlier in the topic.

          Anyway, I'll try your suggestion. Thanks Bredys. I'll update later if this suggestion doesn't work.

          Anyone who can help me on this, please.... :)

            sullrich

            Nail up both clients and then show the output of these commands from a shell:

            ifconfig
            cat /tmp/rules.debug | grep tun
            cat /tmp/rules.debug | grep tap

              daddy2aleeya

              sullrich

              Here I paste the output of each command.

              ifconfig

              sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      options=8<VLAN_MTU>
                      inet 10.20.20.1 netmask 0xffffff00 broadcast 10.20.20.255
                      inet6 fe80::200:24ff:fec6:dae8%sis0 prefixlen 64 scopeid 0x1
                      ether 00:00:24:c6:da:e8
                      media: Ethernet autoselect (100baseTX <full-duplex>)
                      status: active
              sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      options=8<VLAN_MTU>
                      inet 10.10.100.223 netmask 0xffffff00 broadcast 10.10.100.255
                      inet6 fe80::200:24ff:fec6:dae9%sis1 prefixlen 64 scopeid 0x2
                      ether 00:00:24:c6:da:e9
                      media: Ethernet autoselect (100baseTX)
                      status: active
              sis2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      options=8<VLAN_MTU>
                      ether 00:00:24:c6:da:ea
                      media: Ethernet autoselect (none)
                      status: no carrier
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                      inet 127.0.0.1 netmask 0xff000000
                      inet6 ::1 prefixlen 128
                      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
              enc0: flags=41<UP,RUNNING> mtu 1536
              pfsync0: flags=41<UP,RUNNING> mtu 2020
                      pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
              pflog0: flags=100<PROMISC> mtu 33208
              tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
                      inet6 fe80::200:24ff:fec6:dae8%tun0 prefixlen 64 scopeid 0x8
                      inet 10.20.2.1 --> 10.20.2.2 netmask 0xffffffff
                      Opened by PID 6416
              ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng5: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng6: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng7: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng8: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng9: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng10: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng11: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng12: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng13: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng14: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng15: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
              ng16: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500

              cat /tmp/rules.debug | grep tun

              pass out quick on tun0 all keep state label "let out anything from firewall host itself openvpn"
              pass in quick on tun0 all keep state label "let out anything from firewall host itself openvpn"

              cat /tmp/rules.debug | grep tap

              #

                sullrich

                That is strange.  You should have two tun devices (tun0 and tun1) from what I understand.

                Let me speak with Fernando.

                  daddy2aleeya

                  sullrich

                  OK. For your info, my pfSense is running version 1.0.1-SNAPSHOT-03-27-2007.

                    sullrich

                    Just for brevity's sake, please upgrade to the latest and retest.

                      daddy2aleeya

                      sullrich

                      I did add the commands "route-method exe" and "route-delay 2" to the client configuration file. And you know what... the client can access the OpenVPN server and also its LAN.

                      But some errors still appear..

                      "
                      Tue May 15 09:03:45 2007 us=886389 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
                      Tue May 15 09:03:45 2007 us=891004 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
                      Tue May 15 09:03:47 2007 us=971039 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                      Tue May 15 09:03:47 2007 us=972576 Route: Waiting for TUN/TAP interface to come up…
                      Tue May 15 09:03:50 2007 us=42204 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
                      Tue May 15 09:03:50 2007 us=43927 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
                      Tue May 15 09:03:50 2007 us=657776 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
                      Tue May 15 09:03:50 2007 us=713620 Initialization Sequence Completed
                      "

                      What actually is the error...

                      Can I just ignore it, or do I have to do something to fix it? The client can now ping the LAN after I added the commands....

                      One more thing: how many users can actually access OpenVPN simultaneously? With PPTP, the maximum number of concurrent connections is 16.....

                        jeroen234

                        Upgrade to pfSense 1.2; a zillion bugs have been fixed between 1.0.1 and 1.2,
                        also for OpenVPN.

                          daddy2aleeya

                          Hi all,

                          Just now I got other errors...

                          "
                          Tue May 15 14:01:51 2007 us=771310 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
                          Tue May 15 14:01:51 2007 us=772634 TAP-Win32 Driver Version 8.4
                          Tue May 15 14:01:51 2007 us=772659 TAP-Win32 MTU=1500
                          Tue May 15 14:01:51 2007 us=772692 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
                          Tue May 15 14:01:51 2007 us=774597 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
                          Tue May 15 14:01:54 2007 us=29738 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                          Tue May 15 14:01:54 2007 us=29987 Route: Waiting for TUN/TAP interface to come up…
                          Tue May 15 14:01:56 2007 us=264608 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                          Tue May 15 14:01:56 2007 us=264882 Route: Waiting for TUN/TAP interface to come up...
                          Tue May 15 14:01:57 2007 us=497527 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
                          Tue May 15 14:01:57 2007 us=497788 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
                          The route addition failed: The parameter is incorrect.
                          Tue May 15 14:01:57 2007 us=561374 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
                          The route addition failed: The parameter is incorrect.
                          Tue May 15 14:01:57 2007 us=622633 Initialization Sequence Completed
                          "

                          jeroen234

                          I'll upgrade to pfSense 1.2 later. But what actually did they fix in version 1.2 for OpenVPN?

                            fernandotcl

                            There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

                            This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.

                              daddy2aleeya

                              @fernandotcl:

                              There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

                              This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.

                              fernandotcl

                              How do I kill the OpenVPN daemon in pfSense? I'm not familiar with it..

                              I tried to edit the /var/etc/openvpn_server0.conf configuration file without killing the OpenVPN daemon process, but some errors appeared after I started running it again..

                              "

                              openvpn --config /var/etc/openvpn_server0.conf

                              Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:15: lport (2.0.6)
                              Use --help for more information.
                              "

                                daddy2aleeya

                                Hi all,

                                I already upgraded to version 1.2-BETA-1 on Friday, and I already retested OpenVPN. But the error is still the same...

                                "
                                Mon May 21 09:34:09 2007 us=379704 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
                                Mon May 21 09:34:09 2007 us=379930 TAP-Win32 Driver Version 8.4
                                Mon May 21 09:34:09 2007 us=379950 TAP-Win32 MTU=1500
                                Mon May 21 09:34:09 2007 us=379980 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
                                Mon May 21 09:34:09 2007 us=663039 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
                                Mon May 21 09:34:11 2007 us=876367 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                                Mon May 21 09:34:11 2007 us=876411 Route: Waiting for TUN/TAP interface to come up…
                                Mon May 21 09:34:14 2007 us=46950 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
                                Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
                                The route addition failed: The parameter is incorrect.
                                Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
                                The route addition failed: The parameter is incorrect.
                                SYSTEM ROUTING TABLE
                                0.0.0.0 0.0.0.0 10.10.30.31 p=0 i=65540 t=0 pr=3 a=0 h=0 m=20/20/20/10/3
                                10.10.0.0 255.255.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                                10.10.100.19 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=20/20/20/1/1
                                10.20.2.10 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=30/30/30/1/1
                                10.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                                127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
                                127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
                                224.0.0.0 240.0.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                                255.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=1/1/1/1/3
                                SYSTEM ADAPTER LIST
                                TAP-Win32 Adapter V8 - Virtual Machine Network Services Driver
                                  Index = 65539
                                  GUID = {3890476B-0667-4DE4-832E-0FB996C0862A}
                                  IP = 10.20.2.10/255.255.255.252
                                  MAC = 00:ff:38:90:47:6b
                                  GATEWAY = 
                                  DHCP SERV = 10.20.2.9
                                  DHCP LEASE OBTAINED = Mon May 21 09:34:12 2007
                                  DHCP LEASE EXPIRES  = Tue May 20 09:34:12 2008
                                Realtek RTL8139 Family PCI Fast Ethernet NIC - Virtual Machine Network Services Driver
                                  Index = 65540
                                  GUID = {091D56D5-0FAF-44D3-917A-CA2971FAD5EF}
                                  IP = 10.10.100.19/255.255.0.0
                                  MAC = 00:13:d4:62:34:f8
                                  GATEWAY = 10.10.30.31/0.0.0.0
                                  DHCP SERV = 10.10.10.11
                                  DHCP LEASE OBTAINED = Mon May 21 07:45:04 2007
                                  DHCP LEASE EXPIRES  = Tue May 22 07:45:04 2007
                                  PRI WINS = 10.10.10.11/0.0.0.0
                                  SEC WINS = 10.10.10.1/0.0.0.0
                                Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
                                "

                                  daddy2aleeya

                                  Hi all,

                                  Just want to update on the current issue... I'm currently running version 1.2-BETA-1...

                                  I just got the solution for this problem... I changed the user configuration from "route-delay 2" to "route-delay 10", and OpenVPN can now successfully access the OpenVPN server and also ping the LAN.
                                  float
                                  port 81
                                  dev-node vpn
                                  proto udp
                                  remote 10.10.100.223 81
                                  ping 30
                                  persist-tun
                                  persist-key
                                  tls-client
                                  ca ca.crt
                                  cert 21.crt
                                  key 21.key
                                  ns-cert-type server
                                  cipher BF-CBC
                                  route-method exe
                                  route-delay 10
                                  pull
                                  verb 4

                                  Any info regarding this issue, why some clients can connect successfully without any problem and some clients need to change the configuration as above? Need feedback from the experts..

                                  Thanks…

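As an added example that is not part of the thread and not pfSense or OpenVPN code: a Python script that measures, from a verb 4 Windows client log of this era, how long the TAP-Win32 adapter took to come up before OpenVPN's TEST ROUTES check saw it up, counts the pushed routes that failed to install in both the IPAPI form and the route.exe form quoted above, and checks a client config for the route-method exe / route-delay settings the thread ended up with. The log lines and configs in it are constructed from the excerpts quoted in the posts; the rule for picking a route-delay (twice the measured bring-up time, at least 2 s) is this example's own heuristic, not an OpenVPN rule, and the notes on cipher BF-CBC and ns-cert-type are extra checks that nobody in the thread raised.

```python
"""Added example (not from the thread, pfSense or OpenVPN): analyse a verb 4
Windows client log for the route-addition failure above and check a client
config for the route-method/route-delay fix. Sample logs and configs are
constructed from the thread's excerpts; the route-delay rule is a heuristic
assumed by this example."""
import math
import re
from datetime import datetime

# verb 4 line prefix: "Tue May 15 14:01:57 2007 us=497527 <message>"
_PREFIX = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} +\d{4}) us=(\d+) (.*)$")
_EPOCH = datetime(1970, 1, 1)


def _split(line):
    """(seconds, message); seconds is None for unstamped lines such as the
    'The route addition failed' line that route-method exe prints."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None, line.strip()
    stamp = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
    return (stamp - _EPOCH).total_seconds() + int(m.group(2)) / 1e6, m.group(3)


def analyse_client_log(lines):
    """Adapter bring-up time plus how many pushed routes failed/installed."""
    notified = up = pending = None
    failed = ok = 0
    completed = False
    for raw in lines:
        t, msg = _split(raw)
        if "Notified TAP-Win32 driver" in msg and notified is None:
            notified = t              # adapter asked to configure itself
        elif msg.startswith("TEST ROUTES") and "u/d=up" in msg and up is None:
            up = t                    # first time OpenVPN saw it up
        elif msg.startswith("route ADD"):
            if pending is not None:
                ok += 1               # previous ADD drew no error line
            pending = msg
        elif "route addition failed" in msg.lower():
            failed += 1               # matches the IPAPI and route.exe forms
            pending = None
        elif "Initialization Sequence Completed" in msg:
            completed = True
    if pending is not None:
        ok += 1
    tap_up = None if notified is None or up is None else round(up - notified, 3)
    return {"tap_up_seconds": tap_up, "routes_failed": failed,
            "routes_ok": ok, "completed": completed}


def recommend_route_delay(summary, current=0):
    """Heuristic (assumption): on failures, wait twice the measured bring-up
    time, at least 2 s, in whole seconds; otherwise keep the current value."""
    if summary["routes_failed"] == 0:
        return current
    return max(2, math.ceil(2 * (summary["tap_up_seconds"] or 0)))


def check_client_config(text):
    """List what a Windows client config lacks for this problem, plus two
    directives from the thread's config worth replacing (extra checks)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    findings = []
    if opts.get("route-method") != "exe":
        findings.append("route-method exe: use route.exe, not the failing IPAPI call")
    delay = (opts.get("route-delay") or "0").split()[0]
    if not delay.isdigit() or int(delay) < 2:
        findings.append("route-delay N: let the TAP adapter come up before adding routes")
    if opts.get("cipher", "").upper() == "BF-CBC":
        findings.append("cipher BF-CBC: 64-bit block cipher, prefer an AES cipher")
    if "ns-cert-type" in opts:
        findings.append("ns-cert-type: deprecated, use 'remote-cert-tls server' (2.1+)")
    return findings


# Constructed from the first log in the thread (no route-method/route-delay).
LOG_IPAPI = """\
Mon May 14 09:27:10 2007 us=277114 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.200.6/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A}
Mon May 14 09:27:10 2007 us=713080 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon May 14 09:27:12 2007 us=965777 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon May 14 09:27:12 2007 us=967671 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.200.5
Mon May 14 09:27:12 2007 us=979577 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
Mon May 14 09:27:12 2007 us=981128 Route addition via IPAPI failed
Mon May 14 09:27:12 2007 us=982094 route ADD 10.20.200.0 MASK 255.255.255.0 10.20.200.5
Mon May 14 09:27:12 2007 us=985296 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
""".splitlines()

# Constructed from the later log with route-method exe and route-delay 2.
LOG_EXE = """\
Tue May 15 14:01:51 2007 us=772692 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A}
Tue May 15 14:01:57 2007 us=497527 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue May 15 14:01:57 2007 us=497788 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
The route addition failed: The parameter is incorrect.
Tue May 15 14:01:57 2007 us=561374 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
The route addition failed: The parameter is incorrect.
Tue May 15 14:01:57 2007 us=622633 Initialization Sequence Completed
""".splitlines()

ORIGINAL_CONFIG = "dev tun\nproto udp\nremote 10.10.100.223 81\ncipher BF-CBC\nns-cert-type server\npull\n"
FIXED_CONFIG = ORIGINAL_CONFIG + "route-method exe\nroute-delay 10\n"

if __name__ == "__main__":
    for log in (LOG_IPAPI, LOG_EXE):
        summary = analyse_client_log(log)
        print(summary, "-> route-delay", recommend_route_delay(summary, 2))
    print(check_client_config(ORIGINAL_CONFIG))
```

On the two constructed logs the adapter took about 2.7 s and 5.7 s to come up, which is consistent with route-delay 2 being too short on this client while route-delay 10 worked: route-method exe only changes how the route is added, and the delay is what lets the route ADD calls run after the adapter exists.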
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.