OpenVPN Cliet Cannot Access LAN OpenVPN



  • Hi all,

    I got a problem regarding OpenVPN. Here i'll describe the scenario.

    –-------------------              ------                              ------------------
            |    OpenVPN Server  | --------| WAN | ------------------ | OpenVPN Client1 |
              ---------------------              -------                            ------------------
                                                            |
                                                            |
                                                            |
                                                ------------------
                                                | OpenVPN Client2 |
                                                  ------------------

    I tried to connect both OpenVPN Client to OpenVPN Server which reside on Pfsense.

    Here i copy the OpenVPN Server and OpenVPN Client setting :

    OpenVPN Server Setting
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 10.20.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 10.20.20.0 255.255.255.0"
    lport 81
    ca /var/etc/openvpn_server2.ca
    cert /var/etc/openvpn_server2.cert
    key /var/etc/openvpn_server2.key
    dh /var/etc/openvpn_server2.dh
    persist-remote-ip
    float

    OpenVPN Client Setting
    float
    port 81
    dev tun
    dev-node ovpn
    proto udp
    remote 10.10.100.223 81
    ping 30
    persist-key
    persist-tun
    tls-client
    ca ca.crt
    cert aslahuddin.crt
    key aslahuddin.key
    ns-cert-type server
    cipher BF-CBC
    pull
    verb 4

    If one of the client connect to OpenVPN Server, it succesfully connected. But if the second client tried to connect to OpenVPN Server, it can successfully connected but it cannot reach the LAN of OpenVPN. And some error appear when launch the OpenVPN GUI.

    "
    Mon May 14 09:27:10 2007 us=277114 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.200.6/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.200.5, lease-time: 31536000]
    Mon May 14 09:27:10  2007 us=709346 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
    Mon May 14 09:27:10 2007 us=713080 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Mon May 14 09:27:10 2007 us=714460 Route: Waiting for TUN/TAP interface to come up…
    Mon May 14 09:27:11 2007 us=838429 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Mon May 14 09:27:11 2007 us=839845 Route: Waiting for TUN/TAP interface to come up...
    Mon May 14 09:27:12 2007 us=965777 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Mon May 14 09:27:12 2007 us=967671 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.200.5
    Mon May 14 09:27:12 2007 us=979577 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
    Mon May 14 09:27:12 2007 us=981128 Route addition via IPAPI failed
    Mon May 14 09:27:12 2007 us=982094 route ADD 10.20.200.0 MASK 255.255.255.0 10.20.200.5
    Mon May 14 09:27:12 2007 us=985296 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.  [if_index=65539]
    Mon May 14 09:27:12 2007 us=986825 Route addition via IPAPI failed"

    What is actually happened? Em i hope somebody will help me on this.

    Em…how many users actually can access the OpenVPN simultaneous?



  • I think that your problem is windows vista :D or your client cannot add route to system via IPAPI
    Try add this to your Client configs :
    route-method exe
    route-delay 2

    but this (FlushIpNetTable failed on interface) is odd too and i dont know whats wrong…



  • Hi Bredys,

    My Client using Windows XP and Windows 2003 Server. The one who can access the OpenVPN Server is client that using Windows XP. While user that using Windows 2003 Server can access OpenVPN Server but it will come with the error that I've already paste in the earlier topic.

    Anyway I'll try with your suggestion. Thanks Bredys. I'll update later if this suggestion cannot work.

    Anyone who can help me on this please…. :)



  • Nail up both clients and then show the output of these commands from a shell:

    ifconfig
    cat /tmp/rules.debug | grep tun
    cat /tmp/rules.debug | grep tap



  • sullrich

    Here i paste the output of each command.

    ifconfig

    sis0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
            options=8 <vlan_mtu>inet 10.20.20.1 netmask 0xffffff00 broadcast 10.20.20.255
            inet6 fe80::200:24ff:fec6:dae8%sis0 prefixlen 64 scopeid 0x1
            ether 00:00:24:c6:da:e8
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    sis1: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
            options=8 <vlan_mtu>inet 10.10.100.223 netmask 0xffffff00 broadcast 10.10.100.255
            inet6 fe80::200:24ff:fec6:dae9%sis1 prefixlen 64 scopeid 0x2
            ether 00:00:24:c6:da:e9
            media: Ethernet autoselect (100baseTX)
            status: active
    sis2: flags=8842 <broadcast,running,simplex,multicast>mtu 1500
            options=8 <vlan_mtu>ether 00:00:24:c6:da:ea
            media: Ethernet autoselect (none)
            status: no carrier
    lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    enc0: flags=41 <up,running>mtu 1536
    pfsync0: flags=41 <up,running>mtu 2020
            pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=100 <promisc>mtu 33208
    tun0: flags=8051 <up,pointopoint,running,multicast>mtu 1500
            inet6 fe80::200:24ff:fec6:dae8%tun0 prefixlen 64 scopeid 0x8
            inet 10.20.2.1 –> 10.20.2.2 netmask 0xffffffff
            Opened by PID 6416
    ng0: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng1: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng2: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng3: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng4: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng5: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng6: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng7: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng8: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng9: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng10: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng11: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng12: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng13: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng14: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng15: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500
    ng16: flags=8890 <pointopoint,noarp,simplex,multicast>mtu 1500

    cat /tmp/rules.debug | grep tun

    pass out quick on tun0 all keep state label "let out anything from firewall host itself openvpn"
    pass in quick on tun0 all keep state label "let out anything from firewall host itself openvpn"

    cat /tmp/rules.debug | grep tap

    #</pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></up,pointopoint,running,multicast></promisc></up,running></up,running></up,loopback,running,multicast></vlan_mtu></broadcast,running,simplex,multicast></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast>



  • That is strange.  You should have two tun devices (tun0 and tun1) from what I understand.

    Let me speak with Fernando.



  • sullrich

    Ok..For your info, my pfsense running on version 1.0.1-SNAPSHOT-03-27-2007.



  • Just for brevity sake, please upgrade to the latest and retest.



  • sullrich

    I've do add the command "route-method exe" and "route-delay 2" at the Client Configuration file. And u know what…The client can access the OpenVPN Server and also the LAN of it.

    But it still appear some errors on it..

    "
    Tue May 15 09:03:45 2007 us=886389 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
    Tue May 15 09:03:45 2007 us=891004 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
    Tue May 15 09:03:47 2007 us=971039 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 15 09:03:47 2007 us=972576 Route: Waiting for TUN/TAP interface to come up…
    Tue May 15 09:03:50 2007 us=42204 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue May 15 09:03:50 2007 us=43927 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
    Tue May 15 09:03:50 2007 us=657776 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
    Tue May 15 09:03:50 2007 us=713620 Initialization Sequence Completed
    "

    What is actually the error…

    Can i just ignoring it or i've to do something to fix it. The client now can ping the LAN after i adding the command....

    One more...users actually can access the OpenVPN simultaneous? Like PPTP, the maximum concurrent connections is 16.....



  • upgrade to pfsense 1.2 there are a ziljun bugs been fixt between 1.0.1 and 1.2
    also for openvpn



  • Hi all,

    Just now i got another errors…

    "
    Tue May 15 14:01:51 2007 us=771310 TAP-WIN32 device [vpn] opened: \.\Global{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
    Tue May 15 14:01:51 2007 us=772634 TAP-Win32 Driver Version 8.4
    Tue May 15 14:01:51 2007 us=772659 TAP-Win32 MTU=1500
    Tue May 15 14:01:51 2007 us=772692 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
    Tue May 15 14:01:51 2007 us=774597 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
    Tue May 15 14:01:54 2007 us=29738 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 15 14:01:54 2007 us=29987 Route: Waiting for TUN/TAP interface to come up…
    Tue May 15 14:01:56 2007 us=264608 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 15 14:01:56 2007 us=264882 Route: Waiting for TUN/TAP interface to come up...
    Tue May 15 14:01:57 2007 us=497527 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue May 15 14:01:57 2007 us=497788 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
    The route addition failed: The parameter is incorrect.
    Tue May 15 14:01:57 2007 us=561374 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
    The route addition failed: The parameter is incorrect.
    Tue May 15 14:01:57 2007 us=622633 Initialization Sequence Completed
    "

    jeroen234

    I'll upgrade to pfsense 1.2 later. But what's actually they fix in the 1.2 version for OpenVPN?



  • There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

    This could be a broken client, perhaps. If you're confortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start OpenVPN daemon by running "openvpn –config /var/etc/openvpn_server0.conf". Then try to connect from the clients.



  • @fernandotcl:

    There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

    This could be a broken client, perhaps. If you're confortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start OpenVPN daemon by running "openvpn –config /var/etc/openvpn_server0.conf". Then try to connect from the clients.

    fernandotcl

    How to kill OpenVPN daemon in pfsense..I'm not familiar with it..

    I try to do edit /var/etc/openvpn_server0.conf configuration file without killing the OpenVPN daemon process.. but it appear some errors after i start running it back..

    **"

    openvpn –config /var/etc/openvpn_server0.conf

    Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:15: lport (2.0.6)
    Use --help for more information.
    "**



  • Hi all,

    I had already upgrade to 1.2-BETA-1 version on Friday. And i already retest the OpenVPN. But the error is still the same…

    "
    Mon May 21 09:34:09 2007 us=379704 TAP-WIN32 device [vpn] opened: \.\Global{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
    Mon May 21 09:34:09 2007 us=379930 TAP-Win32 Driver Version 8.4
    Mon May 21 09:34:09 2007 us=379950 TAP-Win32 MTU=1500
    Mon May 21 09:34:09 2007 us=379980 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
    Mon May 21 09:34:09 2007 us=663039 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
    Mon May 21 09:34:11 2007 us=876367 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Mon May 21 09:34:11 2007 us=876411 Route: Waiting for TUN/TAP interface to come up…
    Mon May 21 09:34:14 2007 us=46950 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
    The route addition failed: The parameter is incorrect.
    Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
    The route addition failed: The parameter is incorrect.
    SYSTEM ROUTING TABLE
    0.0.0.0 0.0.0.0 10.10.30.31 p=0 i=65540 t=0 pr=3 a=0 h=0 m=20/20/20/10/3
    10.10.0.0 255.255.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
    10.10.100.19 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=20/20/20/1/1
    10.20.2.10 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=30/30/30/1/1
    10.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
    127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
    224.0.0.0 240.0.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
    255.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=1/1/1/1/3
    SYSTEM ADAPTER LIST
    TAP-Win32 Adapter V8 - Virtual Machine Network Services Driver
      Index = 65539
      GUID = {3890476B-0667-4DE4-832E-0FB996C0862A}
      IP = 10.20.2.10/255.255.255.252
      MAC = 00:ff:38:90:47:6b
      GATEWAY = 
      DHCP SERV = 10.20.2.9
      DHCP LEASE OBTAINED = Mon May 21 09:34:12 2007
      DHCP LEASE EXPIRES  = Tue May 20 09:34:12 2008
    Realtek RTL8139 Family PCI Fast Ethernet NIC - Virtual Machine Network Services Driver
      Index = 65540
      GUID = {091D56D5-0FAF-44D3-917A-CA2971FAD5EF}
      IP = 10.10.100.19/255.255.0.0
      MAC = 00:13:d4:62:34:f8
      GATEWAY = 10.10.30.31/0.0.0.0
      DHCP SERV = 10.10.10.11
      DHCP LEASE OBTAINED = Mon May 21 07:45:04 2007
      DHCP LEASE EXPIRES  = Tue May 22 07:45:04 2007
      PRI WINS = 10.10.10.11/0.0.0.0
      SEC WINS = 10.10.10.1/0.0.0.0
    Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
    "



  • Hi all,

    Just wanna update with the current issue…I'm currently running 1.2-BETA-1 version...

    I just get the solution for this problem...I change the user configuration from "route-delay 2"  to "route-delay 10" and the OpenVPN can successfully accessing OpenVPN Server and also can ping the LAN.
    float
    port 81
    dev-node vpn
    proto udp
    remote 10.10.100.223 81
    ping 30
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert 21.crt
    key 21.key
    ns-cert-type server
    cipher BF-CBC
    route-method exe
    route-delay 10
    pull
    verb 4

    Any info regarding this issue why some client can connect successfully without any problem and some clients need to change the configuration as above. Need feedback from the expertise..

    Thanks…


Log in to reply