Netgate Discussion Forum

OpenVPN Client Cannot Access LAN

  • S
    sullrich
    last edited by May 15, 2007, 1:05 AM

    That is strange.  You should have two tun devices (tun0 and tun1) from what I understand.

    Let me speak with Fernando.

    • D
      daddy2aleeya
      last edited by May 15, 2007, 1:16 AM

      sullrich

      Ok.. For your info, my pfSense is running version 1.0.1-SNAPSHOT-03-27-2007.

      • S
        sullrich
        last edited by May 15, 2007, 3:40 AM

        Just for brevity's sake, please upgrade to the latest and retest.

        • D
          daddy2aleeya
          last edited by May 15, 2007, 3:50 AM

          sullrich

          I've added the commands "route-method exe" and "route-delay 2" to the client configuration file. And you know what… the client can access the OpenVPN server and also its LAN.

          But some errors still appear..

          "
          Tue May 15 09:03:45 2007 us=886389 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
          Tue May 15 09:03:45 2007 us=891004 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
          Tue May 15 09:03:47 2007 us=971039 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
          Tue May 15 09:03:47 2007 us=972576 Route: Waiting for TUN/TAP interface to come up…
          Tue May 15 09:03:50 2007 us=42204 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
          Tue May 15 09:03:50 2007 us=43927 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
          Tue May 15 09:03:50 2007 us=657776 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
          Tue May 15 09:03:50 2007 us=713620 Initialization Sequence Completed
          "

          What actually is the error…

          Can I just ignore it, or do I have to do something to fix it? The client can now ping the LAN after I added the command....

          One more thing... can users actually access the OpenVPN simultaneously? Like PPTP, where the maximum concurrent connections is 16.....

          • J
            jeroen234
            last edited by May 15, 2007, 5:21 AM

            Upgrade to pfSense 1.2; there are a zillion bugs that have been fixed between 1.0.1 and 1.2,
            also for OpenVPN.

            • D
              daddy2aleeya
              last edited by May 15, 2007, 6:02 AM

              Hi all,

              Just now I got some other errors…

              "
              Tue May 15 14:01:51 2007 us=771310 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
              Tue May 15 14:01:51 2007 us=772634 TAP-Win32 Driver Version 8.4
              Tue May 15 14:01:51 2007 us=772659 TAP-Win32 MTU=1500
              Tue May 15 14:01:51 2007 us=772692 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
              Tue May 15 14:01:51 2007 us=774597 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
              Tue May 15 14:01:54 2007 us=29738 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
              Tue May 15 14:01:54 2007 us=29987 Route: Waiting for TUN/TAP interface to come up…
              Tue May 15 14:01:56 2007 us=264608 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
              Tue May 15 14:01:56 2007 us=264882 Route: Waiting for TUN/TAP interface to come up...
              Tue May 15 14:01:57 2007 us=497527 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
              Tue May 15 14:01:57 2007 us=497788 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
              The route addition failed: The parameter is incorrect.
              Tue May 15 14:01:57 2007 us=561374 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
              The route addition failed: The parameter is incorrect.
              Tue May 15 14:01:57 2007 us=622633 Initialization Sequence Completed
              "

              jeroen234

              I'll upgrade to pfSense 1.2 later. But what did they actually fix in the 1.2 version for OpenVPN?

              • F
                fernandotcl
                last edited by May 15, 2007, 1:27 PM

                There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

                This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.

                • D
                  daddy2aleeya
                  last edited by May 16, 2007, 1:01 AM

                  @fernandotcl:

                  There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.

                  This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.

                  fernandotcl

                  How do I kill the OpenVPN daemon in pfSense? I'm not familiar with it..

                  I tried to edit the /var/etc/openvpn_server0.conf configuration file without killing the OpenVPN daemon process.. but some errors appeared after I started running it again..

                  "
                  openvpn --config /var/etc/openvpn_server0.conf

                  Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:15: lport (2.0.6)
                  Use --help for more information.
                  "

                  • D
                    daddy2aleeya
                    last edited by May 21, 2007, 1:42 AM

                    Hi all,

                    I already upgraded to version 1.2-BETA-1 on Friday, and I have already retested OpenVPN. But the error is still the same…

                    "
                    Mon May 21 09:34:09 2007 us=379704 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
                    Mon May 21 09:34:09 2007 us=379930 TAP-Win32 Driver Version 8.4
                    Mon May 21 09:34:09 2007 us=379950 TAP-Win32 MTU=1500
                    Mon May 21 09:34:09 2007 us=379980 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
                    Mon May 21 09:34:09 2007 us=663039 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index. 
                    Mon May 21 09:34:11 2007 us=876367 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                    Mon May 21 09:34:11 2007 us=876411 Route: Waiting for TUN/TAP interface to come up…
                    Mon May 21 09:34:14 2007 us=46950 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
                    Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
                    The route addition failed: The parameter is incorrect.
                    Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
                    The route addition failed: The parameter is incorrect.
                    SYSTEM ROUTING TABLE
                    0.0.0.0 0.0.0.0 10.10.30.31 p=0 i=65540 t=0 pr=3 a=0 h=0 m=20/20/20/10/3
                    10.10.0.0 255.255.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                    10.10.100.19 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=20/20/20/1/1
                    10.20.2.10 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=30/30/30/1/1
                    10.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
                    127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
                    224.0.0.0 240.0.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
                    255.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=1/1/1/1/3
                    SYSTEM ADAPTER LIST
                    TAP-Win32 Adapter V8 - Virtual Machine Network Services Driver
                      Index = 65539
                      GUID = {3890476B-0667-4DE4-832E-0FB996C0862A}
                      IP = 10.20.2.10/255.255.255.252
                      MAC = 00:ff:38:90:47:6b
                      GATEWAY = 
                      DHCP SERV = 10.20.2.9
                      DHCP LEASE OBTAINED = Mon May 21 09:34:12 2007
                      DHCP LEASE EXPIRES  = Tue May 20 09:34:12 2008
                    Realtek RTL8139 Family PCI Fast Ethernet NIC - Virtual Machine Network Services Driver
                      Index = 65540
                      GUID = {091D56D5-0FAF-44D3-917A-CA2971FAD5EF}
                      IP = 10.10.100.19/255.255.0.0
                      MAC = 00:13:d4:62:34:f8
                      GATEWAY = 10.10.30.31/0.0.0.0
                      DHCP SERV = 10.10.10.11
                      DHCP LEASE OBTAINED = Mon May 21 07:45:04 2007
                      DHCP LEASE EXPIRES  = Tue May 22 07:45:04 2007
                      PRI WINS = 10.10.10.11/0.0.0.0
                      SEC WINS = 10.10.10.1/0.0.0.0
                    Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
                    "

                    • D
                      daddy2aleeya
                      last edited by May 28, 2007, 1:32 AM

                      Hi all,

                      Just wanna give an update on the current issue… I'm currently running version 1.2-BETA-1...

                      I just found the solution for this problem... I changed the user configuration from "route-delay 2" to "route-delay 10" and OpenVPN can successfully access the OpenVPN server and can also ping the LAN.

                      float
                      port 81
                      dev-node vpn
                      proto udp
                      remote 10.10.100.223 81
                      ping 30
                      persist-tun
                      persist-key
                      tls-client
                      ca ca.crt
                      cert 21.crt
                      key 21.key
                      ns-cert-type server
                      cipher BF-CBC
                      route-method exe
                      route-delay 10
                      pull
                      verb 4

                      Any info regarding this issue, why some clients can connect successfully without any problem and some clients need the configuration changed as above? Need feedback from the experts..

                      Thanks…
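
An added example, not written by any poster in this thread: a small triage script for the Windows client logs quoted above. It pairs each `route ADD` line with its outcome, measures the time between the TAP DHCP notification and the first route attempt, and flags the case seen in the thread where "Initialization Sequence Completed" is logged although the pushed routes were not installed. The names `analyze` and `SAMPLE_LOG` are hypothetical, and the sample log is constructed from the lines in the posts.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: shortened from the logs in this thread, GUID replaced.
SAMPLE_LOG = """\
Mon May 21 09:34:09 2007 us=379980 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {GUID-PLACEHOLDER} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
Mon May 21 09:34:11 2007 us=876367 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
The route addition failed: The parameter is incorrect.
Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
The route addition failed: The parameter is incorrect.
Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
"""

STAMP = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(\d+) (.*)$")
DHCP = re.compile(r"DHCP IP/netmask of (\S+)/(\S+) on interface")
ROUTE = re.compile(r"^route ADD (\S+) MASK (\S+) (\S+)$")

def analyze(log):
    """Pair each 'route ADD' with its outcome; flag completion despite failures."""
    out = {"routes": [], "down_polls": 0, "completed": False,
           "secs_to_first_route": None}
    tap_time = tap_net = None
    for line in log.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            # Assumed from the thread's logs: failure text is unstamped, after its ADD.
            if line.strip().startswith("The route addition failed") and out["routes"]:
                out["routes"][-1]["ok"] = False
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        when += timedelta(microseconds=int(m.group(2)))
        msg = m.group(3)
        if d := DHCP.search(msg):
            tap_time = when
            tap_net = ipaddress.ip_network(f"{d.group(1)}/{d.group(2)}", strict=False)
        elif msg.startswith("TEST ROUTES") and msg.endswith("u/d=down"):
            out["down_polls"] += 1
        elif r := ROUTE.match(msg):
            if out["secs_to_first_route"] is None and tap_time:
                out["secs_to_first_route"] = (when - tap_time).total_seconds()
            gw = ipaddress.ip_address(r.group(3))
            out["routes"].append({"dest": r.group(1), "mask": r.group(2), "ok": True,
                                  "gw_on_tap": tap_net is not None and gw in tap_net})
        elif msg == "Initialization Sequence Completed":
            out["completed"] = True
    out["silent_failure"] = out["completed"] and any(not r["ok"] for r in out["routes"])
    return out
```

When `gw_on_tap` is true for a failed route, the gateway itself is valid for the tunnel subnet, which points at the adapter not being ready yet rather than at a wrong pushed route; that matches the `route-delay` change reported in the thread.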
