OpenVPN Client Cannot Access LAN OpenVPN
-
That is strange. You should have two tun devices (tun0 and tun1) from what I understand.
Let me speak with Fernando.
-
sullrich
Ok.. For your info, my pfSense is running version 1.0.1-SNAPSHOT-03-27-2007.
-
Just for brevity's sake, please upgrade to the latest and retest.
-
sullrich
I did add the commands "route-method exe" and "route-delay 2" to the client configuration file. And you know what… The client can access the OpenVPN server and also its LAN.
But some errors still appear..
"
Tue May 15 09:03:45 2007 us=886389 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
Tue May 15 09:03:45 2007 us=891004 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index.
Tue May 15 09:03:47 2007 us=971039 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue May 15 09:03:47 2007 us=972576 Route: Waiting for TUN/TAP interface to come up…
Tue May 15 09:03:50 2007 us=42204 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue May 15 09:03:50 2007 us=43927 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
Tue May 15 09:03:50 2007 us=657776 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
Tue May 15 09:03:50 2007 us=713620 Initialization Sequence Completed
"
What is actually the error…
Can I just ignore it or do I have to do something to fix it? The client can now ping the LAN after I added the command....
One more... can users actually access the OpenVPN simultaneously? Like PPTP, the maximum concurrent connections is 16.....
-
Upgrade to pfSense 1.2; there are a zillion bugs that have been fixed between 1.0.1 and 1.2,
also for OpenVPN.
-
Hi all,
Just now I got some more errors…
"
Tue May 15 14:01:51 2007 us=771310 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
Tue May 15 14:01:51 2007 us=772634 TAP-Win32 Driver Version 8.4
Tue May 15 14:01:51 2007 us=772659 TAP-Win32 MTU=1500
Tue May 15 14:01:51 2007 us=772692 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
Tue May 15 14:01:51 2007 us=774597 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index.
Tue May 15 14:01:54 2007 us=29738 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue May 15 14:01:54 2007 us=29987 Route: Waiting for TUN/TAP interface to come up…
Tue May 15 14:01:56 2007 us=264608 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue May 15 14:01:56 2007 us=264882 Route: Waiting for TUN/TAP interface to come up...
Tue May 15 14:01:57 2007 us=497527 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue May 15 14:01:57 2007 us=497788 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
The route addition failed: The parameter is incorrect.
Tue May 15 14:01:57 2007 us=561374 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
The route addition failed: The parameter is incorrect.
Tue May 15 14:01:57 2007 us=622633 Initialization Sequence Completed
"
jeroen234
I'll upgrade to pfSense 1.2 later. But what did they actually fix in version 1.2 for OpenVPN?
-
There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.
This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.
-
There's no limit imposed by the pfSense OpenVPN implementation. There might be a limit in OpenVPN or this could also be limited by the maximum number of tun interfaces at a given moment in FreeBSD. But this limit is certainly greater than 2.
This could be a broken client, perhaps. If you're comfortable with Unix, log into the pfSense shell, kill the OpenVPN daemon (openvpn process), edit /var/etc/openvpn_server0.conf and change the line that says "daemon" to "verb 4". Then start the OpenVPN daemon by running "openvpn --config /var/etc/openvpn_server0.conf". Then try to connect from the clients.
fernandotcl
How do I kill the OpenVPN daemon in pfSense? I'm not familiar with it..
I tried to edit the /var/etc/openvpn_server0.conf configuration file without killing the OpenVPN daemon process.. but some errors appeared after I started running it again..
**"
openvpn --config /var/etc/openvpn_server0.conf
Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:15: lport (2.0.6)
Use --help for more information.
"**
-
Hi all,
I already upgraded to version 1.2-BETA-1 on Friday, and I have already retested OpenVPN. But the error is still the same…
"
Mon May 21 09:34:09 2007 us=379704 TAP-WIN32 device [vpn] opened: \\.\Global\{3890476B-0667-4DE4-832E-0FB996C0862A}.tap
Mon May 21 09:34:09 2007 us=379930 TAP-Win32 Driver Version 8.4
Mon May 21 09:34:09 2007 us=379950 TAP-Win32 MTU=1500
Mon May 21 09:34:09 2007 us=379980 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.20.2.10/255.255.255.252 on interface {3890476B-0667-4DE4-832E-0FB996C0862A} [DHCP-serv: 10.20.2.9, lease-time: 31536000]
Mon May 21 09:34:09 2007 us=663039 NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index.
Mon May 21 09:34:11 2007 us=876367 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon May 21 09:34:11 2007 us=876411 Route: Waiting for TUN/TAP interface to come up…
Mon May 21 09:34:14 2007 us=46950 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
The route addition failed: The parameter is incorrect.
Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
The route addition failed: The parameter is incorrect.
SYSTEM ROUTING TABLE
0.0.0.0 0.0.0.0 10.10.30.31 p=0 i=65540 t=0 pr=3 a=0 h=0 m=20/20/20/10/3
10.10.0.0 255.255.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
10.10.100.19 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=20/20/20/1/1
10.20.2.10 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=30/30/30/1/1
10.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=0 pr=2 a=0 h=0 m=1/1/1/1/1
224.0.0.0 240.0.0.0 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=20/20/20/1/3
255.255.255.255 255.255.255.255 10.10.100.19 p=0 i=65540 t=0 pr=2 a=0 h=0 m=1/1/1/1/3
SYSTEM ADAPTER LIST
TAP-Win32 Adapter V8 - Virtual Machine Network Services Driver
Index = 65539
GUID = {3890476B-0667-4DE4-832E-0FB996C0862A}
IP = 10.20.2.10/255.255.255.252
MAC = 00:ff:38:90:47:6b
GATEWAY =
DHCP SERV = 10.20.2.9
DHCP LEASE OBTAINED = Mon May 21 09:34:12 2007
DHCP LEASE EXPIRES = Tue May 20 09:34:12 2008
Realtek RTL8139 Family PCI Fast Ethernet NIC - Virtual Machine Network Services Driver
Index = 65540
GUID = {091D56D5-0FAF-44D3-917A-CA2971FAD5EF}
IP = 10.10.100.19/255.255.0.0
MAC = 00:13:d4:62:34:f8
GATEWAY = 10.10.30.31/0.0.0.0
DHCP SERV = 10.10.10.11
DHCP LEASE OBTAINED = Mon May 21 07:45:04 2007
DHCP LEASE EXPIRES = Tue May 22 07:45:04 2007
PRI WINS = 10.10.10.11/0.0.0.0
SEC WINS = 10.10.10.1/0.0.0.0
Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
"
-
Hi all,
Just want to give an update on the current issue… I'm currently running version 1.2-BETA-1...
I just found the solution for this problem... I changed the user configuration from "route-delay 2" to "route-delay 10" and OpenVPN can successfully access the OpenVPN server and can also ping the LAN.
float
port 81
dev-node vpn
proto udp
remote 10.10.100.223 81
ping 30
persist-tun
persist-key
tls-client
ca ca.crt
cert 21.crt
key 21.key
ns-cert-type server
cipher BF-CBC
route-method exe
route-delay 10
pull
verb 4
Any info regarding this issue: why can some clients connect successfully without any problem while some clients need the configuration changed as above? Need feedback from the experts..
Thanks…
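
Added example, not part of the thread: the client logs above end with "Initialization Sequence Completed" even when both `route ADD` calls failed, so this Python script pairs each `route ADD` with a following failure line and uses a longest-prefix match over the routing table printed in the same post to show which gateway those destinations fall back to. The function names and the embedded samples are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample: log lines copied from the client log quoted in the thread.
SAMPLE_LOG = """\
Mon May 21 09:34:14 2007 us=47002 route ADD 10.20.20.0 MASK 255.255.255.0 10.20.2.9
The route addition failed: The parameter is incorrect.
Mon May 21 09:34:14 2007 us=110468 route ADD 10.20.2.1 MASK 255.255.255.255 10.20.2.9
The route addition failed: The parameter is incorrect.
Mon May 21 09:34:14 2007 us=197036 Initialization Sequence Completed
"""
# (destination, netmask, gateway): subset of the SYSTEM ROUTING TABLE in that post.
SAMPLE_TABLE = [
    ("0.0.0.0", "0.0.0.0", "10.10.30.31"),
    ("10.10.0.0", "255.255.0.0", "10.10.100.19"),
    ("10.20.2.10", "255.255.255.255", "127.0.0.1"),
]
ROUTE_ADD = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")

def failed_routes(log_text):
    """Return (network, gateway) for each 'route ADD' directly followed by a failure."""
    failed, pending = [], None
    for line in log_text.splitlines():
        match = ROUTE_ADD.search(line)
        if match:
            dest, mask, gateway = match.groups()
            pending = (ipaddress.ip_network(f"{dest}/{mask}"), gateway)
            continue
        if pending and "route addition failed" in line:
            failed.append(pending)
        pending = None
    return failed

def next_hop(table, address):
    """Longest-prefix match over the table: the gateway actually used for address."""
    nets = [(ipaddress.ip_network(f"{d}/{m}"), gw) for d, m, gw in table]
    hits = [(net, gw) for net, gw in nets if address in net]
    return max(hits, key=lambda hit: hit[0].prefixlen)[1] if hits else None

def misrouted(log_text, table):
    """List (network, intended VPN gateway, gateway the table really selects)."""
    report = []
    for net, vpn_gw in failed_routes(log_text):
        actual = next_hop(table, next(iter(net.hosts()), net.network_address))
        if actual != vpn_gw:
            report.append((str(net), vpn_gw, actual))
    return report

if __name__ == "__main__":
    print(misrouted(SAMPLE_LOG, SAMPLE_TABLE))
```

With the sample from the thread, both pushed routes resolve to the default gateway 10.10.30.31 on the physical NIC rather than the tunnel peer 10.20.2.9.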