    RE: Open VPN No Routes

    • J
      jwelters last edited by

      A quick question,

      I have pfSense set up and working; however, it seems as though OpenVPN isn't doing the correct routing. Clients can connect from the WAN and get issued a 10.10.8.0 address as they should be. However, they can't get on the LAN (192.168.10.0/24) or ping the DHCP lease issuer. I think that a route just needs to be pushed, but shouldn't it do this automatically?

      1 Reply Last reply Reply Quote 0
      • GruensFroeschli
        GruensFroeschli last edited by

        Did you fill in the field "Local network"?
        Doing so adds a push route to your local network.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • J
          jwelters last edited by

          Yes, there is a field for the local network. Are there routes that need to be added to the other machines to make this work?

          1 Reply Last reply Reply Quote 0
          • B
            Bredys last edited by

            Show your log from openvpn created while connecting…

            1 Reply Last reply Reply Quote 0
            • F
              fumes87 last edited by

              I am having the same issue. Can connect via WAN but the local network (192.168.2.0) is not accessible.

              I have tried setting the local network field to "192.168.2.0/24" and have also tried the custom option push "route 192.168.2.0 255.255.255.0". Neither works.

              Ideas?

              1 Reply Last reply Reply Quote 0
              • B
                Bredys last edited by

                Ech
                Again…
                Show your log from openvpn client created while connecting...

                1 Reply Last reply Reply Quote 0
                • F
                  fumes87 last edited by

                  Thu May 31 09:22:33 2007 us=96692 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
                  Thu May 31 09:22:33 2007 us=96822 WARNING: --ping should normally be used with --ping-restart or --ping-exit
                  Thu May 31 09:22:33 2007 us=98080 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
                  Thu May 31 09:22:33 2007 us=99407 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
                  Thu May 31 09:22:33 2007 us=99456 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
                  Thu May 31 09:22:33 2007 us=115754 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
                  Thu May 31 09:22:33 2007 us=115811 Local Options hash (VER=V4): 'db02a8f8'
                  Thu May 31 09:22:33 2007 us=115834 Expected Remote Options hash (VER=V4): '7e068940'
                  Thu May 31 09:22:33 2007 us=115877 Attempting to establish TCP connection with [BLANKED OUT IP]:1194
                  Thu May 31 09:22:33 2007 us=158952 TCP connection established with [BLANKED OUT IP]:1194
                  Thu May 31 09:22:33 2007 us=159002 Socket Buffers: R=[8192->8192] S=[8192->8192]
                  Thu May 31 09:22:33 2007 us=159024 TCPv4_CLIENT link local: [undef]
                  Thu May 31 09:22:33 2007 us=159037 TCPv4_CLIENT link remote: [BLANKED OUT IP]:1194
                  Thu May 31 09:22:33 2007 us=202881 TLS: Initial packet from [BLANKED OUT IP]:1194, sid=61e532cb 4ad6370b
                  Thu May 31 09:22:33 2007 us=740111 VERIFY OK: depth=1, /CN=[BLANKED OUT IP]
                  Thu May 31 09:22:33 2007 us=740659 VERIFY OK: nsCertType=SERVER
                  Thu May 31 09:22:33 2007 us=740673 VERIFY OK: depth=0, /CN=server
                  Thu May 31 09:22:34 2007 us=957708 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
                  Thu May 31 09:22:34 2007 us=957747 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                  Thu May 31 09:22:34 2007 us=957804 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
                  Thu May 31 09:22:34 2007 us=957822 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                  Thu May 31 09:22:34 2007 us=963233 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
                  Thu May 31 09:22:34 2007 us=963279 [server] Peer Connection Initiated with [BLANKED OUT IP]:1194
                  Thu May 31 09:22:36 2007 us=23934 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
                  Thu May 31 09:22:36 2007 us=271259 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 192.168.202.1,ping 10,ping-restart 60,ifconfig 192.168.202.6 192.168.202.5'
                  Thu May 31 09:22:36 2007 us=271342 OPTIONS IMPORT: timers and/or timeouts modified
                  Thu May 31 09:22:36 2007 us=271356 OPTIONS IMPORT: --ifconfig/up options modified
                  Thu May 31 09:22:36 2007 us=271367 OPTIONS IMPORT: route options modified
                  Thu May 31 09:22:36 2007 us=283378 TAP-WIN32 device [ovpn] opened: \\.\Global\{37770301-DA97-4ADC-9EE4-957D639CFFF2}.tap
                  Thu May 31 09:22:36 2007 us=284748 TAP-Win32 Driver Version 8.4
                  Thu May 31 09:22:36 2007 us=285849 TAP-Win32 MTU=1500
                  Thu May 31 09:22:36 2007 us=286940 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.202.6/255.255.255.252 on interface {37770301-DA97-4ADC-9EE4-957D639CFFF2} [DHCP-serv: 192.168.202.5, lease-time: 31536000]
                  Thu May 31 09:22:36 2007 us=289345 Successful ARP Flush on interface [3] {37770301-DA97-4ADC-9EE4-957D639CFFF2}
                  Thu May 31 09:22:38 2007 us=353122 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                  Thu May 31 09:22:38 2007 us=353152 Route: Waiting for TUN/TAP interface to come up...
                  Thu May 31 09:22:40 2007 us=431489 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
                  Thu May 31 09:22:40 2007 us=431519 Route: Waiting for TUN/TAP interface to come up...
                  Thu May 31 09:22:41 2007 us=494085 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
                  Thu May 31 09:22:41 2007 us=494122 route ADD 192.168.2.0 MASK 255.255.255.0 192.168.202.5
                  Thu May 31 09:22:41 2007 us=572620 route ADD 192.168.202.1 MASK 255.255.255.255 192.168.202.5
                  Thu May 31 09:22:41 2007 us=638049 Initialization Sequence Completed

                  1 Reply Last reply Reply Quote 0
                  • F
                    fumes87 last edited by

                    I should note that clients can ping the pfsense machine (in 192.168.2.0 subnet) but nothing else in it. I am new to this but I find it odd…

                    1 Reply Last reply Reply Quote 0
                    • C
                      chazers18 last edited by

                      I was having the same problem with my setup.
                      What I found was wrong was that I had the remote subnet too close to the local subnet.
                      Try to set an extremely different subnet, like remote 10.3.2.1 and whatever your local is (example 10.1.0.0).
                      That did the trick for me. Also, do not insert a subnet in the local network field;
                      just use the
                      dhcp-option DNS x.x.x.x

                      That is what I did and it works well for me.
                      Chase

                      1 Reply Last reply Reply Quote 0
                      • F
                        fumes87 last edited by

                        It is still not working.

                        The x.x.x.x in your post, is that my lan, i.e. 192.168.2.0?

                        My clients have their gateway set to my pfsense machine.

                        Any other ideas?

                        1 Reply Last reply Reply Quote 0
                        • C
                          chazers18 last edited by

                          @fumes87:

                          It is still not working.

                          The x.x.x.x in your post, is that my lan, i.e. 192.168.2.0?

                          My clients have their gateway set to my pfsense machine.

                          Any other ideas?

                          I think you should use the LAN IP of your pfSense if that does your DHCP licensing.
                          Otherwise it should be the DNS server on your local network. Not for sure.

                          1 Reply Last reply Reply Quote 0
                          • F
                            fumes87 last edited by

                            I got it to work without using the dhcp-option setting (just the push). To test, I was pinging a Vista machine on my LAN and, well, it isn't working. The XP machines are fine.

                            Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine?

                            1 Reply Last reply Reply Quote 0
                            • C
                              cmb last edited by

                              @fumes87:

                              Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine?

                              Appropriate routing configured on whatever device is their default gateway.

                              1 Reply Last reply Reply Quote 0
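
A way to check the client half of this problem from the log posted earlier in the thread, as an added example that is not part of any post here: it parses the `PUSH_REPLY` line, confirms a pushed route covers the LAN, and confirms each pushed route was installed through the tunnel endpoint. The function names are hypothetical, and the sample input is an excerpt of that log with timestamps trimmed.

```python
import ipaddress
import re

# Excerpt of the client log posted earlier in this thread (timestamps trimmed).
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 192.168.202.1,ping 10,ping-restart 60,ifconfig 192.168.202.6 192.168.202.5'
route ADD 192.168.2.0 MASK 255.255.255.0 192.168.202.5
route ADD 192.168.202.1 MASK 255.255.255.255 192.168.202.5
"""

def pushed_routes(log):
    """Return (networks, tunnel_gateway) parsed from the PUSH_REPLY line."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", log)
    routes, gateway = [], None
    for option in (match.group(1).split(",") if match else []):
        parts = option.split()
        if parts[:1] == ["route"] and len(parts) >= 2:
            # A pushed route without a netmask is a host route.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        elif parts[:1] == ["ifconfig"] and len(parts) == 3:
            gateway = ipaddress.ip_address(parts[2])  # remote tunnel endpoint
    return routes, gateway

def installed_routes(log):
    """Map network -> gateway from Windows 'route ADD <net> MASK <mask> <gw>' lines."""
    found = re.findall(r"route ADD (\S+) MASK (\S+) (\S+)", log)
    return {ipaddress.ip_network(f"{n}/{m}", strict=False): ipaddress.ip_address(g)
            for n, m, g in found}

def diagnose(log, lan_cidr):
    """List client-side routing problems; an empty list means none were found."""
    lan = ipaddress.ip_network(lan_cidr)
    routes, gateway = pushed_routes(log)
    installed = installed_routes(log)
    findings = []
    if not any(lan.subnet_of(r) for r in routes):
        findings.append(f"no pushed route covers {lan}")
    for r in routes:
        if r not in installed:
            findings.append(f"pushed route {r} was not installed")
        elif gateway and installed[r] != gateway:
            findings.append(f"route {r} uses {installed[r]}, expected {gateway}")
    if gateway and gateway in lan:
        findings.append(f"tunnel endpoint {gateway} lies inside the LAN {lan}")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.2.0/24") or "client-side routes look correct")
```

An empty result means the client has the route it needs, which leaves the return path on the LAN side: hosts whose default gateway is not the pfSense machine need a route back to the tunnel network on that gateway.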