RE: OpenVPN No Routes



  • A quick question,

    I have pfSense set up and working; however, it seems as though OpenVPN isn't doing the correct routing. Clients can connect from the WAN and get issued a 10.10.8.0 address as they should be. However, they can't get on the LAN (192.168.10.0/24) or ping the DHCP lease issuer. I think that a route just needs to be pushed, but shouldn't it do this automatically?



  • Did you fill in the field "Local network"?
    Doing so adds a push route to your local network.



  • Yes, there is a field for the local network. Are there routes that need to be added to the other machines to make this work?



  • Show your log from openvpn created while connecting…



  • I am having the same issue. I can connect via the WAN, but the local network (192.168.2.0) is not accessible.

    I have tried setting the local network field to "192.168.2.0/24" and have also tried the custom option push "route 192.168.2.0 255.255.255.0". Neither work.

    Ideas?



  • Ech
    Again…
    Show your log from openvpn client created while connecting...



  • Thu May 31 09:22:33 2007 us=96692 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Thu May 31 09:22:33 2007 us=96822 WARNING: --ping should normally be used with --ping-restart or --ping-exit
    Thu May 31 09:22:33 2007 us=98080 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Thu May 31 09:22:33 2007 us=99407 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Thu May 31 09:22:33 2007 us=99456 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Thu May 31 09:22:33 2007 us=115754 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Thu May 31 09:22:33 2007 us=115811 Local Options hash (VER=V4): 'db02a8f8'
    Thu May 31 09:22:33 2007 us=115834 Expected Remote Options hash (VER=V4): '7e068940'
    Thu May 31 09:22:33 2007 us=115877 Attempting to establish TCP connection with [BLANKED OUT IP]:1194
    Thu May 31 09:22:33 2007 us=158952 TCP connection established with [BLANKED OUT IP]:1194
    Thu May 31 09:22:33 2007 us=159002 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu May 31 09:22:33 2007 us=159024 TCPv4_CLIENT link local: [undef]
    Thu May 31 09:22:33 2007 us=159037 TCPv4_CLIENT link remote: [BLANKED OUT IP]:1194
    Thu May 31 09:22:33 2007 us=202881 TLS: Initial packet from [BLANKED OUT IP]:1194, sid=61e532cb 4ad6370b
    Thu May 31 09:22:33 2007 us=740111 VERIFY OK: depth=1, /CN=[BLANKED OUT IP]
    Thu May 31 09:22:33 2007 us=740659 VERIFY OK: nsCertType=SERVER
    Thu May 31 09:22:33 2007 us=740673 VERIFY OK: depth=0, /CN=server
    Thu May 31 09:22:34 2007 us=957708 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu May 31 09:22:34 2007 us=957747 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu May 31 09:22:34 2007 us=957804 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu May 31 09:22:34 2007 us=957822 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu May 31 09:22:34 2007 us=963233 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu May 31 09:22:34 2007 us=963279 [server] Peer Connection Initiated with [BLANKED OUT IP]:1194
    Thu May 31 09:22:36 2007 us=23934 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu May 31 09:22:36 2007 us=271259 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 192.168.202.1,ping 10,ping-restart 60,ifconfig 192.168.202.6 192.168.202.5'
    Thu May 31 09:22:36 2007 us=271342 OPTIONS IMPORT: timers and/or timeouts modified
    Thu May 31 09:22:36 2007 us=271356 OPTIONS IMPORT: --ifconfig/up options modified
    Thu May 31 09:22:36 2007 us=271367 OPTIONS IMPORT: route options modified
    Thu May 31 09:22:36 2007 us=283378 TAP-WIN32 device [ovpn] opened: \\.\Global\{37770301-DA97-4ADC-9EE4-957D639CFFF2}.tap
    Thu May 31 09:22:36 2007 us=284748 TAP-Win32 Driver Version 8.4
    Thu May 31 09:22:36 2007 us=285849 TAP-Win32 MTU=1500
    Thu May 31 09:22:36 2007 us=286940 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.202.6/255.255.255.252 on interface {37770301-DA97-4ADC-9EE4-957D639CFFF2} [DHCP-serv: 192.168.202.5, lease-time: 31536000]
    Thu May 31 09:22:36 2007 us=289345 Successful ARP Flush on interface [3] {37770301-DA97-4ADC-9EE4-957D639CFFF2}
    Thu May 31 09:22:38 2007 us=353122 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Thu May 31 09:22:38 2007 us=353152 Route: Waiting for TUN/TAP interface to come up…
    Thu May 31 09:22:40 2007 us=431489 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Thu May 31 09:22:40 2007 us=431519 Route: Waiting for TUN/TAP interface to come up...
    Thu May 31 09:22:41 2007 us=494085 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Thu May 31 09:22:41 2007 us=494122 route ADD 192.168.2.0 MASK 255.255.255.0 192.168.202.5
    Thu May 31 09:22:41 2007 us=572620 route ADD 192.168.202.1 MASK 255.255.255.255 192.168.202.5
    Thu May 31 09:22:41 2007 us=638049 Initialization Sequence Completed



  • I should note that clients can ping the pfsense machine (in 192.168.2.0 subnet) but nothing else in it. I am new to this but I find it odd…



  • I was having the same problem with my setup.
    What I found was wrong was that I had the remote subnet too close to the local subnet.
    Try setting an extremely different subnet, like remote 10.3.2.1 and whatever your local is (example 10.1.0.0).
    That did the trick for me. Also, do not insert a subnet in the local network field;
    just use
    dhcp-option DNS x.x.x.x

    That is what I did and it works well for me.
    Chase



  • It is still not working.

    The x.x.x.x in your post, is that my lan, i.e. 192.168.2.0?

    My clients have their gateway set to my pfsense machine.

    Any other ideas?



  • @fumes87:

    It is still not working.

    The x.x.x.x in your post, is that my lan, i.e. 192.168.2.0?

    My clients have their gateway set to my pfsense machine.

    Any other ideas?

    I think you should use the LAN IP of your pfSense if that does your DHCP licensing.
    Otherwise it should be the DNS server on your local network. I'm not sure.



  • I got it to work without using the dhcp-option setting (just the push). To test, I was pinging a Vista machine on my LAN and, well, it isn't working. The XP machines are fine.

    Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine?



  • @fumes87:

    Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine?

    Appropriate routing configured on whatever device is their default gateway.
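
The two halves of the problem in this thread can be walked through in code: the client log above shows the pushed routes arriving (forward path), and the last reply points at the return path, which depends on what the LAN host's default gateway does with traffic for the tunnel network. The block below is an added example, not code from the thread or from pfSense/OpenVPN. It reuses the PUSH_REPLY line from the posted log verbatim; the pfSense LAN address (192.168.2.1), the LAN host (192.168.2.10) and the second router (192.168.2.254) are assumptions constructed for illustration, and the net30 point-to-point link is modelled as the log shows it.

```python
"""Walk both halves of the path between an OpenVPN client and a LAN host,
using the PUSH_REPLY line from the client log posted in the thread.
Added example; pfSense's LAN address, the LAN host and the second router
are assumptions, not values from the thread."""
import ipaddress
import re

# Copied verbatim from the client log posted in the thread.
PUSH_LINE = ("Thu May 31 09:22:36 2007 us=271259 PUSH: Received control message: "
             "'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 192.168.202.1,"
             "ping 10,ping-restart 60,ifconfig 192.168.202.6 192.168.202.5'")

LAN = ipaddress.IPv4Network("192.168.2.0/24")        # the LAN named in the thread
TUNNEL = ipaddress.IPv4Network("192.168.202.0/24")   # tunnel pool implied by the ifconfig push
PFSENSE_LAN = ipaddress.IPv4Address("192.168.2.1")   # assumption: pfSense's LAN address
OTHER_GW = ipaddress.IPv4Address("192.168.2.254")    # constructed: a non-pfSense LAN router
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")


def parse_push_reply(line):
    """Pull route, ifconfig and dhcp-option DNS options out of an OpenVPN 2.x PUSH_REPLY log line."""
    m = re.search(r"PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("line carries no PUSH_REPLY")
    out = {"routes": [], "ifconfig": None, "dns": []}
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route":
            # "route NET [MASK]": a bare address is a host route (/32), as the second pushed route is
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            out["routes"].append(ipaddress.IPv4Network(f"{parts[1]}/{mask}", strict=False))
        elif parts[0] == "ifconfig":
            out["ifconfig"] = (ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2]))
        elif parts[0] == "dhcp-option" and len(parts) > 2 and parts[1] == "DNS":
            out["dns"].append(ipaddress.IPv4Address(parts[2]))
    return out


def next_hop(table, dst):
    """Longest-prefix match over [(network, gateway)]; gateway None means on-link.
    Returns the chosen gateway, or None when nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def client_table(push_line):
    """Rebuild the client's routes the way the log shows OpenVPN adding them:
    the net30 point-to-point link is on-link, every pushed route goes via the peer."""
    push = parse_push_reply(push_line)
    local, peer = push["ifconfig"]
    table = [(ipaddress.IPv4Network(f"{local}/30", strict=False), None)]
    table += [(net, peer) for net in push["routes"]]
    return table, local, peer


def forward_ok(push_line, host):
    """Forward half: does a pushed route carry traffic for `host` into the tunnel?"""
    table, _, peer = client_table(push_line)
    return next_hop(table, host) == peer


def return_ok(push_line, host_gw, gw_routes=()):
    """Return half: the LAN host knows only its own subnet and a default gateway.
    If that gateway is pfSense the reply comes straight back; otherwise the
    gateway itself needs a route for the tunnel network pointing at pfSense."""
    _, client_ip, _ = client_table(push_line)
    hop = next_hop([(LAN, None), (DEFAULT, host_gw)], client_ip)
    if hop == PFSENSE_LAN:
        return True
    # the reply landed on another router: only its static routes can bring it back
    return next_hop([(LAN, None), *gw_routes], client_ip) == PFSENSE_LAN


def subnets_overlap(tunnel, lan):
    """The earlier reply's point: the tunnel range and the LAN range must not overlap."""
    return ipaddress.IPv4Network(tunnel).overlaps(ipaddress.IPv4Network(lan))


if __name__ == "__main__":
    print("client -> LAN host:", forward_ok(PUSH_LINE, "192.168.2.10"))
    print("reply, host gateway = pfSense:", return_ok(PUSH_LINE, PFSENSE_LAN))
    print("reply, host gateway = other router:", return_ok(PUSH_LINE, OTHER_GW))
    print("reply, other router routes the tunnel net to pfSense:",
          return_ok(PUSH_LINE, OTHER_GW, [(TUNNEL, PFSENSE_LAN)]))
```

Run stand-alone, the forward check succeeds (the 192.168.2.0/24 route was pushed, exactly as the log shows), the return check succeeds only when the host's default gateway is pfSense or when the other router carries a static route for 192.168.202.0/24 via pfSense's LAN address. That is the asymmetric-routing case behind "can ping pfSense but nothing else": pfSense answers because the reply never leaves it, while every other host sends its reply to a gateway that has never heard of the tunnel network.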

