OpenVPN client connects but can only see 3 clients out of 50



  • I managed to configure OpenVPN on pfSense and was able to connect, but I can only see (ping) 3 clients out of 50 in the office network! Also, I'm unable to connect to the internet?

    Here's my config file.

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote 95.0.x.x 1194
    tls-remote vpnnew.mydomain.com
    pkcs12 pfsens-udp-1194.p12
    tls-auth pfsens-udp-1194-tls.key 1
    comp-lzo

    Any help is much appreciated.



  • Probably the other 47 have Windows Firewall enabled ;)



  • @heper:

    Probably the other 47 have Windows Firewall enabled ;)

    Not really, I have all their firewalls disabled. Just one thing I would like to mention is that I also have OpenVPN on an Untangle firewall and the same issue happens, but the 3 IPs that I have access to are different from the ones with pfSense. The config file is different as well.

    #AUTOGENERATED BY UNTANGLE DO NOT MODIFY
    # OpenVPN(v2.0) configuration script

    client
    proto udp
    resolv-retry 20
    keepalive 10 120
    cipher AES-128-CBC
    nobind
    mute-replay-warnings
    ns-cert-type server
    comp-lzo
    verb 2
    persist-key
    persist-tun
    verb 1
    tls-exit
    dev tun0
    cert untangle-vpn/mycert.crt
    key untangle-vpn/mykey.key
    ca untangle-vpn/myca.crt
    remote 212.x.x.x 1194

    The remote network and my network subnet are the same, but after I connected with 3G I also had the same issue! So it has to do with something else?

    I tried connecting using Guizmo OpenVPN on iPhone and pinging IPs on the network using the app "Net Master", but also had the same results!

    This is very frustrating! Does anyone have any idea why this is happening?

    Thanks
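Both client profiles posted in this thread carry directives a reviewer would flag today (BF-CBC, tls-remote, ns-cert-type, comp-lzo, a duplicated verb). The following linter is an added example, not part of the thread or of the pfSense/Untangle exports; the profile excerpts are constructed from the lines posted above and keep the poster's own placeholder addresses.

```python
from typing import List, Tuple

# Constructed samples: the directives that matter from the two client
# profiles posted above (pfSense export, Untangle export), placeholders kept.
PFSENSE_PROFILE = """\
cipher BF-CBC
remote 95.0.x.x 1194
tls-remote vpnnew.mydomain.com
comp-lzo
"""
UNTANGLE_PROFILE = """\
cipher AES-128-CBC
ns-cert-type server
comp-lzo
verb 2
verb 1
remote 212.x.x.x 1194
"""

def parse_ovpn(text: str) -> List[Tuple[str, List[str]]]:
    """Split a profile into (directive, args) pairs; '#' and ';' start comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            pairs.append((name, args))
    return pairs

def lint_ovpn(text: str) -> List[str]:
    """Report directives that weaken the tunnel or that current OpenVPN releases reject."""
    pairs = parse_ovpn(text)
    names = [n for n, _ in pairs]
    findings = []
    for name, args in pairs:
        if name == "cipher" and args and args[0].upper() == "BF-CBC":
            findings.append("cipher BF-CBC: 64-bit block cipher (SWEET32); use AES-256-GCM")
        elif name == "tls-remote":
            findings.append("tls-remote: removed in OpenVPN 2.5; use verify-x509-name")
        elif name == "ns-cert-type":
            findings.append("ns-cert-type: removed in OpenVPN 2.5; use remote-cert-tls server")
        elif name == "comp-lzo":
            findings.append("comp-lzo: compression inside the tunnel (VORACLE); drop it")
    # Without one of these, any certificate signed by the CA is accepted as the server.
    if not {"remote-cert-tls", "verify-x509-name", "tls-remote", "ns-cert-type"} & set(names):
        findings.append("no server identity check: add remote-cert-tls server")
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{dup}: set {names.count(dup)} times; the last occurrence wins")
    return findings
```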



  • It cannot work if the remote and local networks are the same unless you go for a bridge setup.
    Most people just try to change the subnets.



  • @heper:

    It cannot work if the remote and local networks are the same unless you go for a bridge setup.
    Most people just try to change the subnets.

    What about 3G? I also mentioned that I tried it on a 3G network, which has a different subnet, and the exact same issue happens, so it must be something else?



  • Did you set the correct firewall rules on the OpenVPN tab so that all clients have access from their own "subnet" to the other clients?
    Did you enable on the OpenVPN server that the clients are allowed to communicate with each other?
    Did you set up enough IP address space for all clients to connect to the server? 50 clients means at least 200 IP addresses if all should be able to connect at the same time.
    Can you ping all OpenVPN clients from the pfSense router GUI?
    Can all clients ping the pfSense router?
    Did you run the OpenVPN client as administrator on Windows Vista/7 machines so they can set the routes?



  • @Nachtfalke:

    1- Did you set the correct firewall rules on the OpenVPN tab so that all clients have access from their own "subnet" to the other clients?
    What are the correct rules that need to be set there? I have just enabled one rule to allow all traffic from source to destination in OpenVPN.

    2- Did you enable on the OpenVPN server that the clients are allowed to communicate with each other?
    Yes I did, same result.

    3- Did you set up enough IP address space for all clients to connect to the server? 50 clients means at least 200 IP addresses if all should be able to connect at the same time.
    I'm assuming you're speaking about this option: "Specify the maximum number of clients allowed to concurrently connect to this server". I set up 200 concurrent connections at the moment!

    4- Can you ping all OpenVPN clients from the pfSense router GUI?
    I didn't catch you? What do you mean, all OpenVPN clients? This is an office network that I'm trying to connect to! It's not OpenVPN clients. Please could you explain more?

    5- Can all clients ping the pfSense router?
    Yes, all of them can ping.

    6- Did you run the OpenVPN client as administrator on Windows Vista/7 machines so they can set the routes?

    Yes, it's run as Administrator, and btw it's just one OpenVPN client that I'm using at the moment, but I'm unable to connect to all computers in my office's LAN, only 3 as I mentioned.

    Hi Nachtfalke.



  • OK, I noticed something now! Of the 3 IPs which I can connect to, 2 are machines that have a 1:1 static NAT rule and the third IP is the local IP of the pfSense firewall in my office network.

    What would that mean? Do I have to add all the IPs in my office network to the 1:1 list?



  • You don't need any 1:1 … something is probably really wrong somewhere.
    Nobody can find out without screenshots of firewall rules on the relevant interface, routing tables, traceroutes, ....

    The more info you supply, the easier it is for the other forum members to find out what's going wrong.



  • @moh10ly
    Perhaps I misunderstood something.

    Do you have a site-to-site VPN between two pfSense routers and behind both pfSense routers there is a different subnet with many clients which should talk to each other?
    Or do you only have one pfSense router with the OpenVPN server running and many clients want to connect to this one OpenVPN server?

    What I mean with ping from the pfSense GUI is:
    Go to the pfSense GUI, Diagnostics, and then ping your clients.

    The option "Specify the maximum number of clients allowed to concurrently connect to this server" is just important if you have many clients which should be able to connect to the OpenVPN server, but is not important if you have a site-to-site VPN. Site-to-site needs just a value of "1".

    But what I talked about is the IP address space for all the OpenVPN clients. For a site-to-site VPN the tunnel network just needs a subnet with /30, but if many clients connect to the server every client needs a subnet of /30.
    A /30 subnet contains 4 IP addresses, so assuming you have 50 clients which should connect to the server you need 50*4 IP addresses so that every client can connect.

    So the best thing would be that you explain exactly what you want to realize and then post a screenshot of your OpenVPN server config (GUI) and your firewall rules on the OpenVPN tab. :)



  • @Nachtfalke :D
    I figured it out. Basically I have one pfSense at work with OpenVPN set up, and in the office network there are 50 virtual servers! I want to be able to connect to these servers as if I'm there in the office, so it's client-to-VPN, not site-to-site.

    After I changed one of the virtual servers' gateway to pfSense's local IP, the VPN client could see that virtual server and ping it and connect to it.

    I would like to know if I have to change all the other virtual servers' gateway IP to point to pfSense in order for the OpenVPN client to see those virtual servers?

    Please advise.
    Thanks



  • Second update on the issue: I have added the following route commands to those machines and it seems to solve the issue! I don't need to change the gateway of the machine for the OpenVPN client to see it anymore.

    netsh interface ipv4 add route 192.168.0.0/24 "Local Area Connection" 192.168.1.40
    netsh interface ipv4 add route 172.16.0.0/16 "Local Area Connection" 192.168.1.40

    Still, there is only this one particular IP (device) that I need, which is actually a VoIP gateway, but it wouldn't work! I have added a static route to this GW but still wasn't able to connect to it.



  • For normal operation it is customary to set it as the gateway on your LAN clients (unless you have a good reason not to).
    The problem you experienced is because there was no route out for the LAN clients. Adding a static route does work, but you might get other similar problems in the future with other subnets.
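The return-path problem heper describes, as an added example that is not part of this thread: a LAN server whose default gateway is some other router sends its replies to a VPN client there, not to pfSense, so the tunnel never sees them. The routing table below is constructed; 192.168.1.1 as the other router is an assumption, and 192.168.1.40 is taken to be the pfSense LAN address used in the netsh commands above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: a Windows server's IPv4 routes in the office LAN, before
# and after the poster's fix. (prefix, gateway) with "on-link" for directly
# connected networks. Assumed: 192.168.1.1 is a different router, 192.168.1.40
# is the pfSense LAN address, and 192.168.0.0/24 and 172.16.0.0/16 are the
# networks reached through the OpenVPN tunnel.
BEFORE = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("192.168.1.0/24", "on-link"),
]
AFTER = BEFORE + [
    ("192.168.0.0/24", "192.168.1.40"),
    ("172.16.0.0/16", "192.168.1.40"),
]

def next_hop(table, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the (prefix, gateway) this host would use to reach dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None

def reply_reaches_vpn(table, vpn_client_ip: str, pfsense_lan_ip: str) -> bool:
    """True only if the reply to a VPN client is handed to pfSense, which owns the tunnel."""
    hop = next_hop(table, vpn_client_ip)
    return hop is not None and hop[1] == pfsense_lan_ip

def fix_commands(table, vpn_nets: List[str], pfsense_lan_ip: str, ifname: str) -> List[str]:
    """netsh lines, in the form used in the thread, for each VPN network still lacking a return route."""
    cmds = []
    for net in vpn_nets:
        probe = str(ipaddress.ip_network(net)[1])  # any address inside that network
        if not reply_reaches_vpn(table, probe, pfsense_lan_ip):
            cmds.append(f'netsh interface ipv4 add route {net} "{ifname}" {pfsense_lan_ip}')
    return cmds
```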



  • Yes heper, you're right; however, some servers have different routers for certain purposes. But anyway, now I got this working, but the only and main purpose which I wanted to have the VPN for is to register SIP clients on iPhone using the Bria app to our VoIP gateway (UX1000).

    Now, after setting up IP routing on the gateway, I can ping and connect to it and browse to the web configuration page, but SIP registration is not working, not even on the VPN client machine using the X-Lite or 3CX application.

    I tried to telnet to port 5060 (SIP register port) and I was able to connect to it, so I'm not sure why it wouldn't connect?

    Please could anyone advise where to look?
    Thanks



  • I found it… the problem is with the iPhone app "Bria": it has an option for use with VPN and by default this was disabled. After enabling it, everything works like magic :D

