OpenVPN client connects to PFsense, does not route



  • This is my client config:
    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 444
    tls-remote "user"
    auth-user-pass
    pkcs12 satlink-udp-444.p12
    tls-auth satlink-udp-444-tls.key 1
    comp-lzo

    That was exported from the export tab. On PF, it's configured for remote access SSL/TLS+auth, UDP, TUN
    Tunnel network is set to 10.10.213.0/24
    Local network is 192.168.1.0/24 (this is my LAN i'm trying to get to behind PF sense from the road)
    Provide virtual IP is checked.

    My route print output is as follows (I erased the "real" ones so they are not included):

    Network Destination        Netmask          Gateway       Interface  Metric
            10.10.213.1  255.255.255.255      10.10.213.5     10.10.213.6      30
            10.10.213.4  255.255.255.252         On-link      10.10.213.6     286
            10.10.213.6  255.255.255.255         On-link      10.10.213.6     286
            10.10.213.7  255.255.255.255         On-link      10.10.213.6     286
              127.0.0.0        255.0.0.0         On-link        127.0.0.1     306
              127.0.0.1  255.255.255.255         On-link        127.0.0.1     306
        127.255.255.255  255.255.255.255         On-link        127.0.0.1     306
            192.168.1.0    255.255.255.0      10.10.213.5     10.10.213.6      30
              224.0.0.0        240.0.0.0         On-link        127.0.0.1     306
              224.0.0.0        240.0.0.0         On-link          x.x.x.x     266
              224.0.0.0        240.0.0.0         On-link      10.10.213.6     286
        255.255.255.255  255.255.255.255         On-link        127.0.0.1     306
        255.255.255.255  255.255.255.255         On-link          x.x.x.x     266
        255.255.255.255  255.255.255.255         On-link      10.10.213.6     286

    It doesn't make sense, which seems like I messed a config up somewhere.

    Here are the pfSense routes of relevance:
    10.10.213.1       link#12   UHS   0   0          16384   lo0 =>
    10.10.213.1/32    link#12   U     0   0          1500    ovpns1
    192.168.1.0/24    link#1    U     0   10158163   1500    vr0
    192.168.1.1       link#1    UHS   0   172        16384   lo0

    So yes, I can see something's off, but I don't know how to fix it.

    There should be a route on PF to 10.10.213.0/24 via ovpns1, but I don't see that.
    On the Windows client side, there should only be a route to 192.168.1.0/24 via 10.10.213.5, not those other 3.

    Anyhow. HELP!  :'(

    I am used to running TAP, but I gave up since no one uses that and could not help me. This seemed good because I got it to finally connect, but now it doesn't route anywhere.

    thanks



  • Oh, I forgot to mention. I can't ping anything from anywhere. I can only ping my own assigned IP address from the VPN (10.10.213.6)



  • What version of pfSense are you running?
    Please post screenshots of the configuration & firewall rules, plus a screenshot of pfSense's routing table and a screenshot of the Windows client routing table.

    Also note that if your remote client's LAN subnet is the same as the LAN behind pfSense, then routing will fail.



  • Sorry, this one I had to recreate:

    Windows

    Network Destination        Netmask          Gateway       Interface  Metric
            10.10.213.1  255.255.255.255      10.10.213.5     10.10.213.6      30
            10.10.213.4  255.255.255.252         On-link      10.10.213.6     286
            10.10.213.6  255.255.255.255         On-link      10.10.213.6     286
            10.10.213.7  255.255.255.255         On-link      10.10.213.6     286
              127.0.0.0        255.0.0.0         On-link        127.0.0.1     306
              127.0.0.1  255.255.255.255         On-link        127.0.0.1     306
        127.255.255.255  255.255.255.255         On-link        127.0.0.1     306
            192.168.1.0    255.255.255.0      10.10.213.5     10.10.213.6      30
              224.0.0.0        240.0.0.0         On-link        127.0.0.1     306
              224.0.0.0        240.0.0.0         On-link          x.x.x.x     266
              224.0.0.0        240.0.0.0         On-link      10.10.213.6     286
        255.255.255.255  255.255.255.255         On-link        127.0.0.1     306
        255.255.255.255  255.255.255.255         On-link          x.x.x.x     266
        255.255.255.255  255.255.255.255         On-link      10.10.213.6     286
    ---------------------------------------------
    Remote side is on a routeable address at work, so not the same as my LAN.
    pfSense 2.0.1 on Alix 2d13, 4 GB CF card



  • I find it odd that your pfSense server address of the tunnel network = 10.10.213.5.

    In my experience, the pfSense server tunnel interface would always try to bind to 10.10.213.1, being the first address available in the specified subnet.
    Could you check that the tunnel interface address is indeed 10.10.213.5 (Status -> OpenVPN)?

    Did you perhaps assign an interface to the OpenVPN instance? If so, did you provide a static IP address there? If so, set type to 'none' and try again.
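The Windows routing table posted above and the question in the reply above about why the tunnel gateway is 10.10.213.5 rather than 10.10.213.1 both come down to how OpenVPN's net30 topology (the default for OpenVPN 2.x servers of that era, and what a /30 on-link route on the client indicates) hands out addresses: each client gets its own /30 out of the tunnel network, the client sits on the second host address and its point-to-point peer, the gateway it must use for everything pushed to it, is the first. The script below is an added example written for this thread, not code from the thread, from pfSense or from OpenVPN. It assumes net30 topology, the tunnel network 10.10.213.0/24 and the remote LAN 192.168.1.0/24 from the posts, and uses a constructed copy of the posted "route print" rows as input; it derives the expected peer address for a client, checks the parsed table for the routes a net30 client should hold, and flags the client-side LAN overlap that the earlier reply warns about.

```python
import ipaddress
import re

# Constructed sample input: the Windows "route print" rows posted in the thread
# (loopback, multicast and broadcast rows omitted). Not captured from a live host.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
         10.10.213.1  255.255.255.255      10.10.213.5     10.10.213.6     30
         10.10.213.4  255.255.255.252         On-link      10.10.213.6    286
         10.10.213.6  255.255.255.255         On-link      10.10.213.6    286
         10.10.213.7  255.255.255.255         On-link      10.10.213.6    286
         192.168.1.0    255.255.255.0      10.10.213.5     10.10.213.6     30
"""

# destination, netmask, gateway (address or "On-link"), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Parse the IPv4 rows of Windows 'route print' into dicts. Header and
    separator lines are skipped because they do not start with two addresses."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def net30_endpoints(tunnel_net, client_ip):
    """Assumes OpenVPN net30 topology: each client is handed a /30 carved out
    of the tunnel network, the client is the second host of that /30 and its
    point-to-point peer (the gateway it must use) is the first host.
    For 10.10.213.6 in 10.10.213.0/24 that is block 10.10.213.4/30, peer
    10.10.213.5. Returns (block, peer, client)."""
    net = ipaddress.ip_network(tunnel_net, strict=False)
    client = ipaddress.ip_address(client_ip)
    if client not in net:
        raise ValueError(f"{client} is not inside tunnel network {net}")
    block = ipaddress.ip_network(f"{client}/30", strict=False)
    peer, second = list(block.hosts())
    if client != second:
        raise ValueError(f"{client} is not the client slot of {block}")
    return block, peer, client


def check_client_routes(routes, tunnel_net, client_ip, remote_lans):
    """Map each route a net30 client should hold to whether it is present:
    its /30 on-link, the server's own tunnel address (first host of the
    tunnel network) via the peer, and every pushed remote LAN via the peer."""
    block, peer, _ = net30_endpoints(tunnel_net, client_ip)
    server_tun = next(ipaddress.ip_network(tunnel_net, strict=False).hosts())

    def present(net, gateway):
        return any(r["net"] == net and r["gateway"] == gateway for r in routes)

    expected = {
        f"{block} On-link": present(block, "On-link"),
        f"{server_tun}/32 via {peer}": present(
            ipaddress.ip_network(f"{server_tun}/32"), str(peer)
        ),
    }
    for lan in remote_lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        expected[f"{lan_net} via {peer}"] = present(lan_net, str(peer))
    return expected


def overlapping_networks(client_side_lans, remote_lans, tunnel_net):
    """Return (client_lan, conflicting_net) pairs. A client-side LAN that
    overlaps the remote LAN or the tunnel network is the condition the reply
    above says makes routing fail, so it is worth checking before anything else."""
    targets = [ipaddress.ip_network(n, strict=False)
               for n in list(remote_lans) + [tunnel_net]]
    conflicts = []
    for lan in client_side_lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        for target in targets:
            if lan_net.overlaps(target):
                conflicts.append((str(lan_net), str(target)))
    return conflicts


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    for name, ok in check_client_routes(
        routes, "10.10.213.0/24", "10.10.213.6", ["192.168.1.0/24"]
    ).items():
        print("OK     " if ok else "MISSING", name)
    print("overlaps:", overlapping_networks(
        ["192.168.1.0/24"], ["192.168.1.0/24"], "10.10.213.0/24"))
```

Run against the posted table, every expected entry is reported as present: the four 10.10.213.x rows are exactly what net30 installs for client .6 (the /30, the host address, the /30 broadcast, and the server's .1 via the .5 peer), so the table itself is not the reason traffic to 192.168.1.0/24 fails. Paste a real `route print` into ROUTE_PRINT to check another client, and feed the client's own LAN prefix to overlapping_networks to rule out the overlap case.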



  • Well, this is the weirdest thing. I go and try it today and it works like nothing was ever wrong. I did reboot pfSense a thousand times this weekend trying to get Dansguardian to work, and also rebooted my work machine.

    Anyhow, I'm still going to post what you asked, because it is binding on a weird IP. This may or may not help someone else, so what the heck:
