OpenVPN client connects to PFsense, does not route
-
This is my client config:
dev tun
persist-tun
persist-key
proto udp
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x 444
tls-remote "user"
auth-user-pass
pkcs12 satlink-udp-444.p12
tls-auth satlink-udp-444-tls.key 1
comp-lzo

That was exported from the export tab. On PF, it's configured for remote access SSL/TLS+auth, UDP, TUN
Tunnel network is set to 10.10.213.0/24
Local network is 192.168.1.0/24 (this is my LAN I'm trying to get to behind PF sense from the road)
Provide virtual IP is checked.

My route print statement is as follows (I erased the "real" ones so they are not included):
Network Destination Netmask Gateway Interface Metric
10.10.213.1 255.255.255.255 10.10.213.5 10.10.213.6 30
10.10.213.4 255.255.255.252 On-link 10.10.213.6 286
10.10.213.6 255.255.255.255 On-link 10.10.213.6 286
10.10.213.7 255.255.255.255 On-link 10.10.213.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 10.10.213.5 10.10.213.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link x.x.x.x. 266
224.0.0.0 240.0.0.0 On-link 10.10.213.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link x,x,x,x 266
255.255.255.255 255.255.255.255 On-link 10.10.213.6 286

It doesn't make sense which seems like I messed a config up somewhere.
Here are the PFsense routes of relevance:
10.10.213.1 link#12 UHS 0 0 16384 lo0 =>
10.10.213.1/32 link#12 U 0 0 1500 ovpns1
192.168.1.0/24 link#1 U 0 10158163 1500 vr0
192.168.1.1 link#1 UHS 0 172 16384 lo0

So yes, I can see something's off, but I don't know how to fix it.
There should be a route on PF to 10.10.213.0/24 via ovpns1, but I don't see that
On the windows client side, there should only be a route to 192.168.1.0/24 via 10.10.213.5, not those other 3

Anyhow. HELP! :'(
I am used to running TAP, but I gave up since no one uses that and could not help me. This seemed good because I got it to finally connect, but now it doesn't route anywhere.
thanks
-
Oh, I forgot to mention. I can't ping anything from anywhere. I can only ping my own assigned IP address from the VPN (10.10.213.6)
-
what version of pfsense are you running ?
please post screenshots of the configuration & firewall rules + screenshot of pfsense's routing table + screenshot of windows client routing table

also note that if your remote client's lan subnet is the same as the lan behind pfsense, then routing will fail
-
Sorry, this one i had to recreate:
Windows
Network Destination Netmask Gateway Interface Metric
10.10.213.1 255.255.255.255 10.10.213.5 10.10.213.6 30
10.10.213.4 255.255.255.252 On-link 10.10.213.6 286
10.10.213.6 255.255.255.255 On-link 10.10.213.6 286
10.10.213.7 255.255.255.255 On-link 10.10.213.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 10.10.213.5 10.10.213.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link x.x.x.x. 266
224.0.0.0 240.0.0.0 On-link 10.10.213.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link x,x,x,x 266
255.255.255.255 255.255.255.255 On-link 10.10.213.6 286
–--------------------------------------------
Remote side is on a routeable address at work so not the same as my LAN.
PFsense 2.0.1 on Alix 2d13, 4gb CF card
-
i find it odd that your pfsense server address of the tunnel network = 10.10.213.5
in my experience, the pfsense server tunnel interface would always try to bind to 10.10.213.1, being the first address available in the specified subnet.
could you check that the tunnel interface address is indeed 10.10.213.5 (status -> openvpn)

did you perhaps assign an interface to the openvpn instance? if so, did you provide a static ip address there ? If so, set type to 'none' and try again
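
Added example, not part of the original thread: a Python check of a client route table, assuming the tunnel uses OpenVPN's net30 topology (the thread does not state the topology), where each client gets its own /30 and routes via the other host address in that block. It also tests the LAN overlap case mentioned earlier in the thread. The function names are hypothetical, and the sample rows are constructed from the posted route print.

```python
import ipaddress

# Constructed sample: rows taken from the route print posted in the thread.
ROUTE_PRINT = """\
10.10.213.1 255.255.255.255 10.10.213.5 10.10.213.6 30
10.10.213.4 255.255.255.252 On-link 10.10.213.6 286
10.10.213.6 255.255.255.255 On-link 10.10.213.6 286
192.168.1.0 255.255.255.0 10.10.213.5 10.10.213.6 30
224.0.0.0 240.0.0.0 On-link x.x.x.x 266
"""

def net30_peer(client_ip):
    """Return (block, peer) for the /30 that holds client_ip under net30."""
    iface = ipaddress.ip_interface(f"{client_ip}/30")
    hosts = list(iface.network.hosts())      # the two usable addresses
    if iface.ip not in hosts:
        raise ValueError(f"{client_ip} is a /30 network or broadcast address")
    peer = hosts[0] if iface.ip == hosts[1] else hosts[1]
    return iface.network, peer

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows; skip redacted rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            iface = ipaddress.ip_address(parts[3])
        except ValueError:
            continue                          # e.g. x.x.x.x placeholders
        routes.append((net, parts[2], iface))
    return routes

def check_client(text, client_ip, remote_lan, client_lan):
    """Return a list of problems; an empty list means routing looks sane."""
    block, peer = net30_peer(client_ip)
    remote = ipaddress.ip_network(remote_lan)
    routes = parse_routes(text)
    problems = []
    if not any(net == block and gw == "On-link" for net, gw, _ in routes):
        problems.append(f"no on-link route for tunnel block {block}")
    if not any(net == remote and gw == str(peer) for net, gw, _ in routes):
        problems.append(f"no route to {remote} via tunnel peer {peer}")
    if remote.overlaps(ipaddress.ip_network(client_lan)):
        problems.append(f"client LAN {client_lan} overlaps remote LAN {remote}")
    return problems
```

Calling `check_client(ROUTE_PRINT, "10.10.213.6", "192.168.1.0/24", "198.51.100.0/24")` uses a constructed client LAN, since the thread does not give the real one.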
-
Well, this is the weirdest thing. I go and try it today and it works like nothing was ever wrong. I did reboot PFsense a thousand times this weekend trying to get Dansguardian to work and also rebooted my work machine.
Anyhow, I'm still going to post what you asked because it is binding on a weird IP. This may or may not help someone else so what the heck: