Trying to get LAN access, can only ping myself
-
Hi,
Here is my conf:
Client Config:
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 109.6.229.83 1194
tls-remote Proxiel Server Cert
auth-user-pass
pkcs12 doberman-udp-1194.p12
tls-auth doberman-udp-1194-tls.key 1
comp-lzo
Server Settings:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.1
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 172.16.0.0 255.255.248.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
route 172.16.0.0 255.255.248.0
Firewall rules, OpenVPN tab:
Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
action:pass
interface: openvpn
IPv4 Table de routage
Itinéraires actifs :
Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.75 20
0.0.0.0 128.0.0.0 10.0.8.1 10.0.8.2 30
10.0.8.0 255.255.255.252 On-link 10.0.8.2 286
10.0.8.2 255.255.255.255 On-link 10.0.8.2 286
10.0.8.3 255.255.255.255 On-link 10.0.8.2 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.0.8.1 10.0.8.2 30
172.16.0.0 255.255.248.0 10.0.8.1 10.0.8.2 30
192.168.0.0 255.255.255.0 On-link 192.168.0.75 276
192.168.0.75 255.255.255.255 On-link 192.168.0.75 276
192.168.0.255 255.255.255.255 On-link 192.168.0.75 276
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 10.0.8.2 286
224.0.0.0 240.0.0.0 On-link 192.168.0.75 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 10.0.8.2 286
255.255.255.255 255.255.255.255 On-link 192.168.0.75 276
My office LAN network is 192.168.0.0, my pfSense LAN is 172.16.0.0/21 and the tunnel network is 10.0.8.0/24.
So what can I do now?
Thanks.
-
push "route 172.16.0.0 255.255.248.0"
route 172.16.0.0 255.255.248.0
Your server config has both route and push route with the same address. As I understand it, the server is on the pfSense that has LAN 172.16.0.0/21 - so the server should have only:
push "route 172.16.0.0 255.255.248.0"
Then it will tell ("push a route to") clients that connect saying that it is the way to reach 172.16.0.0/21
The extra:
route 172.16.0.0 255.255.248.0
will confuse the routing - this tells pfSense that 172.16.0.0/21 can be reached by sending packets out this OpenVPN server - which is not correct.
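A check for the conflict described in this reply, as an added example (not part of the original post and not pfSense's own code): it parses an OpenVPN server config and reports any route network that overlaps a network the same server pushes to clients. The sample config is a constructed excerpt of the one posted above, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt of the server config posted in the thread
# (only the routing-related directives are kept).
SAMPLE_SERVER_CONF = '''\
dev ovpns1
server 10.0.8.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
comp-lzo
route 172.16.0.0 255.255.248.0
'''

def _net(addr, mask="255.255.255.255"):
    """Build a network from OpenVPN's 'address [netmask]' form (default /32)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_routes(conf_text):
    """Return (pushed, local) lists of networks found in a server config."""
    pushed, local = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        tokens = line.replace('"', " ").split()  # unquote push "..."
        try:
            if tokens[:2] == ["push", "route"] and len(tokens) >= 3:
                pushed.append(_net(*tokens[2:4]))
            elif tokens[:1] == ["route"] and len(tokens) >= 2:
                local.append(_net(*tokens[1:3]))
        except ValueError:
            continue  # hostnames or keywords instead of addresses: skip
    return pushed, local

def conflicting_routes(conf_text):
    """Pairs (route, push) where the server routes a pushed network into the tunnel."""
    pushed, local = parse_routes(conf_text)
    return [(r, p) for r in local for p in pushed if r.overlaps(p)]

if __name__ == "__main__":
    for route, push in conflicting_routes(SAMPLE_SERVER_CONF):
        print(f"route {route} overlaps pushed network {push}: the server "
              "would send traffic for its own LAN out of the tunnel")
```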
-
I removed the extra route and I'm still searching for my issue.
-
Hello,
I tried server mode Peer to Peer on another pfSense box. With the same parameters I have internet, but I can't ping the computers and AP on the pfSense LAN.
Is there a problem when we use OpenVPN with multi-WAN, failover, and Captive Portal?
I don't know where it is being blocked, because no rules are blocking the traffic…
-
I'm back.
I tried with IPsec but I've got the same issue… :'(
-
local 192.168.1.1
This looks wrong in your server config. It should be the WAN IP that the server is on. I am guessing that the server is not on a private address like 192.168.1.1
I just noticed this issue on Redmine http://redmine.pfsense.org/issues/2582 and confirmed the problem. If you change your static IP on WAN, then pfSense does not update the OpenVPN conf files. If you go to each OpenVPN server and client and edit+save again, the conf files are generated again and have the new WAN IP in the "local n.n.n.n" line.
-
Hi,
Thanks Davis, but I have the same result, I can reach my pfSense LAN.
I tried with an SDSL router with the WAN IP but got exactly the same issues…
Here is my server1.conf:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 81.252.136.49
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 8
push "route 172.16.0.0 255.255.248.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
comp-lzo
Thanks Phil Davis but
-
Hi,
I just rebooted my pfSense and my VPN works now… Thanks for the help.