Pfsense as client using static key to openvpn server on vps



    Hi all,

    I am really a newbie on this topic. I will try to make my story straight so that you may be able to help pinpoint the cause of the problem.

    I live in China, and as you may know, due to the Great Firewall set in between me and the world of the internet, I have to fight hard to squeeze myself out of the jail-like "national LAN". So I bought myself a VPS outside the country, and successfully set up an OpenVPN server on the VPS, which is running CentOS 5.5.

    At home, I have a pfSense 2.0 as the router and firewall. I have successfully connected to my OpenVPN server from a Windows OpenVPN client using a static key behind pfSense. With the help of the option "--route net_gateway", I can even have OpenVPN automatically choose whether to use the OpenVPN tunnel based on IP network geo-locations. So all my traffic to networks outside Asia will use the OpenVPN tunnel.
    (The reason I am using a static key is because the GFW drops packets when it detects TLS negotiation, and one ISP even totally blocks the IP addresses.)

    Based on this successful Windows OpenVPN client experience, I thought I could use the OpenVPN client function on pfSense to directly link all my network traffic. However, when I actually tried the OpenVPN client in pfSense, I could only get the tunnel up but no traffic at all!? (I could see the OpenVPN status is up.)

    Below are my configurations.
    Server Conf

    port 80
    dev tun
    secret key.txt
    ifconfig 10.10.10.1 10.10.10.2
    float
    cipher AES-256-CBC
    comp-lzo
    log-append /var/log/openvpn.log
    verb 3

    And I have iptables on the server configured with NAT:

    iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o venet0 -j MASQUERADE

    I can use the config file below to successfully connect to my OpenVPN server and establish a secure tunnel for breaking through the GFW:

    remote openvpn.server.onvps 80
    dev tun
    ifconfig 10.10.10.2 10.10.10.1
    secret key.txt
    cipher AES-256-CBC
    comp-lzo
    route-delay 2
    route-method exe
    redirect-gateway def1
    dhcp-option DNS 8.8.8.8
    float
    verb 3

    route 1.0.0.0 255.0.0.0 net_gateway 5
    route 14.0.0.0 255.0.0.0 net_gateway 5
    route 27.0.0.0 255.0.0.0 net_gateway 5
    ….

    While there are several configuration options I am not sure about, one particular area is the "remote network": what is supposed to go in there? I don't have a local network on my VPS server; by running ifconfig on the VPS, I see the IP address assigned by the VPS company with a network mask of 255.255.255.255 on the venet interface. Where should I start looking for errors? As the server can take the Windows client with no problem, I assume there must be something I missed?

    Thanks in advance
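    A small consistency checker for a static-key server/client pair like the one in the post, added here as an example (it is not code from the original post, from pfSense or from OpenVPN). The sample configs are constructed copies of the post's directives with placeholder hostname and key path; the 192.168.1.0/24 LAN subnet used in the test is an assumption standing in for whatever network the pfSense box forwards into the tunnel, and that check is the one that matters for a router client: the server's MASQUERADE rule only covers the tunnel subnet, so forwarded LAN sources need NAT somewhere or their replies never come back.

```python
import ipaddress
import re
# Constructed sample pair mirroring the post's setup (hostname and key path are placeholders).
SERVER_CONF = """port 80
dev tun
secret key.txt
ifconfig 10.10.10.1 10.10.10.2
cipher AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """remote openvpn.server.onvps 80
dev tun
ifconfig 10.10.10.2 10.10.10.1
secret key.txt
cipher AES-256-CBC
comp-lzo
"""
NAT_RULE = "iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o venet0 -j MASQUERADE"

def parse_conf(text):
    """Map each OpenVPN directive to its argument list; '#' and ';' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text, nat_rule, forwarded_nets=()):
    """Return a list of problems (empty = consistent); forwarded_nets = subnets the client router tunnels."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    # Static-key mode: the server's 'ifconfig local remote' must be the client's pair reversed.
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig", []):
        problems.append("ifconfig addresses are not mirrored between server and client")
    # Both sides need a static key and must agree on device type, cipher and compression.
    for d in ("secret", "dev", "cipher", "comp-lzo"):
        if d not in s or d not in c or (d != "secret" and s[d] != c[d]):
            problems.append(f"'{d}' is missing on one side or differs")
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("client 'remote' port does not match server 'port'")
    # Every source leaving the server's public interface must be inside the MASQUERADE source range.
    m = re.search(r"-s\s+(\S+)", nat_rule)
    nat_net = ipaddress.ip_network(m.group(1), strict=False) if m else None
    for src in [c.get("ifconfig", ["0.0.0.0"])[0], *forwarded_nets]:
        if nat_net is None or not ipaddress.ip_network(src, strict=False).subnet_of(nat_net):
            problems.append(f"server NAT rule does not cover traffic sourced from {src}")
    return problems
```

With no forwarded subnets the pair above passes; passing the assumed LAN subnet reproduces the "tunnel up, no traffic" symptom as a reported NAT coverage gap.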

