Unable to access the whole remote network, only the firewall

  • Hello, I've encountered a problem that I'm not able to fix.
    I've created an OpenVPN server following this howto:
    http://www.packetwatch.net/documents/guides/2012050801.php ; is the virtual network, is the remote network.

    Everything seems to be correct and the tunnel comes up nicely, but I can connect only to , which is the pfSense address on the remote side; if for example I try to ping or connect to a Linux machine at , it times out.

    I use Viscosity as my OpenVPN client on OS X 10.8 with the connection exported from pfSense; here is the configuration:

    #-- Config Auto Generated By Viscosity --#

    #viscosity startonopen false
    #viscosity dhcp true
    #viscosity dnssupport false
    #viscosity name AssindustriaMS
    remote REMOTEADDRESS 1194 udp
    tls-auth ta.key 1
    ca ca.crt
    dev tun
    cert cert.crt
    comp-lzo adaptive
    key key.key
    dhcp-option DNS
    dhcp-option DOMAIN assindustriams.lan
    cipher BF-CBC
    tls-remote lucac81
    resolv-retry infinite

    The strange thing is the routing table on my Mac; here is a snippet of it:

    buffy:~ lucac81$ netstat -f inet -nr
    Routing tables

    Destination        Gateway            Flags        Refs      Use  Netif Expire
    default        UGSc          127        0    en1
                   UGSc            0        0    tun0
                   UH              4       47    tun0
    192.168.129          UGSc            1        5    tun0

    What should I look at to solve this problem?

  • The routes look correct, I am guessing you have firewall rules blocking the traffic from getting to the machine behind the firewall.

  • The pfSense wizard generates the rules needed to make the traffic pass, I think. I'll check them more carefully; in the OpenVPN rules section there is one rule that allows everything from the OpenVPN interface.

    The routing table sounds strange to me only because my previous experience was with pfSense 1.2.3 and a shared-key approach, in which the routes appear like this (is tun1):

    default        UGSc          122        0    en1
                   UH              2        1    tun1
                   UGSc            0        0    tun0
                   UH              3       17    tun0
    192.168.99          UGSc            0        0    tun1
    192.168.129          UGSc            1        0    tun0

    So a point-to-point route to the pfSense endpoint and a static route to the remote network passing through the endpoint.

    Maybe with user auth + TLS it is different, but I don't completely understand it: if is the pfSense virtual address, and is my endpoint address, what is

  • I'm not exactly sure why gets used, but that is how my routing tables look on my OpenVPN configs, and they all work fine.

    One way to see whether it is indeed a route problem or a firewall problem is by doing a traceroute. You should see as the first hop, and then it should try to get to 192.168.129.x.

  • traceroute gets starred out even if I trace to the firewall, so I can't see anything…
    I don't really know where to look.

    EDIT: traceroute using ICMP ECHO indeed shows that it passes on to when trying to reach a remote LAN IP, but then it stops there, so maybe it is a firewall rule. The problem is which one: on OpenVPN there is one rule that says pass everything to every interface, on the WAN side there are NAT rules, and on the LAN side there is one rule that blocks only port 25 outgoing, and disabling it doesn't affect the VPN.

  • Post the network map, server1.conf and the firewall rules on the OpenVPN tab.

  • I've solved it, it was a stupid mistake… on the machine I was trying to reach!!  >:( It's the Linux machine that I was trying to reach: it has a second eth interface with address and a (wrong!!) netmask of .
    So I was reaching the machine, but packets got forwarded to the wrong interface instead of going back, hence the timeout!!
    Putting the right netmask solved the problem; now everything works fine.
    Lesson learned!
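The root cause above (a too-broad netmask on a second NIC swallowing the return path to VPN clients) can be reproduced with a tiny longest-prefix-match route lookup. This is an added example, not code from the thread; the LAN, tunnel subnet and interface names are constructed placeholders, with 192.168.129.0/24 taken from the routing tables quoted earlier.

```python
# Added example: minimal longest-prefix-match route selection, mimicking how a
# Linux host picks the outgoing interface for a reply packet. All addresses
# below are constructed placeholders, not values from the thread.
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Return (network, interface) of the most specific route matching dst.

    routes: list of (network_str, interface_str). strict=False lets an
    interface address with host bits (e.g. 192.168.2.0/16) collapse to the
    connected route the kernel would actually install (192.168.0.0/16).
    """
    dst = ip_address(dst)
    best = None
    for net_str, iface in routes:
        net = ip_network(net_str, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


# Constructed topology: LAN 192.168.1.0/24 with pfSense at 192.168.1.1,
# OpenVPN tunnel subnet 192.168.129.0/24 reached through pfSense, and a
# second NIC (eth1) that is meant to serve only 192.168.2.0/24.
VPN_CLIENT = "192.168.129.6"  # hypothetical client tunnel address


def host_routes(eth1_prefixlen):
    """Routing table of the Linux host for a given eth1 netmask length."""
    return [
        ("0.0.0.0/0", "eth0 via 192.168.1.1"),           # default -> pfSense
        ("192.168.1.0/24", "eth0"),                      # connected LAN
        (f"192.168.2.0/{eth1_prefixlen}", "eth1"),       # connected second NIC
    ]


def reply_interface(eth1_prefixlen):
    """Interface the host uses to answer the VPN client."""
    return lookup(host_routes(eth1_prefixlen), VPN_CLIENT)[1]


if __name__ == "__main__":
    # With a /16 on eth1 the connected route covers the whole tunnel subnet,
    # beats the default route, and replies leave on eth1 (never reaching
    # pfSense): exactly the timeout seen in the thread. With /24 they go back
    # through pfSense as intended.
    print("wrong /16 netmask ->", reply_interface(16))
    print("right /24 netmask ->", reply_interface(24))
```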
