Problem with OpenVPN connecting
-
I've created my first VPN config using the recommended video tutorial. It all went well until I got to the point of installing a client. I exported the Windows client from pfSense and installed it but it won't run at all. I tried the process again with the same result.
Next I tried to download the OpenVPN client, installed it, imported the Config file and tried to connect. I entered the user name and password. Then I get a "Connecting" message and it hangs there, forever. Again, I removed the entire OpenVPN config from pfSense and re-did it all again. Same result!!!
Any suggestions? I will be happy to provide more info but didn't see how I could show the entire VPN config here.
Regards…
riversr54
-
Ok, I got the client to work and connect. I'm not sure why or how but a third attempt seemed to work just fine. I do, however have a couple other questions…
I'm a little confused about the correct network addresses to use for the Tunnel and Local networks on the VPN server configuration page. My pfSense box has a WAN NIC that gets its address from the ISP and one LAN whose NIC is addressed as 10.2.0.200. I assume that the Local Network Address should be 10.2.0.0/16 but I'm not sure what the Tunnel Network address should be.
I tried setting them both to 10.2.0.0/16 but that didn't work (didn't really expect it to).
Regards...
riversr54
-
Put the LAN subnet in "Local Network" - the client will get a route to whatever you put in "Local Network". You need to look at your LAN and see if you are using a /24 or /16 subnet mask. Then put 10.2.0.0/24 or 10.2.0.0/16.
The tunnel network must be a separate subnet. It is used as a pseudo-link between client and server. It needs at least 4 addresses (/30 subnet) - but usually it is easy to give it a /24 subnet from somewhere in private address space that you do not use - e.g. 10.0.8.0/24 is in lots of examples.
Then your client will make a route to 10.2.0.0/n that points to the server end IP in the 10.0.8.0/24 tunnel.
-
I guess I'm just VPN challenged…
I set the tunnel address to 10.0.8.0/24 and my Local Address is 10.2.0.0/16 (the 16 is correct, subnet mask is 255.255.0.0). After I make the VPN connection, I can see a network adapter on my client system that has an IP address of 10.0.8.6, so far so good.
My understanding of VPN is that now I should be able to communicate directly with my 10.2.0.0 network just as if I were physically connected to it, but I can't. I've tried pinging (which is enabled on the target system), an RDP connection to 10.2.0.203 (one of my servers) and even an http connection to my web server (10.2.0.204), but none of it works. What am I doing wrong or misunderstanding?
Thanks for any help...
riversr54
-
pfSense is a firewall - it blocks everything by default. Add rules on the Firewall Rules, OpenVPN tab, to allow traffic to destination 10.2.0.0/16, then it should get through.
The OpenVPN client automagically adds a route to the remote network through the tunnel when the tunnel comes up, so routing should be OK.
If it doesn't work after this, use traceroute (Windows tracert) to see where the traffic is routed and what replies along the way.
-
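An added sanity check (my own Python, not pfSense code and not from anyone in this thread) for the two points raised above: the tunnel network must be a separate subnet of at least /30 next to the local network, and pfSense's per-interface default deny only lets tunnel clients through when a rule on the OpenVPN tab matches. It assumes the server takes the first usable tunnel address and that rules are evaluated first-match.

```python
import ipaddress


def check_vpn_networks(tunnel: str, local: str) -> dict:
    """Validate a tunnel/local network pair as set on the OpenVPN server page.
    On success, return the server-end tunnel IP and the route the client
    is expected to install towards the local network."""
    tun = ipaddress.ip_network(tunnel, strict=False)
    lan = ipaddress.ip_network(local, strict=False)
    problems = []
    if tun.overlaps(lan):
        problems.append("tunnel and local networks overlap")
    if tun.prefixlen > 30:
        problems.append("tunnel network needs at least 4 addresses (/30)")
    if not tun.is_private:
        problems.append("tunnel network should come from private address space")
    if problems:
        return {"ok": False, "problems": problems}
    # Assumption: the server holds the first usable tunnel address
    # (in net30 topology the client's actual next hop is its /30 peer).
    server_ip = str(tun[1])
    return {"ok": True, "problems": [], "server_ip": server_ip,
            "client_route": f"{lan} via {server_ip}"}


def rule_allows(rules, src: str, dst: str) -> bool:
    """First-match evaluation of (action, source, destination) rules on one
    interface; nothing matching means deny, which is pfSense's default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if (s in ipaddress.ip_network(rule_src, strict=False)
                and d in ipaddress.ip_network(rule_dst, strict=False)):
            return action == "pass"
    return False


if __name__ == "__main__":
    # The earlier attempt: tunnel and local both 10.2.0.0/16
    print(check_vpn_networks("10.2.0.0/16", "10.2.0.0/16"))
    # The working pair from the thread
    print(check_vpn_networks("10.0.8.0/24", "10.2.0.0/16"))
    # Constructed OpenVPN-tab rule set: tunnel clients to the LAN
    openvpn_rules = [("pass", "10.0.8.0/24", "10.2.0.0/16")]
    print(rule_allows(openvpn_rules, "10.0.8.6", "10.2.0.203"))  # True
    print(rule_allows([], "10.0.8.6", "10.2.0.203"))             # False: default deny
```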
I do understand that pfSense is a firewall, although I'm beginning to think that I'm not a firewall manager.
The VPN Wizard created several Firewall rules for me so I "assumed" that those would take care of what needed to be passed through. Since that is not working, I created a Rule with the Tunnel network (10.0.8.0/24) as the source and my local network (10.2.0.0/16) as the destination. That didn't work either. That rule makes sense to me but it apparently does not solve the problem.
riversr54
-
Yes, the wizard should create some decent rules to let traffic through. Traffic from the Windows client should have a source IP in the tunnel network, so your extra rule should be a good thing. Post a screenshot of the rules you have on OpenVPN now.