Netgate Discussion Forum

    Internet Access issue using OpenVPN and Multi-wan

    OpenVPN
    24 Posts 5 Posters 7.0k Views
    • J
      jgottlieb
      last edited by

      I had this working in a simpler configuration under 1.x.  Now I've rebuilt my firewall with 2.03 and have dropped another DSL connection in.

      So I have two LAN segments - 192.168.1.x and 192.168.2.x.  And two WAN connections.

      I've configured OpenVPN following the Wizard and I am able to connect to it and reach both internal LAN segments.

      What I can't do is hit the Internet once connected.  I have OpenVPN configured to funnel all traffic through the VPN (which is what I want).

      It resolves DNS just fine.  But when I try to go anywhere or even ping an internet address it goes nowhere.  I'm running AON and manually added the NAT statement on the WAN interface that OpenVPN is configured on for the VPN pool (192.168.3.x).  But still nothing.

      I'm assuming I'm missing a basic step.  I've pored through the forums and haven't found anything.

      Any help would be greatly appreciated.

      Thanks,

      Joshua

      • K
        kejianshi
        last edited by

        What is the IP of the local network you are VPNing in from?

        If there is a firewall rule allowing VPN to any (same as the LAN) then the VPN clients should have access to everything same as guys on the LANs.

        If you created a manual outbound NAT rule for the subnet associated with OpenVPN that looks pretty much EXACTLY the same as the one for the subnet that the LAN is on, then it should work.

        Those are the firewall requirements.

        Now, what do your VPN settings look like?

        What kind of client are you using?  (Which OS is the client on?)

        • M
          marvosa
          last edited by

          Post your server1.conf.

          • J
            jgottlieb
            last edited by

            Hopefully this will work:

            
             <pfsense><version>8.0</version>
            	 <lastchange><theme>pfsense_ng</theme>
            	 <sysctl><tunable>debug.pfftpproxy</tunable>
            			<value>default</value> 
            		 <tunable>vfs.read_max</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.ip.portrange.first</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.blackhole</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.udp.blackhole</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.ip.random_id</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.drop_synfin</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.ip.redirect</tunable>
            			<value>default</value> 
            		 <tunable>net.inet6.ip6.redirect</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.syncookies</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.recvspace</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.sendspace</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.ip.fastforwarding</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.delayed_ack</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.udp.maxdgram</tunable>
            			<value>default</value> 
            		 <tunable>net.link.bridge.pfil_onlyip</tunable>
            			<value>default</value> 
            		 <tunable>net.link.bridge.pfil_member</tunable>
            			<value>default</value> 
            		 <tunable>net.link.bridge.pfil_bridge</tunable>
            			<value>default</value> 
            		 <tunable>net.link.tap.user_open</tunable>
            			<value>default</value> 
            		 <tunable>kern.randompid</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.ip.intr_queue_maxlen</tunable>
            			<value>default</value> 
            		 <tunable>hw.syscons.kbd_reboot</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.inflight.enable</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.log_debug</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.icmp.icmplim</tunable>
            			<value>default</value> 
            		 <tunable>net.inet.tcp.tso</tunable>
            			<value>default</value> 
            		 <tunable>kern.ipc.maxsockbuf</tunable>
            			<value>default</value></sysctl> 
            	 <system><optimization>normal</optimization>
            		<hostname>pfSense</hostname>
            		<domain>pinkbunnyslippers.com</domain>
            		<dnsserver>8.8.8.8</dnsserver>
            		<dnsserver>8.8.4.4</dnsserver>
            		<dnsallowoverride>on</dnsallowoverride>
            		 <group><name>all</name>
            
            			<scope>system</scope>
            			<gid>1998</gid></group> 
            		 <group><name>admins</name>
            
            			<scope>system</scope>
            			<gid>1999</gid>
            			<member>0</member>
            			<priv>page-all</priv></group> 
            		 <user><name>admin</name>
            
            			<scope>system</scope>
            			<groupname>admins</groupname>
            			<password>$1$hQgyly2h$zN11Em5PetTPDuCB8EU9D.</password>
            			<uid>0</uid>
            			<priv>user-shell-access</priv>
            			<md5-hash>9a1e7b5af90e1cd3066176677e00753e</md5-hash>
            			<nt-hash>e36162c2a620a4cff449ea80556c8d3c</nt-hash></user> 
            		 <user><scope>user</scope>
            			<password>$1$MhMC/D2M$TiVrL9gSkWNG8N2NcXgeg0</password>
            			<md5-hash>9a1e7b5af90e1cd3066176677e00753e</md5-hash>
            			<nt-hash>e36162c2a620a4cff449ea80556c8d3c</nt-hash>
            			<name>jgottlieb</name>
            
            			 <expires><authorizedkeys><ipsecpsk><uid>2000</uid>
            			<cert>51dd9de859ffa</cert></ipsecpsk></authorizedkeys></expires></user> 
            		<nextuid>2001</nextuid>
            		<nextgid>2000</nextgid>
            		<timezone>America/Los_Angeles</timezone>
            		<time-update-interval>300</time-update-interval>
            		<timeservers>0.pfsense.pool.ntp.org</timeservers>
            		 <webgui><protocol>https</protocol>
            			<ssl-certref>51d5e7e7d7042</ssl-certref></webgui> 
            		<disablenatreflection>yes</disablenatreflection>
            		 <disablesegmentationoffloading><disablelargereceiveoffloading></disablelargereceiveoffloading></disablesegmentationoffloading></system> 
            	 <interfaces><wan><enable><if>xl0</if>
            			 <blockpriv><blockbogons><ipaddr>dhcp</ipaddr>
            			 <dhcphostname><alias-address><alias-subnet>32</alias-subnet>
            			 <spoofmac></spoofmac></alias-address></dhcphostname></blockbogons></blockpriv></enable></wan> 
            		 <lan><enable><if>em0</if>
            
            			 <spoofmac><ipaddr>192.168.2.1</ipaddr>
            			<subnet>24</subnet></spoofmac></enable></lan> 
            		 <opt1><if>em1</if>
            			 <enable><spoofmac><ipaddr>192.168.1.1</ipaddr>
            			<subnet>24</subnet></spoofmac></enable></opt1> 
            		 <opt2><if>rl0</if>
            			 <enable><spoofmac><blockpriv><blockbogons><ipaddr>dhcp</ipaddr>
            			 <dhcphostname><alias-address><alias-subnet>32</alias-subnet></alias-address></dhcphostname></blockbogons></blockpriv></spoofmac></enable></opt2></interfaces> 
            	 <staticroutes><dhcpd><lan><enable><range><from>192.168.2.100</from>
            				<to>192.168.2.254</to></range> 
            			 <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><domain><domainsearchlist><ddnsdomain><tftp><ldap><next-server><filename><rootpath><numberoptions><ddnsupdate></ddnsupdate></numberoptions></rootpath></filename></next-server></ldap></tftp></ddnsdomain></domainsearchlist></domain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></enable></lan> 
            		 <opt1><range><from>192.168.1.100</from>
            				<to>192.168.1.254</to></range> 
            			 <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><domain><domainsearchlist><enable><ddnsdomain><tftp><ldap><next-server><filename><rootpath><numberoptions><ddnsupdate></ddnsupdate></numberoptions></rootpath></filename></next-server></ldap></tftp></ddnsdomain></enable></domainsearchlist></domain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></opt1></dhcpd> 
            	 <pptpd><mode><redir><localip></localip></redir></mode></pptpd> 
            	 <dnsmasq><enable><regdhcp><regdhcpstatic></regdhcpstatic></regdhcp></enable></dnsmasq> 
            	 <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd> 
            	 <diag><ipv6nat><ipaddr></ipaddr></ipv6nat></diag> 
            	 <bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru> 
            		 <advancedoutbound><rule><source>
            					<network>192.168.2.0/24</network>
            
            				<dstport>500</dstport>
            
            				 <target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				 <staticnatport></staticnatport></target></rule> 
            			 <rule><source>
            					<network>192.168.2.0/24</network>
            
            				 <sourceport><target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				 <natport></natport></target></sourceport></rule> 
            			 <rule><source>
            					<network>127.0.0.0/8</network>
            
            				 <dstport><target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				<natport>1024:65535</natport></target></dstport></rule> 
            			 <rule><source>
            					<network>192.168.2.0/24</network>
            
            				<dstport>500</dstport>
            
            				 <target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				 <staticnatport></staticnatport></target></rule> 
            			 <rule><source>
            					<network>192.168.2.0/24</network>
            
            				 <sourceport><target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				 <natport></natport></target></sourceport></rule> 
            			 <rule><source>
            					<network>127.0.0.0/8</network>
            
            				 <dstport><target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				<natport>1024:65535</natport></target></dstport></rule> 
            			 <rule><source>
            					<network>192.168.1.0/24</network>
            
            				<dstport>500</dstport>
            
            				 <target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				 <staticnatport></staticnatport></target></rule> 
            			 <rule><source>
            					<network>192.168.1.0/24</network>
            
            				 <sourceport><target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				 <natport></natport></target></sourceport></rule> 
            			 <rule><source>
            					<network>127.0.0.0/8</network>
            
            				 <dstport><target><interface>wan</interface>
            				 <destination><any></any></destination> 
            				<natport>1024:65535</natport></target></dstport></rule> 
            			 <rule><source>
            					<network>192.168.1.0/24</network>
            
            				<dstport>500</dstport>
            
            				 <target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				 <staticnatport></staticnatport></target></rule> 
            			 <rule><source>
            					<network>192.168.1.0/24</network>
            
            				 <sourceport><target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				 <natport></natport></target></sourceport></rule> 
            			 <rule><source>
            					<network>127.0.0.0/8</network>
            
            				 <dstport><target><interface>opt2</interface>
            				 <destination><any></any></destination> 
            				<natport>1024:65535</natport></target></dstport></rule> 
            			 <rule><source>
            					<network>192.168.3.0/24</network>
            
            				 <sourceport><target><targetip><targetip_subnet>0</targetip_subnet>
            				<interface>opt2</interface>
            				 <poolopts><destination><any></any></destination></poolopts></targetip></target></sourceport></rule> 
            			 <enable></enable></advancedoutbound></nat> 
            	 <filter><rule><id><type>pass</type>
            			<interface>lan</interface>
            			 <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
            			 <os><source>
            				<network>lan</network>
            
            			 <destination><any></any></destination> 
            
            			<gateway>WAN_OFFICE</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> 
            		 <rule><source>
            				 <any><destination><any></any></destination> 
            			<interface>openvpn</interface>
            			<type>pass</type>
            			<enabled>on</enabled></any></rule> 
            		 <rule><id><type>pass</type>
            			<interface>opt1</interface>
            			 <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
            			 <os><source>
            				<network>opt1</network>
            
            			 <destination><any></any></destination> 
            
            			<gateway>WAN_HOME</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> 
            		 <rule><id><type>pass</type>
            			<interface>opt1</interface>
            			 <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
            			 <os><source>
            
            <address>192.168.3.0/24</address>
            
            			 <destination><any></any></destination> 
            
            			<gateway>WAN_HOME</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> 
            		 <rule><direction>in</direction>
            			<source>
            				 <any><destination><network>opt2ip</network>
            				<port>443</port></destination> 
            			<interface>opt2</interface>
            			<protocol>tcp</protocol>
            			<type>pass</type>
            			<enabled>on</enabled></any></rule></filter> 
            	 <shaper><ipsec><preferoldsa></preferoldsa></ipsec> 
            	 <aliases><proxyarp><cron><minute>0</minute>
            			<hour>*</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 newsyslog 
            		 <minute>1,31</minute>
            			<hour>0-5</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 adjkerntz -a 
            		 <minute>1</minute>
            			<hour>3</hour>
            			<mday>1</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh 
            		 <minute>*/60</minute>
            			<hour>*</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout 
            		 <minute>1</minute>
            			<hour>1</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update 
            		 <minute>*/60</minute>
            			<hour>*</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot 
            		 <minute>30</minute>
            			<hour>12</hour>
            			<mday>*</mday>
            			<month>*</month>
            			<wday>*</wday>
            			<who>root</who>
            			<command></command>/usr/bin/nice -n20 /etc/rc.update_urltables</cron> 
            	 <wol><rrd><enable></enable></rrd> 
            	 <load_balancer><monitor_type><name>ICMP</name>
            			<type>icmp</type></monitor_type> 
            		 <monitor_type><name>TCP</name>
            			<type>tcp</type></monitor_type> 
            		 <monitor_type><name>HTTP</name>
            			<type>http</type>
            
            			 <options><path>/</path>
            				 <host>`200`</host></options></monitor_type> 
            		 <monitor_type><name>HTTPS</name>
            			<type>https</type>
            
            			 <options><path>/</path>
            				 <host>`200`</host></options></monitor_type> 
            		 <monitor_type><name>SMTP</name>
            			<type>send</type>
            
            			 <options><send><expect>220 *</expect></send></options></monitor_type></load_balancer> 
            	 <widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence></widgets> 
            	 <revision><time>1373483408</time>
            
            		<username>admin@192.168.1.238</username></revision> 
            	 <openvpn><openvpn-server><vpnid>1</vpnid>
            			<mode>server_tls_user</mode>
            			<authmode>Local Database</authmode>
            			<protocol>TCP</protocol>
            			<dev_mode>tap</dev_mode>
            			<ipaddr></ipaddr>
            			<interface>opt2</interface>
            			<local_port>443</local_port>
            
            			 <custom_options><tls>**SNIP**</tls>
            			<caref>51dd9a832bc88</caref>
            
            			<certref>51dd9a8641c17</certref>
            			<dh_length>1024</dh_length>
            			<cert_depth>1</cert_depth>
            
            			<crypto>AES-256-CBC</crypto>
            			<engine>none</engine>
            			<tunnel_network>192.168.3.0/24</tunnel_network>
            			 <remote_network><gwredir>yes</gwredir>
            			<local_network>192.168.0.0/16</local_network>
            			<maxclients>50</maxclients>
            			<compression>yes</compression>
            			<passtos></passtos>
            			<client2client>yes</client2client>
            			<dynamic_ip>yes</dynamic_ip>
            			<pool_enable>yes</pool_enable>
            			<dns_domain>pinkbunnyslippers.com</dns_domain>
            			<dns_server1>192.168.3.1</dns_server1>
            			<dns_server2>8.8.8.8</dns_server2>
            			<dns_server3>8.8.4.4</dns_server3>
            			 <dns_server4><ntp_server1>192.168.3.1</ntp_server1>
            			 <ntp_server2><netbios_enable>yes</netbios_enable>
            			<netbios_ntype>5</netbios_ntype>
            			 <netbios_scope><wins_server1>192.168.3.1</wins_server1></netbios_scope></ntp_server2></dns_server4></remote_network></custom_options></openvpn-server></openvpn> 
            	 <l7shaper><container></container></l7shaper> 
            	 <dnshaper><cert><refid>51d5e7e7d7042</refid>
            
            		**SNIP**</cert> 
            	 <cert><refid>51dd9a8641c17</refid>
            
            		<caref>51dd9a832bc88</caref>
            		**SNIP**
            		<type>server</type></cert> 
            	 <cert><refid>51dd9de859ffa</refid>
            
            		<caref>51dd9a832bc88</caref>
            **SNIP**
            		<type>user</type></cert> 
            	 <ppps><gateways><installedpackages><miniupnpd><config><enable>on</enable>
            				<enable_upnp>on</enable_upnp>
            				<enable_natpmp>on</enable_natpmp>
            				<iface_array>lan,opt1</iface_array>
            				 <download><upload><overridewanip><upnpqueue><logpackets><sysuptime><permdefault></permdefault></sysuptime></logpackets></upnpqueue></overridewanip></upload></download></config></miniupnpd> 
            		 <package><name>OpenVPN Client Export Utility</name>
            
            			<category>Security</category>
            			<depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
            			<depends_on_package>p7zip-9.20.1.tbz</depends_on_package>
            			<depends_on_package>zip-3.0.tbz</depends_on_package>
            			<depends_on_package_pbi>zip-3.0-i386.pbi p7zip-9.20.1-i386.pbi</depends_on_package_pbi>
            			<build_port_path>/usr/ports/archivers/p7zip</build_port_path>
            			<build_port_path>/usr/ports/archivers/zip</build_port_path>
            			<version>1.0.7</version>
            			<status>RELEASE</status>
            			<required_version>2.0</required_version>
            			<config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file>
            			<configurationfile>openvpn-client-export.xml</configurationfile></package> 
            		 <tab><name>Client Export</name>
            			<tabgroup>OpenVPN</tabgroup>
            			<url>/vpn_openvpn_export.php</url></tab> 
            		 <tab><name>Shared Key Export</name>
            			<tabgroup>OpenVPN</tabgroup>
            			<url>/vpn_openvpn_export_shared.php</url></tab></installedpackages> 
            	 <ovpnserver><step1><type>local</type></step1> 
            		 <step6><certca>pinkbunnyslippers.com</certca>
            			<keylength>2048</keylength>
            			<lifetime>3650</lifetime>
            			<country>US</country>
            			<state>WA</state>
            			<city>Blah</city>
            			<organization>BlahBlah</organization>
            			<email>joe@email.com</email>
            			<uselist>on</uselist></step6> 
            		 <step9><certname>blah</certname>
            			<keylength>2048</keylength>
            			<lifetime>3650</lifetime>
            			<country>US</country>
            			<state>WA</state>
            			<city>Blah</city>
            			<organization>BlahBlah</organization>
            			<email>joe@email.com</email>
            			<uselist>on</uselist></step9> 
            		 <step10><interface>opt2</interface>
            			<protocol>TCP</protocol>
            			<localport>443</localport>
            
            			<tlsauth>on</tlsauth>
            			<gentlskey>on</gentlskey>
            			<dhkey>1024</dhkey>
            			<crypto>AES-256-CBC</crypto>
            			<engine>none</engine>
            			<tunnelnet>192.168.3.0/24</tunnelnet>
            			<rdrgw>on</rdrgw>
            			<localnet>192.168.0.0/16</localnet>
            			<concurrentcon>50</concurrentcon>
            			<compression>on</compression>
            			<interclient>on</interclient>
            			<dynip>on</dynip>
            			<addrpool>on</addrpool>
            			<defaultdomain>pinkbunnyslippers.com</defaultdomain>
            			<dns1>192.168.3.1</dns1>
            			<dns2>8.8.8.8</dns2>
            			<dns3>8.8.4.4</dns3>
            			<ntp1>192.168.3.1</ntp1>
            			<nbtenable>on</nbtenable>
            			<nbttype>5</nbttype>
            			<wins1>192.168.3.1</wins1></step10> 
            		 <step11><ovpnrule>on</ovpnrule>
            			<ovpnallow>on</ovpnallow></step11></ovpnserver> 
            	 <ca><refid>51dd9a832bc88</refid>
            
            		**SNIP**
            		<serial>2</serial></ca></gateways></ppps></dnshaper></wol></proxyarp></aliases></shaper></syslog></bridge></staticroutes></lastchange></pfsense> 
            
            • M
              marvosa
              last edited by

              I'm not even sure what that is… lol!

              Log into the shell and post the contents of /var/etc/openvpn/server1.conf.

              • D
                doktornotor Banned
                last edited by

                And kindly use the CODE tags in future to spare my poor 10-year-old mouse wheel.

                • J
                  jgottlieb
                  last edited by

                  Ok, here is the server1.conf.  The previous file was the XML backup.  I figured that would be helpful as it contains all the NAT and firewall rules etc.  Sorry about not using the code tag… I was looking for it and missed it.

                  dev ovpns1
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto tcp-server
                  cipher AES-256-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 74.50.197.63
                  tls-server
                  server 192.168.3.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                  lport 443
                  management /var/etc/openvpn/server1.sock unix
                  max-clients 50
                  push "route 192.168.0.0 255.255.0.0"
                  push "dhcp-option DOMAIN pinkbunnyslippers.com"
                  push "dhcp-option DNS 192.168.3.1"
                  push "dhcp-option DNS 8.8.8.8"
                  push "dhcp-option DNS 8.8.4.4"
                  push "dhcp-option NTP 192.168.3.1"
                  push "dhcp-option WINS 192.168.3.1"
                  push "redirect-gateway def1"
                  client-to-client
                  ca /var/etc/openvpn/server1.ca 
                  cert /var/etc/openvpn/server1.cert 
                  key /var/etc/openvpn/server1.key 
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server1.tls-auth 0
                  comp-lzo
                  persist-remote-ip
                  float
                  
                  
                  • M
                    marvosa
                    last edited by

                    What is the lan subnet on the client-side?

                    • J
                      jgottlieb
                      last edited by

                      The two local LAN segments are 192.168.1.x and 192.168.2.x.  The OpenVPN subnet is 192.168.3.x.

                      • M
                        marvosa
                        last edited by

                        Yes, 192.168.1.x and 192.168.2.x are two LAN segments on the server-side and connecting clients get a 192.168.3.x address when they connect… I get that.  The question is: what is the LAN segment on the client-side, not their virtual IP when they connect?

                        • J
                          jgottlieb
                          last edited by

                          Ah… well it varies.  It's whatever network I'm on when I'm traveling.  Sometimes that's a 192.168.1.x sometimes it's 192.168.0.x, sometimes it's a 10.x.x.x...

                          • J
                            jgottlieb
                            last edited by

                            So for what it's worth, I just tried from a local lan segment of 10.x.x.x.  The VPN connects like it did before.  I can reach both my LAN segments (192.168.1.x and 192.168.2.x), but I just can't traverse the firewall and get out to the internet.  DNS resolves ok, but I can't get a ping out to the Internet or pull up a web page.  My previous attempts were from a 192.168.1.x and 192.168.0.x.  The local client segment doesn't seem to make an impact as far as I can tell.  I just can't seem to route out to the Internet.

                            • J
                              jgottlieb
                              last edited by

                              One thing I did notice is in the client connection logs, I'm not seeing the push of the redirect-gateway.  In the older version 1.x I had to put the push redirect-gateway in the openvpn config to get it to work.  In the 2.0 version there was a checkbox which I checked, but it doesn't seem to be pushing it.  Additionally, I manually added the push redirect-gateway into the openvpn config and it still isn't pushing that down.  Could this be the issue?

                              • J
                                jgottlieb
                                last edited by

                                So here is something strange.  I was looking in the Firewall logs and saw this:

                                Jul 15 13:58:36 WAN_HOME   xxx.xxx.165.137:50487   xx.xx.197.63:3060

                                They are listed as blocked attempts in the log.  The source address is the public IP address of where I am remoting in from.  The destination address is the interface address of the WAN_HOME interface which is where my OpenVPN is configured.  I can only imagine that I am missing some type of firewall rule to allow that traffic.  Any ideas?

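As an added example (not code from the thread or from pfSense), here is a parser for the summary form of the firewall log line quoted in the post above. It splits the line into interface, source and destination, then compares the destination port with the port the posted server1.conf listens on (`lport 443` on WAN_HOME). The sample lines are the quoted line, masked octets kept as written, plus one constructed line to port 443 for contrast; the listener table is built from the thread's own values and is otherwise an assumption.

```python
import re
from collections import namedtuple

FirewallEntry = namedtuple(
    "FirewallEntry", "timestamp iface src_ip src_port dst_ip dst_port")

# Summary form shown in the pfSense firewall log view:
#   <Mon> <DD> <HH:MM:SS> <interface> <src ip>:<port> <dst ip>:<port>
# Octets may be masked ('xxx'), as in the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+'
    r'(?P<src>[\dx]+(?:\.[\dx]+){3}):(?P<sport>\d+)\s+'
    r'(?P<dst>[\dx]+(?:\.[\dx]+){3}):(?P<dport>\d+)\s*$')

# Services the posted config says should be reachable on a WAN interface:
# only the OpenVPN server, TCP 443 on WAN_HOME (lport 443 in server1.conf).
# Anything else hitting a WAN is expected to be blocked by the default deny.
LISTENERS = {("WAN_HOME", 443): "openvpn"}

SAMPLE_LOG = [
    # the line quoted in the thread, masked octets unchanged
    "Jul 15 13:58:36 WAN_HOME   xxx.xxx.165.137:50487   xx.xx.197.63:3060",
    # constructed for contrast: same client, but aimed at the VPN listener
    "Jul 15 13:59:02 WAN_HOME   xxx.xxx.165.137:50491   xx.xx.197.63:443",
]


def parse_line(line):
    """Return a FirewallEntry for a summary log line, or None if it does
    not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return FirewallEntry(m["ts"], m["iface"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]))


def classify(entry):
    """'service' when the blocked packet targeted a listener that is meant
    to be reachable (a rule to chase); 'unsolicited' for everything else,
    which the WAN default deny is supposed to drop."""
    svc = LISTENERS.get((entry.iface, entry.dst_port))
    return ("service", svc) if svc else ("unsolicited", None)


def triage(lines):
    """Parse and classify a batch of log lines; unparsable lines are skipped."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind, svc = classify(entry)
        out.append((entry.dst_port, kind, svc))
    return out


if __name__ == "__main__":
    for line, (port, kind, svc) in zip(SAMPLE_LOG, triage(SAMPLE_LOG)):
        print(f"dst port {port:>5}  {kind:<12} {svc or ''}  <- {line.strip()}")
```

Run against the quoted line, the classifier reports an unsolicited packet to port 3060, not the OpenVPN listener on 443, so the block is the default WAN deny doing its job rather than a missing rule; a blocked entry to 443 on WAN_HOME would be the one worth investigating.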
                                • M
                                  marvosa
                                  last edited by

                                  1.  Stay away from LAN segments that are in use by typical home routers… e.g. 192.168.1.x, 192.168.2.x, 192.168.3.x.  If the client tries to connect from a LAN that is already on one of those subnets it will break your routing.

                                  2.  You are pushing 192.168.0.0/16 through the tunnel, that is way too wide when I assume your LAN is made up of 192.168.1.0/24 and 192.168.2.0/24.  Keep it simple, i.e. if you're going to stay with your current LAN addressing, add 192.168.1.0/24 to the "Local Network" section and add push "route 192.168.2.0 255.255.255.0" to the Advanced configuration section.

                                  3.  Your tunnel network is 192.168.3.0/24, which means there's no way you have a DNS server on 192.168.3.1.  In your VPN config, in the Client Settings section under DNS servers, if you're using the "Provide a DNS server list to clients" option, this needs to be the same IP your LAN clients are using for DNS.  Also, as currently configured, you need to change your tunnel network anyway.  Keep everything away from the ranges of typical home routers.

                                  4.  You won't see "redirect-gateway" in the client logs… that option adds a new default gateway behind the scenes which pushes all traffic through the tunnel.

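To make the address-overlap point in the post above concrete, here is an added example (it is not from this thread and not pfSense or OpenVPN code). It checks a remote client's local LAN against the tunnel network and the pushed routes, flags a pushed prefix that is wider than the LANs it is meant to cover, and picks a tunnel prefix that stays clear of the ranges in use. All networks in it are constructed sample values, and the candidate tunnel list is an assumption of the example, not a pfSense default.

```python
"""Route-collision checks for an OpenVPN remote-access setup: does the
client's local LAN collide with the tunnel network or a pushed route, is a
pushed route wider than the LANs it covers, and which tunnel prefix stays
clear of everything.  All networks below are constructed sample values."""
from ipaddress import ip_network
from typing import List, Tuple

# Example tunnel candidates to try, in order of preference (an assumption of
# this example, not a pfSense default).
TUNNEL_CANDIDATES = ["10.8.0.0/24", "10.9.0.0/24", "172.16.100.0/24"]


def find_overlaps(client_lan: str, tunnel: str, pushed_routes: List[str]) -> List[Tuple[str, str]]:
    """Return (label, prefix) for each server-side prefix that overlaps the
    client's own LAN.  Any hit means the client kernel has two routes for the
    same addresses, so some traffic stays local instead of entering the tunnel."""
    lan = ip_network(client_lan, strict=False)
    candidates = [("tunnel", ip_network(tunnel, strict=False))]
    candidates += [("pushed route", ip_network(r, strict=False)) for r in pushed_routes]
    return [(label, str(net)) for label, net in candidates if lan.overlaps(net)]


def is_overly_broad(pushed_route: str, actual_lans: List[str]) -> bool:
    """True when a pushed prefix covers all the real LANs but is larger than
    they are together (192.168.0.0/16 pushed for two /24s), which drags any
    client LAN in that range into the tunnel as well."""
    route = ip_network(pushed_route, strict=False)
    lans = [ip_network(n, strict=False) for n in actual_lans]
    covered = sum(n.num_addresses for n in lans)
    return all(n.subnet_of(route) for n in lans) and covered < route.num_addresses


def pick_tunnel(avoid: List[str], candidates: List[str] = TUNNEL_CANDIDATES) -> str:
    """First candidate prefix that overlaps none of the networks to avoid
    (your LANs plus the ranges typical home routers hand out)."""
    avoid_nets = [ip_network(n, strict=False) for n in avoid]
    for cand in candidates:
        net = ip_network(cand)
        if not any(net.overlaps(a) for a in avoid_nets):
            return cand
    raise ValueError("no candidate tunnel prefix is free of overlaps")


if __name__ == "__main__":
    # The thread's situation: client on 192.168.1.x, tunnel 192.168.3.0/24,
    # routes for both LANs pushed.
    print(find_overlaps("192.168.1.0/24", "192.168.3.0/24",
                        ["192.168.1.0/24", "192.168.2.0/24"]))
    print(is_overly_broad("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"]))
    print(pick_tunnel(["192.168.0.0/16", "10.0.0.0/24"]))
```

Run it with your own LANs, the tunnel prefix and the pushed routes; a non-empty result from find_overlaps for a client LAN you expect people to connect from is the situation marvosa describes, and the fix is to change the tunnel or LAN prefixes rather than to add firewall rules.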
                                  • J
                                    jgottlieb
                                    last edited by

                                    I made the change to make the local network more specific and manually push the 192.168.2.x network out.  Unfortunately that didn't resolve the issue.  Same as before.  Can connect into all the local networks fine.  Can't hit the internet at all once connected.

                                    dev ovpns1
                                    dev-type tun
                                    dev-node /dev/tun1
                                    writepid /var/run/openvpn_server1.pid
                                    #user nobody
                                    #group nobody
                                    script-security 3
                                    daemon
                                    keepalive 10 60
                                    ping-timer-rem
                                    persist-tun
                                    persist-key
                                    proto tcp-server
                                    cipher AES-256-CBC
                                    up /usr/local/sbin/ovpn-linkup
                                    down /usr/local/sbin/ovpn-linkdown
                                    local xxx.xxx.197.63
                                    tls-server
                                    server 192.168.3.0 255.255.255.0
                                    client-config-dir /var/etc/openvpn-csc
                                    username-as-common-name
                                    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                                    tls-verify /var/etc/openvpn/server1.tls-verify.php
                                    lport 443
                                    management /var/etc/openvpn/server1.sock unix
                                    max-clients 50
                                    push "route 192.168.1.0 255.255.255.0"
                                    push "dhcp-option DOMAIN pinkbunnyslippers.com"
                                    push "dhcp-option DNS 192.168.1.1"
                                    push "dhcp-option DNS 8.8.8.8"
                                    push "dhcp-option DNS 8.8.4.4"
                                    push "dhcp-option NTP 192.168.1.1"
                                    push "dhcp-option WINS 192.168.1.1"
                                    push "redirect-gateway def1"
                                    client-to-client
                                    ca /var/etc/openvpn/server1.ca 
                                    cert /var/etc/openvpn/server1.cert 
                                    key /var/etc/openvpn/server1.key 
                                    dh /etc/dh-parameters.1024
                                    tls-auth /var/etc/openvpn/server1.tls-auth 0
                                    comp-lzo
                                    persist-remote-ip
                                    float
                                    push "route 192.168.2.0 255.255.255.0"
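The posted server config and the blocked firewall-log entry from the earlier post can be checked together. The following is an added example, not code from this thread, from pfSense or from OpenVPN: it parses a constructed copy of the relevant config lines (the WAN address is replaced by a documentation placeholder), reports the tunnel subnet, pushed routes and whether redirect-gateway is pushed, prints the pf-syntax equivalent of the manual outbound NAT entry the tunnel subnet needs on the WAN, lists pushed DNS servers that are only reachable because of redirect-gateway, and filters constructed firewall-log lines (same shape as the posted one, placeholder addresses) down to those whose destination port is the VPN listener's. The interface name em1 is an assumption.

```python
"""Analyze an OpenVPN server config (a constructed sample copied from the
post above, WAN address replaced by a documentation placeholder) and derive
what pfSense needs around it: tunnel subnet, pushed routes, whether
redirect-gateway is pushed, the pf-style outbound NAT rule for the tunnel
subnet, and which blocked firewall-log entries actually hit the VPN listener."""
import re
import shlex
from ipaddress import IPv4Address, ip_network
from typing import Dict, List

# Constructed sample: the routing-relevant lines of the posted server1 config.
SAMPLE_CONFIG = """\
dev ovpns1
dev-type tun
proto tcp-server
local 203.0.113.10   # placeholder for the WAN_HOME address
tls-server
server 192.168.3.0 255.255.255.0
lport 443
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
client-to-client
push "route 192.168.2.0 255.255.255.0"
"""

# Constructed sample firewall-log lines in the same shape as the one posted:
# timestamp, interface, src:port, dst:port (addresses are placeholders).
SAMPLE_LOG = """\
Jul 15 13:58:36 WAN_HOME 198.51.100.7:50487 203.0.113.10:3060
Jul 15 13:58:40 WAN_HOME 198.51.100.7:50491 203.0.113.10:443
"""


def parse_server_config(text: str) -> Dict[str, object]:
    """Pull the routing-relevant directives out of an OpenVPN server config."""
    info: Dict[str, object] = {"tunnel": None, "routes": [], "dns": [],
                               "redirect_gateway": False, "proto": None, "port": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)                 # keeps quoted push arguments together
        key = parts[0]
        if key == "server" and len(parts) >= 3:
            info["tunnel"] = str(ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif key == "push" and len(parts) >= 2:
            opt = parts[1].split()
            if opt[0] == "route" and len(opt) >= 3:
                info["routes"].append(str(ip_network(f"{opt[1]}/{opt[2]}", strict=False)))
            elif opt[0] == "dhcp-option" and len(opt) >= 3 and opt[1] == "DNS":
                info["dns"].append(opt[2])
            elif opt[0] == "redirect-gateway":
                info["redirect_gateway"] = True
        elif key == "proto" and len(parts) >= 2:
            info["proto"] = parts[1]
        elif key in ("lport", "port") and len(parts) >= 2:
            info["port"] = int(parts[1])
    return info


def outbound_nat_rule(info: Dict[str, object], wan_if: str) -> str:
    """pf-syntax equivalent of the manual outbound NAT entry the tunnel subnet
    needs on the WAN: without it, clients whose default route was redirected
    into the tunnel leave the WAN with a private source address and get no replies."""
    return f"nat on {wan_if} inet from {info['tunnel']} to any -> ({wan_if})"


def dns_outside_pushed_prefixes(info: Dict[str, object]) -> List[str]:
    """Pushed DNS servers in neither the tunnel nor a pushed route; clients
    reach them only because redirect-gateway sends all traffic through the VPN."""
    prefixes = [ip_network(p) for p in [info["tunnel"], *info["routes"]]]
    return [d for d in info["dns"] if not any(IPv4Address(d) in p for p in prefixes)]


LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$")


def blocked_entries_hitting_vpn(log_text: str, info: Dict[str, object]) -> List[str]:
    """Return the log lines whose destination port is the OpenVPN listener's,
    so blocks on unrelated ports are not mistaken for a VPN firewall problem."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and int(m.group("dport")) == info["port"]:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    cfg = parse_server_config(SAMPLE_CONFIG)
    print(cfg)
    print(outbound_nat_rule(cfg, "em1"))
    print("DNS reachable only via redirect-gateway:", dns_outside_pushed_prefixes(cfg))
    print("Blocked entries on the VPN port:", blocked_entries_hitting_vpn(SAMPLE_LOG, cfg))
```

The NAT line is what the pfSense Outbound NAT entry for the tunnel subnet has to amount to on the WAN the tunnel uses; pfSense writes the actual rule itself, so the useful comparison is source subnet and interface. Feeding real filter-log lines to blocked_entries_hitting_vpn separates blocks aimed at the listener port from the rest.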
                                    • M
                                      marvosa
                                      last edited by

                                      At this point, it's most likely either a firewall or DNS issue.

                                      1.  Make sure you're testing from an outside network where the LAN is not 192.168.1.x, 192.168.2.x or 192.168.3.x.

                                      2.  What are the firewall rules on the OpenVPN tab?

                                      3.  While connected, ping known IPs like 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220, etc., and see if you get a response.

                                      4.  Do nslookups on google.com, yahoo.com, msn.com, etc., and make sure your DNS is resolving.

                                      • J
                                        jgottlieb
                                        last edited by

                                        I agree, at this point I think it's a FW rules or NAT issue.  DNS is resolving fine.  But I am having no luck getting to any IPs.

                                        This is my OpenVPN interface rule.  Basically any any.  It was automatically added by the wizard.

                                                  • none   OpenVPN OpenVPN Remote Access wizard

                                        My biggest concern is it's a NAT issue.  I've switched over to AON and I've added a rule on the same WAN interface (WAN_HOME) that the OpenVPN is set up on to NAT the 192.168.3.0/24.  But it's not working or I've set it up wrong.  Should I ask this in the NAT forum?

                                        • K
                                          kejianshi
                                          last edited by

                                          Stop using Automatic outbound NAT for a couple of seconds.
                                          Try creating Manual Outbound NAT Entries.

                                          Also, when you pull up the Manual Outbound NAT and set it up, try posting screenshots of your firewall rules, outbound NAT rules and OpenVPN server setup page.  Makes it easier to see what's going on.

                                          It has to be something simple, because what you are doing is simple.  Some tiny little setting.

                                          • J
                                            jgottlieb
                                            last edited by

                                            I'm using AON (Advanced Outbound NAT), not automatic outbound NAT.  The naming is way too close and confusing.  Anyway, it's the manual one.

                                            Here are the NAT settings (attached)

                                            NAT1.jpg
                                            NAT2.jpg

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.