Exact same config not working today - was yesterday! - Resolved!



  • Hi all,

    Nothing has changed since yesterday in my setup and yet my OpenVPN client doesn't work properly.

    Before it would connect up and then I'd be able to access my lan and ALL traffic was directed through the VPN.

    However now I can only access my firewall and outside sites through the VPN.  
    Local LAN is not available as well as it was initially identified as an "unidentified network".

    Any thoughts?
    Log from VPN client:

    Thu Jul 18 16:22:33 2013 OpenVPN 2.3.1 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
    Enter Management Password:
    Thu Jul 18 16:22:34 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jul 18 16:22:34 2013 Control Channel Authentication: using 'firewall1-udp-1194-VPNNAME-tls.key' as a OpenVPN static key file
    Thu Jul 18 16:22:34 2013 UDPv4 link local (bound): [undef]
    Thu Jul 18 16:22:34 2013 UDPv4 link remote: [AF_INET]MY IP:1194
    Thu Jul 18 16:22:35 2013 [VPNNAME] Peer Connection Initiated with [AF_INET]MY IP:1194
    Thu Jul 18 16:22:38 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Jul 18 16:22:38 2013 open_tun, tt->ipv6=0
    Thu Jul 18 16:22:38 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{5DA1D1BB-518C-40AA-9C94-5AE35B7FA49B}.tap
    Thu Jul 18 16:22:38 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.100/255.255.255.0 on interface {5DA1D1BB-518C-40AA-9C94-5AE35B7FA49B} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
    Thu Jul 18 16:22:38 2013 Successful ARP Flush on interface [23] {5DA1D1BB-518C-40AA-9C94-5AE35B7FA49B}
    Thu Jul 18 16:22:43 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    OK!
    Thu Jul 18 16:22:43 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    OK!
    Thu Jul 18 16:22:43 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    OK!
    Thu Jul 18 16:22:43 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    OK!
    Thu Jul 18 16:22:43 2013 Initialization Sequence Completed
    Thu Jul 18 16:41:27 2013 [VPNNAME] Inactivity timeout (--ping-restart), restarting
    Thu Jul 18 16:41:27 2013 SIGUSR1[soft,ping-restart] received, process restarting
    Thu Jul 18 16:41:29 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jul 18 16:41:29 2013 UDPv4 link local (bound): [undef]
    Thu Jul 18 16:41:29 2013 UDPv4 link remote: [AF_INET]MY IP:1194
    Thu Jul 18 16:41:30 2013 [VPNNAME] Peer Connection Initiated with [AF_INET]MY IP:1194
    Thu Jul 18 16:41:32 2013 Preserving previous TUN/TAP instance: Local Area Connection 2
    Thu Jul 18 16:41:32 2013 Initialization Sequence Completed
    Thu Jul 18 16:43:07 2013 [VPNNAME] Inactivity timeout (--ping-restart), restarting
    Thu Jul 18 16:43:07 2013 SIGUSR1[soft,ping-restart] received, process restarting
    Thu Jul 18 16:43:09 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jul 18 16:43:09 2013 UDPv4 link local (bound): [undef]
    Thu Jul 18 16:43:09 2013 UDPv4 link remote: [AF_INET]MY IP:1194
    Thu Jul 18 16:43:12 2013 [VPNNAME] Peer Connection Initiated with [AF_INET]MY IP:1194
    Thu Jul 18 16:43:14 2013 Preserving previous TUN/TAP instance: Local Area Connection 2
    Thu Jul 18 16:43:14 2013 Initialization Sequence Completed



  • Hmm I noticed that the VPN adapter is stating unidentified instead of "mydomain.com" which is odd.

    And I cannot ping any side of my LAN - tracert doesn't give me any details.

    HOWEVER on the firewall logs I can see this:

    Jul 18 18:35:00 pf: 00:00:00.923827 rule 1/0(match): block in on pppoe0: (tos 0x78, ttl 105, id 18220, offset 0, flags [none], proto UDP (17), length 131)
    Jul 18 18:34:59 pf: 192.168.0.100.50969 > 173.194.34.79.80: Flags [S], cksum 0x7f48 (correct), seq 2171270759, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0

    The 192 address is my laptop connected via VPN.

    And the 173 address is a Google IP.

    Now it's weird that it goes into my WAN interface rather than from the OpenVPN side. So obviously this will get blocked due to the WAN interface not accepting private address spaces.

    Any logs you guys want to see to try and troubleshoot this?



  • I have resolved this now!

    I have my pfSense running on an ESXi host.

    I was messing around with the vSphere switches last night and disabled promiscuous mode for the firewall switch - this was causing it to not allow certain traffic through!