    New OpenVPN setup for road-warriors - connected but no routing

    OpenVPN
    • C
      Cylindric last edited by

      I have a newly-setup pfSense firewall and need to set up the OpenVPN for users to connect their laptops.

      I've managed to get the client connecting to the firewall okay, I see it connected at the client and also in the list on the firewall, I think the problem is either with routing or with rules.

      I am running the OpenVPN client "as administrator", so it shouldn't have any problem with creating routes etc.

      Part of the problem is that I'm not sure what sort of diagnostic steps to take next, i.e. what should be able to ping where, and so on. Apologies if I've not provided enough info, I just wasn't sure what to tell :)

      The LAN subnet is 10.10.0.0/24
      The VPN subnet is 172.29.0.0/24

      My home ip address is 172.29.14.100
      The subnet at home is 172.29.14.0/24

      Here's my route table at home:

      ===========================================================================
      Interface List
       24...00 ff 88 de fc 9e ......TAP-Windows Adapter V9
       12...f4 6d 04 97 b3 68 ......Intel(R) 82579V Gigabit Network Connection
       17...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
       18...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
        1...........................Software Loopback Interface 1
       15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
       16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
       19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
       20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
       21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
      ===========================================================================
      
      IPv4 Route Table
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0      172.29.14.1    172.29.14.100     10
              10.10.0.0    255.255.255.0       172.29.0.5       172.29.0.6     30
              127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
              127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
        127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
             172.29.0.1  255.255.255.255       172.29.0.5       172.29.0.6     30
             172.29.0.4  255.255.255.252         On-link        172.29.0.6    286
             172.29.0.6  255.255.255.255         On-link        172.29.0.6    286
             172.29.0.7  255.255.255.255         On-link        172.29.0.6    286
            172.29.14.0    255.255.255.0         On-link     172.29.14.100    266
          172.29.14.100  255.255.255.255         On-link     172.29.14.100    266
          172.29.14.255  255.255.255.255         On-link     172.29.14.100    266
           192.168.64.0    255.255.255.0         On-link      192.168.64.1    276
           192.168.64.1  255.255.255.255         On-link      192.168.64.1    276
         192.168.64.255  255.255.255.255         On-link      192.168.64.1    276
          192.168.233.0    255.255.255.0         On-link     192.168.233.1    276
          192.168.233.1  255.255.255.255         On-link     192.168.233.1    276
        192.168.233.255  255.255.255.255         On-link     192.168.233.1    276
              224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
              224.0.0.0        240.0.0.0         On-link        172.29.0.6    286
              224.0.0.0        240.0.0.0         On-link     192.168.233.1    276
              224.0.0.0        240.0.0.0         On-link      192.168.64.1    276
              224.0.0.0        240.0.0.0         On-link     172.29.14.100    266
        255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        255.255.255.255  255.255.255.255         On-link        172.29.0.6    286
        255.255.255.255  255.255.255.255         On-link     192.168.233.1    276
        255.255.255.255  255.255.255.255         On-link      192.168.64.1    276
        255.255.255.255  255.255.255.255         On-link     172.29.14.100    266
      ===========================================================================
      Persistent Routes:
        None
      
      IPv6 Route Table
      ===========================================================================
      Active Routes:
       If Metric Network Destination      Gateway
        1    306 ::1/128                  On-link
       24    286 fe80::/64                On-link
       17    276 fe80::/64                On-link
       18    276 fe80::/64                On-link
       12    266 fe80::/64                On-link
       18    276 fe80::21b3:c7b1:1154:b236/128
                                          On-link
       12    266 fe80::6d13:2082:832:51ff/128
                                          On-link
       17    276 fe80::ad39:9096:d008:a290/128
                                          On-link
       24    286 fe80::f13e:a604:2a0c:d944/128
                                          On-link
        1    306 ff00::/8                 On-link
       24    286 ff00::/8                 On-link
       17    276 ff00::/8                 On-link
       18    276 ff00::/8                 On-link
       12    266 ff00::/8                 On-link
      ===========================================================================
      Persistent Routes:
        None
      
      

      And my IP config:

      Windows IP Configuration
      
         Host Name . . . . . . . . . . . . : Megavec
         Primary Dns Suffix  . . . . . . . : 
         Node Type . . . . . . . . . . . . : Hybrid
         IP Routing Enabled. . . . . . . . : No
         WINS Proxy Enabled. . . . . . . . : No
         DNS Suffix Search List. . . . . . : myworkdomain.co.uk
      
      Ethernet adapter Local Area Connection:
      
         Connection-specific DNS Suffix  . : myworkdomain.co.uk
         Description . . . . . . . . . . . : TAP-Windows Adapter V9
         Physical Address. . . . . . . . . : 00-FF-88-DE-FC-9E
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         Link-local IPv6 Address . . . . . : fe80::f13e:a604:2a0c:d944%24(Preferred) 
         IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred) 
         Subnet Mask . . . . . . . . . . . : 255.255.255.252
         Lease Obtained. . . . . . . . . . : 24 July 2013 16:43:50
         Lease Expires . . . . . . . . . . : 24 July 2014 16:43:50
         Default Gateway . . . . . . . . . : 
         DHCP Server . . . . . . . . . . . : 172.29.0.5
         DHCPv6 IAID . . . . . . . . . . . : 553713544
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-CE-4B-ED-F4-6D-04-97-B3-68
         DNS Servers . . . . . . . . . . . : 10.10.0.35
         NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Ethernet adapter Ethernet:
      
         Connection-specific DNS Suffix  . : 
         Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
         Physical Address. . . . . . . . . : F4-6D-04-97-B3-68
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         Link-local IPv6 Address . . . . . : fe80::6d13:2082:832:51ff%12(Preferred) 
         IPv4 Address. . . . . . . . . . . : 172.29.14.100(Preferred) 
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Lease Obtained. . . . . . . . . . : 22 July 2013 13:39:42
         Lease Expires . . . . . . . . . . : 29 July 2013 13:39:42
         Default Gateway . . . . . . . . . : 172.29.14.1
         DHCP Server . . . . . . . . . . . : 172.29.14.1
         DHCPv6 IAID . . . . . . . . . . . : 267676932
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-CE-4B-ED-F4-6D-04-97-B3-68
         DNS Servers . . . . . . . . . . . : 194.168.4.100
                                             194.168.8.100
         NetBIOS over Tcpip. . . . . . . . : Enabled
      
      
      • P
        phil.davis last edited by

        The routes on the client look good - there is a route to 10.10.0.0/24 across the OpenVPN.
        Have you got rule/s on the OpenVPN tab of Firewall Rules at the pfSense server end?
        You have to explicitly allow (pass) incoming traffic arriving on the OpenVPN heading for the LAN 10.10.0.0/24. For testing, put an allow any to any rule on the OpenVPN tab. If that works then you can make the rule more restrictive as needed.
        From the Windows client end you can:

        tracert 10.10.0.1          (use an IP address of a device on the server-end LAN)

        Then you can see where the packets are routed and what hops do/don't answer.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

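        phil.davis's reading of the posted `route print` table ("there is a route to 10.10.0.0/24 across the OpenVPN") can be checked mechanically. The script below is an added example, not code from this thread or from pfSense: it parses the IPv4 "Active Routes" section of Windows `route print` output (the embedded sample is the table from the first post, trimmed to the rows that matter), picks the longest-prefix match for a host in the server-side LAN, and reports whether that traffic would leave via the tunnel adapter. The subnet and tunnel address passed to `check_vpn_route` are the values from the first post.

```python
import ipaddress
import re

# Sample input: the IPv4 section of `route print` as posted in the thread
# (copied from the first post, reduced to the rows relevant to the check).
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.29.14.1    172.29.14.100     10
        10.10.0.0    255.255.255.0       172.29.0.5       172.29.0.6     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       172.29.0.1  255.255.255.255       172.29.0.5       172.29.0.6     30
       172.29.0.4  255.255.255.252         On-link        172.29.0.6    286
      172.29.14.0    255.255.255.0         On-link     172.29.14.100    266
===========================================================================
Persistent Routes:
  None
"""

# One row: destination, netmask, gateway (an address or "On-link"),
# interface address, metric.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return [(network, gateway, interface, metric)] for the IPv4 table."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_ipv4 = True
            continue
        if line.startswith("IPv6 Route Table"):
            break
        if not in_ipv4:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators, "Persistent Routes:" etc.
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, ipaddress.ip_address(iface), int(metric)))
    return routes


def best_route(routes, target):
    """Longest-prefix match, ties broken by lowest metric (as Windows does)."""
    target = ipaddress.ip_address(target)
    candidates = [r for r in routes if target in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def check_vpn_route(text, lan_subnet, tunnel_iface_ip):
    """Would traffic for the remote LAN leave via the tunnel adapter?

    Returns (ok, explanation)."""
    routes = parse_routes(text)
    lan = ipaddress.ip_network(lan_subnet)
    probe = str(lan.network_address + 1)  # any host inside the LAN
    r = best_route(routes, probe)
    if r is None:
        return False, f"no route covers {lan}"
    net, gw, iface, metric = r
    if iface != ipaddress.ip_address(tunnel_iface_ip):
        return False, (f"{lan} would go via {iface} (gateway {gw}, matched "
                       f"{net}), not the tunnel adapter")
    return True, f"{lan} -> gateway {gw} on tunnel adapter {iface} (metric {metric})"


if __name__ == "__main__":
    ok, why = check_vpn_route(ROUTE_PRINT_SAMPLE, "10.10.0.0/24", "172.29.0.6")
    print("OK" if ok else "PROBLEM", "-", why)
```

        A `True` result means the client side is doing what phil.davis describes and the pings timing out are not a client routing problem, which is why his next step is the pass rule on the OpenVPN tab of the pfSense firewall rules. A `False` result where the default route was matched means the pushed `route 10.10.0.0 255.255.255.0` never reached the client's table.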
        • C
          Cylindric last edited by

          Okay, so I do have a rule on the OpenVPN tab (see attached vpn1.png and vpn2.png for VPN and LAN rules).

          I ran a trace from the home machine (172.29.0.6) to my office machine (10.10.0.122), and it timed out on all hops. The same with the firewall's LAN address: "Request timed out."

          I'm not sure if I should be able to ping LAN-to-VPN, but I tried that just in case :)  That also times out, but the first hop does get to 10.10.0.3 (the pfSense LAN IP) okay, and times out after that.
          
          ![vpn2.PNG](/public/_imported_attachments_/1/vpn2.PNG)
          ![vpn1.PNG](/public/_imported_attachments_/1/vpn1.PNG)
          • K
            kejianshi last edited by

            At the TOP of your LAN interface firewall rules, why don't you temporarily put in a pass all to anywhere rule just until your VPN is working correctly, and then after that go back to being restrictive. That way you won't be wondering if it's a firewall rule breaking your setup.

            Also, is there a reason you selected TAP vs. TUN?  I always use TUN + Layer 3 with NAT to tunnel clients back to a particular subnet, and give them full internet access + network access to resources on the LAN and each other as well.

            • M
              marvosa last edited by

              Post your server1.conf and network map.

              Also, have we tried the easy stuff like turning off the windows firewall?

              • K
                kejianshi last edited by

                Yep - The bubba list for windows installs.

                1.  Export a Windows package
                2.  Make sure that when you run the install package on the windows machine, you right click it and run as admin.
                    If you don't right click and run as admin, it will install, and connect even…  But will not route any packets to speak of.
                3.  If you didn't install as admin, uninstall - Then install as admin.
                4.  If still blocked, turn off the Windows Firewall.  Turn off all the firewalls during testing till it works.

                • C
                  Cylindric last edited by

                  @kejianshi:

                  At the TOP of your LAN interface firewall rules, why don't you temporarily put in a pass all to anywhere rule just until your VPN is working correctly, and then after that go back to being restrictive. That way you won't be wondering if it's a firewall rule breaking your setup.

                  I've added that now

                  @kejianshi:

                  Also, is there a reason you selected TAP vs. TUN?  I always use TUN + Layer 3 with NAT to tunnel clients back to a particular subnet, and give them full internet access + network access to resources on the LAN and each other as well.

                  No particular reason - I can try changing that.

                  @marvosa:

                  Post your server1.conf and network map.

                  dev ovpns1
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local my.wan.ip.address
                  tls-server
                  server 172.29.0.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  max-clients 10
                  push "route 10.10.0.0 255.255.255.0"
                  push "dhcp-option DOMAIN myworkdomain.co.uk"
                  push "dhcp-option DNS 10.10.0.35"
                  ca /var/etc/openvpn/server1.ca 
                  cert /var/etc/openvpn/server1.cert 
                  key /var/etc/openvpn/server1.key 
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server1.tls-auth 0
                  persist-remote-ip
                  float
                  

                  @marvosa:

                  Also, have we tried the easy stuff like turning off the windows firewall?

                  Yep.

                  • K
                    kejianshi last edited by

                    I hate to assume anything so I'm going to repeat this bit again.

                    Make sure that when you run the install package on the windows machine, you right click it and run as admin.
                    If you don't right click and run as admin, it will install, and connect even…  But will not route any packets to speak of.
                    (I also prefer TUN for your setup)

                    • C
                      Cylindric last edited by

                      That's fine, it's always likely that I've made a daft mistake :)

                      I did just uninstall and re-install as admin, just in case, and even run the client as admin to be sure, and it doesn't seem to make a difference.

                      Is there any change to moving to TUN apart from changing the server and client settings to the "tun" option?

                      • K
                        kejianshi last edited by

                        Yes - You have to export your client config again and reinstall it on windows.
                        So, uninstall the old one then reinstall the new one.
                        Also make sure your firewall rules in pfsense on the openvpn tab pass to anywhere, just like your LAN rule.

                        (I'm all IPV4 here, so if this is a IPV6 glitch, all bets are off)

                        • C
                          Cylindric last edited by

                          No idea what I'm missing now. I have some images of my current setup.

                          I'll try a full removal of the client from the PC and clean up whatever I can see, and try again. As it's connecting but not routing, it smells like the problem of not installing as admin, even though I definitely did.

                          I assume that if the correct routes are created and visible in "route print", then admin isn't the problem?

                          • K
                            kejianshi last edited by

                            Still using the TAP adapter?  Seriously want you to reconsider using TUN for your own sanity.
                            OpenVPN should come with a warning that says "Don't use TAP unless you absolutely intend to bridge to your server network or absolutely require layer 2".
                            As a matter of fact, some OpenVPN tools do say something like that.  To get TAP to work, you will need IPs assigned, so DHCP start and end range.  Probably want bridging.  Probably want LZO compression on no matter what you use.  Probably want type-of-service checked…

                            But, unless you can tell me why you need TAP, probably need to dump it and use TUN for this.

                            • C
                              Cylindric last edited by

                              Ah, sorry my bad - I had tried both, so think I must've changed it back before screenies. I'll set it to TUN now and test again just to be sure! I also found the "Management Interface" option for the client download, and the newer version of OpenVPN, so I'll get through those…

                              • K
                                kejianshi last edited by

                                Something just occurred to me.  What version of the OpenVPN client export package are you on?  If you go to your packages, is there an update available for it?  It's a one button push to update that.  Basically you just press the little pkg button out to the right.  Before you export a new TUN adapter (you have to export a new config each time you make a server change to be safe), please make sure the client export package is the latest one.

                                • C
                                  Cylindric last edited by

                                  Doesn't appear to be, I only installed it a few days ago too - I'm on 1.0.11

                                  • K
                                    kejianshi last edited by

                                    If it's not offering an update there, your version is current.  We are on the same thing.

                                    • K
                                      kejianshi last edited by

                                      Sorry to nit-pick but just checking.  When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side.  Give the OpenVPN tunnel a separate range.

                                      So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).

                                      No need to push routes or any other madness.

                                      I do provide DNS servers and NTP servers though.  Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want google DNS

                                      I also provide a default domain NAME.  Just pick a name like tunnel1194 if you only use one server.

                                      • C
                                        Cylindric last edited by

                                        Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.

                                        Tue Jul 30 16:07:21 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun  3 2013
                                        Enter Management Password:
                                        Tue Jul 30 16:07:27 2013 Control Channel Authentication: using 'firewall-udp-1194-mark-tls.key' as a OpenVPN static key file
                                        Tue Jul 30 16:07:27 2013 UDPv4 link local (bound): [undef]
                                        Tue Jul 30 16:07:27 2013 UDPv4 link remote: [AF_INET]88.215.3.70:1194
                                        Tue Jul 30 16:07:27 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                                        Tue Jul 30 16:07:29 2013 [MyVPN_Server] Peer Connection Initiated with [AF_INET]88.215.3.70:1194
                                        Tue Jul 30 16:07:31 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                                        Tue Jul 30 16:07:31 2013 open_tun, tt->ipv6=0
                                        Tue Jul 30 16:07:31 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{27851D99-6A01-467F-965E-44884FAA8B29}.tap
                                        Tue Jul 30 16:07:31 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.29.0.6/255.255.255.252 on interface {27851D99-6A01-467F-965E-44884FAA8B29} [DHCP-serv: 172.29.0.5, lease-time: 31536000]
                                        Tue Jul 30 16:07:31 2013 Successful ARP Flush on interface [22] {27851D99-6A01-467F-965E-44884FAA8B29}
                                        Tue Jul 30 16:07:36 2013 Initialization Sequence Completed
                                        
                                        

                                        ipconfig.txt
                                        route.txt

                                        • K
                                          kejianshi last edited by

                                          All firewalls off on the windows box?

                                          • D
                                            doktornotor Banned last edited by

                                            @Cylindric:

                                            Still no joy, even with both server and client set to "TUN". With or without the Management part. With 2.2 or 2.3-x86.

                                            I don't understand what you are trying to do there.

                                            
                                               Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
                                               IPv4 Address. . . . . . . . . . . : 172.29.0.6(Preferred) 
                                               Subnet Mask . . . . . . . . . . . : 255.255.255.252
                                            
                                            

                                            This for sure again looks like /30.

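                                            Two of the addressing checks raised in this thread, kejianshi's point that the tunnel range must be distinct from both the client-side and server-side networks, and doktornotor's reading of the client's 255.255.255.252 mask as the net30 topology, can be written down as a small audit. The script below is an added example in Python, not code from the thread or from pfSense. Its inputs are the values from the posts (the TAP adapter's address and mask from ipconfig, the pfSense "Tunnel Network", the server LAN and the home LAN); `infer_topology` applies the rule that net30 gives each client its own /30 with the server's virtual endpoint one address below the client, whereas subnet topology gives the client the tunnel network's own mask.

```python
import ipaddress

# Sample inputs copied from the thread (not read from a live system):
# TAP adapter address/mask as shown by ipconfig, the pfSense "Tunnel Network",
# the server-side LAN and the client's home LAN.
CLIENT_TUNNEL_IP = "172.29.0.6"
CLIENT_TUNNEL_MASK = "255.255.255.252"
TUNNEL_NETWORK = "172.29.0.0/24"
SERVER_LAN = "10.10.0.0/24"
CLIENT_LAN = "172.29.14.0/24"


def infer_topology(ip, mask, tunnel_network):
    """Infer the OpenVPN topology from what the client adapter received.

    net30:  each client gets a /30 carved out of the tunnel network; the
            server's virtual endpoint is the address just below the client's.
    subnet: the client carries the tunnel network's full mask.
    Returns (topology, server_endpoint_or_None)."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    tunnel = ipaddress.ip_network(tunnel_network)
    if iface.network.prefixlen == 30:
        return "net30", iface.ip - 1
    if iface.network.prefixlen == tunnel.prefixlen:
        return "subnet", None
    return "unknown", None


def overlap_problems(tunnel_network, server_lan, client_lan):
    """Pairwise overlap check of the three ranges that must stay distinct."""
    nets = {
        "tunnel": ipaddress.ip_network(tunnel_network),
        "server LAN": ipaddress.ip_network(server_lan),
        "client LAN": ipaddress.ip_network(client_lan),
    }
    names = list(nets)
    return [
        f"{a} {nets[a]} overlaps {b} {nets[b]}"
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def audit(ip, mask, tunnel_network, server_lan, client_lan):
    """Summarise the tunnel addressing as a dict of findings."""
    topology, endpoint = infer_topology(ip, mask, tunnel_network)
    tunnel = ipaddress.ip_network(tunnel_network)
    return {
        "topology": topology,
        "server_endpoint": str(endpoint) if endpoint is not None else None,
        "client_in_tunnel_network": ipaddress.ip_address(ip) in tunnel,
        "overlaps": overlap_problems(tunnel_network, server_lan, client_lan),
    }


if __name__ == "__main__":
    findings = audit(CLIENT_TUNNEL_IP, CLIENT_TUNNEL_MASK,
                     TUNNEL_NETWORK, SERVER_LAN, CLIENT_LAN)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

                                            On the thread's values this reports `net30` with server endpoint 172.29.0.5 (the "DHCP server" the TAP adapter shows) and no overlaps, so the /30 is the topology pfSense generated for a /24 tunnel network rather than a misconfigured mask. Running `audit` on a setup where the home LAN and the server LAN share a range flags the overlap kejianshi warns about.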
                                            • C
                                              Cylindric last edited by

                                              @kejianshi:

                                              Sorry to nit-pick but just checking.  When you stipulate your tunnel IP make sure that subnet isn't used on the client side or the server side.  Give the OpenVPN tunnel a separate range.

                                              So if the client is on 192.168.1.0/24 and the server is on 178.x.x.x, make the tunnel network something like 10.122.20.0/24 (or whatever).

                                              No need to push routes or any other madness.

                                              I do provide DNS servers and NTP servers though.  Get two online for NTP servers in your timezone and use 8.8.8.8 and 8.8.4.4 if you want google DNS

                                              I also provide a default domain NAME.  Just pick a name like tunnel1194 if you only use one server.

                                              Nitpick away - whatever it takes :)

                                              My remote test PC is on a 172.29.14.0 subnet with a mask 255.255.255.0, at the moment the IP is 172.29.14.100

                                              My pfSense LAN subnet is 10.10.0.0 with mask 255.255.255.0, and the IP is 10.10.0.3

                                              The server "Tunnel Network" is 172.29.0.0/24
                                              The server "Local Network" is 10.10.0.0/24

                                              The client "Tunnel Network" is 172.29.0.0/24
                                              The client "Local Network" is 10.10.0.0/24

                                              The firewall is now disabled on the PC. Not sure what the Virgin SuperHub might be doing though - although as the tunnel is established and I can see that in the pfSense status, I assume any intermediary firewalls just see "traffic", not anything specific.

                                              This for sure again looks like /30

                                              I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.

                                              • D
                                                doktornotor Banned last edited by

                                                @Cylindric:

                                                This for sure again looks like /30

                                                I can only assume this is coming from the config in pfSense, I'm not setting that mask anywhere. I have /24 in all configs.

                                                Please, tick the proper checkbox so that this net30 topology is NOT used.

                                                • C
                                                  Cylindric last edited by

                                                  @doktornotor:

                                                  Please, tick the proper checkbox so that this net30 topology is NOT used.

                                                  What screen are you seeing that on? I just get the attached.


                                                  • D
                                                    doktornotor Banned last edited by

                                                    @Cylindric:

                                                    @doktornotor:

                                                    Please, tick the proper checkbox so that this net30 topology is NOT used.

                                                    What screen are you seeing that on? I just get the attached.

                                                    As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.

                                                    • C
                                                      Cylindric last edited by

                                                      @doktornotor:

                                                      As already posted elsewhere. This ONLY is available if you set up the interface as TUN. Not with TAP.

                                                      I am on TUN now.




                                                      • D
                                                        doktornotor Banned last edited by

                                                        Well, then it's not available in 2.0.3. Time to upgrade. :P

                                                        • C
                                                          Cylindric last edited by

                                                          2.0.3 is the latest I could find. You folks running the 2.1 RC?

                                                          • K
                                                            kejianshi last edited by

                                                            You can go to 2.1RC

                                                            http://snapshots.pfsense.org/

                                                            But honestly, this should work fine on 2.0.3.  It should be a 5 minute setup from start to finish.

                                                            Some basic little thing is broken and it's possible it's not even anything to do with pfSense.

                                                            I'll read your config again.

                                                            • C
                                                              Cylindric last edited by

                                                              Thanks. Tomorrow I'll probably delete all the settings and start from scratch - I made some wrong turns at the start that may be lingering.

                                                              • K
                                                                kejianshi last edited by

                                                                OK - This is broken.  Why is it set up as peer to peer now?

                                                                Server mode (I suggest Remote Access. SSL/TLS)

                                                                protocol UDP

                                                                device mode TUN

                                                                • K
                                                                  kejianshi last edited by

                                                                  You don't need 2.1 to make it work…  Problem is peer to peer.  You don't want that.

                                                                  • C
                                                                    Cylindric last edited by

                                                                    This is a bit odd. The server is set to "Remote Access (SSL/TLS + User Auth)", but the client is now set to Peer-to-peer, and the only options available are the two "peer to peer" ones.

                                                                    • K
                                                                      kejianshi last edited by

                                                                      Recommendation - Delete the server and the client.

                                                                      Use the wizard and set it up again using TUN from the very beginning.

                                                                      It sounds like a big deal but should be a few minutes.

                                                                      I'm sure 2.1 works fine but 2.3 isn't broken either.

                                                                      You just got a bit twisted around.  That's all.

                                                                      • C
                                                                        Cylindric last edited by

                                                                        I'll try it again tomorrow - getting frazzled now :)

                                                                        Just deleted both configs, used the wizard to set up the server bit (seemed to create a tun setup anyway) but a new client still only allows server mode Peer to Peer.

                                                                        • K
                                                                          kejianshi last edited by

                                                                          Did you try shooting it with a 12 gauge shotgun?  (Teasing)

                                                                          That's odd.  I've never seen anything like that before.  It should allow you to configure remote access.  That's very basic.

                                                                          I wonder…  Do you have user accounts and certs set up on your pfsense other than Admin?  Because you need to.  It's required.

                                                                          If pfsense thinks there are no users and no user certs it might not present you with remote access options.

                                                                          I had assumed these road warriors of yours had limited user accounts installed on pfsense.

                                                                          You can get away with creating just 1 user and one user cert and allowing multiple concurrent connections by that user, but it's better to set up one user account per "road warrior".  You just go into system > user manager and add users, passwords and user certs.

                                                                          Then you might have much better luck.

                                                                          • C
                                                                            Cylindric last edited by

                                                                            I do have a user I set up that I've been using for testing, and that's the one I've been using in the OpenVPN client downloader.

                                                                            • C
                                                                              Cylindric last edited by

                                                                              Hang on, do I even need the "client" tab on the OpenVPN config? Going to try a manual approach as per: http://forum.pfsense.org/index.php?topic=22115.0

                                                                              • C
                                                                                Cylindric last edited by

                                                                                Getting the shotgun ready now. Just recreated everything manually, and no difference. VPN client connects fine, lights go green, routes are created, but nothing is passed.

                                                                                • K
                                                                                  kejianshi last edited by

                                                                                  When you want to connect a windows machine to a pfsense for the purposes of tunneling, it's a server-client relationship.  Not peer to peer.  I think just a straight up simple TUN tunnel is the way and those are made with wizard.

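As an added illustration of what kejianshi's two pieces of advice (server mode "Remote Access SSL/TLS", UDP, TUN, and "it's a server-client relationship, not peer to peer") translate to at the OpenVPN directive level. This is not configuration taken from the thread or from pfSense's generated files; the hostnames, subnets and file names are placeholders I chose, and the pfSense GUI writes the equivalent for you when the server is created through the wizard.

```conf
# --- Server side: Remote Access (SSL/TLS), routed TUN tunnel over UDP ---
# Placeholder values throughout; substitute your own CA, certs and subnets.
mode server
tls-server                              # server end of the TLS handshake; each road warrior presents a user cert
proto udp
dev tun                                 # layer-3 routed tunnel (the wizard default), not a bridged TAP device
server 10.8.0.0 255.255.255.0           # placeholder tunnel network; clients get an address from here
push "route 192.168.1.0 255.255.255.0"  # placeholder LAN behind the firewall, pushed as a route to clients
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0                       # HMAC on control-channel packets; drops unauthenticated handshakes
keepalive 10 60
persist-key
persist-tun
verb 3

# --- Client side for the same server (what the client export package carries) ---
# A "Peer to Peer (Shared Key)" client would instead have a `secret static.key`
# line and no `client`/`tls-client` directives, so it can never complete the
# TLS handshake with the server above; the two modes do not interoperate.
client                                  # implies tls-client and pull (accept pushed routes)
proto udp
dev tun
remote vpn.example.invalid 1194         # placeholder hostname; pfSense WAN address in practice
ca ca.crt
cert user1.crt                          # per-user cert from System > User Manager
key user1.key
tls-auth ta.key 1
auth-user-pass                          # prompts for the pfSense user account (SSL/TLS + User Auth)
verb 3
```

Two things worth checking once a client in this configuration connects and the routes appear: the client's routing table should show the pushed LAN route pointing at the TUN adapter's address, and the firewall needs a rule on its OpenVPN interface that permits traffic from the tunnel network to the LAN, because a connected tunnel with no pass rule produces exactly the "lights go green but nothing is passed" symptom described in this thread.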
                                                                                  • C
                                                                                    Cylindric last edited by

                                                                                    TUN is what I've been trying :(

                                                                                    I'm going to try it on a different remote computer, in case it's something wonky installed on my PC. Hopefully that's it, although it'll be annoying :)
