OpenVPN in 2.1RC1 not working as advertised



  • Hi All,

    I am not a specialist but do have some experience using openvpn with pfSense.

    Installed 2.1-RC1  (i386)
    built on Wed Sep 4 01:46:12 EDT 2013
    FreeBSD 8.3-RELEASE-p10

    My Windows 7 client does connect, I can access my pfSense webpage, but cannot get to any other node in the network…
    Opened up the rules - re-did the whole server setup not using the wizard (I usually use it)

    Nothing in the firewall logs for ovpn1 that jumps out.

    Server Config:

    /var/etc/openvpn(4): vi server1.conf

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-server
    server 10.10.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 5
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DOMAIN xxx.int"
    push "dhcp-option DNS 192.168.1.1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    comp-lzo
    persist-remote-ip
    float

    Am I missing something obvious or is there a bug?

    WAN rule
    IPv4 UDP  *  *  WAN address  1194 (OpenVPN)  *  none      OpenVPN vpnServer wizard

    OPENVPN rule
    IPv4 *  *  *  *  *  *  none      OpenVPN vpnServer wizard

    Nothing else I can think of...

    Thx

    Peter



  • I've been using OpenVPN on 2.1 RC1 with no issues. Let's see if we can track down what's going on…

    • Does "any other node in the network." mean on your 192.168.1.x network?

    • 192.168.1 is a very common subnet. Perhaps that's also the subnet where your Windows 7 client is located.

    • How are you trying to access those nodes? IP, hostname? What protocol/methods? HTTP? RDP?

    • Are you running the OpenVPN client as Administrator so it can add that route? (or are you using OpenVPNManager?)
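The overlap question raised above (tunnel pool vs. LAN vs. pushed route, and a client that happens to sit on a 192.168.1.x network of its own) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses the routing-relevant directives of an OpenVPN server config (the `server` line and `push "route …"` lines) and reports overlaps. The LAN CIDR and client-side CIDR are inputs you supply; the sample config is a constructed copy of the lines from the post above.

```python
import ipaddress
import shlex

# Constructed sample (not a capture from the thread's box): the routing-relevant
# lines of the server1.conf posted above.
SAMPLE_SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
server 10.10.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""


def parse_server_conf(text):
    """Return (tunnel_net, pushed_nets) from OpenVPN server config text.

    Only the 'server' directive and 'push "route ..."' lines matter here;
    ciphers, certs, keepalive etc. are ignored.
    """
    tunnel = None
    pushed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)          # 'push "route a b"' -> ['push', 'route a b']
        if parts[0] == "server" and len(parts) >= 3:
            tunnel = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) >= 2:
            words = parts[1].split()
            if words[0] == "route" and len(words) >= 3:
                pushed.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return tunnel, pushed


def diagnose(conf_text, lan_cidr, client_local_cidr):
    """Return a list of findings; an empty list means nothing obviously wrong.

    lan_cidr          - network behind pfSense the client should reach (supplied by you)
    client_local_cidr - network the client machine sits on while connecting (supplied by you)
    """
    tunnel, pushed = parse_server_conf(conf_text)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    client_local = ipaddress.ip_network(client_local_cidr, strict=False)
    findings = []

    if tunnel is None:
        findings.append("no 'server' directive: tunnel subnet unknown")
        return findings

    # The pushed route has to cover the whole LAN with the mask pfSense uses on
    # that interface; a narrower push leaves part of the LAN unroutable.
    if not any(lan.subnet_of(p) for p in pushed):
        findings.append(f"LAN {lan} is not covered by any pushed route {[str(p) for p in pushed]}")

    # The tunnel pool must not overlap the LAN or any pushed route.
    for net in [lan, *pushed]:
        if tunnel.overlaps(net):
            findings.append(f"tunnel pool {tunnel} overlaps {net}")

    # If the client's own local network overlaps a pushed route, the client keeps
    # using its directly connected route and the VPN route is never taken.
    for p in pushed:
        if client_local.overlaps(p):
            findings.append(
                f"client local network {client_local} overlaps pushed route {p}; "
                "traffic for the remote LAN stays local")

    return findings


if __name__ == "__main__":
    # Same server config, client connecting from a 192.168.1.x hotel network
    # versus from the 192.168.210.0/24 network mentioned later in the thread.
    for client_net in ("192.168.1.0/24", "192.168.210.0/24"):
        print(client_net, diagnose(SAMPLE_SERVER_CONF, "192.168.1.0/24", client_net))
```

Run it with the real config file contents and the actual LAN mask from the pfSense interface page; an empty list for the client network you are actually on rules out the address-overlap explanation and points the search back at rules and the return path.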



  • Does "any other node in the network." mean on your 192.168.1.x network?

    Yes anything but 192.168.1.1 - I can connect and visit pfSense via https.
    but there is also an http (80) on 192.168.1.2 that stalls…

    • 192.168.1 is a very common subnet. Perhaps that's also the subnet where your Windows 7 client is located.
      I am very aware of that. Used my phone to tether a laptop so it was something random.
      Tried it from another place with 192.168.210.0/24 same result...

    • How are you trying to access those nodes? IP, hostname? What protocol/methods? HTTP? RDP?
      both name and IP. I actually tried pinging from the client and the internal name resolved to the right internal IP address...
      (PFsense is setup to do DNS resolving) so that part worked
      No pings came back and nothing in the firewall logs about it either.
      Tried file browsing/ping/http nothing goes beyond 192.168.1.1 = the firewall
      but again no traces of it in the logs
      I actually took out the (wide open) default VPN rule, then I saw blocked traffic in the logs
      made custom rules to allow it back in... no luck

    • Are you running the OpenVPN client as Administrator so it can add that route? (or are you using OpenVPNManager?)

    run it as administrator

    Had this issue yrs ago but cannot recall how to fix it.
    Tried the route-method exe & route-delay stuff, no luck.
    Connected from a Linux client same thing - up to the firewall, no further...

    I too have 2 other RC1 setups that work great - it is very weird & frustrating.
    Thinking of blowing it all away and start again.

    Thx for the help.

    Peter



  • Thought… maybe traffic is getting in... but not back out...
    How could I 'see' that in the logs (where?)

    Peter
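The way to "see" whether traffic gets in but not back out is to capture on both sides of pfSense at once (for example `tcpdump -ni ovpns1 icmp` on the tunnel interface and `tcpdump -ni <lan-if> icmp` on the LAN interface, where the LAN interface name is whatever pfSense assigned) while pinging a LAN host from the client, and then compare the four hops a ping makes: request in on the tunnel, request out on the LAN, reply in on the LAN, reply out on the tunnel. The block below is an added example, not from the thread or from pfSense: it does that comparison over tcpdump summary lines. The capture lines are constructed to show the "request leaves the LAN, nothing comes back" case; the client and target addresses are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump -n summary lines (not a capture from the thread's box): what the
# tunnel interface and the LAN interface saw while the VPN client (assumed 10.10.2.6)
# pinged a LAN host (assumed 192.168.1.2).
OVPNS1_LINES = """\
12:00:01.000 IP 10.10.2.6 > 192.168.1.2: ICMP echo request, id 1, seq 1, length 64
12:00:02.000 IP 10.10.2.6 > 192.168.1.2: ICMP echo request, id 1, seq 2, length 64
"""
LAN_LINES = """\
12:00:01.001 IP 10.10.2.6 > 192.168.1.2: ICMP echo request, id 1, seq 1, length 64
12:00:02.001 IP 10.10.2.6 > 192.168.1.2: ICMP echo request, id 1, seq 2, length 64
"""

ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")


def count_echo(lines):
    """Count ICMP echo requests and replies per (src, dst, kind) in tcpdump output."""
    counts = Counter()
    for line in lines.splitlines():
        m = ICMP_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["kind"])] += 1
    return counts


def where_does_it_stop(tun_lines, lan_lines, client_ip, target_ip):
    """Walk the four hops a ping takes through pfSense; report the first one that is missing."""
    tun = count_echo(tun_lines)
    lan = count_echo(lan_lines)
    req_in = tun[(client_ip, target_ip, "request")]    # client -> tunnel interface
    req_out = lan[(client_ip, target_ip, "request")]   # forwarded out the LAN interface
    rep_in = lan[(target_ip, client_ip, "reply")]      # host answered back to pfSense
    rep_out = tun[(target_ip, client_ip, "reply")]     # forwarded back into the tunnel

    if req_in == 0:
        return "request never arrived on the tunnel interface: look at the client's route table"
    if req_out == 0:
        return "request arrived on the tunnel but never left the LAN interface: pfSense rules/routing"
    if rep_in == 0:
        return ("request left the LAN interface but no reply came back: "
                "the host did not answer or sent its reply somewhere other than pfSense")
    if rep_out == 0:
        return "reply reached pfSense on the LAN but was not forwarded into the tunnel: pfSense rules/routing"
    return f"ok: {req_in} requests forwarded, {rep_out} replies returned"


if __name__ == "__main__":
    print(where_does_it_stop(OVPNS1_LINES, LAN_LINES, "10.10.2.6", "192.168.1.2"))
```

Feed it the two real captures (`tcpdump -n` output saved to files) and the verdict tells you which side of the firewall to keep digging on; the firewall log only shows what pf blocked, so a forwarded request whose reply never returns leaves nothing there, which matches the "nothing in the logs" symptom.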



  • Arg, that sounds pretty frustrating.

    Your config looks pretty much like mine… I don't see anything that looks like it would cause a problem.

    What's the netmask on the pfSense interface for your 192.168.1.x network? Is it the same as what you push in your OpenVPN route (255.255.255.0)?



  • @peterlinuxgeek:

    server 10.10.2.0 255.255.255.0

    Are you blocking private networks on the interface this server is bound to?

    What does the route table on your client say?



  • We had very strange routing / firewall problems because of too little memory.

    First I would check if the routes are set correctly in Diagnostics->Routes
    And then connect with a serial cable to your box if possible and see if the boot process does not stop somewhere in between.



  • This sounds exactly like what OpenVPN will do if it's not installed with right-click, run as admin…

