Netgate Discussion Forum

    Cannot reach LAN network via OpenVPN tun

    Category: OpenVPN
    38 Posts 7 Posters 15.7k Views
    • D
      doktornotor Banned
      last edited by

      Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

      • E
        esink
        last edited by

        @doktornotor:

        Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

        I already did. It didn't work

        • D
          doktornotor Banned
          last edited by

          @esink:

          I already did. It didn't work

          On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.

          • E
            esink
            last edited by

            @doktornotor:

            @esink:

            I already did. It didn't work

            On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.

            okay, but this doesn't solve that I can't PING THE GATEWAY.

            My tests include

            1. attempt to reach a windows share by IP - Server 2012 definitely has this and hosts on the LAN are definitely able to reach it
            2. RDP to the machines - RDP is DEFINITELY allowed. if I port forward over WAN I can RDP to the machines
            3. ping the LAN gateway - hosts on the LAN are able to do this.
            4. ping the machines - hosts on LAN are able to do this.
            • K
              kejianshi
              last edited by

              And you are re-exporting and reinstalling the client config after you make changes to openvpn server?

              • D
                doktornotor Banned
                last edited by

                As said above. And in addition:

                Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the VPN" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only for it to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)

                • E
                  esink
                  last edited by

                  @doktornotor:

                  As said above. And in addition:

                  Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the VPN" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only for it to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)

                  I feel like I should really worry about being able to ping the LAN gateway before worrying about anything else, but fine, firewalls are off.

                  I have a win 7 client too. same deal.

                  • P
                    phil.davis
                    last edited by

                    I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.49.80.4/30 (server .5, client .6). OpenVPN manages these IP addresses inside the tunnel.
                    I can ping 10.50.80.1 but NOT 10.50.80.5
                    So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    • E
                      esink
                      last edited by

                      @phil.davis:

                      I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.49.80.4/30 (server .5 client .6) OpenVPN manages these IP addresses inside the tunnel.
                      I can ping 10.50.80.1 but NOT 10.50.80.5
                      So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.

                      I cannot ping 172.16.1.1

                      • P
                        phil.davis
                        last edited by

                        I cannot ping 172.16.1.1

                        It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
                        If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
                        Post some actual screenshots of rules when you are feeling really stuck.


                        • E
                          esink
                          last edited by

                          @phil.davis:

                          I cannot ping 172.16.1.1

                          It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
                          If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
                          Post some actual screenshots of rules when you are feeling really stuck.

                          I already have posted my firewall rules. The openvpn tab of rules just has 1 any any rule.

                          • E
                            esink
                            last edited by

                            Well there has to be a firewall rule messed up somewhere. I just tried to ping my LAN network from the PfSense box's OpenVPN interface and it can only hit the gateway, not any other host on the LAN.

                            What firewall rules are necessary for this to work? I already have a rule on the OpenVPN tab that says allow anything to LAN.

                            [Attachments: 9-20-2013 7-41-29 AM.png, Openvpnrule.png, lanping.png, vpnping.png]

                            • E
                              esink
                              last edited by

                              so this is really starting to piss me off. I just said fuck it and deleted the VPN server and all the certs and firewall rules that were associated with it, and went through the wizard to set up the new OpenVPN instance, and I followed a youtube vid to the T.

                              http://www.youtube.com/watch?v=VdAHVSTl1ys

                              the wizard created the firewall rules for me so I KNOW they're right….

                              STILL I cannot ping the other end of the tunnel, nor the LAN gateway, nor anything on the LAN. I am now testing on a different PC (win 7) on a completely different network than the original PC (to rule out anything in between me and the pfSense box).

                              • D
                                doktornotor Banned
                                last edited by

                                Maybe you should just try a different test than "ping". Seriously, this whole thing works out of the box in five minutes, no need to waste days. If you screwed it up so much that it's not fixable, go reinstall from scratch, incl. all your rules.

                                • E
                                  esink
                                  last edited by

                                  @doktornotor:

                                  Maybe you should just try a different test than "ping". Seriously, this whole thing works out of the box in five minutes, no need to waste days. If you screwed it up so much that it's not fixable, go reinstall from scratch, incl. all your rules.

                                  yeah I agree. I have spare NetGate boxes here at work. I'm going to make one from scratch with all the rules I need, and import the xml to my box at home after a factory reset. I will report back with results.

                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    I am having exactly this same problem trying to replace an ipsec site to site with OpenVPN (PKI) site to site.  The tunnel comes up as expected but traffic is not passing between LANs.

                                    (Sort of solved - see bottom of post)

                                    I am following the "Site to Site Example Configuration (SSL/TLS)" section in the 2.1 book draft.

                                    The routing tables look like the proper routes are being pushed.

                                    Interestingly, I would expect to be able to ping the remote tunnel addresses but I can't.

                                    Home (192.168.223.0/24) <---> pfSense 2.1 (client) <---> Internet <---> pfSense 2.1 (server) <---> 172.22.81.0/24 (Work)

                                    Tunnel network on server set to 172.22.83.0/24

                                    I've tried to find firewall block log entries and have come up empty.

                                    In the server config I have the following:

                                    IPv4 Tunnel Network: 172.22.83.0/24

                                    IPv4 Local Network(s): 172.22.81.0/24

                                    Advanced:
                                    route 192.168.223.0 255.255.255.0;
                                    push "route 192.168.223.0 255.255.255.0";

                                    I have the following routes in the server's route table:
                                    172.22.83.0/24    172.22.83.2        UGS        0        5 ovpns2
                                    172.22.83.1        link#15            UHS        0        0    lo0
                                    172.22.83.2        link#15            UH          0        0 ovpns2
                                    192.168.223.0/24  172.22.83.2        UGS        0      66 ovpns2

                                    In the client-specific overrides for the client CN I have:
                                    iroute 192.168.223.0 255.255.255.0;

                                    I have the following routes in the client's route table:
                                    172.22.81.0/24    172.22.83.5        UGS        0      19 ovpnc1
                                    172.22.83.1/32    172.22.83.5        UGS        0        8 ovpnc1
                                    172.22.83.5        link#13            UH          0        0 ovpnc1

                                    I have any any firewall rules in both sites' OpenVPN firewall rules.

                                    WAIT HOLD EVERYTHING:

                                    I had a custom Multi-WAN WANGROUP gateway (since I have Cable and DSL modems at home) that redirected all traffic from the client's LAN to Gateway WANGROUP.  I changed that to the default gateway and traffic started passing.  Posting everything since it might help someone else.

                                    Any pointers to the proper config for this instance?

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)
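The cause the post above ends on (a LAN rule with the WANGROUP gateway set) is worth seeing in code, because on pfSense a pass rule with a gateway selected policy-routes matching traffic out that gateway and the kernel routing table, including the 172.22.81.0/24 route over ovpnc1 listed above, is never consulted. The following is an added example, not pfSense's or OpenVPN's own code: it parses route listings in the netstat -rn layout quoted in the post (the server and client lines are the ones shown; the client's "default" line and the 203.0.113.1 / 198.51.100.7 addresses are constructed placeholders), does a longest-prefix lookup, and models first-match rule evaluation with and without the gateway option. The rule sets, the Rule class and the egress_interface function are the example's own constructions; the "exempt VPN destinations" rule set is an alternative fix the post does not mention.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Route listings in the netstat -rn layout quoted in the thread. The server and
# client lines are the ones from the post; the client's "default" line is a
# constructed placeholder (the post did not show it).
SERVER_ROUTES = """\
172.22.83.0/24    172.22.83.2        UGS        0        5 ovpns2
172.22.83.1        link#15            UHS        0        0    lo0
172.22.83.2        link#15            UH          0        0 ovpns2
192.168.223.0/24  172.22.83.2        UGS        0      66 ovpns2
"""

CLIENT_ROUTES = """\
default           203.0.113.1        UGS        0      100 em0
172.22.81.0/24    172.22.83.5        UGS        0      19 ovpnc1
172.22.83.1/32    172.22.83.5        UGS        0        8 ovpnc1
172.22.83.5        link#13            UH          0        0 ovpnc1
"""


def parse_routes(text):
    """Parse 'destination gateway flags refs use iface' lines into
    (network, gateway, iface) tuples. A bare address is a /32 host route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, gw, iface = parts[0], parts[1], parts[-1]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gw, iface))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


@dataclass
class Rule:
    """A pass rule on the LAN tab; gateway mirrors the rule's Gateway option."""
    src: str
    dst: str
    gateway: Optional[str] = None

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def egress_interface(rules, routes, src, dst):
    """First matching rule wins. If it has a gateway set, the packet is
    policy-routed out that gateway and the routing table is skipped;
    otherwise the kernel route decides. No match means default deny."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.gateway is not None:
                return rule.gateway
            hit = route_lookup(routes, dst)
            return hit[2] if hit else None
    return "blocked (default deny)"


HOME_LAN = "192.168.223.0/24"
WORK_LAN = "172.22.81.0/24"
TUNNEL = "172.22.83.0/24"

# As described in the post: everything from the home LAN forced out WANGROUP.
RULES_BROKEN = [Rule(HOME_LAN, "0.0.0.0/0", gateway="WANGROUP")]
# The poster's fix: drop the gateway, let the routing table decide.
RULES_DEFAULT_GW = [Rule(HOME_LAN, "0.0.0.0/0")]
# Constructed alternative: keep multi-WAN policy routing for the internet, but
# pass VPN destinations without a gateway in rules placed above it.
RULES_EXEMPT_VPN = [
    Rule(HOME_LAN, WORK_LAN),
    Rule(HOME_LAN, TUNNEL),
    Rule(HOME_LAN, "0.0.0.0/0", gateway="WANGROUP"),
]


def demo():
    """Where a home-LAN packet to the work LAN (and to the internet) egresses
    under each rule set, using the client's routing table."""
    routes = parse_routes(CLIENT_ROUTES)
    home_host, work_host, internet_host = "192.168.223.10", "172.22.81.10", "198.51.100.7"
    return {
        "broken": egress_interface(RULES_BROKEN, routes, home_host, work_host),
        "default_gw": egress_interface(RULES_DEFAULT_GW, routes, home_host, work_host),
        "exempt_vpn": egress_interface(RULES_EXEMPT_VPN, routes, home_host, work_host),
        "exempt_vpn_internet": egress_interface(RULES_EXEMPT_VPN, routes, home_host, internet_host),
    }


if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name}: {iface}")
```

The "broken" case shows why no block entries appeared in the firewall log: the packets were passed, just out the wrong interface, which is why a routing-table check alone did not reveal the problem. A quick confirmation on a live box is to watch the OpenVPN interface with packet capture while pinging the remote LAN; if nothing shows up there, look for a gateway on the matching LAN rule before touching the OpenVPN config.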

                                    • A
                                      abidkhanhk
                                      last edited by

                                      @kejianshi:

                                      Yeah - But for windows8 there is an extra hitch sometimes:

                                      Look at very bottom of this page.

                                      http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

                                      I am having a similar issue: even though CMAK is on and the route method exe is added to the config file, I am unable to get an IP from the server.

                                      Did anyone have any luck on this? Maybe they can share their config example. Thanks.

                                      • K
                                        kejianshi
                                        last edited by

                                        I don't know what to say except that openvpn works and is REALLY easy to set up.  I can't guarantee how it will interact with existing firewall rules (meaning you can easily have firewall rule errors).

                                        • DerelictD
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          Wow.  That post is really n00b.  Thanks for bumping this necrothread. :/


                                          • K
                                            kejianshi
                                            last edited by

                                            haha - Don't mention it.  Anything for you buddy (-;

                                            (No seriously - Don't mention it…  To anyone)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.