Pfsense 2.1 Wan in DSL DMZ for OpenVPN server only



  • I have never had any issues with setting up Pfsense or OpenVPN once I got the hang of it but this is the first time that I have tried it like this. They want to keep the wireless N DSL modem until the contract runs out and we can switch to cable and then just have a WAP in the LAN and on the Opt for guests.

    Here is how things are set up ATM

    DSL Router (DMZ) to WAN of Pfsense (192.168.254.4)
    Lan of Pfsense (192.168.254.5)

    Gateway of DSL router is 192.168.254.254

    I'm using a tunnel network to try to reach some other clients in the 192.168.254.0/24

    Can connect using OpenVpn and get connected and I can ping the LAN interface 192.168.254.5 but can't ping any of the clients on the Lan.

    Client to Client is checked in the server config.



  • What is the client OS?



  • Linux Mint 15



  • I suspected as much…
    Willing to insert a line into your client config?

    For me, in my client config, near the bottom of all the commands, I inserted:

    route 192.168.30.0 255 255 255.0

    substitute in the SUBNET you are trying to reach.

    (I am using TUN not TAP and using a road warrior config with everything routed - and the Android/iOS client export worked like a charm with just that 1 addition)



  • Sure will try but I have this in the advanced options at the bottom

    push "route 192.168.254.0 255.255.255.0";

    Doesn't that do the same thing?



  • Sure would if you were using a Windows client…  But in LINUX (Ubuntu and Mint at least) you have to route in the client itself.

    (If you didn't know that, don't sweat it.  Neither did I till yesterday.  Seems no one does)

    If it works for you, you are sworn to secrecy.



  • This is the error message I just got

    Sun Sep 22 00:27:31 2013 [b2b.pf.trickhosting.biz] Peer Connection Initiated with [AF_INET]67.140.246.1:1194
    Sun Sep 22 00:27:33 2013 RESOLVE: Cannot parse IP address: 255
    Sun Sep 22 00:27:33 2013 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.254.0
    Sun Sep 22 00:27:33 2013 TUN/TAP device tun0 opened
    Sun Sep 22 00:27:33 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sun Sep 22 00:27:33 2013 /sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
    SIOCADDRT: File exists
    Sun Sep 22 00:27:33 2013 ERROR: Linux route add command failed: external program exited with error status: 7
    Sun Sep 22 00:27:33 2013 Initialization Sequence Completed



  • How are you running the openvpn script?

    Also, what EXACTLY did you put in the script?  Please show me.



  • sudo openvpn location to config

    Here is the kernel route when connected

    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    default        pfs2.h.trickhos 0.0.0.0        UG    0      0        0 eth1
    10.0.0.0        *              255.255.255.0  U    0      0        0 tun0
    192.168.8.0    *              255.255.255.0  U    1      0        0 eth1
    192.168.254.0  10.0.0.1        255.255.255.0  UG    0      0        0 tun0

    Client Config

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 67.140.246.1 1194 udp
    route 192.168.254.0 255 255 255.0
    tls-remote b2b.pf.trickhosting.biz
    auth-user-pass
    pkcs12 /etc/openvpn/b2b.pf-udp-1194-mmidgett.p12
    tls-auth /etc/openvpn/b2b.pf-udp-1194-mmidgett-tls.key 1
    ns-cert-type server
    comp-lzo
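The two defects this thread turns on are visible in the posted config and log: the client `route` line whose netmask is typed as `255 255 255.0` (the log answers with `RESOLVE: Cannot parse IP address: 255`), and a pfSense WAN and LAN that both sit in 192.168.254.0/24. The following checker is an added example, not code from the thread or from pfSense; the config text and interface addresses in it are constructed to mirror the thread's layout, with a placeholder server address.

```python
import ipaddress

# Constructed sample in the shape of the posted client config, keeping the
# malformed route line (netmask octets separated by spaces).
SAMPLE_CLIENT_CONFIG = """\
dev tun
client
remote 203.0.113.10 1194 udp
route 192.168.254.0 255 255 255.0
comp-lzo
"""

# Constructed interface addresses matching the thread: WAN and LAN both in
# 192.168.254.0/24 (the layout the OP later abandoned by renumbering the LAN).
SAMPLE_INTERFACES = {"WAN": "192.168.254.4/24", "LAN": "192.168.254.5/24"}


def check_route_lines(config_text):
    """Return (line number, problem) for every bad 'route' directive.

    OpenVPN's 'route' takes: network netmask [gateway [metric]].  With the
    mask split into '255 255 255.0', the second token '255' is taken as the
    netmask and the third as a gateway, neither of which is an address."""
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0] != "route":
            continue
        if len(parts) < 3:
            problems.append((lineno, "route needs a network and a netmask"))
            continue
        network, netmask = parts[1], parts[2]
        try:
            ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        except ValueError as exc:
            problems.append((lineno, f"bad route {network}/{netmask}: {exc}"))
            continue
        if len(parts) > 3:
            try:
                ipaddress.ip_address(parts[3])
            except ValueError:
                problems.append((lineno, f"gateway {parts[3]!r} is not an IP"))
    return problems


def find_overlapping_interfaces(interfaces):
    """Return sorted name pairs whose subnets overlap, e.g. WAN and LAN sharing one /24."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
```

Run both checks over a client config and the pfSense interface list before connecting; a non-empty result from either is the kind of finding that would have short-circuited this thread.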



  • I also don't run the client to client.

    I run remote access user auth    (This tunnel is only for Ubuntu because it's a PITA)

    local DB

    UDP

    TUN

    WAN interface

    port (pick one)

    TLS authentication of TLS packets

    IPV4 Tunnel network 10.1.20/24  (pick one)

    redirect gateway - force all traffic

    compression checked

    type of service checked

    inter-client comms allowed checked
    Duplicate connects checked

    dynamic IP checked

    Address Pool Checked

    DNS Default Domain (I give it one like myvpntunnel)
    DNS Servers - use 8.8.8.8 if you like

    Then I export the OpenVPN Connect (iOS/Android)  inline config

    I insert the line I told you about earlier

    then I execute the file as sudo openvpn --config '/home/minimint/Downloads/udp1199client/1199udpclient.ovpn'

    Enter your own path to file.

    (If that doesn't do it, you have bigger problems than I had)



  • Still doesn't work… Even as a last resort I tried Windows Vista...

    Both systems connect and I can reach the LAN IP of the Pfsense but not any of the clients

    Remember that the WAN and the LAN are on the same subnet with the WAN being in the DMZ of the DSL modem

    Something is funky



  • Do you have an allow RULE on openvpn?  Have any blocking rules?



  • No blocking rules and the OpenVpn rules are all allow.



  • Well…  I felt really useful for a few minutes...  Then not so much  ;D



  • As a last resort I can leave the WAN in the DMZ of the DSL router. Change the LAN subnet to something else, move all wired devices inside LAN. I can then just do an allow rule of the 3 wireless clients from the WAN to LAN and or I could use OpenVPN the way that it's supposed to from those wireless clients to reach the LAN

    All this seems like a big hassle… I have done this once with openvpn+linux+bridge ports with a single nic while my wife was in labor.. Heck I did it remotely using logmein to get a Windows desktop inside to set up the port forwarding for openvpn on port 80 since the hospital blocked everything but std web traffic.



  • BTW - Why did you put the WAN and the LAN on the same subnet?
    Since I'd never do that, I feel this must be the issue - I'm not sure what having the WAN in the DMZ and the LAN on the same subnet will do to a network as far as openvpn is concerned.  So far, it seems like nothing good.



  • @kejianshi:

    Well…  I felt really useful for a few minutes...  Then not so much  ;D

    It was worth a try!! I've enjoyed the help.

    I'm trying to avoid driving to the client's location to change IPs and rewire things. I can do this with a default linux install and I just had this PF server sitting there waiting for the DSL contract to expire so they can switch to cable and do things the right way. Modem > Wan Pfsense | Lan > switch …...WAPS and clients....



  • I like the plan you mentioned earlier of simplifying things.  I think as far as the openvpn setup goes, you are doing it right.



  • What about this

    Put the VPN server on the LAN interface… block all but ports 1194 and 22

    Remove the DMZ and just port forward 1194 from the modem to the LAN IP?

    I can put a bogus IP on the WAN since it doesn't need to do anything



  • I say try it…



  • I just ended up blocking myself….. it didn't work.

    I just moved the LAN to subnet 192.168.253.0/24 and I will go there tomorrow and rewire the switches and add default openvpn for the wireless clients and have OpenVPN just run at startup for them to give them access to the LAN

    From what should have taken 1 hour to complete I have been messing with this for 3 days to save a 10min drive and a couple of onsite hours.



  • Sounds painful.  Sorry you got locked out.



  • I've got pfsense running with openvpn and various devices like ubuntu laptops & android phones vpn'ing in no problem at all with all subsequent client traffic routed through pfsense which is what I want.

    I used this guide.
    http://www.apollon-domain.co.uk/?p=433

    In Ubuntu (12.04) I've added the client info as per the pfsense zip file, but in Ubuntu there is an option to add a private key password which I found did nothing but you do have to enter something otherwise you can't save the settings in the network VPN GUI.

    Maybe you'll get some mileage with the link?



  • I wouldn't use gopenvpn.  Issuing the command works best when you want to be able to start and stop on demand.

    If you wanted an auto-start service, just putting the config in the /etc/openvpn folder and issuing command to start service handles things fine.

    His problem isn't starting openvpn - That's fine.  His issue is the way the network is configured.



  • Yes I was using a system designed to be a firewall for something that it's not supposed to be doing. I'm fully up on how to use and launch openvpn. I have many other systems from Site to Site and Road Warrior setups that work just fine.

    I just moved the LAN to subnet 192.168.253.0/24 and I will go there tomorrow and rewire the switches and add default openvpn for the wireless clients and have OpenVPN just run at startup for them to give them access to the LAN

    Boom working like supposed to be.

    Topic can be closed



  • Boom - Glad to hear it  8)

