Windows 7 OpenVPN client can't reach the LAN



  • Hi,

    I've been reading around this issue all day long, but finally I have to admit I'm stumped.

    The VPN client is correctly configured by DHCP - e.g. client IP 10.12.43.2; gateway IP 10.12.43.1.

       IPv4 Address. . . . . . . . . . . : 10.12.43.2
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
    

    The default gateway is being configured (correctly, I think) as 10.12.43.1, for 10.12.0.0/16:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0  192.168.254.254  192.168.254.241     20
              0.0.0.0        128.0.0.0       10.12.43.1       10.12.43.2     31
            10.12.0.0      255.255.0.0       10.12.43.1       10.12.43.2     31
           10.12.43.0    255.255.255.0         On-link        10.12.43.2    286
           10.12.43.2  255.255.255.255         On-link        10.12.43.2    286
         10.12.43.255  255.255.255.255         On-link        10.12.43.2    286
    

    (192.x is obviously the client's normal LAN prior to the VPN connection)

    pfSense and the client can ping each other on the 10.12.43.1/10.12.43.2 addresses.  The firewall rules look okay on pfSense (very permissive OpenVPN and LAN networks).

    I've stuffed everything I can find in the client config:  ;)

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote vpn.mycompany.co.uk 1194 udp
    verify-x509-name "My Gateway" name
    auth-user-pass
    ca my-gateway-udp-1194-ca.crt
    tls-auth my-gateway-udp-1194-tls.key 1
    ns-cert-type server
    comp-lzo
    redirect-gateway
    pull
    verb 3
    
    # don't terminate service process on wrong password, ask again
    auth-retry interact
    # open management channel
    management 127.0.0.1 166
    # wait for management to explicitly start connection
    management-hold
    # query management channel for user/pass
    management-query-passwords
    # disconnect VPN when management program connection is closed
    management-signal
    # forget password when management disconnects
    management-forget-disconnect
    
    route-method exe
    route-delay 2
    
    

    I cannot ping anything else on the LAN from the OpenVPN client.  There's a bit in the server log, but I'm not sure whether it's relevant:

    Nov 19 16:51:12	openvpn[12663]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
    Nov 19 16:51:13	openvpn[12663]: SIGTERM[hard,] received, process exiting
    Nov 19 16:51:13	openvpn[34950]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
    Nov 19 16:51:13	openvpn[34950]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Nov 19 16:51:13	openvpn[34950]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 19 16:51:13	openvpn[34950]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Nov 19 16:51:13	openvpn[34950]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Nov 19 16:51:13	openvpn[34950]: TUN/TAP device ovpns1 exists previously, keep at program end
    Nov 19 16:51:13	openvpn[34950]: TUN/TAP device /dev/tun1 opened
    Nov 19 16:51:13	openvpn[34950]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Nov 19 16:51:13	openvpn[34950]: /sbin/ifconfig ovpns1 10.12.43.1 10.12.43.1 mtu 1500 netmask 255.255.255.0 up
    Nov 19 16:51:13	openvpn[34950]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
    Nov 19 16:51:14	openvpn[36283]: UDPv4 link local (bound): [AF_INET]a.b.c.d:1194
    Nov 19 16:51:14	openvpn[36283]: UDPv4 link remote: [undef]
    Nov 19 16:51:14	openvpn[36283]: Initialization Sequence Completed
    Nov 19 16:52:08	openvpn: user 'rob.pomeroy' authenticated
    Nov 19 16:52:08	openvpn[36283]: e.f.g.h:49386 [rob.pomeroy] Peer Connection Initiated with [AF_INET]e.f.g.h:49386
    Nov 19 16:52:08	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 MULTI_sva: pool returned IPv4=10.12.43.2, IPv6=(Not enabled)
    Nov 19 16:52:11	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 send_push_reply(): safe_cap=940
    

    Clients are authenticating against Active Directory.

    Sorry this is such a mammoth first post - but any ideas?

    Thanks,

    Rob



  • Did you run the OpenVPN client as administrator on Windows 7? (right-click, run as administrator). Otherwise the route won't get added properly (although on the screenshot it looks fine)



  • @georgeman:

    Did you run the OpenVPN client as administrator on Windows 7?

    I sure did.



  • All you posted looks fine for me.

    Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface



  • @georgeman:

    All you posted looks fine for me.

    Check also your Outbound NAT settings (I have just read a topic where that was the problem). There shouldn't be any rules for the OpenVPN interface

    Automatic outbound NAT is switched on. No other mappings.



  • Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?

    And is this firewall rule on the OpenVPN interface sufficient?

    Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4   *       *     *            *     *        *      none      OpenVPN My company VPN wizard
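
An added example, not part of the thread, that replays the client route table from the first post in Python: a longest-prefix lookup shows which next hop a LAN host, the tunnel gateway or an Internet address takes once the tunnel is up, and a second function flags the nesting the poster asks about here (a tunnel subnet that sits inside a pushed LAN route). The route rows, tunnel subnets and pushed routes are copied from the posts; the function names are assumed.

```python
import ipaddress

# Constructed copy of the Windows "route print" rows from the first post,
# as (destination, netmask, gateway, interface, metric).
CLIENT_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.254.254", "192.168.254.241", 20),
    ("0.0.0.0", "128.0.0.0", "10.12.43.1", "10.12.43.2", 31),
    ("10.12.0.0", "255.255.0.0", "10.12.43.1", "10.12.43.2", 31),
    ("10.12.43.0", "255.255.255.0", "On-link", "10.12.43.2", 286),
    ("10.12.43.2", "255.255.255.255", "On-link", "10.12.43.2", 286),
    ("10.12.43.255", "255.255.255.255", "On-link", "10.12.43.2", 286),
]

# Routes the pfSense server pushes to clients (from server1.conf in the thread).
PUSHED_ROUTES = ["10.12.0.0/16", "192.168.3.0/24"]


def lookup(routes, dst):
    """Pick the route Windows would use for dst: longest prefix wins,
    ties go to the lowest metric. Returns (gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def tunnel_nested_in(tunnel_net, pushed):
    """Return the pushed routes that fully contain the tunnel subnet.
    A tunnel net nested inside a pushed LAN route (10.12.43.0/24 inside
    10.12.0.0/16 in the thread) is worth spotting before chasing other causes."""
    t = ipaddress.ip_network(tunnel_net)
    return [p for p in pushed if t.subnet_of(ipaddress.ip_network(p))]


if __name__ == "__main__":
    for dst in ("10.12.20.6", "10.12.43.1", "8.8.8.8", "192.168.254.254"):
        print(dst, "->", lookup(CLIENT_ROUTES, dst))
    print("10.12.43.0/24 nested in:", tunnel_nested_in("10.12.43.0/24", PUSHED_ROUTES))
    print("192.168.20.0/24 nested in:", tunnel_nested_in("192.168.20.0/24", PUSHED_ROUTES))
```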
    


  • @Rob:

    Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?

    Switched the VPN tunnel net to 192.168.20.0/24.  Still nothing travels into the LAN.  :-\  I've temporarily disabled the firewall on the client.  Doesn't help though.



  • Does this entry in the log shed any light on the problem?

    Nov 20 10:30:08	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #95045 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    


  • Post your server1.conf.



  • Okay:

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local a.b.c.d
    tls-server
    server 192.168.20.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    client-cert-not-required
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 50
    push "route 10.12.0.0 255.255.0.0"
    push "route 192.168.3.0 255.255.255.0"
    push "dhcp-option DOMAIN mycompany.local"
    push "dhcp-option DNS 10.12.20.6"
    push "dhcp-option DNS 10.12.20.7"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    push "dhcp-option NTP 10.12.20.6"
    push "dhcp-option NTP 10.12.20.7"
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    topology subnet
    
    


  • Do the clients on the LAN allow pings from the OpenVPN network? Try to turn off firewall on the clients temporarily.



  • Export a new config and install it on the client-side.

    Post new exported client config.

    Post Pfsense routing table.

    Post client routing table once connected with new config.



  • Thanks for your input.

    The quantity of issues I'm having with pfSense is rising. Now I'm getting failures on attempting to log in:

    Warning: session_start(): open(/var/tmp//sess_1e36ef0d17d9b13cdeb3d59c25e8e0ab, O_RDWR) failed: No space left on device (28) in /etc/inc/auth.inc on line 1357
    

    There's plenty of space, so I'm going to guess there's some filesystem-level corruption of some kind, in which case all bets are off.  sigh  Time to reinstall.



  • Completely reinstalled pfSense and what do you know?  It's working.

    Hypotheses:

    • Corruption of original installation and/or

    • Using older version of OpenVPN Client Export package and/or

    • Some other installed package caused a problem (have installed this fairly lean on this occasion).

    Thanks to all for your help.  I'm going to snapshot this virtual machine while it's working!!!