No traffic across the VPN tunnel



  • Hello,

    I'm new to pfSense and learning as fast as I can, but I'm stuck with OpenVPN.  I'm familiar with OpenVPN since I currently have it working at another site, but pfSense is not being used there.

    I used the instructions here: http://www.apollon-domain.co.uk/?p=433, to configure OpenVPN.  I've installed the client on a Win7 laptop and I am able to connect successfully.  I see the VPN route added to my laptop, but I cannot connect to any system across the VPN connection.  I've read through a number of replies on this forum, specifically the reply about changing dev_mode to device_mode, but I still cannot connect across the VPN.

    Any ideas would be greatly appreciated.

    Thanks,

    Lou.

    Version:
    2.0.1-RELEASE (i386)
    FreeBSD 8.1-RELEASE-p6

    openvpn.log:
    Dec 17 11:05:39    openvpn[38203]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Dec 17 11:05:39    openvpn[38203]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.11.1 192.168.11.2 init

    netstat -r:
    netstat -r
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            10.1.10.1          UGS         0  8074680    dc2
    10.1.10.0          link#3             U           0   252606    dc2
    10.1.10.2          link#3             UHS         0        0    lo0
    localhost          link#6             UH          0      472    lo0
    192.168.1.0        link#4             U           0  7887464    vr0
    192.168.1.1        link#4             UHS         0      521    lo0
    192.168.3.0        192.168.1.20       UGS         0    39513    vr0
    192.168.10.0       link#1             U           0    40010    dc0
    192.168.10.1       link#1             UHS         0        0    lo0
    192.168.11.1       link#11            UHS         0        0    lo0 =>
    192.168.11.1/32    link#11            U           0        0 ovpns1

    server1.conf:
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.1.10.2
    tls-server
    server 192.168.11.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 6
    push "route 192.168.0.0 255.255.254.0"
    push "dhcp-option DNS 192.168.1.14"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float

    clients.ovpn:
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 10.1.10.2 1194 udp
    lport 0
    verify-x509-name "OpenVPN-Server-Cert" name
    auth-user-pass
    pkcs12 xul-udp-1194-XXX.p12
    tls-auth xul-udp-1194-XXX-tls.key 1
    comp-lzo



  • Why are you still using 2.0.1? It will be more difficult for people to help with this, because who on the forum can remember what bugs/tricks there might have been in 2.0.1? Use the latest 2.1-RELEASE.
    I guess you are testing entirely internally, as the client connects to 10.1.10.2, not to some external DNS name or public IP. In that case, make sure your client is on the WAN side of the test pfSense, not coming from inside the test LAN 192.168.0.0/23.
    The config files look reasonable to me, and that "route add command failed" message is always there, a "normal ERROR message".
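The point in the reply above is an addressing one: the server pushes `route 192.168.0.0 255.255.254.0`, so a client that is itself sitting inside 192.168.0.0/23 (the LAN side of the test box) sends its "remote" LAN traffic straight out its local interface and nothing ever goes through the tunnel. The following script is an added example (not pfSense code and not from the original thread) that parses the relevant `server`, `push "route ..."` and `push "dhcp-option DNS ..."` directives out of a copy of the server1.conf lines quoted earlier and checks them against a client's local network. The two client networks it is run with (`10.1.10.50/24` on the WAN side, `192.168.1.50/24` on the LAN side) are constructed test values; the DNS-reachability check is a generalisation beyond what the reply discusses.

```python
"""Check an OpenVPN server config against a client's local network for the
address-overlap problem discussed in the reply above. Added example, not
pfSense or OpenVPN project code; directives are parsed with simple regexes.
"""
import ipaddress
import re

# Constructed copy of the three relevant lines from the server1.conf quoted
# earlier in the thread (example data).
SERVER_CONF = """\
server 192.168.11.0 255.255.255.0
push "route 192.168.0.0 255.255.254.0"
push "dhcp-option DNS 192.168.1.14"
"""


def _net(addr, mask):
    # OpenVPN writes "network netmask"; ipaddress accepts "addr/dotted-mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_server_conf(text):
    """Return (tunnel_subnet, pushed_routes, pushed_dns) from an OpenVPN server
    config. Only the 'server', 'push "route"' and 'push "dhcp-option DNS"'
    directives are understood; everything else is ignored."""
    tunnel, routes, dns = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.fullmatch(r'server\s+(\S+)\s+(\S+)', line)
        if m:
            tunnel = _net(*m.groups())
            continue
        m = re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            routes.append(_net(*m.groups()))
            continue
        m = re.fullmatch(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', line)
        if m:
            dns.append(ipaddress.ip_address(m.group(1)))
    return tunnel, routes, dns


def diagnose(server_text, client_cidr):
    """Return a list of problem descriptions for a client whose own LAN is
    client_cidr (hypothetical test parameter). An empty list means nothing
    obviously wrong with the addressing."""
    tunnel, routes, dns = parse_server_conf(server_text)
    client = ipaddress.ip_network(client_cidr, strict=False)
    problems = []
    if tunnel is None:
        return ["no 'server' directive: tunnel subnet unknown"]
    if client.overlaps(tunnel):
        problems.append(f"client LAN {client} overlaps tunnel subnet {tunnel}")
    for r in routes:
        if r.overlaps(tunnel):
            problems.append(f"pushed route {r} overlaps tunnel subnet {tunnel}")
        if r.overlaps(client):
            # The case from the reply: the client is on the LAN side, so the
            # pushed route points at the network it is already attached to.
            problems.append(f"client LAN {client} lies inside pushed route {r}: "
                            "client is on the LAN side, test from the WAN side")
    for d in dns:
        # A pushed DNS server that no pushed route (or the tunnel) reaches
        # gives a client that connects but cannot resolve names.
        if d not in tunnel and not any(d in r for r in routes):
            problems.append(f"pushed DNS {d} is not reachable via any pushed route")
    return problems


if __name__ == "__main__":
    for cidr in ("10.1.10.50/24", "192.168.1.50/24"):
        print(cidr, diagnose(SERVER_CONF, cidr) or ["ok"])
```

Run as-is it reports the WAN-side client as fine and flags the LAN-side client as lying inside the pushed 192.168.0.0/23 route; point `SERVER_CONF` at a real config and `client_cidr` at the laptop's actual local subnet to reproduce the check on your own setup.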



  • I was given the environment (2.0.1) to support and I am trying to learn more about pfSense before I look into replacing it.

    10.1.10.2 is my WAN connection, which is NATed to my ISP.  My client is on the WAN.  Since this LAN is NATed to the ISP, is it possible that my firewall conf needs more adjustment?

    Firewall Rules:

    I have the WAN interface conf with TCP / SSH enabled to an IP address within my LAN.
    I have the WAN interface conf with UDP / 1194 enabled.

    I have the LAN interface conf with ports 43260, 80, 433 enabled to an IP address within my LAN.
    I have a second line on the LAN interface that PASSes protocol (any), source (any) and dest (any).

    I have the OpenVPN interface conf with PASS protocol (any), source (any) and dest (any).




  • Well, I'm lost for words today.  I opened up the laptop, fired up OpenVPN and I am able to ping the LAN on the other end of the tunnel.  No changes, but the system was rebooted.  Is rebooting a requirement for VPN to work?



  • Normally a reboot is not required for any pfSense config changes, including setting up VPNs… But it is so long since I used 2.0.1 that I can't be sure whether there were some things that did not always work on the fly.
    Certainly in 2.1-RELEASE I set up and reconfigure OpenVPN servers and clients without needing to reboot - the system changes all the routes... on the fly.

