Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN partialy working… Please help

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 3 Posters 3.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Claw22000
      last edited by

      I hate to be to noobish but I don't know how to do that.  I know how find some reports and have been playing around looking in to more all the time but I have no idea how to get my server1.conf.

      Thanks

      DrClaw

      1 Reply Last reply Reply Quote 0
      • M
        marvosa
        last edited by

        If you're familiar with the shell, the openvpn config files are located in "/var/etc/openvpn".

        Otherwise, you can also get it from the GUI:

        • Diagnostics -> Edit File

        • Click Browse

        • Navigate to the "/var/etc/openvpn" directory

        • Click on "server1.conf"

        This will display the contents of your openvpn server config.

        1 Reply Last reply Reply Quote 0
        • C
          Claw22000
          last edited by

          Thanks for the quick guide for that here is the info.


          dev ovpns1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto tcp-server
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          client-connect /usr/local/sbin/openvpn.attributes.sh
          client-disconnect /usr/local/sbin/openvpn.attributes.sh
          local 24.118.97.87
          tls-server
          server 192.168.2.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc
          username-as-common-name
          auth-user-pass-verify /var/etc/openvpn/server1.php via-env
          tls-verify /var/etc/openvpn/server1.tls-verify.php
          lport 443
          management /var/etc/openvpn/server1.sock unix
          max-clients 2
          push "route 192.168.1.0 255.255.255.0"
          push "dhcp-option DOMAIN 192.168.1.1"
          push "dhcp-option DNS 8.8.8.8"
          push "dhcp-option DNS 75.75.76.76"
          push "dhcp-option DNS 8.8.4.4"
          push "dhcp-option DNS 75.75.75.75"
          client-to-client
          ca /var/etc/openvpn/server1.ca
          cert /var/etc/openvpn/server1.cert
          key /var/etc/openvpn/server1.key
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          persist-remote-ip
          float

          DrClaw

          1 Reply Last reply Reply Quote 0
          • M
            marvosa
            last edited by

            Just so I don't make assumptions, can you tell me:

            • What is the LAN subnet on the remote end (Behind Pfsense)?

            • What is the LAN subnet where you're connecting from?

            • What are the IP's of the machines you trying to connect to?

            • How are you trying to access these machines? (e.g. RDP, HTTP/HTTPS, FTP, file shares, etc)

            • Are you trying to access these machines by IP or by name?

            1 Reply Last reply Reply Quote 0
            • C
              Claw22000
              last edited by

              1. 192.168.1.0/24
              2. If I understand you question it will vary on where I'm connected from.  Many of the Starbucks and other coffee shops seem to use 10.0.0.0/24. many friends use the 192.168.1.0/24.  I'm guessing as I travel it will be all over the place.  if you mean the VIP of the VPN thats 192.168.2.0/24

              3. 192.168.1.20 192.168.1.254 192.168.1.253
              4. RDP Samba and I would like my information routed through my home internet so the packets can't be captured without encryption.

              5. I could use either the names or ips.  Names would be nice for future options but not necessary now if its hard to do

              Thank you so much for your replys.

              Dr Claw

              DrClaw

              1 Reply Last reply Reply Quote 0
              • M
                marvosa
                last edited by

                A few things:

                • You are using a routed solution, but you've chosen two of the most common SOHO subnets for both your tunnel network and LAN.  This will break your routing if the coffee shop or wherever you're connecting from is on the same subnet as your LAN.  Change your tunnel and LAN subnets to something that is not widely used.

                • You've stated you want all your traffic routed down the tunnel, but I'm not seeing that in your config, which means "Redirect Gateway" is not enabled.  Go to your OpenVPN config, scroll down to the "Tunnel Settings" section and enable the following option:

                • In the domain field, you have an IP where a domain name should be.  If you have a DC, enter your domain name in the "DNS Default Domain" field.  If you don't have a domain, you shouldn't be using this option… disable it.

                • Pushing 4 DNS servers seems like overkill.  Also, from what I've been reading, 75.75.75.75 and 75.75.76.76 are comcast dns servers which are not that great.  I would pull them out and stick with google dns

                • In a routed solution, broadcasts do not traverse the tunnell, so you can only connect to internal resources via IP unless you:

                  • Have a local DNS server configured to push to your clients

                  • Configure a WINS server to push to your clients

                  • Manually edit the hosts file on every client

                • Last but not least, on Win 7 or 8, make sure you are running the openvpn client as administrator or the client will not have permissions to make changes to the routing table

                1 Reply Last reply Reply Quote 0
                • C
                  Claw22000
                  last edited by

                  Again Thanks so much for all your help!!!

                  I have tried to change the IP address as best I can.  Both Manually and by using the setup wizard.  However When I do I can no longer connect to the internet.  I've tried 192.168.2.0/24 through 192.168.26.0/24 and have not been able to access the internet on anything except 192.168.1.1.  In every instance I did reboot the router to make sure that the new config took.  I have setup every thing except the numbered points.  but just can't make the switch to a new IP.  I was going to start with the numbered lists as soon as I get this issue solved.

                  I really appreciate your help.

                  Dr. Claw

                  DrClaw

                  1 Reply Last reply Reply Quote 0
                  • M
                    marvosa
                    last edited by

                    Clarify what you mean by tried to change the IP…  Which IP and where?  The tunnel network or the local network?  Were you making changes in OpenVPN or on your LAN interface?

                    Lets go back to how you had it, get it working and then adjust:

                    LAN - 192.168.1.0/24
                    Tunnel Network - 192.168.2.0/24

                    Did you make the config change to force the traffic down the tunnel?

                    After reading more about "Redirect Gateway" on openvpn.net, it sounds like you either have to push an internal DNS server or push the server's IP for the tunnel for DNS, so i.e.:

                    Since your tunnel network is 192.168.2.0/24, remove the 4 DNS settings you have and only enter 192.168.2.1, click save and test (the openvpn service gets restarted after every save, so no need to reboot)

                    Make sure your testing from a separate network that is not using 192.168.1.0/24.

                    1 Reply Last reply Reply Quote 0
                    • C
                      Claw22000
                      last edited by

                      I changed the IP in the OpenVPN to 192.168.26.0/24 this should be rarely use I though.

                      I tried to change the IP in LAN to many differnet options none of which worked.

                      I did make the Config change to force traffic down the tunnel.

                      Erased all DNS server in OpenVPN and made it so there's just one entry at 192.168.26.1 (thought since I change to 26 that it was appropriate to adjust that here.

                      I have no way of testing this today and will give it a go at work tomorrow.

                      If you can think of a way to make the main IP change and keep working let me know as I think it would greatly increase the places where I would be able to use the VPN.

                      As always thanks so much for all your assistance.

                      Dr Claw

                      DrClaw

                      1 Reply Last reply Reply Quote 0
                      • A
                        AMizil
                        last edited by

                        I have the same issue here so I considered not to open another topic. I have been running pfSense for about 2 years and it's very stable.
                        I try  to make OpenVPN work in 2.1.5-RELEASE (i386) , as in 2.0.3 i386 was working ok.

                        pfsense Box local interfaces

                        • LAN 192.168.111.0/24 ; 192.168.111.1 pfsense box and gateway
                        • DMZ 10.128.128.0/24; 10.128.128.1;  pfsense box and gateway
                        • VPN Tunneled network 192.168.11.0/24
                          WINS Server : 192.168.111.100

                        Remote LAN (at home behind wifi router 192.168.2.0/24)

                        Firewall rules : OpenVPN tab : allow any to any *

                        Server Setup info: Pfsense is the gateway, DHCP, DNS  and also OpenVPN server for road warrior remote access (SSL/TLS)|UDP|TUN . Outbound:automatic  outbound NAT; push default gateway
                        Client : Win7 64 bit with OpenVPN 2.3.4 I603.. latest release.

                        mention : PPTP works perfectly ! I can access any IP on LAN/DMZ.

                        Problem : After connecting  successfully  the remote LAN , I can ping the pfsense box and browse the Internet using remote public IP, but I can't access any remote device.

                        I have done the same setup on pfsense 2.0.3  and it work without a problem!
                        What has changed in routing in pfsense 2.1? What changes I have to do to pfsense config ?

                        When i traceroute from the win7 machine first hop is the default gateway of the pfsense box (? not pfsense box), supplied by the ISP, then another 2 routers of the ISP and then Destination unreachable.
                        If I using packet capture are ping LAN subnet from the remote client, the ICMP packets arrive on OpenVPN interface, but only pfsense box responds ( ex ping 192.168.111.1-10 but only 192.168.111.1 responds to ICMP request)

                        server1.conf


                        dev ovpns1
                        dev-type tun
                        tun-ipv6
                        dev-node /dev/tun1
                        writepid /var/run/openvpn_server1.pid
                        #user nobody
                        #group nobody
                        script-security 3
                        daemon
                        keepalive 10 60
                        ping-timer-rem
                        persist-tun
                        persist-key
                        proto udp
                        cipher AES-256-CBC
                        up /usr/local/sbin/ovpn-linkup
                        down /usr/local/sbin/ovpn-linkdown
                        local PUBLIC_IP_censored
                        tls-server
                        server 192.168.11.0 255.255.255.0
                        client-config-dir /var/etc/openvpn-csc
                        tls-verify /var/etc/openvpn/server1.tls-verify.php
                        lport 1194
                        management /var/etc/openvpn/server1.sock unix
                        max-clients 10
                        push "route 192.168.111.0 255.255.255.0"
                        push "route 10.128.128.0 255.255.255.0"
                        push "dhcp-option DOMAIN not-available.com"
                        push "dhcp-option DNS 192.168.111.1"
                        push "dhcp-option WINS 192.168.111.100"
                        push "redirect-gateway def1"
                        client-to-client
                        duplicate-cn
                        ca /var/etc/openvpn/server1.ca
                        cert /var/etc/openvpn/server1.cert
                        key /var/etc/openvpn/server1.key
                        dh /etc/dh-parameters.2048
                        tls-auth /var/etc/openvpn/server1.tls-auth 0
                        comp-lzo
                        persist-remote-ip
                        float
                        mode server
                        client-config-dir /var/etc/openvpn-csc

                        route 192.168.2.0 255.255.255.0


                        Client Specific overrides  in CCD

                        push "redirect-gateway def1"
                        ifconfig-push 192.168.11.1 192.168.11.2


                        Thank you in advance for any advice!

                        ![status routing table openvpn.PNG](/public/imported_attachments/1/status routing table openvpn.PNG)
                        ![status routing table openvpn.PNG_thumb](/public/imported_attachments/1/status routing table openvpn.PNG_thumb)

                        1 Reply Last reply Reply Quote 0
                        • A
                          AMizil
                          last edited by

                          I have found the problem. In the Firewall - OpenVPN tab  I had the same rule:  from any to any  2 times , because I use DUAL WAN setup.
                          The first rule was the one with DUAL WAN  gateway  instead of default gateway.  See picture attached.

                          Regards,
                          Adrian

                          ![pfsense openvpn firewall rules.PNG](/public/imported_attachments/1/pfsense openvpn firewall rules.PNG)
                          ![pfsense openvpn firewall rules.PNG_thumb](/public/imported_attachments/1/pfsense openvpn firewall rules.PNG_thumb)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.