OpenVPN partialy working… Please help

Claw22000

I have searched the forum for a Tutorial that is specific to 2.1.4 and have not been able to find anything. So if someone could point me the the correct direction that would be great. the following is a list of goals I'm looking to achieve.

1.) I need to be able to access some of the computers at the HOST site. I don't mind being able to have complete access but I do need to have access to at least 2 of the machines on that side.

2.)I need my internet activity routed to the HOSTs Connection. I have to be able to access a more secure connection when in the field as I transmit possible sensitive information about my clients to and from the home office.

What I do have going for me is an OpenVPN that does allow me to ping and connect to the PFSense box. I do not have access to any of the rest of the network or the internet. I have read much of the information out there and it seems to be sending me in circles.

The Client Machine is a Laptop with Windows 7 and the current OpenVPN software.

I have followed the only tutorial I could find that sounded like what I wanted to do, and was for PFSense 2.0 I have read about the roadwarrior setup but could not find anything on a version greater than 1.2.3

I really appreciate anyone taking the time to read this and assist me with the rest of the setup.

Thanks so much in advance.

Dr. Claw

marvosa

Post your server1.conf.

Claw22000

I hate to be to noobish but I don't know how to do that. I know how find some reports and have been playing around looking in to more all the time but I have no idea how to get my server1.conf.

Thanks

marvosa

If you're familiar with the shell, the openvpn config files are located in "/var/etc/openvpn".

Otherwise, you can also get it from the GUI:

Diagnostics -> Edit File
Click Browse
Navigate to the "/var/etc/openvpn" directory
Click on "server1.conf"

This will display the contents of your openvpn server config.

Claw22000

Thanks for the quick guide for that here is the info.

dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 24.118.97.87
tls-server
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 75.75.76.76"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 75.75.75.75"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

marvosa

Just so I don't make assumptions, can you tell me:

What is the LAN subnet on the remote end (Behind Pfsense)?
What is the LAN subnet where you're connecting from?
What are the IP's of the machines you trying to connect to?
How are you trying to access these machines? (e.g. RDP, HTTP/HTTPS, FTP, file shares, etc)
Are you trying to access these machines by IP or by name?

Claw22000

1. 192.168.1.0/24
2. If I understand you question it will vary on where I'm connected from. Many of the Starbucks and other coffee shops seem to use 10.0.0.0/24. many friends use the 192.168.1.0/24. I'm guessing as I travel it will be all over the place. if you mean the VIP of the VPN thats 192.168.2.0/24

3. 192.168.1.20 192.168.1.254 192.168.1.253
4. RDP Samba and I would like my information routed through my home internet so the packets can't be captured without encryption.

5. I could use either the names or ips. Names would be nice for future options but not necessary now if its hard to do

Thank you so much for your replys.

Dr Claw

marvosa

A few things:

You are using a routed solution, but you've chosen two of the most common SOHO subnets for both your tunnel network and LAN. This will break your routing if the coffee shop or wherever you're connecting from is on the same subnet as your LAN. Change your tunnel and LAN subnets to something that is not widely used.
You've stated you want all your traffic routed down the tunnel, but I'm not seeing that in your config, which means "Redirect Gateway" is not enabled. Go to your OpenVPN config, scroll down to the "Tunnel Settings" section and enable the following option:
In the domain field, you have an IP where a domain name should be. If you have a DC, enter your domain name in the "DNS Default Domain" field. If you don't have a domain, you shouldn't be using this option… disable it.
Pushing 4 DNS servers seems like overkill. Also, from what I've been reading, 75.75.75.75 and 75.75.76.76 are comcast dns servers which are not that great. I would pull them out and stick with google dns
In a routed solution, broadcasts do not traverse the tunnell, so you can only connect to internal resources via IP unless you:
- Have a local DNS server configured to push to your clients
- Configure a WINS server to push to your clients
- Manually edit the hosts file on every client
Last but not least, on Win 7 or 8, make sure you are running the openvpn client as administrator or the client will not have permissions to make changes to the routing table

Claw22000

Again Thanks so much for all your help!!!

I have tried to change the IP address as best I can. Both Manually and by using the setup wizard. However When I do I can no longer connect to the internet. I've tried 192.168.2.0/24 through 192.168.26.0/24 and have not been able to access the internet on anything except 192.168.1.1. In every instance I did reboot the router to make sure that the new config took. I have setup every thing except the numbered points. but just can't make the switch to a new IP. I was going to start with the numbered lists as soon as I get this issue solved.

I really appreciate your help.

Dr. Claw

marvosa

Clarify what you mean by tried to change the IP… Which IP and where? The tunnel network or the local network? Were you making changes in OpenVPN or on your LAN interface?

Lets go back to how you had it, get it working and then adjust:

LAN - 192.168.1.0/24
Tunnel Network - 192.168.2.0/24

Did you make the config change to force the traffic down the tunnel?

After reading more about "Redirect Gateway" on openvpn.net, it sounds like you either have to push an internal DNS server or push the server's IP for the tunnel for DNS, so i.e.:

Since your tunnel network is 192.168.2.0/24, remove the 4 DNS settings you have and only enter 192.168.2.1, click save and test (the openvpn service gets restarted after every save, so no need to reboot)

Make sure your testing from a separate network that is not using 192.168.1.0/24.

Claw22000

I changed the IP in the OpenVPN to 192.168.26.0/24 this should be rarely use I though.

I tried to change the IP in LAN to many differnet options none of which worked.

I did make the Config change to force traffic down the tunnel.

Erased all DNS server in OpenVPN and made it so there's just one entry at 192.168.26.1 (thought since I change to 26 that it was appropriate to adjust that here.

I have no way of testing this today and will give it a go at work tomorrow.

If you can think of a way to make the main IP change and keep working let me know as I think it would greatly increase the places where I would be able to use the VPN.

As always thanks so much for all your assistance.

Dr Claw

AMizil

I have the same issue here so I considered not to open another topic. I have been running pfSense for about 2 years and it's very stable.
I try to make OpenVPN work in 2.1.5-RELEASE (i386) , as in 2.0.3 i386 was working ok.

pfsense Box local interfaces

LAN 192.168.111.0/24 ; 192.168.111.1 pfsense box and gateway
DMZ 10.128.128.0/24; 10.128.128.1; pfsense box and gateway
VPN Tunneled network 192.168.11.0/24
WINS Server : 192.168.111.100

Remote LAN (at home behind wifi router 192.168.2.0/24)

Firewall rules : OpenVPN tab : allow any to any *

Server Setup info: Pfsense is the gateway, DHCP, DNS and also OpenVPN server for road warrior remote access (SSL/TLS)|UDP|TUN . Outbound:automatic outbound NAT; push default gateway
Client : Win7 64 bit with OpenVPN 2.3.4 I603.. latest release.

mention : PPTP works perfectly ! I can access any IP on LAN/DMZ.

Problem : After connecting successfully the remote LAN , I can ping the pfsense box and browse the Internet using remote public IP, but I can't access any remote device.

I have done the same setup on pfsense 2.0.3 and it work without a problem!
What has changed in routing in pfsense 2.1? What changes I have to do to pfsense config ?

When i traceroute from the win7 machine first hop is the default gateway of the pfsense box (? not pfsense box), supplied by the ISP, then another 2 routers of the ISP and then Destination unreachable.
If I using packet capture are ping LAN subnet from the remote client, the ICMP packets arrive on OpenVPN interface, but only pfsense box responds ( ex ping 192.168.111.1-10 but only 192.168.111.1 responds to ICMP request)

server1.conf

dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local PUBLIC_IP_censored
tls-server
server 192.168.11.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.111.0 255.255.255.0"
push "route 10.128.128.0 255.255.255.0"
push "dhcp-option DOMAIN not-available.com"
push "dhcp-option DNS 192.168.111.1"
push "dhcp-option WINS 192.168.111.100"
push "redirect-gateway def1"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
mode server
client-config-dir /var/etc/openvpn-csc

route 192.168.2.0 255.255.255.0

Client Specific overrides in CCD

push "redirect-gateway def1"
ifconfig-push 192.168.11.1 192.168.11.2

Thank you in advance for any advice!

![status routing table openvpn.PNG](/public/imported_attachments/1/status routing table openvpn.PNG)
![status routing table openvpn.PNG_thumb](/public/imported_attachments/1/status routing table openvpn.PNG_thumb)

AMizil

I have found the problem. In the Firewall - OpenVPN tab I had the same rule: from any to any 2 times , because I use DUAL WAN setup.
The first rule was the one with DUAL WAN gateway instead of default gateway. See picture attached.

Regards,
Adrian

![pfsense openvpn firewall rules.PNG](/public/imported_attachments/1/pfsense openvpn firewall rules.PNG)
![pfsense openvpn firewall rules.PNG_thumb](/public/imported_attachments/1/pfsense openvpn firewall rules.PNG_thumb)