[SOLVED] Help with very basic OpenVPN setup – can't find route to LAN (naturall
-
Hello All:
I feel kind of dumb because I can't find the solution to what seems like a simple setup. I've been through the forums and while there are lots of people remarking on OpenVPN setups that can't route to LAN, every one seems to have a different solution (that doesn't seem to apply to me).
I'm a prodigal pfSense user. It was my router years ago, got replaced by an appliance, and now I'm looking to bring it back. I have a clean very basic install of pfSense. LAN, WAN and that's all. No VLAN. No firewall rules outside of default. There is an Opt1 interface that is not yet assigned. It will be DMZ once the VPN is set up.
pfSense is NOT the DHCP server, this is handled by an Active Directory computer on the LAN. No VMs, everything is physical. I'm looking for a road warrior type setup. No need to connect from the LAN to the remote clients and the remote clients do not need to connect to each other. Remote clients are Windows PCs.
pfSense 2.1.5
LAN: 192.168.10.10/23
WAN: 207.128.128.226/27
OPT1: not assigned
Tunnel: 10.0.8.0/24
OpenVPN set up according to the wizard: Remote Access (SSL/TLS + User Auth)
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 207.128.128.226
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "route 192.168.10.0 255.255.254.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
The firewall rule to allow UDP connections via WAN on port 1194 is in place. The OpenVPN firewall rule to allow all traffic is in place.
Client (remote user) can connect successfully. Client can ping WAN IP addresses (though no DNS, which is fine for now). Client can ping the pfSense LAN interface (192.168.10.10). Client cannot ping any other LAN addresses nor connect via TCP (e.g. RDP, SSH).
**There has to be something simple I'm missing here. Can anyone point me in the right direction? Once I can make use of the OpenVPN connection to access the LAN, I can start setting up my firewall rules and configuring pfSense properly.
Thanks.**
Client route table:
===========================================================================
Active Routes:
Network Destination    Netmask            Gateway            Interface          Metric
0.0.0.0                0.0.0.0            192.168.43.1       192.168.43.149     25
10.0.8.1               255.255.255.255    10.0.8.5           10.0.8.6           1
10.0.8.4               255.255.255.252    10.0.8.6           10.0.8.6           30
10.0.8.6               255.255.255.255    127.0.0.1          127.0.0.1          30
10.255.255.255         255.255.255.255    10.0.8.6           10.0.8.6           30
127.0.0.0              255.0.0.0          127.0.0.1          127.0.0.1          1
169.254.0.0            255.255.0.0        169.254.140.101    169.254.140.101    20
169.254.140.101        255.255.255.255    127.0.0.1          127.0.0.1          40
169.254.255.255        255.255.255.255    169.254.140.101    169.254.140.101    40
192.168.10.0           255.255.254.0      10.0.8.5           10.0.8.6           1
192.168.43.0           255.255.255.0      192.168.43.149     192.168.43.149     25
192.168.43.149         255.255.255.255    127.0.0.1          127.0.0.1          25
192.168.43.255         255.255.255.255    192.168.43.149     192.168.43.149     25
224.0.0.0              240.0.0.0          10.0.8.6           10.0.8.6           30
224.0.0.0              240.0.0.0          169.254.140.101    169.254.140.101    40
224.0.0.0              240.0.0.0          192.168.43.149     192.168.43.149     25
255.255.255.255        255.255.255.255    10.0.8.6           10.0.8.6           1
255.255.255.255        255.255.255.255    169.254.140.101    169.254.140.101    1
255.255.255.255        255.255.255.255    192.168.43.149     192.168.43.149     1
255.255.255.255        255.255.255.255    192.168.43.149     4                  1
Default Gateway: 192.168.43.1
===========================================================================
Persistent Routes: None
pfSense routes:
IPv4
Destination          Gateway            Flags    Refs    Use      Mtu      Netif    Expire
default              207.128.128.225    UGS      0       34567    1500     re0
10.0.8.0/24          10.0.8.2           UGS      0       5        1500     ovpns1
10.0.8.1             link#9             UHS      0       0        16384    lo0
10.0.8.2             link#9             UH       0       0        1500     ovpns1
127.0.0.1            link#7             UH       0       182      16384    lo0
192.168.10.0/23      link#2             U        0       31879    1500     re1
192.168.10.10        link#2             UHS      0       0        16384    lo0
207.128.128.224/27   link#1             U        0       0        1500     re0
207.128.128.226      link#1             UHS      0       0        16384    lo0
-
From what I can tell, your config looks ok, but here's what I see:
According to your client's routing table, you are either on the network you're trying to connect to or the client's network is on the same LAN as yours. Neither of those situations are going to work. Where are you testing from? You have to test from outside of your network… e.g. friend's house, coffee shop, work, etc. If you're actually testing from a client site and their LAN subnet is the same as yours, one of you will need to change subnets.
-
Yes. It looks like it's being tested from the host on 192.168.11.167 from behind the LAN interface. You need to find a way to test from the outside. You could also configure OPT1 like a WAN interface and tell OpenVPN to listen there and test from a computer on OPT1.
-
Sorry for the delay. Lots happening around here today.
I don't know how I messed that part up. I was conducting testing by tethering the client PC through a mobile phone. I have fixed the client route table above. The client IP address is 192.168.43.149 (behind a NAT of course) and its tunnel address is 10.0.8.6.
While the client does appear to have a route to the LAN (192.168.10.0/23) I'm not able to access or ping any LAN IP Addresses. What piece am I missing?
Corrected route table.
===========================================================================
Active Routes:
Network Destination    Netmask            Gateway            Interface          Metric
0.0.0.0                0.0.0.0            192.168.43.1       192.168.43.149     25
10.0.8.1               255.255.255.255    10.0.8.5           10.0.8.6           1
10.0.8.4               255.255.255.252    10.0.8.6           10.0.8.6           30
10.0.8.6               255.255.255.255    127.0.0.1          127.0.0.1          30
10.255.255.255         255.255.255.255    10.0.8.6           10.0.8.6           30
127.0.0.0              255.0.0.0          127.0.0.1          127.0.0.1          1
169.254.0.0            255.255.0.0        169.254.140.101    169.254.140.101    20
169.254.140.101        255.255.255.255    127.0.0.1          127.0.0.1          40
169.254.255.255        255.255.255.255    169.254.140.101    169.254.140.101    40
192.168.10.0           255.255.254.0      10.0.8.5           10.0.8.6           1
192.168.43.0           255.255.255.0      192.168.43.149     192.168.43.149     25
192.168.43.149         255.255.255.255    127.0.0.1          127.0.0.1          25
192.168.43.255         255.255.255.255    192.168.43.149     192.168.43.149     25
224.0.0.0              240.0.0.0          10.0.8.6           10.0.8.6           30
224.0.0.0              240.0.0.0          169.254.140.101    169.254.140.101    40
224.0.0.0              240.0.0.0          192.168.43.149     192.168.43.149     25
255.255.255.255        255.255.255.255    10.0.8.6           10.0.8.6           1
255.255.255.255        255.255.255.255    169.254.140.101    169.254.140.101    1
255.255.255.255        255.255.255.255    192.168.43.149     192.168.43.149     1
255.255.255.255        255.255.255.255    192.168.43.149     4                  1
Default Gateway: 192.168.43.1
===========================================================================
Persistent Routes: None
-
I should note that I cannot make a connection to LAN whether "Force all client generated traffic through the tunnel" is checked or not. And all local firewalls are disabled.
-
Am I the only one who would rather see the openvpn config page than all this text?
-
Ok, so software firewalls are turned off? Client appears to be getting the right route, but just in case… verify the client is run as administrator.
Check your firewall logs for blocks. Try to make connections to your local machines and watch your logs live. Assuming the routing is correct, you're looking at firewall rules.
Make sure there's an any/any rule on your OpenVPN tab.
-
kejianshi, nah… I'd rather see the raw config... but that's just me.
It's easier to compare to my own working config and identify mistakes
-
This stuff is SIMPLE - I think a screen shot of the config would help me to see if something is weird anyway…
BTW - There is a pass rule on the openvpn firewall tab?
If so, it would help to see that rule also.
-
kejianshi, I am happy to oblige with screenshots. This stupidly simple configuration has been vexing me for a week now and I don't have many hairs left.
Here are the firewall config screens and the OpenVPN setup screen.
-
I'm not certain what I should (or shouldn't) be seeing in the firewall log. I cleared the log then attempted to connect from the client to two different LAN IP addresses. All I saw in the logs is the attached. It doesn't seem to shed any light.
The OpenVPN log shows:
Oct 22 20:31:32 openvpn: user 'vpnuser' authenticated
Oct 22 20:31:32 openvpn[37365]: 198.91.178.106:65342 [vpnuser] Peer Connection Initiated with [AF_INET]198.91.178.106:65342
Oct 22 20:31:32 openvpn[37365]: MULTI_sva: pool returned IPv4=10.0.8.6, IPv6=(Not enabled)
Oct 22 20:31:34 openvpn[37365]: vpnuser/198.91.178.106:65342 send_push_reply(): safe_cap=940
-
Switch to dynamic view and try to connect to your machines. See if there are blocks coming from your tunnel IP range.
Post your firewall rule from the openvpn tab.
** Sorry… just saw you already posted the pic of your rules **
-
What's the private IP of the computer you are using to connect to OpenVPN?
Is it OUTSIDE the network that pfsense is in?
-
Okay, back to this with fresh eyes.
kejianshi, the client computer I'm connecting to OpenVPN with is tethered through a mobile phone.
IP addresses:
Client computer: 192.168.43.149 (behind a NAT, of course. It appears to route out through 192.168.43.149 -> 192.168.43.1 -> 172.25.83.33)
LAN: 192.168.10.10/23
WAN: 207.128.128.226/27
OPT1: not assigned
Tunnel: 10.0.8.0/24
marvosa, here's a screenshot of the dynamic view while the VPN tunnel was established and ping and RDP connections attempted. Nothing was being blocked on the OpenVPN interface.
-
Perhaps I'm asking another silly question.
Is the client a windows machine?
If so, when you installed, did you run the installer as admin?
After you installed, are you running the client as admin?
Why is the local network 192.168.10.0/23 instead of /24?
-
Yes, on a Windows machine (currently XP, but I have been trying Windows 7 as well). I have to admit, I don't always remember to run OpenVPN GUI as administrator but I did so on installation and first run and have done so again just now to confirm. No difference when running as local administrator.
-
and why /23 instead of a /24?
-
Ooops, sorry. Missed that part. When our LAN was set up many years ago, we anticipated the possibility for needing more than 255 IP addresses. Our IP range runs from 192.168.10.1 - 192.168.11.255. We use the 192.168.10.1-192.168.10.255 range for machines with static IPs and/or DHCP reservations and the 192.168.11.1-192.168.11.255 range for dynamic IPs. Workstations, laptops, BYOD, etc.
I can ping 192.168.10.10, which is the LAN IP of the pfSense box, but I cannot ping 192.168.10.6 which is the Active Directory & DNS server.
-
The "why" doesn't really matter. It's a routed tunnel. As long as he follows the "rules" and knows his LAN network range is 192.168.10.1 - 192.168.11.254 and doesn't overlap he's fine.
Have you tried a simple reboot of pfSense? Sometimes that fixes things, believe it or not.
One last thing I thought of, in the case that everything looks correct in your config, etc, make sure the machines/devices on your LAN are using pfSense as the default gateway or you won't be able to communicate with them. i.e…. verify your DHCP server is configured to hand out pfSense as the gateway... which you've stated is 192.168.10.10.
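The two routing checks raised in this thread (the early replies' point that the client must not sit on a subnet overlapping the pushed LAN route, and the point just above that LAN hosts must use pfSense as their default gateway or replies to the tunnel never come back) can both be checked mechanically with a longest-prefix-match route lookup. The script below is an added example, not code from the thread or from pfSense/OpenVPN. The first route table is copied from the client `route print` output posted above; the "inside the LAN" client table and the two LAN-host tables are constructed for illustration, and the old appliance gateway at 192.168.10.1 is a hypothetical address, not one mentioned in the thread.

```python
import ipaddress

# Rows copied from the client route table posted in the thread (client tethered
# through a phone, tunnel address 10.0.8.6).  Windows `route print` layout:
# destination, netmask, gateway, interface, metric.
CLIENT_ROUTES = """
0.0.0.0          0.0.0.0          192.168.43.1    192.168.43.149  25
10.0.8.1         255.255.255.255  10.0.8.5        10.0.8.6        1
10.0.8.4         255.255.255.252  10.0.8.6        10.0.8.6        30
192.168.10.0     255.255.254.0    10.0.8.5        10.0.8.6        1
192.168.43.0     255.255.255.0    192.168.43.149  192.168.43.149  25
"""

# Constructed (not from the thread): the same client tested from a host inside
# the 192.168.10.0/23 LAN, as one reply suspected (192.168.11.167).
CLIENT_ROUTES_INSIDE_LAN = """
0.0.0.0          0.0.0.0          192.168.10.10   192.168.11.167  25
10.0.8.4         255.255.255.252  10.0.8.6        10.0.8.6        30
192.168.10.0     255.255.254.0    10.0.8.5        10.0.8.6        1
192.168.10.0     255.255.254.0    192.168.11.167  192.168.11.167  25
"""

# Constructed: the AD/DNS server 192.168.10.6 with its default gateway still
# pointing at a hypothetical old appliance (192.168.10.1) instead of pfSense.
LAN_HOST_WRONG_GW = """
0.0.0.0          0.0.0.0          192.168.10.1    192.168.10.6    10
192.168.10.0     255.255.254.0    192.168.10.6    192.168.10.6    10
"""

# Constructed: the same host after its gateway is corrected to pfSense.
LAN_HOST_PFSENSE_GW = """
0.0.0.0          0.0.0.0          192.168.10.10   192.168.10.6    10
192.168.10.0     255.255.254.0    192.168.10.6    192.168.10.6    10
"""


def parse_routes(text):
    """Parse `route print`-style rows into (network, gateway, interface, metric).
    Header/footer lines that do not have five fields or a valid netmask are
    skipped, so the full output of `route print` can be pasted in as-is."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
        except ValueError:
            continue
    return routes


def lookup(routes, dst):
    """Longest-prefix match with the lowest metric breaking ties, which is how
    both the Windows and FreeBSD stacks pick a route.  Returns
    (network, gateway, interface) or None when nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, net, gw, iface)
    return None if best is None else best[1:]


def overlapping_routes(routes, pushed, tunnel_iface):
    """Client routes that are not via the tunnel interface yet overlap the
    subnet OpenVPN pushed.  Any hit means the client already sits on, or
    routes directly to, the LAN, so replies will not come back through the
    tunnel.  The default route (prefix length 0) is ignored on purpose."""
    pushed = ipaddress.IPv4Network(pushed)
    return [net for net, gw, iface, metric in routes
            if iface != tunnel_iface and net.prefixlen > 0 and net.overlaps(pushed)]


def reply_reaches_tunnel(host_routes, tunnel_client_ip, pfsense_lan_ip):
    """True if a LAN host would hand replies for the tunnel client to pfSense,
    the only device on the LAN that knows the 10.0.8.0/24 route."""
    hit = lookup(host_routes, tunnel_client_ip)
    return hit is not None and hit[1] == pfsense_lan_ip


if __name__ == "__main__":
    client = parse_routes(CLIENT_ROUTES)
    print("client -> 192.168.10.6 via", lookup(client, "192.168.10.6"))
    print("overlap (outside):", overlapping_routes(client, "192.168.10.0/23", "10.0.8.6"))
    inside = parse_routes(CLIENT_ROUTES_INSIDE_LAN)
    print("overlap (inside LAN):", overlapping_routes(inside, "192.168.10.0/23", "10.0.8.6"))
    for label, table in (("wrong gw", LAN_HOST_WRONG_GW), ("pfSense gw", LAN_HOST_PFSENSE_GW)):
        ok = reply_reaches_tunnel(parse_routes(table), "10.0.8.6", "192.168.10.10")
        print(f"LAN host ({label}) replies reach tunnel:", ok)
```

With the posted client table the forward path to 192.168.10.6 correctly selects the tunnel (gateway 10.0.8.5 on interface 10.0.8.6) and nothing overlaps, which matches the thread's conclusion that the client side is fine; the LAN-host check is where a host with a stale default gateway shows up, because its reply to 10.0.8.6 follows the default route to a device that has no route back into the tunnel.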
-
bbrooking, I'm guessing it was a typo, but you know that 192.168.11.255 is the broadcast and is not usable right?