Netgate Discussion Forum

Issues with OpenVPN Configuration

OpenVPN
73 Posts 6 Posters 16.7k Views
  • D
    dhendriksen
    last edited by Feb 19, 2015, 12:40 AM

    I'm suddenly having issues with my OpenVPN connection, and I'm hoping that you can help me troubleshoot it.

    I can connect to the VPN just fine. The issue is that once I'm remotely connected, I cannot see any of the devices on the network, i.e. connecting via VPN and then trying to ping my NAS, or any local devices at the house.

    I have my gateway set up as 192.168.1.1, and that is the IP of pfSense. I had the VPN initially working in the range of 192.168.79.1/24, but have since changed it to 192.168.1.0/24 in an attempt to get it to work. It connects… in fact I'm connected right now. I can see the connection in pfSense, and the device (in this case my Android phone) has an IP address of 192.168.1.6. However, it can't see any of the local devices.

    I set everything up using the OpenVPN plugin, and configured my laptops and phones using the Client Export tool. If you could help me out, I'd much appreciate it. I'm a novice with this stuff, and leave the country on Saturday... I'd really like to get it set up before I go.

    Thanks in advance.

    • K
      kejianshi
      last edited by Feb 19, 2015, 1:07 AM

      "I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."

      This can be a big issue. I'd make my pfSense IP something unlike what you will see on standard home setups. Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.

      • D
        dhendriksen
        last edited by Feb 19, 2015, 1:28 AM

        @kejianshi:

        "I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."

        This can be a big issue. I'd make my pfSense IP something unlike what you will see on standard home setups. Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.

        Can you elaborate? This has worked great for years.

        I have some VLANs that are .2.x and .3.x.

        • K
          kejianshi
          last edited by Feb 19, 2015, 2:33 AM

          Let's say your pfSense LAN is at 192.168.1.1,

          and let's say 1000 miles from home someone is on a network whose LAN IP is also 192.168.1.1 (super common).

          Now, let's say he joins your VPN and types 192.168.1.1 into his browser.

          He will get the closest 192.168.1.1 - the first one in his routes.

          So, in all likelihood, he will get his modem/router setup page and not the pfSense GUI.

          So, basically, being set up this way causes lots and lots of problems.

          • M
            marvosa
            last edited by Feb 19, 2015, 2:54 AM

            • Post a network map with IPs

            • Post your openvpn config (server1.conf).

            • Verify the devices on your LAN are using PFsense as the default gateway

            • Verify the network the client is connecting from is not on the same subnet as your LAN.

            • If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box

            • D
              dhendriksen
              last edited by Feb 19, 2015, 3:30 AM

              @marvosa:

              • Post a network map with IPs

              • Post your openvpn config (server1.conf).

              • Verify the devices on your LAN are using PFsense as the default gateway

              • Verify the network the client is connecting from is not on the same subnet as your LAN.

              • If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box

              Thank you for the reply. I don't know how to post a "network map". Here's what I have.

              Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations between 192.168.1.200 and .254. All that works perfectly.

              I have a guest network that is 192.168.2.1 that is a captive portal.

              I have a kids network that is 192.168.3.1 that is for the kids' devices and only has access to the web, and a whitelist of sites at that.

              I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

              All devices are using 192.168.1.1 as the gateway.

              I don't need access to VLANs from the VPN.

              I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

              • D
                dhendriksen
                last edited by Feb 19, 2015, 3:55 AM

                As of right now the tunnel network is 192.168.79.0/24.

                I can see the device is connected, but I am not able to ping or communicate with any of the devices on the LAN. NONE OF THEM.

                • P
                  phil.davis
                  last edited by Feb 19, 2015, 4:15 AM

                  I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                  For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:

                  ipconfig
                  

                  They might have been given:

                  Wireless LAN adapter Wi-Fi:
                  
                     Connection-specific DNS Suffix  . : example.org
                     IPv4 Address. . . . . . . . . . . : 192.168.1.42
                     Subnet Mask . . . . . . . . . . . : 255.255.255.0
                     Default Gateway . . . . . . . . . : 192.168.1.1
                  

                  If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  • T
                    tsolrm
                    last edited by Feb 19, 2015, 8:35 AM

                    Post the following details.

                    Your LAN SUBNET (not DHCP). This can be found under Services -> DHCP server -> LAN tab.

                    Your OpenVPN server details. In particular, is it operating in 'tap' or 'tun', what tunnel network you have selected, and which local network.

                    • D
                      dhendriksen
                      last edited by Feb 19, 2015, 6:18 PM

                      @phil.davis:

                      I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                      For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:

                      ipconfig
                      

                      They might have been given:

                      Wireless LAN adapter Wi-Fi:
                      
                         Connection-specific DNS Suffix  . : example.org
                         IPv4 Address. . . . . . . . . . . : 192.168.1.42
                         Subnet Mask . . . . . . . . . . . : 255.255.255.0
                         Default Gateway . . . . . . . . . : 192.168.1.1
                      

                      If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.

                      I did verify this. One example is just using my cell phone over an LTE connection. It has a crazy IP address, and not anything in this range.

                      Furthermore, the VPN is now set to 192.168.79.0/24.

                      • D
                        dhendriksen
                        last edited by Feb 19, 2015, 6:20 PM

                        @tsolrm:

                        Post the following details.

                        Your LAN SUBNET (not DHCP). This can be found under Services -> DHCP server -> LAN tab.

                        Your OpenVPN server details. In particular, is it operating in 'tap' or 'tun', what tunnel network you have selected, and which local network.

                        Thank you for pointing out where I can find those things. I'm at my office right now, but as soon as I get home I'll give it a look and post back.

                        Dan

                        • M
                          marvosa
                          last edited by Feb 19, 2015, 9:50 PM

                          Thank you for the reply. I don't know how to post a "network map". Here's what I have.

                          An example would be… "Internet -> pfSense -> Switch -> LAN". We need to know how things are physically connected.

                          Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations between 192.168.1.200 and .254. All that works perfectly.

                          I have a guest network that is 192.168.2.1 that is a captive portal.

                          I have a kids network that is 192.168.3.1 that is for the kids' devices and only has access to the web, and a whitelist of sites at that.

                          So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24?  Or is your scope wider than that?
                          Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?

                          I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

                          • Diagnostics -> Edit file

                          • Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"

                          I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                          I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN cannot be in the same subnet as your LAN. I.e. check the client's IP and make sure it's not in 192.168.1.0/24, or you will have to change it on one side or the other.

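The collision kejianshi and phil.davis describe above can be checked mechanically. The Python script below is an added example, not code from the thread, from pfSense or from OpenVPN: it reads the client's on-link network out of the ipconfig excerpt quoted above (plus a constructed mobile-broadband sample standing in for the poster's LTE phone), compares it with the two routes the posted server pushes, and shows which route a destination such as 192.168.1.1 would take. Route selection is simplified to longest-prefix match with the on-link route winning a tie, which is the mechanism behind "he will get the closest 192.168.1.1"; real Windows routing also weighs interface metrics.

```python
"""Client-side route collision check for a road-warrior OpenVPN client.

Added example (not from the thread, pfSense or OpenVPN). It derives the
client's on-link network from a Windows ipconfig excerpt and compares it with
the routes the pfSense server pushes. Route selection is modelled as
longest-prefix match with the on-link route winning a tie.
"""
import ipaddress
import re

# Sample taken from the ipconfig output quoted in the thread (a cafe client).
IPCONFIG_CAFE = """\
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : example.org
   IPv4 Address. . . . . . . . . . . : 192.168.1.42
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed sample: a phone on a mobile connection with a carrier-assigned /32,
# standing in for the poster's "crazy IP address, not anything in this range".
IPCONFIG_MOBILE = """\
Mobile Broadband adapter Cellular:

   IPv4 Address. . . . . . . . . . . : 100.68.12.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
"""

# The two routes pushed by the server1.conf posted later in the thread.
PUSHED_ROUTES = ["192.168.1.0 255.255.255.0", "192.168.79.0 255.255.255.0"]


def local_network(ipconfig_text):
    """On-link IPv4 network of the adapter described in an ipconfig excerpt."""
    addr = re.search(r"IPv4 Address[ .]*: (\S+)", ipconfig_text).group(1)
    mask = re.search(r"Subnet Mask[ .]*: (\S+)", ipconfig_text).group(1)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def pushed_networks(routes):
    """Convert OpenVPN 'network netmask' route strings into IPv4Network objects."""
    return [ipaddress.IPv4Network(r.replace(" ", "/"), strict=False) for r in routes]


def conflicts(local_net, vpn_nets):
    """Pushed networks that overlap the client's own on-link network."""
    return [net for net in vpn_nets if net.overlaps(local_net)]


def route_lookup(dest, local_net, vpn_nets):
    """Return 'local', 'vpn' or 'default' for the route that carries dest.

    Longest prefix wins. The on-link route is evaluated first, so on an equal
    prefix length it keeps the traffic off the tunnel, which is exactly the
    failure the thread describes.
    """
    dest = ipaddress.IPv4Address(dest)
    best_name, best_len = "default", -1
    for name, net in [("local", local_net)] + [("vpn", n) for n in vpn_nets]:
        if dest in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def report(ipconfig_text, routes):
    """Human-readable summary for one client; returned as a string."""
    local_net = local_network(ipconfig_text)
    vpn_nets = pushed_networks(routes)
    lines = [f"client on-link network: {local_net}"]
    for net in conflicts(local_net, vpn_nets):
        lines.append(f"  CONFLICT: pushed route {net} overlaps the client's own LAN")
    for dest in ("192.168.1.1", "192.168.1.200", "192.168.79.1"):
        lines.append(f"  {dest} -> {route_lookup(dest, local_net, vpn_nets)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(IPCONFIG_CAFE, PUSHED_ROUTES))
    print(report(IPCONFIG_MOBILE, PUSHED_ROUTES))
```

For the cafe client every 192.168.1.x destination, including the pfSense GUI at 192.168.1.1 and the NAS, resolves to the local Wi-Fi rather than the tunnel, while the mobile client reaches them through the VPN; that is why the LTE phone in the thread was a fair test and why a less common LAN range on the pfSense side removes the problem for clients on 192.168.1.0/24 networks.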
                          • D
                            dhendriksen
                            last edited by Feb 19, 2015, 11:03 PM

                            @tsolrm:

                            Post the following details.

                            Your LAN SUBNET (not DHCP). This can be found under Services -> DHCP server -> LAN tab.

                            Your OpenVPN server details. In particular, is it operating in 'tap' or 'tun', what tunnel network you have selected, and which local network.

                            My LAN SUBNET is: 192.168.1.0

                            RE: the OpenVPN server details, The "Device Mode" is "tun". The IPV4 tunnel network is: 192.168.79.0/24. The local network/s is: 192.168.1.0/24, 192.168.79.0/24

                            I didn't have the 192.168.79.0/24 listed there, but I added in hopes that it would make a difference. It has not.

                            • D
                              dhendriksen
                              last edited by Feb 19, 2015, 11:15 PM

                              @marvosa:

                              Thank you for the reply. I don't know how to post a "network map". Here's what I have.

                              An example would be… "Internet -> pfSense -> Switch -> LAN". We need to know how things are physically connected.

                              Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations between 192.168.1.200 and .254. All that works perfectly.

                              I have a guest network that is 192.168.2.1 that is a captive portal.

                              I have a kids network that is 192.168.3.1 that is for the kids' devices and only has access to the web, and a whitelist of sites at that.

                              So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24?  Or is your scope wider than that?
                              Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?

                              I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

                              • Diagnostics -> Edit file

                              • Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"

                              I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                              I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN cannot be in the same subnet as your LAN. I.e. check the client's IP and make sure it's not in 192.168.1.0/24, or you will have to change it on one side or the other.

                              You are correct in that it's INTERNET -> PFSENSE -> SWITCH/LAN <- Ubiquiti UniFi.

                              The 2.x and 3.x VLANs are actual VLANs. They are configured in pfSense, and there are different SSIDs that are broadcast and tagged by the Ubiquiti. The Dell PowerConnect switch tags the ports that are connected to the pfSense and Ubiquiti with VLANs 1, 2 and 3. I don't really understand the rest of your questions except that those VLANs are 192.168.2.1/24 and 192.168.3.1/24. One has a captive portal and the other not. They just have web access. Those are working exactly as I'd like them to.

                              When you talk about the scope of my PFSense LAN, it looks like you've got it exactly correct.

                              Here are the contents of the "server1.conf" document:

                              
                              dev ovpns1
                              verb 1
                              dev-type tun
                              tun-ipv6
                              dev-node /dev/tun1
                              writepid /var/run/openvpn_server1.pid
                              #user nobody
                              #group nobody
                              script-security 3
                              daemon
                              keepalive 10 60
                              ping-timer-rem
                              persist-tun
                              persist-key
                              proto udp
                              cipher AES-256-CBC
                              auth SHA1
                              up /usr/local/sbin/ovpn-linkup
                              down /usr/local/sbin/ovpn-linkdown
                              client-connect /usr/local/sbin/openvpn.attributes.sh
                              client-disconnect /usr/local/sbin/openvpn.attributes.sh
                              local 76.23.10.226
                              tls-server
                              server 192.168.79.0 255.255.255.0
                              client-config-dir /var/etc/openvpn-csc
                              username-as-common-name
                              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
                              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'HendriksenHomeVPN' 1"
                              lport 1194
                              management /var/etc/openvpn/server1.sock unix
                              max-clients 2
                              push "route 192.168.1.0 255.255.255.0"
                              push "route 192.168.79.0 255.255.255.0"
                              push "dhcp-option DNS 75.75.76.76"
                              push "dhcp-option DNS 75.75.75.75"
                              ca /var/etc/openvpn/server1.ca 
                              cert /var/etc/openvpn/server1.cert 
                              key /var/etc/openvpn/server1.key 
                              dh /etc/dh-parameters.2048
                              tls-auth /var/etc/openvpn/server1.tls-auth 0
                              persist-remote-ip
                              float
                              
                              

                              I appreciate each of you taking a few minutes to help me resolve this. I'm sure it's something simple, but I really need to get it worked out tonight and working. Like I said, I'm leaving the country and need things functioning properly while I'm gone so I can access things. I'm home all night tonight and will watch this thread.

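As an added example (not part of the thread, pfSense or OpenVPN), the script below parses an excerpt of the server1.conf posted above and checks the server-side points the thread raises: the tunnel network must not overlap the LAN, and the LAN subnet entered under "IPv4 Local Network/s" must actually reach clients as a pushed route. The poster's public 'local' address is replaced by the documentation placeholder 203.0.113.10, non-network directives are left out of the excerpt, and the LAN subnet 192.168.1.0/24 is passed in as the thread states it. A second input reproduces the poster's earlier attempt with the tunnel network on 192.168.1.0/24, which the check rejects.

```python
"""Server-side consistency check of an OpenVPN server config.

Added example; not code from the thread, pfSense or OpenVPN. SERVER1_CONF is
an excerpt of the directives the poster pasted, with the public 'local'
address replaced by a documentation placeholder.
"""
import ipaddress
import shlex

# Excerpt of the poster's server1.conf (network-relevant directives only).
SERVER1_CONF = """\
dev ovpns1
dev-type tun
proto udp
cipher AES-256-CBC
auth SHA1
# placeholder for the poster's public WAN address
local 203.0.113.10
tls-server
server 192.168.79.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
lport 1194
max-clients 2
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.79.0 255.255.255.0"
push "dhcp-option DNS 75.75.76.76"
push "dhcp-option DNS 75.75.75.75"
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

# The poster's first attempt: tunnel network set to the LAN subnet itself.
FIRST_ATTEMPT_CONF = SERVER1_CONF.replace(
    "server 192.168.79.0 255.255.255.0", "server 192.168.1.0 255.255.255.0")


def parse_openvpn_config(text):
    """Return (directive, args) pairs; blank lines and #/; comment lines are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)          # honours the quoting used by push "..."
        directives.append((tokens[0], tokens[1:]))
    return directives


def _network(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def tunnel_network(directives):
    """Tunnel network from the 'server network netmask' helper directive."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return _network(args[0], args[1])
    return None


def _pushed(directives, keyword):
    """Split every push "..." option and yield the ones starting with keyword."""
    for name, args in directives:
        if name == "push" and args:
            inner = shlex.split(args[0])
            if inner and inner[0] == keyword:
                yield inner


def summarize(text, lan_subnet):
    """Check the config against the pfSense LAN subnet and return a summary dict."""
    directives = parse_openvpn_config(text)
    lan = ipaddress.IPv4Network(lan_subnet)
    tunnel = tunnel_network(directives)
    routes = [_network(p[1], p[2]) for p in _pushed(directives, "route") if len(p) >= 3]
    dns = [p[2] for p in _pushed(directives, "dhcp-option")
           if len(p) == 3 and p[1] == "DNS"]
    findings = []
    if tunnel is None:
        findings.append("no 'server' directive, tunnel network unknown")
    elif tunnel.overlaps(lan):
        findings.append(f"tunnel network {tunnel} overlaps the LAN {lan}; "
                        "choose a tunnel network that is not in use on either side")
    if not any(lan.subnet_of(route) for route in routes):
        findings.append(f"LAN {lan} is not pushed as a route; add it to IPv4 Local Network/s")
    # redirect-gateway may appear as a server directive or as a pushed option
    redirect = any(name == "redirect-gateway" for name, _ in directives) or \
        any(True for _ in _pushed(directives, "redirect-gateway"))
    max_clients = next((int(args[0]) for name, args in directives
                        if name == "max-clients" and args), None)
    return {"tunnel": tunnel, "pushed_routes": routes, "dns": dns,
            "split_tunnel": not redirect, "max_clients": max_clients,
            "findings": findings}


if __name__ == "__main__":
    for label, conf in (("posted config", SERVER1_CONF), ("first attempt", FIRST_ATTEMPT_CONF)):
        result = summarize(conf, "192.168.1.0/24")
        print(label, "->", result["findings"] or "no findings")
```

The posted config passes both checks, which fits the thread moving on from server1.conf to the client side; the 192.168.1.0/24 tunnel from the poster's earlier attempt is the one setting the checker rejects. Two details the summary surfaces are worth a glance as well: without redirect-gateway only the pushed routes use the tunnel (the box the poster later ticked changes that), and max-clients 2 caps simultaneous connections, which matters once several laptops and phones carry exported profiles.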
                              • D
                                dhendriksen
                                last edited by Feb 19, 2015, 11:48 PM

                                I checked the "redirect gateway" box (Force all client generated traffic through the tunnel.) and it appears to be working…but I need to do more testing.

                                • D
                                  dhendriksen
                                  last edited by Feb 20, 2015, 12:29 AM

                                  Still not quite working as it should. I'm going to reboot everything and see if that makes a difference.

                                  • D
                                    dhendriksen
                                    last edited by Feb 20, 2015, 1:16 AM

                                    No difference guys. I need all the help I can get here.

                                    • K
                                      kejianshi
                                      last edited by Feb 20, 2015, 1:21 AM

                                      Did you change your pfSense IP from 192.168.1.1 yet?

                                      I usually don't like wasting time on people who won't make basic changes to improve things.

                                      • D
                                        dhendriksen
                                        last edited by Feb 20, 2015, 2:57 AM

                                        @kejianshi:

                                        Did you change your pfSense IP from 192.168.1.1 yet?

                                        I usually don't like wasting time on people who won't make basic changes to improve things.

                                        Will that require me to reset every DHCP reservation and reboot every single device? That's an awful lot of work, and I can certainly do it but I'd rather not go through all that work the day before I leave the country for two weeks.

                                        • K
                                          kejianshi
                                          last edited by Feb 20, 2015, 3:32 AM

                                          Well, if you like it broken, leave it as is.

                                          Probably what will happen if you modify the pfSense setup and reboot it is that all your clients will restart their connections automatically and all will be fine.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.