    Issues with OpenVPN Configuration

    • D
      dhendriksen last edited by

      I'm suddenly having issues with my OpenVPN connection, and I'm hoping that you can help me troubleshoot it.

      I can connect to the VPN just fine. The issue is that once I'm remotely connected, I cannot see any of the devices on the network, i.e. connecting via VPN and then trying to ping my NAS, or any local devices at the house.

      I have my gateway setup as 192.168.1.1, and that is the IP of PFSense. I had the VPN initially working in the range of 192.168.79.1/24, but have since changed it to 192.168.1.0/24 in an attempt to get it to work. It connects…in fact I'm connected right now. I can see the connection in PFSense, and the device (in this case my Android phone) has an IP address of 192.168.1.6. However, it can't see any of the local devices.

      I set everything up using the OpenVPN plugin, and configured my laptops and phones using the ClientExport tool. If you could help me out, I'd much appreciate it. I'm a novice with this stuff, and leave the country on Saturday...I'd really like to get it setup before I go.

      Thanks in advance.

      • K
        kejianshi last edited by

        "I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."

        This can be a big issue.  I'd make my pfsense ip be something not like you will see on standard home setups.  Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.

        • D
          dhendriksen last edited by

          @kejianshi:

          "I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."

          This can be a big issue.  I'd make my pfsense ip be something not like you will see on standard home setups.  Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.

          Can you elaborate? This has worked great for years.

          I have some VLANs that are .2.x and .3.x.

          • K
            kejianshi last edited by

            Let's say your pfsense lan is at 192.168.1.1

            and let's say 1000 miles from home someone is on a network whose lan ip is also 192.168.1.1  (super common)

            Now, let's say he joins your vpn and types in 192.168.1.1 in his browser.

            He will get the closest 192.168.1.1 - the first one in his routes.

            So, in all likelihood, he will get his modem/router setup page and not the pfsense gui.

            So, basically, setting up this way causes lots and lots of problems.

            • M
              marvosa last edited by

              • Post a network map with IP's

              • Post your openvpn config (server1.conf).

              • Verify the devices on your LAN are using PFsense as the default gateway

              • Verify the network the client is connecting from is not on the same subnet as your LAN.

              • If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box

              • D
                dhendriksen last edited by

                @marvosa:

                • Post a network map with IP's

                • Post your openvpn config (server1.conf).

                • Verify the devices on your LAN are using PFsense as the default gateway

                • Verify the network the client is connecting from is not on the same subnet as your LAN.

                • If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box

                Thank you for the reply. I don't know how to post a "network map". Here's what I have.

                Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.

                I have a guest network that is 192.168.2.1 that is captive portal.

                I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.

                I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

                All devices are using 192.168.1.1 as the gateway.

                I don't need access to VLAN's from the VPN.

                I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                • D
                  dhendriksen last edited by

                  As of right now the tunnel network is 192.168.79.0/24.

                  I can see the device is connected, but I am not able to ping or communicate with any of the devices on the LAN. NONE OF THEM.

                  • P
                    phil.davis last edited by

                    I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                    For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:

                    ipconfig
                    

                    They might have been given:

                    Wireless LAN adapter Wi-Fi:
                    
                       Connection-specific DNS Suffix  . : example.org
                       IPv4 Address. . . . . . . . . . . : 192.168.1.42
                       Subnet Mask . . . . . . . . . . . : 255.255.255.0
                       Default Gateway . . . . . . . . . : 192.168.1.1
                    

                    If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    • T
                      tsolrm last edited by

                      Post the following details.

                      Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab

                      Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.

                      • D
                        dhendriksen last edited by

                        @phil.davis:

                        I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                        For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:

                        ipconfig
                        

                        They might have been given:

                        Wireless LAN adapter Wi-Fi:
                        
                           Connection-specific DNS Suffix  . : example.org
                           IPv4 Address. . . . . . . . . . . : 192.168.1.42
                           Subnet Mask . . . . . . . . . . . : 255.255.255.0
                           Default Gateway . . . . . . . . . : 192.168.1.1
                        

                        If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.

                        I did verify this. One example is just using my cell phone over an LTE connection. It has a crazy IP address, and not anything in this range.

                        Furthermore, the VPN is now set to 192.168.79.0/24.

                        • D
                          dhendriksen last edited by

                          @tsolrm:

                          Post the following details.

                          Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab

                          Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.

                          Thank you for pointing out where I can find those things. I'm at my office right now, but as soon as I get home I'll give it a look and post back.

                          Dan

                          • M
                            marvosa last edited by

                            Thank you for the reply. I don't know how to post a "network map". Here's what I have.

                            An example would be…..  "Internet -> PFsense -> Switch -> LAN".  We need to know how things are physically connected

                            Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.

                            I have a guest network that is 192.168.2.1 that is captive portal.

                            I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.

                            So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24?  Or is your scope wider than that?
                            Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?

                            I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

                            • Diagnostics -> Edit file

                            • Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"

                            I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                            I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN can not be in the same subnet as your LAN.  i.e. check the client's IP and make sure it's not in 192.168.1.0/24 or you will have to change it on one side or the other.

                            • D
                              dhendriksen last edited by

                              @tsolrm:

                              Post the following details.

                              Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab

                              Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.

                              My LAN SUBNET is: 192.168.1.0

                              RE: the OpenVPN server details, The "Device Mode" is "tun". The IPV4 tunnel network is: 192.168.79.0/24. The local network/s is: 192.168.1.0/24, 192.168.79.0/24

                              I didn't have the 192.168.79.0/24 listed there, but I added in hopes that it would make a difference. It has not.

                              • D
                                dhendriksen last edited by

                                @marvosa:

                                Thank you for the reply. I don't know how to post a "network map". Here's what I have.

                                An example would be…..  "Internet -> PFsense -> Switch -> LAN".  We need to know how things are physically connected

                                Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.

                                I have a guest network that is 192.168.2.1 that is captive portal.

                                I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.

                                So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24?  Or is your scope wider than that?
                                Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?

                                I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?

                                • Diagnostics -> Edit file

                                • Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"

                                I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.

                                I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN can not be in the same subnet as your LAN.  i.e. check the client's IP and make sure it's not in 192.168.1.0/24 or you will have to change it on one side or the other.

                                You are correct in that it's INTERNET -> PFSENSE -> SWITCH/LAN <- Ubiquiti UniFi.

                                The 2.x and 3.x VLAN's are actual VLAN's. They are configured in PFSense, and there are different SSID's that are broadcast and tagged by the Ubiquiti. The Dell Powerconnect switch tags the ports that are connected to the PFSense and Ubiquiti with VLAN's 1, 2 and 3. I don't really understand the rest of your questions except those VLAN's are 192.168.2.1/24 and 192.168.3.1/24. One has a captive portal and the other not. They just have web access. Those are working exactly as I'd like them to.

                                When you talk about the scope of my PFSense LAN, it looks like you've got it exactly correct.

                                Here are the contents of the "server1.conf" document:

                                
                                dev ovpns1
                                verb 1
                                dev-type tun
                                tun-ipv6
                                dev-node /dev/tun1
                                writepid /var/run/openvpn_server1.pid
                                #user nobody
                                #group nobody
                                script-security 3
                                daemon
                                keepalive 10 60
                                ping-timer-rem
                                persist-tun
                                persist-key
                                proto udp
                                cipher AES-256-CBC
                                auth SHA1
                                up /usr/local/sbin/ovpn-linkup
                                down /usr/local/sbin/ovpn-linkdown
                                client-connect /usr/local/sbin/openvpn.attributes.sh
                                client-disconnect /usr/local/sbin/openvpn.attributes.sh
                                local 76.23.10.226
                                tls-server
                                server 192.168.79.0 255.255.255.0
                                client-config-dir /var/etc/openvpn-csc
                                username-as-common-name
                                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
                                tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'HendriksenHomeVPN' 1"
                                lport 1194
                                management /var/etc/openvpn/server1.sock unix
                                max-clients 2
                                push "route 192.168.1.0 255.255.255.0"
                                push "route 192.168.79.0 255.255.255.0"
                                push "dhcp-option DNS 75.75.76.76"
                                push "dhcp-option DNS 75.75.75.75"
                                ca /var/etc/openvpn/server1.ca 
                                cert /var/etc/openvpn/server1.cert 
                                key /var/etc/openvpn/server1.key 
                                dh /etc/dh-parameters.2048
                                tls-auth /var/etc/openvpn/server1.tls-auth 0
                                persist-remote-ip
                                float
                                
                                

                                I appreciate each of you taking a few minutes to help me resolve this. I'm sure it's something simple, but I really need to get it worked out tonight and working. Like I said, I'm leaving the country and need things functioning properly while I'm gone so I can access things. I'm home all night tonight and will watch this thread.

                                • D
                                  dhendriksen last edited by

                                  I checked the "redirect gateway" box (Force all client generated traffic through the tunnel.) and it appears to be working…but I need to do more testing.

                                  • D
                                    dhendriksen last edited by

                                    Still not quite working as it should. I'm going to reboot everything and see if that makes a difference.

                                    • D
                                      dhendriksen last edited by

                                      No difference guys. I need all the help I can get here.

                                      • K
                                        kejianshi last edited by

                                        did you change your pfsense IP from 192.168.1.1 yet?

                                        I usually don't like wasting time on people who won't make basic changes to improve things.

                                        • D
                                          dhendriksen last edited by

                                          @kejianshi:

                                          did you change your pfsense IP from 192.168.1.1 yet?

                                          I usually don't like wasting time on people who won't make basic changes to improve things.

                                          Will that require me to reset every DHCP reservation and reboot every single device? That's an awful lot of work, and I can certainly do it but I'd rather not go through all that work the day before I leave the country for two weeks.

                                          • K
                                            kejianshi last edited by

                                            Well - If you like it broken, leave it as is.

                                            Probably what will happen if you modify pfsense set up and reboot it is all your clients will re-start their connections automatically and all will be fine.

                                            • P
                                              phil.davis last edited by

                                              I have my gateway setup as 192.168.1.1, and that is the IP of PFSense. I had the VPN initially working in the range of 192.168.79.1/24, but have since changed it to 192.168.1.0/24 in an attempt to get it to work. It connects…in fact I'm connected right now. I can see the connection in PFSense, and the device (in this case my Android phone) has an IP address of 192.168.1.6. However, it can't see any of the local devices.

                                              This is your initial issue. I do not understand how your Android phone had 192.168.1.6 IP address. When doing that testing it should (must) be disconnected from your home WiFi and connect to some 3G/4G/LTE whatever mobile phone data service it has. Otherwise it is not a real test, and probably the OpenVPN is connecting through the local home WiFi to pfSense and then pfSense tries to loop back that comms into the local home LAN, where you already are.

                                              Then later you say:

                                              One example is just using my cell phone over an LTE connection. It has a crazy IP address, and not anything in this range.

                                              That is a good thing, and should work to connect VPN back to home pfSense and LAN.

                                              You definitely do not need 192.168.79.0/24 in the Local Network/s box in the OpenVPN Server GUI settings page, as you have noticed.

                                              Can you connect to home LAN devices by IP address, like "ping 192.168.1.2" or whatever is the IP address of a LAN client?

                                              push "dhcp-option DNS 75.75.76.76"
                                              push "dhcp-option DNS 75.75.75.75"
                                              

                                              That is a bit odd that the OpenVPN server is providing those public DNS servers. That means that the client will not be able to resolve names of devices in your home LAN network. It needs to have the pfSense LAN IP there, so it can ask pfSense about names. Look in the OpenVPN Server GUI settings page for "Provide a DNS server list to clients".
                                              If it is just access by name that is a problem, then fixing up the DNS server will help a lot.

                                              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

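The checks suggested in the replies above (the client's own subnet must not overlap the pushed LAN route, the tunnel network does not belong among the pushed routes, and pushed DNS servers outside the VPN cannot answer for LAN names) can be run against the posted server1.conf. This is an added example, not part of any forum post; the function names and finding labels are made up for illustration, the client addresses are the ones from the ipconfig outputs quoted in the thread, and `FIXED_CONF` is constructed from the advice given.

```python
import ipaddress
import re

# Lines taken from the server1.conf posted in the thread (only a subset).
SERVER_CONF = '''\
dev-type tun
#user nobody
server 192.168.79.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.79.0 255.255.255.0"
push "dhcp-option DNS 75.75.76.76"
push "dhcp-option DNS 75.75.75.75"
'''

# Constructed: the same config after following the advice in the replies
# (tunnel network not pushed as a route, pfSense LAN IP pushed as DNS).
FIXED_CONF = '''\
server 192.168.79.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
'''


def parse_server_conf(text):
    """Extract the tunnel network, pushed routes and pushed DNS servers."""
    conf = {"tunnel": None, "routes": [], "dns": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = re.fullmatch(r'server\s+(\S+)\s+(\S+)', line)
        if m:
            conf["tunnel"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            continue
        m = re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            conf["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            continue
        m = re.fullmatch(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', line)
        if m:
            conf["dns"].append(ipaddress.ip_address(m[1]))
    return conf


def audit(conf, client_addr, client_mask):
    """Return (label, value) findings for one client network.

    client_addr/client_mask are what ipconfig shows on the client
    BEFORE the VPN is started (the cafe or hotspot network).
    """
    findings = []
    client_net = ipaddress.ip_interface(f"{client_addr}/{client_mask}").network

    for route in conf["routes"]:
        if route == conf["tunnel"]:
            # Clients already have the tunnel network; pushing it adds nothing.
            findings.append(("redundant-route", str(route)))
        elif route.overlaps(client_net):
            # The client's local route wins, so LAN hosts are unreachable.
            findings.append(("client-overlap", str(route)))

    if conf["tunnel"] is not None and conf["tunnel"].overlaps(client_net):
        findings.append(("tunnel-overlap", str(conf["tunnel"])))

    # Heuristic: a DNS server outside every VPN-routed network is not the
    # LAN resolver, so names of LAN devices will not resolve through it.
    reachable = list(conf["routes"])
    if conf["tunnel"] is not None:
        reachable.append(conf["tunnel"])
    for dns in conf["dns"]:
        if not any(dns in net for net in reachable):
            findings.append(("dns-outside-vpn", str(dns)))
    return findings


if __name__ == "__main__":
    posted = parse_server_conf(SERVER_CONF)
    for name, addr in (("cafe", "192.168.1.42"), ("hotspot", "192.168.43.51")):
        print(name, audit(posted, addr, "255.255.255.0"))
    print("fixed", audit(parse_server_conf(FIXED_CONF),
                         "192.168.43.51", "255.255.255.0"))
```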
                                              • D
                                                dhendriksen last edited by

                                                phil.davis, thanks so much!

                                                So, to clarify, I'm doing testing using my Android phone over LTE connection. As of right now the settings are as follows. In the IPV4 Tunnel Network I have 192.168.79.0/24.

                                                In the IPV4 Local Network/s I have 192.168.1.0/24.

                                                I UNCHECKED the "DNS Servers - Provide a DNS server list to clients" box. That was checked, and is now unchecked.

                                                When I go to OpenVPN status, I can see the Android phone connected. It has a virtual address of 192.168.79.6. The REAL Address is listed as 172.56.xx.9:53825.

                                                Here's what is weird (to me). From my phone, while connected via VPN, I can browse to SOME of my devices. In fact, every single one that I've tried, with the exception of PFSense. I cannot browse to 192.168.1.1.

                                                Here's the real head scratcher, to me. I have a Control4 control system. The main controller has an IP address of 192.168.1.206. I can ping it just fine. But, the app(s) that I have on my phone that need to connect to it, cannot see it. They can't find the system. But if I hit that IP address in the web browser, I get the Control4 splash screen (which is exactly what I get while on the LAN). So the real head scratcher for me is, why can't these apps on my phone connect to devices on the LAN?

                                                I'm going to grab a laptop, hotspot my phone, and connect the laptop to the VPN via the phone hotspot. I'll see what that yields.

                                                I'm all ears on any suggestions.

                                                • D
                                                  dhendriksen last edited by

                                                  So, I created a hotspot from my phone, and connected a Windows 8 laptop to it (Asus Transformer Book T100).

                                                  It connected to the VPN just fine…but it cannot ping ANY devices on the LAN.

                                                  I ran an IPCONFIG on the laptop, and this is interesting to me.

                                                  Ethernet adapter Ethernet 2:

                                                  IPv4 Address: 192.168.79.6
                                                  Subnet Mask: 255.255.255.252
                                                  Default Gateway: (there is nothing here - blank)

                                                  Bluetooth is disconnected
                                                  Local Area Connection* 3 is disconnected

                                                  Wireless Lan adapter Wi-Fi:
                                                  IPv4 address: 192.168.43.51
                                                  Subnet Mask: 255.255.255.0
                                                  Default Gateway: 192.168.43.1

                                                  Then it lists a couple of tunnel interfaces and they are all showing media state: Disconnected.

                                                  • D
                                                    dhendriksen last edited by

                                                    Here's some info from the OpenVPN GUI on my laptop:

                                                    
                                                    Thu Feb 19 22:48:32 2015 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
                                                    Thu Feb 19 22:48:32 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
                                                    Thu Feb 19 22:48:38 2015 Control Channel Authentication: using 'pfSense-udp-1194-Dan-tls.key' as a OpenVPN static key file
                                                    Thu Feb 19 22:48:38 2015 UDPv4 link local (bound): [undef]
                                                    Thu Feb 19 22:48:38 2015 UDPv4 link remote: [AF_INET]76.23.10.226:1194
                                                    Thu Feb 19 22:48:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                                                    Thu Feb 19 22:48:44 2015 [HendriksenHomeVPN] Peer Connection Initiated with [AF_INET]76.23.10.226:1194
                                                    Thu Feb 19 22:48:46 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                                                    Thu Feb 19 22:48:46 2015 open_tun, tt->ipv6=0
                                                    Thu Feb 19 22:48:46 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{65809704-ADCD-462F-824C-BD9558079D1F}.tap
                                                    Thu Feb 19 22:48:46 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.79.6/255.255.255.252 on interface {65809704-ADCD-462F-824C-BD9558079D1F} [DHCP-serv: 192.168.79.5, lease-time: 31536000]
                                                    Thu Feb 19 22:48:51 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=13]
                                                    Thu Feb 19 22:48:51 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
                                                    Thu Feb 19 22:48:51 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
                                                    Thu Feb 19 22:48:51 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=13]
                                                    Thu Feb 19 22:48:51 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
                                                    Thu Feb 19 22:48:51 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
                                                    Thu Feb 19 22:48:51 2015 Initialization Sequence Completed
                                                    
                                                    
                                                    • D
                                                      dhendriksen last edited by

                                                      @kejianshi:

                                                      Well - If you like it broken, leave it as is.

                                                      Probably what will happen if you modify pfsense set up and reboot it is all your clients will re-start their connections automatically and all will be fine.

                                                      kejianshi, are you saying that you think if I resetup all my DHCP reservations and change the IP of PFSense to something other than 192.168.1.1 that it will solve the VPN issue I'm having?

                                                      Or is it simply a best practice that I should do, but likely doesn't have anything to do with my VPN issue? If it's a best practice, I'll absolutely do it…when I get back in town. If you are telling me it will likely solve my VPN issue, I'll do it right now. I just know it's going to be very time consuming.

                                                      • K
                                                        kejianshi last edited by

                                                        Can you do something?  Post a few pics here.

                                                        First post a pic of the pfsense Status: Dashboard  (the main page) - I'd love to see the private addresses in use.

                                                        Then show the openvpn server setup page  - The one where you configured openvpn

                                                        Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.

                                                        I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.

                                                        • K
                                                          kejianshi last edited by

                                                          Yes - Both.

                                                          I think your current IPs you are using are very possibly breaking everything for you AND I also think it's best practice and will save you tons of trouble in the future.

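The address-range check being asked for in the posts above, as an added example that is not part of the original thread. The network values are the ones dhendriksen reports (pfSense LAN at 192.168.1.1, tunnel network first 192.168.79.1/24 and later 192.168.1.0/24); the function names and the choice of /24 candidates are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Third octets kejianshi advises against for 192.168.x.1 (common home defaults).
COMMON_HOME_OCTETS = (0, 1, 254)


def find_conflicts(networks):
    """Return every pair of named networks whose address ranges overlap.

    `networks` maps a label to a CIDR string; host bits are allowed
    (e.g. "192.168.1.1/24") and are masked off before comparing.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(parsed.items(), 2)
            if net_a.overlaps(net_b)]


def suggest_subnet(in_use, avoid=COMMON_HOME_OCTETS):
    """Pick the first 192.168.x.0/24 that is neither in use nor a common default."""
    taken = [ipaddress.ip_network(cidr, strict=False) for cidr in in_use]
    for x in range(256):
        if x in avoid:
            continue
        candidate = ipaddress.ip_network(f"192.168.{x}.0/24")
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


# Values reported in this thread.
THREAD_NETWORKS = {
    "pfSense LAN": "192.168.1.1/24",
    "OpenVPN tunnel (current)": "192.168.1.0/24",
    "OpenVPN tunnel (original)": "192.168.79.1/24",
}

if __name__ == "__main__":
    for a, b in find_conflicts(THREAD_NETWORKS):
        print(f"overlap: {a} <-> {b}")
    print("free LAN candidate:", suggest_subnet(THREAD_NETWORKS.values()))
```

In a routed (tun) OpenVPN setup the tunnel network has to be distinct from the LAN behind the server, which is why the current pair is reported and the original 192.168.79.x tunnel is not.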
                                                          • D
                                                            dhendriksen last edited by

                                                            OK - new evolution. So…I ran the OpenVPN GUI as an administrator, and it connects just fine. Works as it should...just as if I'm on the local LAN.

                                                            To reiterate, I've created a hotspot on an LTE network using my mobile phone, and connected to it with a Windows8 laptop. It connects and works just fine. I can even browse the PFSense Web GUI.

                                                            So...I guess at this point I just need to figure out why my mobile phone connects, but with a seemingly limited connection.

                                                            • D
                                                              dhendriksen last edited by

                                                              @kejianshi:

                                                              Can you do something?  Post a few pics here.

                                                              First post a pic of the pfsense Status: Dashboard  (the main page) - I'd love to see the private addresses in use.

                                                              Then show the openvpn server setup page  - The one where you configured openvpn

                                                              Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.

                                                              I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.

                                                              I appreciate your help…I really do. So, the Windows laptop connects and works wonderfully.

                                                              The problem I need to troubleshoot now is why my phone connects, but has a seemingly limited connection. It can't browse to 192.168.1.1 and the apps on my phone do not connect to the devices on the LAN as they should. It may be worth noting, this used to work great before the HDD in my PFSense died and I had to rebuild everything (without a backup).

                                                              • D
                                                                dhendriksen last edited by

                                                                @kejianshi:

                                                                Can you do something?  Post a few pics here.

                                                                First post a pic of the pfsense Status: Dashboard  (the main page) - I'd love to see the private addresses in use.

                                                                Then show the openvpn server setup page  - The one where you configured openvpn

                                                                Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.

                                                                I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.

                                                                Here are the pictures. I blocked out my IP address. Don't know why, just seemed like the right thing to do.


                                                                ![VPN Server Settings 1.jpg](/public/imported_attachments/1/VPN Server Settings 1.jpg)
                                                                ![VPN Server Settings 2.jpg](/public/imported_attachments/1/VPN Server Settings 2.jpg)
                                                                ![VPN Server Settings 3.jpg](/public/imported_attachments/1/VPN Server Settings 3.jpg)

                                                                • K
                                                                  kejianshi last edited by

                                                                  Damn - Blacked out - Now I can't magically hack you…

                                                                  OK - Now, what is the IP of the machine that is trying to connect to your server?

                                                                  I need to know its PRIVATE address.

                                                                  • D
                                                                    dhendriksen last edited by

                                                                    @kejianshi:

                                                                    Damn - Blacked out - Now I can't magically hack you…

                                                                    OK - Now, what is the IP of the machine that is trying to connect to your server?

                                                                    I need to know its PRIVATE address.

                                                                    The private IP address of my cell phone? When I go in to Status while connected to the LTE network, the IP address has two listed.

                                                                    2607:fb90:480:dc2e:45a6:fe5f:b457:5b55
                                                                    192.0.0.4

                                                                    Is that what you needed? And like I said it connects…it just seems to be on a limited basis.

                                                                    • K
                                                                      kejianshi last edited by

                                                                      Do you want to tunnel everything?  Or just connections to 192.168.1.0/24?

                                                                      • D
                                                                        dhendriksen last edited by

                                                                        @kejianshi:

                                                                        Do you want to tunnel everything?  Or just connections to 192.168.1.0/24?

                                                                        I'm sorry, but I don't know what it means to "tunnel everything". When I'm connected to the VPN, I want to be able to access all the devices on the local LAN. I want all "internet" or "IP" traffic from the phone to go through the VPN. From within the web browser or otherwise (IE: My Control4 app needs to connect to the Control4 controller on the LAN/VPN).

                                                                        Does that answer your question? Sorry I'm such a novice at this. I truly appreciate your help.

                                                                        • Derelict
                                                                          Derelict LAYER 8 Netgate last edited by

                                                                          Tunnel everything means that the client gets a default route that sends all traffic through the tunnel and nothing should egress the client's WAN natively while connected to the OpenVPN server.

                                                                          Alternately, the client can get routes for just the remote networks, usually private networks (Remote LAN, etc).  Only traffic for those networks will be sent to OpenVPN.  All other traffic will be given to the client host's routing table and be routed accordingly.

                                                                          Chattanooga, Tennessee, USA
                                                                          The pfSense Book is free of charge!
                                                                          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

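The two routing modes described in the post above, worked through as an added example that is not part of the original thread. It models the client's routing table with longest-prefix matching and also covers the case from the Windows log earlier in the thread, where the route additions failed and the tunnel still reported "Initialization Sequence Completed". The VPN server address is a constructed placeholder and the function names are hypothetical; 192.168.1.0/24, 192.168.1.1 and 8.8.8.8 come from the thread.

```python
import ipaddress

REMOTE_LAN = "192.168.1.0/24"   # pfSense LAN from this thread
VPN_SERVER = "203.0.113.10"     # constructed placeholder (documentation range)


def build_table(mode, routes_installed=True):
    """Client routing table as (network, interface) pairs.

    mode "full"  : what OpenVPN installs for redirect-gateway def1, i.e. two
                   half-default routes via the tunnel plus a host route that
                   keeps the encrypted packets to the server on the WAN.
    mode "split" : only the remote LAN is routed via the tunnel.
    routes_installed=False models a client that could not add the routes
    (for example OpenVPN GUI on Windows started without admin rights).
    """
    if mode not in ("full", "split"):
        raise ValueError(f"unknown mode: {mode}")
    table = [(ipaddress.ip_network("0.0.0.0/0"), "wan")]
    if not routes_installed:
        return table  # tunnel is up, but nothing points at it
    if mode == "full":
        table.append((ipaddress.ip_network(VPN_SERVER + "/32"), "wan"))
        for half in ("0.0.0.0/1", "128.0.0.0/1"):
            table.append((ipaddress.ip_network(half), "tun"))
    else:
        table.append((ipaddress.ip_network(REMOTE_LAN), "tun"))
    return table


def egress(table, dest):
    """Interface chosen for dest: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def report(destinations=("192.168.1.1", "8.8.8.8", VPN_SERVER)):
    """Egress interface per destination for each scenario."""
    scenarios = {
        "split": build_table("split"),
        "full": build_table("full"),
        "full, route add failed": build_table("full", routes_installed=False),
    }
    return {name: {d: egress(tbl, d) for d in destinations}
            for name, tbl in scenarios.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:24} {result}")
```

Comparing the output against the client's real routing table after connecting shows quickly whether the pushed routes were actually installed.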
                                                                          • K
                                                                            kejianshi last edited by

                                                                            OK - Baby steps…

                                                                            I want you to change a few things if that's ok?

                                                                            Force all client generated traffic through the tunnel.

                                                                            Also, provide DNS Servers.

                                                                            192.168.1.1
                                                                            8.8.8.8

                                                                            • D
                                                                              dhendriksen last edited by

                                                                              So, this is my cell phone we're talking about. While the cell phone is connected to the VPN, I think I want all internet/IP based traffic to go through the VPN.

                                                                              What do I need to do for that to happen, because it doesn't appear to be happening now.

                                                                              • D
                                                                                dhendriksen last edited by

                                                                                @kejianshi:

                                                                                OK - Baby steps…

                                                                                I want you to change a few things if that's ok?

                                                                                Force all client generated traffic through the tunnel.

                                                                                Also, provide DNS Servers.

                                                                                192.168.1.1
                                                                                8.8.8.8

                                                                                I'm down with the baby steps, but let me make sure I understand. You want me to recheck the DNS servers box in the VPN config, and add those 2 DNS servers?

                                                                                • K
                                                                                  kejianshi last edited by

                                                                                  Please make the initial changes to the openvpn server that I suggested.  Then test it.

                                                                                  BTW - How are you seeing your server config if you are away and your VPN isn't working?

                                                                                  "You want me to recheck the DNS servers box in the VPN config, and add those 2 DNS servers?" - Yes

                                                                                  I want you to use your pfsense LAN as DNS server (192.168.1.1) and if something on your local network interferes with that, like the subnet in use, 8.8.8.8, just in case.

                                                                                  Just temporary to ensure you have DNS.

                                                                                  BTW - What kind of phone?  What is the openvpn client software being used?

                                                                                  • D
                                                                                    dhendriksen last edited by

                                                                                    @kejianshi:

                                                                                    Please make the initial changes to the openvpn server that I suggested.  Then test it.

                                                                                    BTW - How are you seeing your server config if you are away and your VPN isn't working?

                                                                                    I'm not away. I'm at home. I've got computers that are hard wired on the LAN here. I'm testing it from mobile phones and hotspots.

                                                                                    I think I made those changes correctly. I'm going to test it now.

