Issues with OpenVPN Configuration
-
I'm suddenly having issues with my OpenVPN connection, and I'm hoping that you can help me troubleshoot it.
I can connect to the VPN just fine. The issue that once I'm remotely connected, I cannot see any of the devices on the network. IE: connecting via VPN and then trying to ping my NAS, or any local devices at the house.
I have my gateway setup as 192.168.1.1, and that is the IP of PFSense. I had the VPN initially working in the range of 192.168.79.1/24, but have since change it to 192.168.1.0/24 in an attempt to get it to work. It connects…in fact I'm connected right now. I can see the connection in PFSense, and the device (in this case my Android phone) has an IP address of 192.168.1.6. However, it can't see any of the local devices.
I set everything up using the OpenVPN plugin, and configured my laptops and phones using the ClientExport tool. If you could help me out, I'd much appreciate it. I'm a novice with this stuff, and leave the country on Saturday...I'd really like to get it setup before I go.
Thanks in advance.
-
"I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."
This can be a big issue. I'd make my pfsense ip be something not like you will see on standard home setups. Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.
-
"I have my gateway setup as 192.168.1.1, and that is the IP of PFSense."
This can be a big issue. I'd make my pfsense ip be something not like you will see on standard home setups. Pick IPs 192.168.x.1 where x isn't 0, 1 or 254.
Can you elaborate? This has worked great for years.
I have some VLANs that are .2.x and .3.x.
-
Lets say your pfsense lan is at 192.168.1.1
and lets say 1000 miles from home someone is on a network who's lan ip is also 192.168.1.1 (super common)
Now, lets say he joins your vpn and types in 192.168.1.1 in his browser.
He will get the closest 192.168.1.1 - the frist one in his routes.
So, in all likelihood, he will get his modem/router setup page and not the pfsense gui.
so, basically, set up this way causes lots and lots of problems.
-
-
Post a network map with IP's
-
Post your openvpn config (server1.conf).
-
Verify the devices on your LAN are using PFsense as the default gateway
-
Verify the network the client is connecting from is not on the same subnet as your LAN.
-
If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box
-
-
-
Post a network map with IP's
-
Post your openvpn config (server1.conf).
-
Verify the devices on your LAN are using PFsense as the default gateway
-
Verify the network the client is connecting from is not on the same subnet as your LAN.
-
If you need access to other VLANs, add those subnets along with your LAN subnet to the "IPv4 Local Network/s" box
Thank you for the reply. I don't know how to post a "network map". Here's what I have.
Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.
I have a guest network that is 192.168.2.1 that is captive portal.
I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.
I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?
All devices are using 192.168.1.1 as the gateway.
I don't need access to VLAN's from the VPN.
I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.
-
-
As of right now the tunnel network is 192.168.79.0/24.
I can see the device is connected, but I am not able to ping or communicate with any of the devices on the LAN. NONE OF THEM.
-
I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.
For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:
ipconfig
They might have been given:
Wireless LAN adapter Wi-Fi: Connection-specific DNS Suffix . : example.org IPv4 Address. . . . . . . . . . . : 192.168.1.42 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1
If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.
-
Post the following details.
Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab
Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.
-
I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.
For example, someone on a laptop is sitting in a cafe connected to the cafe WiFi. Get them to check the IP address that the cafe WiFi gave them. On Windows:
ipconfig
They might have been given:
Wireless LAN adapter Wi-Fi: Connection-specific DNS Suffix . : example.org IPv4 Address. . . . . . . . . . . : 192.168.1.42 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1
If the cafe is using 192.168.1.* then there will be trouble for them to also reach 192.168.1.* across the OpenVPN that they start.
I did verify this. One example is just using my cell phone over an LTE connection. It has a crazy IP address, and not anything in this range.
Furthermore, the VPN is now set to 192.168.79.0/24.
-
Post the following details.
Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab
Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.
Thank you for pointing out where I can find those things. I'm at my office right now, but as soon as I get home I'll give it a look and post back.
Dan
-
Thank you for the reply. I don't know how to post a "network map". Here's what I have.
An example would be….. "Internet -> PFsense -> Switch -> LAN". We need to know how things are physically connected
Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.
I have a guest network that is 192.168.2.1 that is captive portal.
I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.
So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24? Or is your scope wider than that?
Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?
-
Diagnostics -> Edit file
-
Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"
I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.
I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN can not be in the same subnet as your LAN. i.e. check the client's IP and make sure it's not in 192.168.1.0/24 or you will have to change it on one side or the other.
-
-
Post the following details.
Your LAN SUBNET (not dhcp). This can be found Services -> DHCP server -> LAN tab
Your OpenVPN server details. In particular is it operating in 'tap' or 'tun' and what tunnel network you have selected and which local network.
My LAN SUBNET is: 192.168.1.0
RE: the OpenVPN server details, The "Device Mode" is "tun". The IPV4 tunnel network is: 192.168.79.0/24. The local network/s is: 192.168.1.0/24, 192.168.79.0/24
I didn't have the 192.168.79.0/24 listed there, but I added in hopes that it would make a difference. It has not.
-
Thank you for the reply. I don't know how to post a "network map". Here's what I have.
An example would be….. "Internet -> PFsense -> Switch -> LAN". We need to know how things are physically connected
Main network is 192.168.1.2 - 192.168.1.199 for DHCP. Gateway is 192.168.1.1. I have a bunch of devices with DHCP reservations in between 192.168.1.200 and .254. All that works perfect.
I have a guest network that is 192.168.2.1 that is captive portal.
I have a kids network that is 192.168.3.1 that is for the kids devices and only have access to the web, and a white list of sites at that.
So, your PFsense LAN IP is 192.168.1.1 and your scope is 192.168.1.0/24? Or is your scope wider than that?
Also, just out of curiosity, are the 2.x and 3.x ranges actual VLANs, subnets on different physical interfaces, subnets that communicate via an IP alias or just reserved ranges within a /22?I'm happy to post that OpenVPN file, but I have no idea where to find it. Can you instruct me where I can download that from, please?
-
Diagnostics -> Edit file
-
Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"
I don't know what this means or how to do this: Verify the network the client is connecting from is not on the same subnet as your LAN.
I believe this has already been mentioned, but if you're using a routed tunnel, the client's LAN can not be in the same subnet as your LAN. i.e. check the client's IP and make sure it's not in 192.168.1.0/24 or you will have to change it on one side or the other.
You are correct in that it's INTERNET -> PFSENSE -> SWITCH/LAN <- Ubiquiti UniFi.
The 2.x and 3.x VLAN's are actual VLAN's. They are configured in PFSense, and there are different SSID's that are broadcast and tagged by the Ubiquiti. The Dell Powerconnect switch tags the ports that are connected to the PFSense and Ubiquiti with VLAN's 1, 2 and 3. I don't really understand the rest of your questions except those VLAN's are 192.168.2.1/24 and 192.168.3.1/24. One has a captive portal and the other not. They just have web access. Those are working exactly as I'd like them to.
When you talk about the scope of my PFSense LAN, it looks like you've got it exactly correct.
Here are the contents of the "server1.conf" document:
dev ovpns1 verb 1 dev-type tun tun-ipv6 dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA1 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh local 76.23.10.226 tls-server server 192.168.79.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc username-as-common-name auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'HendriksenHomeVPN' 1" lport 1194 management /var/etc/openvpn/server1.sock unix max-clients 2 push "route 192.168.1.0 255.255.255.0" push "route 192.168.79.0 255.255.255.0" push "dhcp-option DNS 75.75.76.76" push "dhcp-option DNS 75.75.75.75" ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server1.tls-auth 0 persist-remote-ip float
I appreciate each of you taking a few minutes to help me resolve this. I'm sure it's something simple, but I really need to get it worked out tonight and working. Like I said, I'm leaving the country and need things functioning properly while I'm gone so I can access things. I'm home all night tonight and will watch this thread.
-
-
I checked the "redirect gateway" box (Force all client generated traffic through the tunnel.) and it appears to be working…but I need to do more testing.
-
Still not quite working as it should. I'm going to reboot everything and see if that makes a difference.
-
No difference guys. I need all the help I can get here.
-
did you change your pfsense IP from 192.168.1.1 yet?
I usually don't like wasting time on people who won't make basic changes to improve things.
-
did you change your pfsense IP from 192.168.1.1 yet?
I usually don't like wasting time on people who won't make basic changes to improve things.
Will that require me to reset every DHCP reservation and reboot every single device? That's an awful lot of work, and I can certainly do it but I'd rather not go through all that work the day before I leave the country for two weeks.
-
Well - If you like it broken, leave it as is.
Probably what will happen if you modify pfsense set up and reboot it is all your clients will re-start their connections automatically and all will be fine.
-
I have my gateway setup as 192.168.1.1, and that is the IP of PFSense. I had the VPN initially working in the range of 192.168.79.1/24, but have since change it to 192.168.1.0/24 in an attempt to get it to work. It connects…in fact I'm connected right now. I can see the connection in PFSense, and the device (in this case my Android phone) has an IP address of 192.168.1.6. However, it can't see any of the local devices.
This is your initial issue. I do not understand how your Android phone had 192.168.1.6 IP address. When doing that testing it should (must) be disconnected from your home WiFi and connect to some 3G/4G/LTE whatever mobile phone data service it has. Otherwise it is not a real test, and probably the OpenVPN is connecting through the local home WiFi to pfSense and then pfSense tries to loop back that comms into the local home LAN, where you already are.
Then later you say:
One example is just using my cell phone over an LTE connection. It has a crazy IP address, and not anything in this range.
That is a good thing, and should work to connect VPN back to home pfSense and LAN.
You definitely do not need 192.168.79.0/24 in LOcal Netowrk/s box in the OpenVPN Server GUI settings page, as you have noticed.
Can you connect to home LAN devices by IP address, like "ping 192.168.1.2" or whatever is the IP address of a LAN client?
push "dhcp-option DNS 75.75.76.76" push "dhcp-option DNS 75.75.75.75"
That is a bit odd that the OpenVPN server is providing those public DNS servers. That means that the client will not be able to resolve names of devices in your home LAN network. It needs to have the pfSense LAN IP there, so it can ask pfSense about names. Look in the OpenVPN Sevrer GUI settings page for "Provide a DNS server list to clients".
If it is just access by name that is a problem, then fixing up the DNS server will help a lot. -
phil.davis, thanks so much!
So, to clarify, I'm doing testing using my Android phone over LTE connection. As of right now the settings are as follows. In the IPV4 Tunnel Network I have 192.168.79.0/24.
In the IPV4 Local Network/s I have 192.168.1.0/24.
I UNCHECKED the "DNS Servers - Provide a DNS server list to clients" box. That was checked, and is now unchecked.
When I go to OpenVPN status, I can see the Android phone connected. It has a virtual address of 192.168.79.6. The REAL Address is listed as 172.56.xx.9:53825.
Here's what is weird (to me). From my phone, while connected via VPN, I can browse to SOME of my devices. In fact, every single one that I've tried, with the exception of PFSense. I cannot browse to 192.168.1.1.
Here's the real head scratcher, to me. I have a Control4 control system. The main controller has an IP address of 192.168.1.206. I can ping it just fine. But, the app(s) that I have on my phone that need to connect to it, cannot see it. They can't find the system. But if I hit that IP address in the web browser, I get the Control4 splash screen (which is exactly what I get while on the LAN). So the real head scratcher for me is, why can't these apps on my phone connect to devices on the LAN?
I'm going to grab a laptop, hotspot my phone, and connect the laptop to the VPN via the phone hotspot. I'll see what that yields.
I'm all ears on any suggestions.
-
So, I created a hotspot from my phone, and connected a Windows 8 laptop to it (Asus Transformer Book T100).
It connected to the VPN just fine…but it cannot ping ANY devices on the LAN.
I ran an IPCONFIG on the laptop, and this is interesting to me.
Ethernet adapter Ethernet 2:
IPv4 Address: 192.168.79.6
Subnet Mask: 255.255.255.252
Default Gateway: (there is nothing here - blank)Bluetooth is disconneted
Local Area Connection* 3 is disconnectedWireless Lan adapter Wi-Fi:
IPv4 address: 192.168.43.51
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.43.1Then it lists a couple for tunnel interfaces and they are all showing media state: Disconnected.
-
Here's some info from the OpenVPN GUI on my laptop:
Thu Feb 19 22:48:32 2015 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 1 2014 Thu Feb 19 22:48:32 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08 Thu Feb 19 22:48:38 2015 Control Channel Authentication: using 'pfSense-udp-1194-Dan-tls.key' as a OpenVPN static key file Thu Feb 19 22:48:38 2015 UDPv4 link local (bound): [undef] Thu Feb 19 22:48:38 2015 UDPv4 link remote: [AF_INET]76.23.10.226:1194 Thu Feb 19 22:48:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Thu Feb 19 22:48:44 2015 [HendriksenHomeVPN] Peer Connection Initiated with [AF_INET]76.23.10.226:1194 Thu Feb 19 22:48:46 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Thu Feb 19 22:48:46 2015 open_tun, tt->ipv6=0 Thu Feb 19 22:48:46 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{65809704-ADCD-462F-824C-BD9558079D1F}.tap Thu Feb 19 22:48:46 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.79.6/255.255.255.252 on interface {65809704-ADCD-462F-824C-BD9558079D1F} [DHCP-serv: 192.168.79.5, lease-time: 31536000] Thu Feb 19 22:48:51 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=13] Thu Feb 19 22:48:51 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem Thu Feb 19 22:48:51 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1 Thu Feb 19 22:48:51 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=13] Thu Feb 19 22:48:51 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem Thu Feb 19 22:48:51 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1 Thu Feb 19 22:48:51 2015 Initialization Sequence Completed
-
Well - If you like it broken, leave it as is.
Probably what will happen if you modify pfsense set up and reboot it is all your clients will re-start their connections automatically and all will be fine.
kejianshi, are you saying that you think if I resetup all my DHCP reservations and change the IP of PFSense to something other than 192.168.1.1 that it will solve the VPN issue I'm having?
Or it simply a best practice that I should do, but likely doesn't have anything to do with my VPN issue? If it's a best practice, I'll absolutely do it…when I get back in town. If you are telling me it will likely solve my VPN issue, I'll do it right now. I just know it's going to be very time consuming.
-
Can you do something? Post a few pics here.
First post a pic of the pfsense Status: Dashboard (the main page) - Id love to see the private adresses in use.
Then show the openvpn server setup page - The one where you configured openvpn
Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.
I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.
-
Yes - Both.
I think your current IPs you are using are very possibly breaking everything for you AND I also think its best practice and will save you tons of trouble in the future.
-
OK - new evolution. So…I ran the OpenVPN GUI as an administrator, and it connects just fine. Works as it should...just as if I'm on the local LAN.
To reiterate, I've created a hotspot on an LTE network using my mobile phone, and connected to it with a Windows8 laptop. It connects and works just fine. I can even browse the PFSense Web GUI.
So...I guess at this point I just need to figure out why my mobile phone connects, but with a seemingly limited connection.
-
Can you do something? Post a few pics here.
First post a pic of the pfsense Status: Dashboard (the main page) - Id love to see the private adresses in use.
Then show the openvpn server setup page - The one where you configured openvpn
Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.
I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.
I appreciate your help…I really do. So, the Windows laptop connects and works wonderfully.
The problem I need to trouble shoot now is why my phone connects, but has a seemingly limited connection. It can't browse to 192.168.1.1 and the apps on my phone do not connect to the devices on the LAN as they should. It may be worth noting, this used to work great before the HDD in my PFSense died and I had to rebuild everything (without a backup).
-
Can you do something? Post a few pics here.
First post a pic of the pfsense Status: Dashboard (the main page) - Id love to see the private adresses in use.
Then show the openvpn server setup page - The one where you configured openvpn
Then finally, the local ip of the machine you are trying to connect to openvpn with - before connecting to openvpn, just type ipconfig in windows or ifconfig for linux and dump the contents here.
I like watching you get carpal tunnel and everything, but really I'm pretty sure you just need to fix your IP ranges in use.
Here are the pictures. I blocked out my IP address. Don't know why, just seemed like the right thing to do.





 -
Damn - Blacked out - Now I can't magically hack you…
OK - Now, what is the IP of the machine that is trying to connect to your server?
I need to know its PRIVATE address.
-
Damn - Blacked out - Now I can't magically hack you…
OK - Now, what is the IP of the machine that is trying to connect to your server?
I need to know its PRIVATE address.
The private IP address of my cell phone? When I go in to Status while connected to the LTE network, the IP address has two listed.
2607:fb90:480:dc2e:45a6:fe5f:b457:5b55
192.0.0.4Is that what you needed? And like I said it connects…it just seems to be on a limited basis.
-
Do you want to tunnel everything? Or just connections to 192.168.1.0/24?
-
Do you want to tunnel everything? Or just connections to 192.168.1.0/24?
I'm sorry, but I don't know what it means to "tunnel everything". When I'm connected to the VPN, I want to be able to access all the devices on the local LAN. I want all "internet" or "IP" traffic from the phone to through the VPN. From within the web browser or otherwise (IE: My Control4 app needs to connect to the Control4 controller on the LAN/VPN).
Does that answer your question? Sorry I'm such a novice at this. I truly appreciate your help.
-
Tunnel everything means that the client gets a default route that sends all traffic through the tunnel and nothing should egress the client's WAN natively while connected to the OpenVPN server.
Alternately, the client can get routes for just the remote networks, usually private networks (Remote LAN, etc). Only traffic for those networks will be sent to OpenVPN. All other traffic will be given to the client host's routing table and be routed accordingly.
-
OK - Baby steps…
I want you to change a few things if thats ok?
Force all client generated traffic through the tunnel.
Also, provide DNS Servers.
192.168.1.1
8.8.8.8 -
So, this is my cell phone we're talking about. While the cell phone is connected to the VPN, I think I want all internet/IP based traffic to go through the VPN.
What do I need to do for that to happen, because it doesn't appear to be happening now.
-
OK - Baby steps…
I want you to change a few things if thats ok?
Force all client generated traffic through the tunnel.
Also, provide DNS Servers.
192.168.1.1
8.8.8.8I'm down with the baby steps, but let me make sure I understand. You want me to recheck the DNS servers box in the VPN config, and add those 2 DNS servers?
-
Please make the initial changes to the openvpn server that I suggested. Then test it.
BTW - How are you seeing your server config if you are away and your VPN isn't working?
"You want me to recheck the DNS servers box in the VPN config, and add those 2 DNS servers?" - Yes
I want you to use your pfsense LAN as DNS server (192,168.1.1) and if something on your local network interferes with that, like the subnet in use, 8.8.8.8, just in case.
Just temporary to ensure you have DNS.
BTW - What kind of phone? What is the openvpn client software being used?
-
Please make the initial changes to the openvpn server that I suggested. Then test it.
BTW - How are you seeing your server config if you are away and your VPN isn't working?
I'm not away. I'm at home. I've got computers that are hard wired on the LAN here. I'm testing it from mobile phones and hotspots.
I think I made those changes correctly. I'm going to test it now.