OpenVPN for 2 LAN sites fail to connect each other



  • Hi, I got 2 LAN site which is belong my friend's network. I successfully to link up both site in PFSense box but those PCs in LAN cannot get connect each other in pinging.

    The Client log:
    May 1 18:37:42 openvpn[2777]: Initialization Sequence Completed
    May 1 18:37:41 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
    May 1 18:37:41 openvpn[2777]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
    May 1 18:37:41 openvpn[2777]: TUN/TAP device /dev/tap0 opened
    May 1 18:37:40 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.3 255.255.255.0 init
    May 1 18:37:40 openvpn[2777]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    May 1 18:37:40 openvpn[2777]: Preserving previous TUN/TAP instance: tap0
    May 1 18:37:38 openvpn[2777]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
    May 1 18:37:38 openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 1 18:37:38 openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
    May 1 18:37:31 openvpn[2777]: UDPv4 link remote: 60.54.233.221:1194
    May 1 18:37:31 openvpn[2777]: UDPv4 link local (bound): [undef]:1194
    May 1 18:37:31 openvpn[2777]: Re-using SSL/TLS context

    It seem can connect for both LAN but why those PCs cannot ping each other.

    1 PC from A Network  –->  connect with 1 PC from B Network = OK
    1 PC from A Network  ---> connect with 2 PC or more from B Network = Fail
    2 PC or more from A Network ---> connect with 2 PC or more from B Network = Fail

    I try with OpenVPN GUI interface, all can connect but cannot ping each other if more than 1 PC in a network.

    It is openvpn only limited to 1PC per 1 Internet Line?

    Even i try without OpenVPN GUI also cannot ping opposite network.

    Please help.

    Thanks'
    Kelvin



  • This is another log from client:
    May 1 18:53:01 openvpn[12615]: Initialization Sequence Completed
    May 1 18:53:00 openvpn[12615]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
    May 1 18:53:00 openvpn[12615]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
    May 1 18:53:00 openvpn[12615]: TUN/TAP device /dev/tap0 opened
    May 1 18:52:59 openvpn[12615]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
    May 1 18:52:59 openvpn[12615]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 1 18:52:59 openvpn[12615]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
    May 1 18:52:52 openvpn[12615]: UDPv4 link remote: 60.54.233.221:1194
    May 1 18:52:52 openvpn[12615]: UDPv4 link local (bound): [undef]:1194
    May 1 18:52:52 openvpn[12614]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    May 1 18:52:52 openvpn[12614]: WARNING: using –pull/--client and --ifconfig together is probably not what you want
    May 1 18:52:52 openvpn[12614]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

    It seem Connected with 10.8.0.2 but why those client in LAN cannot "see" each other?



  • Fix your configs:

    May 1 18:37:38    openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 1 18:37:38    openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'

    You have a configuration missmatch on both sides.

    Also you need to add routes that point to the other side of the tunnel for the remote subnet.
    (The field "remote network")



  • Hi, Gruens Froeschli,
    Thanks for your reply. I try to make the comp-lzo both site. Now the new log is:
    May 1 19:22:18 openvpn[18083]: Initialization Sequence Completed
    May 1 19:22:17 openvpn[18083]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
    May 1 19:22:17 openvpn[18083]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
    May 1 19:22:17 openvpn[18083]: TUN/TAP device /dev/tap0 opened
    May 1 19:22:16 openvpn[18083]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
    May 1 19:22:08 openvpn[18083]: UDPv4 link remote: 60.54.233.221:1194
    May 1 19:22:08 openvpn[18083]: UDPv4 link local (bound): [undef]:1194
    May 1 19:22:08 openvpn[18082]: LZO compression initialized
    May 1 19:22:08 openvpn[18082]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    May 1 19:22:08 openvpn[18082]: WARNING: using –pull/--client and --ifconfig together is probably not what you want
    May 1 19:22:08 openvpn[18082]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
    May 1 19:22:06 openvpn[17332]: SIGTERM[hard,] received, process exiting
    May 1 19:22:06 openvpn[17332]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
    May 1 19:22:06 openvpn[17332]: event_wait : Interrupted system call (code=4)

    PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
    PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B:  connected

    I use dev tap and udp. I try to ping, still fail to ping each other…

    Please help...  :-[



  • They can connected but cannot be ping.. It is i use wrong method? Anyone got tutorial link? I try to google but it seem not much result and the link of tutorial provided in this forum seem broken…



  • PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
    PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B:  connected

    This is quite confusing.
    What are you trying to achieve?

    Can you draw a diagramm of your networks and which ip range you have where?
    Also can you post screenshots of your config from the client and from the server?



  • Hi, This is the network..

    I hope to integrate OpenVPN to make tunnel for LAN A and LAN B so there can share files, play games together.

    PFSense Box 1 Configuration:
    Protocol: UDP
    Dynamic IP (Thick)
    Local Port:1194
    Address Pool: 10.8.0.0/24
    Remote Network: 192.168.1.1/24
    Client to Client VPN: (Thick)
    Authenication method: PKI
    CA: INserted
    Server CA: INserted
    Server Key: INserted
    DH: Inserted
    DHCP-OPT: DNS Domain Name: (Use domain which i host at dyndns.com)
    DHCP-OPT: DNS Server: 202.188.0.133 (DNS Server ISP)
    custom option:
    ;local 60.xx.xxx.xxx
    ;dev tap
    ;duplicate-cn
    ;comp-Izo
    ;max-clients 150
    ;persist-tun
    ;push "dhcp-option DNS 202.188.0.133"
    ;push "dhcp-option DNS 202.188.1.5"

    –----------
    PFSense Box 2 (Client)
    Configuration
    Protocol: UDP
    Server address: 60.xx.xxx.xxx
    Server port:1194
    Interface IP:192.168.1.1/24
    Proxy port:3128
    Cryptography:BF-CBC(128Bit)
    Authentication method:PKI
    CA certificate: Inserted
    Client certificate: Inserted
    Client key: Inserted
    Custom options:
    ;dev tap;persist-key;persist-tun;ns-cert-type server;comp-lzo;remote 60.xx.xxx.xxx 1194


    Result
    Both PFSense show  Initialization Sequence Completed

    But i cannot ping in PC 1, PC2 nor PC3 to each other

    So, I install Window OpenVPN GUI
    and configure the file:
    –----------

    Client at Window XP Config log files:
    client
    dev tap
    proto udp
    remote 60.xx.xxx.xxx
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3


    Result:
    Client success connected BUT if both side more than 1 PC connect then cannot get link together...

    It is i use wrong method on construct the network or insert wrong code??

    Thanks



  • I suggest you start reading on http://openvpn.net/howto

    I see that you only want to connect two LAN's together.
    For this dont use a PKI but use a shared key setup.
    –> resetup your openVPN connection.

    The custom options you added are mostly useless since they are generated by pfSense per default or ther eis a checkbox to enable them

    For your test with a windows XP client... you cannot connect multiple clients with the same certificate.



  • Hi Mr.GruensFroeschli
    Really thanks for your suggestion. I am noob on this.. Thanks, I will redo again and once got result i post here d.

    Thanks so much,

    Kelvin



  • Hi,
    Mr.GruensFroeschli,
    Now i connect like this:

    Client LAN A (5PC) 192.168.10.2 to 5 <-> Switch <-> PFSense Box A (192.168.10.100) <-> ADSL Modem  –-(ISP STATIC Line A)  ISP --- ISP (ISP Dynamic Line B) <-> ADSL Modem <-> PFSense Box B (192.168.1.1) <-> Switch <-> Client LAN B (10PC) 192.168.1.2 to 11

    PF Sense Box A OpenVPN - Configuration:
    Protocol: UDP
    Dynamic IP: (YES)
    Local Port: 1194
    Address Pool: 10.8.0.0/24
    Local Network: 192.168.10.100/24
    Remote Network: 192.168.1.1/24
    Client-to-Client VPN: (YEs)
    Cryptography: BF-CBC (128Bit)
    Authentication method: PKI
    CA inserted
    Server CA Inserted
    Server Key Inserted
    DH Parameters Inserted
    DHCP-Opt: DNS Server: 202.188.0.133;202.188.1.5
    LZO: (Yes)
    Custom Option: ;dev tap;keepalive 10 120;verb 3;duplicate-cn;client-to-client;max-clients 150;user nobody;group nobody

    ===

    PFsense Box B OpenVPN Configuration"
    Protocol: UDP
    Server address: xxx.dyndns.org
    Server port:1194
    Proxy port:3128
    Cryptography:BF-CBC(128Bit)
    Authentication method:PKI
    CA Inserted
    Client CA Inserted
    CLient Key Inserted
    LZO compression
    Custom options: ;dev tap;resolv-retry infinite;persist-key;persist-tun;ns-cert-type server;

    After setup the log message show: May 7 21:23:30 openvpn[38053]: Initialization Sequence Completed

    Both server and client get same message,

    After connected, the server show the following log:

    May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 MULTI: Learn: 00:bd:e0:0d:41:00 -> VPN-CLIENT1/124.13.87.49:1195
    May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 SENT CONTROL [VPN-CLIENT1]: 'PUSH_REPLY,route 192.168.10.100 255.255.255.0,dhcp-option DNS 202.188.0.133,dhcp-option DNS 202.188.1.5,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
    May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 PUSH: Received control message: 'PUSH_REQUEST'

    Problem Now: PFSense box connected but the client machine LAN A to LAN B are not connected.. It is i less some step??



  • Client Site: -
    Share Key Config



  • This is the server share key conf

    Note: 192.168.10.0/24 is server site
    192.168.1.0/24 is client site
    192.168.100.0/24 is vpn tunnel subnet ….



  • Follow-up-note:
    We where able to solve the problem per MSN.
    yce_kelvin forgot to mention that the server had more than one WAN.

    http://forum.pfsense.org/index.php/topic,7001.0.html

    The rule on the LAN had as gateway a loadbalancing-pool.
    The problem was solved through adding another rule with as destination 192.168.1.0/24 (subnet on the client side) and gateway * above the rule with as gateway Loadbalancer. (see screenshot posted by yce_kelvin below)



  • The Firewall configuration:



  • Arrangement of rules:



  • Site to site connection with share key is okay but cannot bridging.
    Try to do another site-to-site bridging. If some one have experience before kindly share ur exp here. Anyone success before?



  • Anyone success with openvpn tunnel and lan game within 2 lan's client pc?



  • Nobody will ever be able to use UDP broadcast based LAN games in a routed scenario.

    You NEED a bridge, or else a UDP proxy like this one: http://www.vttoth.com/tunnel.htm

    In about 3 weeks or so i will have a bit more time. If i'm not too busy with other projects i think i'll try to get this running since i'm interrested in this too.



  • Bridge mode can successful for 2 LAN sites in a "normal" condition. "Normal" mean a normal office or group network. If those client is "cloned" then will meet the problem with MAC address issue. This is because if the PCs are cloned, that mean the MAC address also will duplicated.

    Bridge mode i use is form a pfsense as openvpn server and other client pc install openvpn with tap-adaptor. Client can be successful connected but need a different MAC address of TAP-adaptor. I m try to come out a script that can make the TAP-adaptor MAC address can change according to IP address.

    But, what i hope that is 2 site PF sense can form bridge mode and no need to do any setting or installation to the client PC.. It is possible.

    I know that PFsense routed VPN is not work with what i want.. Anyway i hope that i can make a successful case under GruensFroeschli help :)

    or someone interest on it can study together. My network knowledge is level 1 only ^^


Log in to reply