OpenVPN for 2 LAN sites fail to connect each other
-
Hi, I got 2 LAN site which is belong my friend's network. I successfully to link up both site in PFSense box but those PCs in LAN cannot get connect each other in pinging.
The Client log:
May 1 18:37:42 openvpn[2777]: Initialization Sequence Completed
May 1 18:37:41 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
May 1 18:37:41 openvpn[2777]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
May 1 18:37:41 openvpn[2777]: TUN/TAP device /dev/tap0 opened
May 1 18:37:40 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.3 255.255.255.0 init
May 1 18:37:40 openvpn[2777]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
May 1 18:37:40 openvpn[2777]: Preserving previous TUN/TAP instance: tap0
May 1 18:37:38 openvpn[2777]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
May 1 18:37:38 openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
May 1 18:37:38 openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
May 1 18:37:31 openvpn[2777]: UDPv4 link remote: 60.54.233.221:1194
May 1 18:37:31 openvpn[2777]: UDPv4 link local (bound): [undef]:1194
May 1 18:37:31 openvpn[2777]: Re-using SSL/TLS contextIt seem can connect for both LAN but why those PCs cannot ping each other.
1 PC from A Network –-> connect with 1 PC from B Network = OK
1 PC from A Network ---> connect with 2 PC or more from B Network = Fail
2 PC or more from A Network ---> connect with 2 PC or more from B Network = FailI try with OpenVPN GUI interface, all can connect but cannot ping each other if more than 1 PC in a network.
It is openvpn only limited to 1PC per 1 Internet Line?
Even i try without OpenVPN GUI also cannot ping opposite network.
Please help.
Thanks'
Kelvin -
This is another log from client:
May 1 18:53:01 openvpn[12615]: Initialization Sequence Completed
May 1 18:53:00 openvpn[12615]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
May 1 18:53:00 openvpn[12615]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
May 1 18:53:00 openvpn[12615]: TUN/TAP device /dev/tap0 opened
May 1 18:52:59 openvpn[12615]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
May 1 18:52:59 openvpn[12615]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
May 1 18:52:59 openvpn[12615]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
May 1 18:52:52 openvpn[12615]: UDPv4 link remote: 60.54.233.221:1194
May 1 18:52:52 openvpn[12615]: UDPv4 link local (bound): [undef]:1194
May 1 18:52:52 openvpn[12614]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
May 1 18:52:52 openvpn[12614]: WARNING: using –pull/--client and --ifconfig together is probably not what you want
May 1 18:52:52 openvpn[12614]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007It seem Connected with 10.8.0.2 but why those client in LAN cannot "see" each other?
-
Fix your configs:
May 1 18:37:38 openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
May 1 18:37:38 openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'You have a configuration missmatch on both sides.
Also you need to add routes that point to the other side of the tunnel for the remote subnet.
(The field "remote network") -
Hi, Gruens Froeschli,
Thanks for your reply. I try to make the comp-lzo both site. Now the new log is:
May 1 19:22:18 openvpn[18083]: Initialization Sequence Completed
May 1 19:22:17 openvpn[18083]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
May 1 19:22:17 openvpn[18083]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
May 1 19:22:17 openvpn[18083]: TUN/TAP device /dev/tap0 opened
May 1 19:22:16 openvpn[18083]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
May 1 19:22:08 openvpn[18083]: UDPv4 link remote: 60.54.233.221:1194
May 1 19:22:08 openvpn[18083]: UDPv4 link local (bound): [undef]:1194
May 1 19:22:08 openvpn[18082]: LZO compression initialized
May 1 19:22:08 openvpn[18082]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
May 1 19:22:08 openvpn[18082]: WARNING: using –pull/--client and --ifconfig together is probably not what you want
May 1 19:22:08 openvpn[18082]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
May 1 19:22:06 openvpn[17332]: SIGTERM[hard,] received, process exiting
May 1 19:22:06 openvpn[17332]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
May 1 19:22:06 openvpn[17332]: event_wait : Interrupted system call (code=4)PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B: connectedI use dev tap and udp. I try to ping, still fail to ping each other…
Please help... :-[
-
They can connected but cannot be ping.. It is i use wrong method? Anyone got tutorial link? I try to google but it seem not much result and the link of tutorial provided in this forum seem broken…
-
PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B: connectedThis is quite confusing.
What are you trying to achieve?Can you draw a diagramm of your networks and which ip range you have where?
Also can you post screenshots of your config from the client and from the server? -
Hi, This is the network..
I hope to integrate OpenVPN to make tunnel for LAN A and LAN B so there can share files, play games together.PFSense Box 1 Configuration:
Protocol: UDP
Dynamic IP (Thick)
Local Port:1194
Address Pool: 10.8.0.0/24
Remote Network: 192.168.1.1/24
Client to Client VPN: (Thick)
Authenication method: PKI
CA: INserted
Server CA: INserted
Server Key: INserted
DH: Inserted
DHCP-OPT: DNS Domain Name: (Use domain which i host at dyndns.com)
DHCP-OPT: DNS Server: 202.188.0.133 (DNS Server ISP)
custom option:
;local 60.xx.xxx.xxx
;dev tap
;duplicate-cn
;comp-Izo
;max-clients 150
;persist-tun
;push "dhcp-option DNS 202.188.0.133"
;push "dhcp-option DNS 202.188.1.5"–----------
PFSense Box 2 (Client)
Configuration
Protocol: UDP
Server address: 60.xx.xxx.xxx
Server port:1194
Interface IP:192.168.1.1/24
Proxy port:3128
Cryptography:BF-CBC(128Bit)
Authentication method:PKI
CA certificate: Inserted
Client certificate: Inserted
Client key: Inserted
Custom options:
;dev tap;persist-key;persist-tun;ns-cert-type server;comp-lzo;remote 60.xx.xxx.xxx 1194
Result
Both PFSense show Initialization Sequence CompletedBut i cannot ping in PC 1, PC2 nor PC3 to each other
So, I install Window OpenVPN GUI
and configure the file:
–----------Client at Window XP Config log files:
client
dev tap
proto udp
remote 60.xx.xxx.xxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
Result:
Client success connected BUT if both side more than 1 PC connect then cannot get link together...It is i use wrong method on construct the network or insert wrong code??
Thanks
-
I suggest you start reading on http://openvpn.net/howto
I see that you only want to connect two LAN's together.
For this dont use a PKI but use a shared key setup.
–> resetup your openVPN connection.The custom options you added are mostly useless since they are generated by pfSense per default or ther eis a checkbox to enable them
For your test with a windows XP client... you cannot connect multiple clients with the same certificate.
-
Hi Mr.GruensFroeschli
Really thanks for your suggestion. I am noob on this.. Thanks, I will redo again and once got result i post here d.Thanks so much,
Kelvin
-
Hi,
Mr.GruensFroeschli,
Now i connect like this:Client LAN A (5PC) 192.168.10.2 to 5 <-> Switch <-> PFSense Box A (192.168.10.100) <-> ADSL Modem –-(ISP STATIC Line A) ISP --- ISP (ISP Dynamic Line B) <-> ADSL Modem <-> PFSense Box B (192.168.1.1) <-> Switch <-> Client LAN B (10PC) 192.168.1.2 to 11
PF Sense Box A OpenVPN - Configuration:
Protocol: UDP
Dynamic IP: (YES)
Local Port: 1194
Address Pool: 10.8.0.0/24
Local Network: 192.168.10.100/24
Remote Network: 192.168.1.1/24
Client-to-Client VPN: (YEs)
Cryptography: BF-CBC (128Bit)
Authentication method: PKI
CA inserted
Server CA Inserted
Server Key Inserted
DH Parameters Inserted
DHCP-Opt: DNS Server: 202.188.0.133;202.188.1.5
LZO: (Yes)
Custom Option: ;dev tap;keepalive 10 120;verb 3;duplicate-cn;client-to-client;max-clients 150;user nobody;group nobody===
PFsense Box B OpenVPN Configuration"
Protocol: UDP
Server address: xxx.dyndns.org
Server port:1194
Proxy port:3128
Cryptography:BF-CBC(128Bit)
Authentication method:PKI
CA Inserted
Client CA Inserted
CLient Key Inserted
LZO compression
Custom options: ;dev tap;resolv-retry infinite;persist-key;persist-tun;ns-cert-type server;After setup the log message show: May 7 21:23:30 openvpn[38053]: Initialization Sequence Completed
Both server and client get same message,
After connected, the server show the following log:
May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 MULTI: Learn: 00:bd:e0:0d:41:00 -> VPN-CLIENT1/124.13.87.49:1195
May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 SENT CONTROL [VPN-CLIENT1]: 'PUSH_REPLY,route 192.168.10.100 255.255.255.0,dhcp-option DNS 202.188.0.133,dhcp-option DNS 202.188.1.5,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 PUSH: Received control message: 'PUSH_REQUEST'Problem Now: PFSense box connected but the client machine LAN A to LAN B are not connected.. It is i less some step??
-
Client Site: -
Share Key Config
-
This is the server share key conf
Note: 192.168.10.0/24 is server site
192.168.1.0/24 is client site
192.168.100.0/24 is vpn tunnel subnet …. -
Follow-up-note:
We where able to solve the problem per MSN.
yce_kelvin forgot to mention that the server had more than one WAN.http://forum.pfsense.org/index.php/topic,7001.0.html
The rule on the LAN had as gateway a loadbalancing-pool.
The problem was solved through adding another rule with as destination 192.168.1.0/24 (subnet on the client side) and gateway * above the rule with as gateway Loadbalancer. (see screenshot posted by yce_kelvin below) -
The Firewall configuration:
-
Arrangement of rules:
-
Site to site connection with share key is okay but cannot bridging.
Try to do another site-to-site bridging. If some one have experience before kindly share ur exp here. Anyone success before? -
Anyone success with openvpn tunnel and lan game within 2 lan's client pc?
-
Nobody will ever be able to use UDP broadcast based LAN games in a routed scenario.
You NEED a bridge, or else a UDP proxy like this one: http://www.vttoth.com/tunnel.htm
In about 3 weeks or so i will have a bit more time. If i'm not too busy with other projects i think i'll try to get this running since i'm interrested in this too.
-
Bridge mode can successful for 2 LAN sites in a "normal" condition. "Normal" mean a normal office or group network. If those client is "cloned" then will meet the problem with MAC address issue. This is because if the PCs are cloned, that mean the MAC address also will duplicated.
Bridge mode i use is form a pfsense as openvpn server and other client pc install openvpn with tap-adaptor. Client can be successful connected but need a different MAC address of TAP-adaptor. I m try to come out a script that can make the TAP-adaptor MAC address can change according to IP address.
But, what i hope that is 2 site PF sense can form bridge mode and no need to do any setting or installation to the client PC.. It is possible.
I know that PFsense routed VPN is not work with what i want.. Anyway i hope that i can make a successful case under GruensFroeschli help :)
or someone interest on it can study together. My network knowledge is level 1 only ^^
