    OpenVPN for 2 LAN sites fail to connect each other

    • yce_kelvin

      Hi, I have 2 LAN sites which belong to my friend's network. I successfully linked up both sites with pfSense boxes, but the PCs in the LANs cannot ping each other.

      The Client log:
      May 1 18:37:42 openvpn[2777]: Initialization Sequence Completed
      May 1 18:37:41 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
      May 1 18:37:41 openvpn[2777]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
      May 1 18:37:41 openvpn[2777]: TUN/TAP device /dev/tap0 opened
      May 1 18:37:40 openvpn[2777]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.3 255.255.255.0 init
      May 1 18:37:40 openvpn[2777]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
      May 1 18:37:40 openvpn[2777]: Preserving previous TUN/TAP instance: tap0
      May 1 18:37:38 openvpn[2777]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
      May 1 18:37:38 openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
      May 1 18:37:38 openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
      May 1 18:37:31 openvpn[2777]: UDPv4 link remote: 60.54.233.221:1194
      May 1 18:37:31 openvpn[2777]: UDPv4 link local (bound): [undef]:1194
      May 1 18:37:31 openvpn[2777]: Re-using SSL/TLS context

      It seems both LANs can connect, but why can't the PCs ping each other?

      1 PC from A Network ---> connect with 1 PC from B Network = OK
      1 PC from A Network ---> connect with 2 PCs or more from B Network = Fail
      2 PCs or more from A Network ---> connect with 2 PCs or more from B Network = Fail

      I tried with the OpenVPN GUI interface: all can connect but cannot ping each other if there is more than 1 PC in a network.

      Is OpenVPN limited to only 1 PC per Internet line?

      Even when I try without the OpenVPN GUI, I also cannot ping the opposite network.

      Please help.

      Thanks,
      Kelvin

      • yce_kelvin

        This is another log from client:
        May 1 18:53:01 openvpn[12615]: Initialization Sequence Completed
        May 1 18:53:00 openvpn[12615]: /etc/rc.filter_configure tap0 1500 1573 10.8.0.2 255.255.255.0 init
        May 1 18:53:00 openvpn[12615]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
        May 1 18:53:00 openvpn[12615]: TUN/TAP device /dev/tap0 opened
        May 1 18:52:59 openvpn[12615]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
        May 1 18:52:59 openvpn[12615]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
        May 1 18:52:59 openvpn[12615]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
        May 1 18:52:52 openvpn[12615]: UDPv4 link remote: 60.54.233.221:1194
        May 1 18:52:52 openvpn[12615]: UDPv4 link local (bound): [undef]:1194
        May 1 18:52:52 openvpn[12614]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
        May 1 18:52:52 openvpn[12614]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
        May 1 18:52:52 openvpn[12614]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

        It seems connected with 10.8.0.2, but why can't the clients in the LAN "see" each other?

        • GruensFroeschli

          Fix your configs:

          May 1 18:37:38    openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
          May 1 18:37:38    openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'

          You have a configuration mismatch on both sides.

          Also you need to add routes that point to the other side of the tunnel for the remote subnet.
          (The field "remote network")

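The two warnings quoted above are OpenVPN's options-consistency check, and the 1-byte link-mtu difference is itself a consequence of comp-lzo being enabled on only one side (the later log in this thread shows both sides at 1574 once comp-lzo matched). As an added example that is not part of the thread, this Python parser pulls such warnings out of a log and says which side needs changing; the sample lines are copied from the client log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines quoted from the client log posted in this thread.
SAMPLE_LOG = """\
May 1 18:37:38 openvpn[2777]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
May 1 18:37:38 openvpn[2777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
May 1 18:37:38 openvpn[2777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
May 1 18:37:31 openvpn[2777]: UDPv4 link remote: 60.54.233.221:1194
"""


@dataclass
class OptionMismatch:
    option: str            # option OpenVPN complains about, e.g. 'comp-lzo'
    local: Optional[str]   # value on the local side, None when the option is absent there
    remote: Optional[str]  # value on the remote side, None when absent there
    fix: str               # what has to change so both peers agree


# OpenVPN 2.x options-consistency warnings come in two shapes:
#   WARNING: 'X' is present in remote config but missing in local config, remote='X'
#   WARNING: 'X' is used inconsistently, local='X a', remote='X b'
_MISSING = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<has>remote|local) config "
    r"but missing in (?P<lacks>remote|local) config, (?P=has)='(?P<val>[^']*)'")
_INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")


def parse_mismatches(log_text: str) -> List[OptionMismatch]:
    """Return one OptionMismatch per options-consistency warning in the log."""
    found: List[OptionMismatch] = []
    for line in log_text.splitlines():
        m = _MISSING.search(line)
        if m:
            val = m.group("val")
            local = val if m.group("has") == "local" else None
            remote = val if m.group("has") == "remote" else None
            found.append(OptionMismatch(m.group("opt"), local, remote,
                                        f"add '{val}' to the {m.group('lacks')} config"))
            continue
        m = _INCONSISTENT.search(line)
        if m:
            found.append(OptionMismatch(m.group("opt"), m.group("local"), m.group("remote"),
                                        f"set '{m.group('opt')}' identically on both peers"))
    return found


def mtu_delta_explained_by_compression(mismatches: List[OptionMismatch]) -> bool:
    """True when the link-mtu disagreement is exactly the 1 byte that comp-lzo adds
    to the frame, i.e. it will disappear once comp-lzo matches on both sides."""
    lzo_one_sided = any(m.option == "comp-lzo" and (m.local is None or m.remote is None)
                        for m in mismatches)
    for m in mismatches:
        if m.option == "link-mtu" and m.local and m.remote:
            local_mtu, remote_mtu = int(m.local.split()[-1]), int(m.remote.split()[-1])
            return lzo_one_sided and abs(local_mtu - remote_mtu) == 1
    return False
```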
          • yce_kelvin

            Hi GruensFroeschli,
            Thanks for your reply. I tried to set comp-lzo on both sites. Now the new log is:
            May 1 19:22:18 openvpn[18083]: Initialization Sequence Completed
            May 1 19:22:17 openvpn[18083]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
            May 1 19:22:17 openvpn[18083]: /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
            May 1 19:22:17 openvpn[18083]: TUN/TAP device /dev/tap0 opened
            May 1 19:22:16 openvpn[18083]: [VPN-SERVER] Peer Connection Initiated with 60.54.233.221:1194
            May 1 19:22:08 openvpn[18083]: UDPv4 link remote: 60.54.233.221:1194
            May 1 19:22:08 openvpn[18083]: UDPv4 link local (bound): [undef]:1194
            May 1 19:22:08 openvpn[18082]: LZO compression initialized
            May 1 19:22:08 openvpn[18082]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
            May 1 19:22:08 openvpn[18082]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
            May 1 19:22:08 openvpn[18082]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
            May 1 19:22:06 openvpn[17332]: SIGTERM[hard,] received, process exiting
            May 1 19:22:06 openvpn[17332]: /etc/rc.filter_configure tap0 1500 1574 10.8.0.2 255.255.255.0 init
            May 1 19:22:06 openvpn[17332]: event_wait : Interrupted system call (code=4)

            PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
            PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B:  connected

            I use dev tap and UDP. I tried to ping; they still fail to ping each other...

            Please help...  :-[

            • yce_kelvin

              They can connect but cannot be pinged.. Am I using the wrong method? Does anyone have a tutorial link? I tried to Google it, but there seem to be few results, and the tutorial link provided in this forum seems broken...

              • GruensFroeschli

                PC at LAN A: 10.8.0.3 connected. Pfsense at LAN A: 10.8.0.2 connected.
                PC at LAN B: 10.8.0.4 connected, PC at LAN B: 10.8.0.5 connected, Pfsense at LAN B:  connected

                This is quite confusing.
                What are you trying to achieve?

                Can you draw a diagram of your networks and which IP range you have where?
                Also can you post screenshots of your config from the client and from the server?

                • yce_kelvin

                  Hi, this is the network..

                  I hope to use OpenVPN to make a tunnel between LAN A and LAN B so they can share files and play games together.

                  PFSense Box 1 Configuration:
                  Protocol: UDP
                  Dynamic IP: (Ticked)
                  Local Port:1194
                  Address Pool: 10.8.0.0/24
                  Remote Network: 192.168.1.1/24
                  Client to Client VPN: (Ticked)
                  Authentication method: PKI
                  CA: Inserted
                  Server CA: Inserted
                  Server Key: Inserted
                  DH: Inserted
                  DHCP-OPT: DNS Domain Name: (Use domain which i host at dyndns.com)
                  DHCP-OPT: DNS Server: 202.188.0.133 (DNS Server ISP)
                  custom option:
                  ;local 60.xx.xxx.xxx
                  ;dev tap
                  ;duplicate-cn
                  ;comp-lzo
                  ;max-clients 150
                  ;persist-tun
                  ;push "dhcp-option DNS 202.188.0.133"
                  ;push "dhcp-option DNS 202.188.1.5"

                  -----------
                  PFSense Box 2 (Client)
                  Configuration
                  Protocol: UDP
                  Server address: 60.xx.xxx.xxx
                  Server port:1194
                  Interface IP:192.168.1.1/24
                  Proxy port:3128
                  Cryptography:BF-CBC(128Bit)
                  Authentication method:PKI
                  CA certificate: Inserted
                  Client certificate: Inserted
                  Client key: Inserted
                  Custom options:
                  ;dev tap;persist-key;persist-tun;ns-cert-type server;comp-lzo;remote 60.xx.xxx.xxx 1194


                  Result
                  Both pfSense boxes show Initialization Sequence Completed

                  But I cannot ping from PC1, PC2 or PC3 to each other

                  So, I installed the Windows OpenVPN GUI
                  and configured the file:
                  -----------

                  Client config file on Windows XP:
                  client
                  dev tap
                  proto udp
                  remote 60.xx.xxx.xxx
                  resolv-retry infinite
                  nobind
                  persist-key
                  persist-tun
                  ca ca.crt
                  cert client1.crt
                  key client1.key
                  ns-cert-type server
                  comp-lzo
                  verb 3


                  Result:
                  The client connected successfully, BUT if more than 1 PC connects on each side then they cannot link together...

                  Am I using the wrong method to construct the network, or inserting the wrong code??

                  Thanks

                  • GruensFroeschli

                    I suggest you start reading on http://openvpn.net/howto

                    I see that you only want to connect two LANs together.
                    For this don't use a PKI but use a shared key setup.
                    --> re-setup your OpenVPN connection.

                    The custom options you added are mostly useless since they are generated by pfSense by default, or there is a checkbox to enable them.

                    For your test with a windows XP client... you cannot connect multiple clients with the same certificate.

                    • yce_kelvin

                      Hi Mr. GruensFroeschli,
                      Really, thanks for your suggestion. I am a noob at this.. Thanks, I will redo it and once I get a result I will post here.

                      Thanks so much,

                      Kelvin

                      • yce_kelvin

                        Hi,
                        Mr.GruensFroeschli,
                        Now I connect like this:

                        Client LAN A (5 PCs) 192.168.10.2 to 5 <-> Switch <-> PFSense Box A (192.168.10.100) <-> ADSL Modem ---(ISP STATIC Line A) ISP --- ISP (ISP Dynamic Line B) <-> ADSL Modem <-> PFSense Box B (192.168.1.1) <-> Switch <-> Client LAN B (10 PCs) 192.168.1.2 to 11

                        PF Sense Box A OpenVPN - Configuration:
                        Protocol: UDP
                        Dynamic IP: (YES)
                        Local Port: 1194
                        Address Pool: 10.8.0.0/24
                        Local Network: 192.168.10.100/24
                        Remote Network: 192.168.1.1/24
                        Client-to-Client VPN: (Yes)
                        Cryptography: BF-CBC (128Bit)
                        Authentication method: PKI
                        CA inserted
                        Server CA Inserted
                        Server Key Inserted
                        DH Parameters Inserted
                        DHCP-Opt: DNS Server: 202.188.0.133;202.188.1.5
                        LZO: (Yes)
                        Custom Option: ;dev tap;keepalive 10 120;verb 3;duplicate-cn;client-to-client;max-clients 150;user nobody;group nobody

                        ===

                        PFsense Box B OpenVPN Configuration:
                        Protocol: UDP
                        Server address: xxx.dyndns.org
                        Server port:1194
                        Proxy port:3128
                        Cryptography:BF-CBC(128Bit)
                        Authentication method:PKI
                        CA Inserted
                        Client CA Inserted
                        Client Key Inserted
                        LZO compression
                        Custom options: ;dev tap;resolv-retry infinite;persist-key;persist-tun;ns-cert-type server;

                        After setup the log message shows: May 7 21:23:30 openvpn[38053]: Initialization Sequence Completed

                        Both server and client get the same message.

                        After connecting, the server shows the following log:

                        May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 MULTI: Learn: 00:bd:e0:0d:41:00 -> VPN-CLIENT1/124.13.87.49:1195
                        May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 SENT CONTROL [VPN-CLIENT1]: 'PUSH_REPLY,route 192.168.10.100 255.255.255.0,dhcp-option DNS 202.188.0.133,dhcp-option DNS 202.188.1.5,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
                        May 7 21:23:30 openvpn[1911]: VPN-CLIENT1/124.13.87.49:1195 PUSH: Received control message: 'PUSH_REQUEST'

                        Problem now: the pfSense boxes are connected, but the client machines from LAN A to LAN B are not connected.. Am I missing some step??

                        • yce_kelvin

                          Client site:
                          Shared key config

                          • yce_kelvin

                            This is the server shared key conf

                            Note: 192.168.10.0/24 is server site
                            192.168.1.0/24 is client site
                            192.168.100.0/24 is vpn tunnel subnet ….

                            • GruensFroeschli

                              Follow-up note:
                              We were able to solve the problem over MSN.
                              yce_kelvin forgot to mention that the server had more than one WAN.

                              http://forum.pfsense.org/index.php/topic,7001.0.html

                              The rule on the LAN had a load-balancing pool as its gateway.
                              The problem was solved by adding another rule with destination 192.168.1.0/24 (the subnet on the client side) and gateway *, placed above the rule whose gateway is the load balancer. (see screenshot posted by yce_kelvin below)

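The fix above comes down to rule order: pfSense matches LAN rules top-down, and a rule whose gateway is a pool policy-routes everything it matches out that pool without consulting the routing table, so the OpenVPN route for 192.168.1.0/24 is never used. As an added example that is not part of the thread or of pfSense, this small Python model of first-match rule evaluation shows why the remote-subnet rule must sit above the load-balancer rule; the rule and next-hop labels are constructed, the subnets are the ones from the thread.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

# Constructed model of a pfSense LAN rule set; example code, not pfSense's own.
# pfSense evaluates firewall rules top-down and the first match wins. A rule with a
# gateway (or gateway pool) set is a policy-routing rule: traffic it matches is sent
# out that gateway without consulting the system routing table, so it never reaches
# the route OpenVPN installed for the remote subnet.

DEFAULT_GW = "*"   # pfSense's "default" gateway choice: use the routing table


class Rule(NamedTuple):
    description: str
    destination: str  # CIDR, or "any"
    gateway: str      # DEFAULT_GW, or the name of a gateway / load-balancing pool


# Routing table of pfSense box A once the tunnel is up (subnets from the thread;
# the next-hop labels are constructed).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "WAN default"),
    ("192.168.1.0/24", "tap0 tunnel to LAN B"),
]


def first_match(rules: List[Rule], dst_ip: str) -> Optional[Rule]:
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.destination == "any" or dst in ip_network(rule.destination):
            return rule
    return None   # no rule matched: pfSense's implicit default deny


def lookup_route(routes: List[Tuple[str, str]], dst_ip: str) -> str:
    """Longest-prefix match over the routing table."""
    dst = ip_address(dst_ip)
    hits = [(ip_network(cidr).prefixlen, hop) for cidr, hop in routes if dst in ip_network(cidr)]
    return max(hits)[1] if hits else "no route"


def egress_for(rules: List[Rule], routes: List[Tuple[str, str]], dst_ip: str) -> str:
    """Where a LAN host's packet to dst_ip is sent: the policy gateway or the routed hop."""
    rule = first_match(rules, dst_ip)
    if rule is None:
        return "blocked"
    if rule.gateway != DEFAULT_GW:
        return rule.gateway          # policy routing bypasses the routing table
    return lookup_route(routes, dst_ip)


# The rule set that broke the tunnel: everything from LAN policy-routed to the pool.
BROKEN = [Rule("LAN net to any", "any", "LoadBalancer")]
# The fix from the thread: a default-gateway rule for the remote subnet placed ABOVE it.
FIXED = [Rule("LAN net to remote site", "192.168.1.0/24", DEFAULT_GW)] + BROKEN
# The same rule placed BELOW the pool rule never matches, so the order is what matters.
WRONG_ORDER = BROKEN + [Rule("LAN net to remote site", "192.168.1.0/24", DEFAULT_GW)]
```

Internet-bound traffic (for example to 8.8.8.8) still hits the pool rule in FIXED, so the load balancing keeps working for everything except the tunnel subnet.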
                              • yce_kelvin

                                The Firewall configuration:

                                • yce_kelvin

                                  Arrangement of rules:

                                  • yce_kelvin

                                    Site-to-site connection with shared key is okay, but I cannot bridge.
                                    I am trying to do another site-to-site bridging. If someone has experience with this before, kindly share your experience here. Has anyone succeeded before?

                                    • yce_kelvin

                                      Has anyone succeeded with an OpenVPN tunnel and LAN games between the client PCs of 2 LANs?

                                      • GruensFroeschli

                                        Nobody will ever be able to use UDP broadcast based LAN games in a routed scenario.

                                        You NEED a bridge, or else a UDP proxy like this one: http://www.vttoth.com/tunnel.htm

                                        In about 3 weeks or so I will have a bit more time. If I'm not too busy with other projects I think I'll try to get this running, since I'm interested in this too.

                                        • yce_kelvin

                                          Bridge mode can be successful for 2 LAN sites in a "normal" condition. "Normal" means a normal office or group network. If the clients are "cloned" then you will meet a problem with MAC addresses. This is because if the PCs are cloned, the MAC addresses will also be duplicated.

                                          The bridge mode I use is formed from a pfSense as OpenVPN server and the other client PCs with OpenVPN installed with a TAP adaptor. Clients can connect successfully but need a different MAC address on the TAP adaptor. I am trying to come up with a script that can change the TAP adaptor MAC address according to the IP address.

                                          But what I hope for is that 2 site pfSense boxes can form bridge mode with no need to do any setting or installation on the client PCs.. Is it possible?

                                          I know that pfSense routed VPN does not work with what I want.. Anyway I hope that I can make a successful case with GruensFroeschli's help :)

                                          or someone interested in it can study together. My network knowledge is level 1 only ^^
