OpenVPN Doesn't work from some devices.



  • Hello people,

    I am experiencing a weird problem here related to OpenVPN.
    If I connect from Linux or Mac everything works great, but as soon as I want to use the VPN from Windows, iPhone or Android it just doesn't work: it gives me an IP address, so the connection is established, but I can't surf or log in to pfSense.

    Any help would be appreciated,

    Regards,
    Alex.



  • Version of pfSense? What steps did you use to configure OpenVPN, i.e. did you follow steps on a website somewhere? If so, URL?

    Have you used any methods to monitor your Android traffic like here?
    http://www.symantec.com/connect/blogs/monitoring-android-network-traffic-part-i-installing-toolchain
    http://www.symantec.com/connect/blogs/monitoring-android-network-traffic-part-ii-cross-compiling-tcpdump
    http://www.symantec.com/connect/blogs/monitoring-android-network-traffic-part-iii-installing-executing-tcpdump
    http://www.symantec.com/connect/blogs/monitoring-android-network-traffic-part-iv-forwarding-wireshark

    If so, did anything show up?

    Netcat is also useful for getting tcpdumps sent to other devices/locations.



  • Hello there, thanks for the answer.

    I followed this guide: https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/

    It worked sometimes from those devices that now it doesn't. It doesn't even work if I'm connected to the network's Wi-Fi.

    Weird. pfSense version is 2.2.3, 32-bit.



  • That link brings back memories of when I set my OpenVPN up, then found someone had tested for the presence of the OpenVPN port within minutes of completion. Not many people can time that right, but they didn't bank on me having OpenVPN on a different port!

    Anyway, one option: install the same version of pfSense as in the guide, carry out the same procedure and then see if Windows & Android work or not. If they do, upgrade pfSense to the latest version and repeat to make sure it still works. This confirms whether or not your Windows/Android devices work in the later version of pfSense.

    Another option is to check the logs to see if any error messages are showing up, and to see if any traffic is actually coming in or being blocked.
    Ticking the "Log packets" option in a firewall rule is useful for this, as you can see whether the OpenVPN rules are seeing traffic or not.

    I don't know if it still exists in 2.2.3, but earlier versions of pfSense and Windows had issues involving TUN/TAP, so it's worth checking out https://openvpn.net/install.html

    You don't say what version of Windows or Android, which may or may not be relevant, but checking the various pfSense logs would be my first port of call.



  • then found someone tested the presence of the OpenVPN port within minutes of completion, not many people can time that right

    Surely it was a coincidence. At any given moment, there are a million different worms and other nasties scanning all of public IP space for listening servers, looking to exploit them.



  • @KOM:

    then found someone tested the presence of the OpenVPN port within minutes of completion, not many people can time that right

    Surely it was a coincidence. At any given moment, there are a million different worms and other nasties scanning all of public IP space for listening servers, looking to exploit them.

    It might well have been, but until you log these things, patterns don't become obvious. :)



  • Reminds me of every time a management suit asks to see firewall logs, and then their heads explode when they think we're under constant, targeted attack by every bad actor on Earth. Good luck trying to convince them it's no different from kids rustling doorknobs or playing Nicky-nicky-9-door in a hotel. Trust in your locks and ignore the noise.
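The point made in the last few posts, that a port probe minutes after setup is background noise unless the logs show a pattern, only becomes visible once you aggregate the block log. The script below is an added illustration, not from the thread or from pfSense: it runs over a few constructed block-log lines in a simplified format (not pfSense's real filterlog layout) and separates ports hit once each by many unrelated sources ("noise") from a single source walking several ports, which is the kind of pattern worth a closer look.

```python
"""Separate background internet scanning noise from a focused probe in
constructed firewall block-log lines (a made-up format, not pfSense filterlog)."""
from collections import Counter, defaultdict

# Constructed sample: one blocked packet per line, "time proto src:sport -> dport".
LOG = """\
15:40:01 udp 198.51.100.7:41000 -> 1194
15:40:09 tcp 203.0.113.44:52100 -> 1194
15:41:13 udp 192.0.2.9:33000 -> 1194
15:42:50 tcp 203.0.113.44:52101 -> 1195
15:42:51 tcp 203.0.113.44:52102 -> 1196
15:42:52 tcp 203.0.113.44:52103 -> 1197
15:43:30 udp 198.51.100.200:5060 -> 5060
"""

def parse(log: str) -> list:
    """Return (time, proto, src_ip, dst_port) tuples from the constructed format."""
    rows = []
    for line in log.splitlines():
        ts, proto, src, _arrow, dport = line.split()
        rows.append((ts, proto, src.rsplit(":", 1)[0], int(dport)))
    return rows

def summarize(rows: list):
    """Per destination port: hit count and distinct sources; per source: distinct ports."""
    hits, srcs, ports_by_src = Counter(), defaultdict(set), defaultdict(set)
    for _ts, _proto, src, dport in rows:
        hits[dport] += 1
        srcs[dport].add(src)
        ports_by_src[src].add(dport)
    return hits, srcs, ports_by_src

def classify(rows: list, sweep_ports: int = 3) -> dict:
    """'noise' ports are hit by many unrelated sources, once each (the doorknob
    rustling); a source that touches several ports is a 'sweep' to follow up on."""
    hits, srcs, ports_by_src = summarize(rows)
    noise = sorted(p for p in hits if len(srcs[p]) == hits[p] and hits[p] > 1)
    sweeps = sorted(s for s, ps in ports_by_src.items() if len(ps) >= sweep_ports)
    return {"noise_ports": noise, "sweeping_sources": sweeps}

if __name__ == "__main__":
    print(classify(parse(LOG)))
```

On the constructed sample this reports port 1194 as noise (three unrelated sources, one hit each) and 203.0.113.44 as the one source worth looking at.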


  • Rebel Alliance Global Moderator

    I can tell you for a fact that pfSense OpenVPN works just fine from Windows clients. I use it every single day. Did you run the OpenVPN client as admin? You should be using the latest client, 2.3.7:

    Tue Jul 28 15:43:48 2015 OpenVPN 2.3.7 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jul  9 2015
    Tue Jul 28 15:43:48 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08

    I use both TCP and UDP connections, and even bounce the TCP off a proxy at work without any issues.

    Did your driver get installed on Windows? What are the errors you get when you connect? Turn up the verb in the config if needed. Did you install the client on your own or grab the bundle from the OpenVPN client export package? What config did you grab if you installed the client on your own?

    I am connected right now through a VPN connection (at a customer site) to work, on their wireless, to my work proxy and then my OpenVPN connection to home:

    Ethernet adapter vpn:

      Connection-specific DNS Suffix  . : local.lan
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-5A-2F-7E-EA
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:<snipped>::1000(Preferred)
      Link-local IPv6 Address . . . . . : fe80::e94a:98a4:4c11:3db1%22(Preferred)
      IPv4 Address. . . . . . . . . . . : 10.0.8.6(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.252
      Lease Obtained. . . . . . . . . . : Tuesday, July 28, 2015 3:44:08 PM
      Lease Expires . . . . . . . . . . : Wednesday, July 27, 2016 3:44:08 PM
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 10.0.8.5
      DHCPv6 IAID . . . . . . . . . . . : 385941338
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
      DNS Servers . . . . . . . . . . . : 192.168.9.253
      NetBIOS over Tcpip. . . . . . . . : Enabled

    I even have IPv6 over my VPN working:
    C:>ping 192.168.9.100

    Pinging 192.168.9.100 with 32 bytes of data:                                 
    Reply from 192.168.9.100: bytes=32 time=719ms TTL=127                       
    Reply from 192.168.9.100: bytes=32 time=325ms TTL=127                       
    Reply from 192.168.9.100: bytes=32 time=332ms TTL=127                       
    Reply from 192.168.9.100: bytes=32 time=326ms TTL=127

    Ping statistics for 192.168.9.100:                                           
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                     
    Approximate round trip times in milli-seconds:                               
        Minimum = 325ms, Maximum = 719ms, Average = 425ms

    C:>ping ipv6.google.com

    Pinging ipv6.l.google.com [2607:f8b0:4004:808::100e] with 32 bytes of data: 
    Reply from 2607:f8b0:4004:808::100e: time=357ms                             
    Reply from 2607:f8b0:4004:808::100e: time=356ms                             
    Reply from 2607:f8b0:4004:808::100e: time=356ms                             
    Reply from 2607:f8b0:4004:808::100e: time=384ms

    Ping statistics for 2607:f8b0:4004:808::100e:                               
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                     
    Approximate round trip times in milli-seconds:                               
        Minimum = 356ms, Maximum = 384ms, Average = 363ms

    Really shitty times, because my VPN-to-work endpoint is in Germany currently ;) while the work proxy I have to bounce off is in TX, my home is in Chicago and I am in Indy currently. So clearly taking the scenic route to my home network ;)



  • Yeah, I forgot all about OpenVPN pretending to work, but not really, if you forget to run it as administrator.



  • Finally… I got it to work.
    The issue is that hostnames don't work; I have to type IP addresses, but only from the VPN.
    Any thoughts?


  • Rebel Alliance Global Moderator

    Yeah, what are you using for name resolution? You cannot broadcast for host names when you're not on the same segment. So you need to query DNS for an FQDN. What is your search suffix if you're just trying to look up a host?

    What is the domain.tld that makes it a fully qualified domain name (FQDN)?



  • Yeah, the only problems I've ever had are when you don't run as administrator. That's a big one.