OpenVPN client gets IP, but can't ping office LAN



  • I'm having a bit of trouble with OpenVPN testing.  So far, I've followed the instructions here (http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf).  My test VPN client is Vista 32-bit (including adding the below to my *.ovpn config file), and I'm connecting to a PFSense 1.2-RELEASE box.  I generated keys from my linux box - and these appear to be good.

    Right now, I'm able to get an IP address using the OpenVPN GUI client of 192.168.124.6 when I establish a session.  However, I'm not able to ping hosts (or SMB, MSTSC, FTP, HTTP to etc.) on my office LAN.  If I do an "Ipconfig /all" from Vista, I see my ovpn client has a subnet of 255.255.255.252, DHCP server 192.168.124.5, DNS of 192.168.222.2, WINS 192.168.168.222.2, but no Gateway listed.  I can ping my own IP, but I can't ping the "DHCP" server address, or anything on the 192.168.222.0/24 network.

    My PFSense box has an IP on my LAN of 192.168.222.248, connecting to its own private DSL line.  I have another firewall and separate internet connection of 192.168.222.1.  All my production boxes point at the 192.168.222.1 box for their gateway.

    Can anyone point me in the right direction, or identify anything in my config that's causing the problem?

    added to Vista Config for *.ovpn
    route-method exe
    mssfix 1200
    route-delay 2

    OpenVPN Server tab,
    Protocol: TCP
    Dynamic IP: checked
    Local port: 1194
    Address pool: 192.168.124.0/24
    Local network: 192.168.222.0/24
    DHCP-Opt DNS: domain.local
    DNS: 192.168.222.2
    WINS: 192.168.222.2
    NetBios node: p-node

    Client tab: empty
    client specific config tab: empty

    Firewall rules:

    WAN: TCP/UDP, *, *, *, 1194, *
    LAN: *, LAN net, *, *, *, *



  • Also - on my openvpn client, I'm getting the following error just before getting my IP:

    Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
    Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
    Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
    Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
    Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed



  • Try adding the following in the custom options box

    push "route 192.168.222.0 255.255.255.0 vpn_gateway";

    Also, I have not bothered with any of the DHCP DNS stuff - it works for me without it!



  • Should I be adding this to the OpenVPN client "server" tab?  I tried doing so, literally typing…

    push "route 192.168.222.0 255.255.255.0 vpn_gateway";

    Should the words "push" and "vpn_gateway" be included, or should I be typing my actual gateway - 192.168.124.1?  I've tried these various iterations, and I can't get to my 192.168.222/0 LAN.  I can ping and connect to 192.168.124.1 (pfsense on the VPN subnet).

    Any other ideas, or did I miss something?



  • This should be put in on pfsense, on the VPN->openVPN server tab. Edit the server you have set up and at the bottom there is a custom options box. The server should then "push" this to the client when the client initiates the link.

    It works fine for me using an XP client

    My client config is:-

    port 1194
    dev tun
    dev-node OpenVPN
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    ping 30
    dhcp-option DNS 192.168.1.1
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert timh2.crt
    key timh2.key
    ns-cert-type server
    comp-lzo
    pull

    My server config:-

    <openvpnserver>
      <config>
        <disable/>
        <protocol>UDP</protocol>
        <dynamic_ip>on</dynamic_ip>
        <local_port>1194</local_port>
        <addresspool>192.168.20.0/24</addresspool>
        <nopool/>
        <local_network>192.168.1.0/24</local_network>
        <remote_network/>
        <client2client>on</client2client>
        <crypto>BF-CBC</crypto>
        <auth_method>pki</auth_method>
        <shared_key/>
        <ca_cert>yyyyyyyyyy</ca_cert>
        <server_cert>yyyyyyyyyyyy</server_cert>
        <server_key>yyyyyyyyyyyyyyy</server_key>
        <dh_params>yyyyyyyyyyyyyyyyyyyyyyyyy</dh_params>
        <crl>yyyyyyyyyyyyyyyyyyy</crl>
        <use_lzo>on</use_lzo>
        <custom_options>push "route 192.168.1.0 255.255.255.0 vpn_gateway";route 192.168.20.0 255.255.255.0;push "route 192.168.1.0 255.255.255.0 vpn_gateway";management 192.168.1.180 7506</custom_options>
        <description>MainVPN (1194)</description>
      </config>
    </openvpnserver>



  • Are you remembering to run the OpenVPN client as Administrator (right click, Run as Administrator)?



  • You don't need to add the
    push "route 192.168.222.0 255.255.255.0 vpn_gateway";
    to your custom commands.

    The field
    Local network: 192.168.222.0/24
    already does that.

    Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
    Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
    Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
    Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
    Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed

    It's a Vista problem.
    Are you sure you HAVE to use Vista for this?

    If you use google you find this:
    http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/

    The solution is there described.

    added to Vista Config for *.ovpn
    route-method exe
    mssfix 1200
    route-delay 2

    Are you really sure that the file with these changes gets used?
    Your log shows that OpenVPN still tries to add the routes with route-method ipapi, which obviously fails with Vista.
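The diagnosis in the post above (route additions failing through IPAPI even though the tunnel reports "Initialization Sequence Completed", and the suspicion that the edited *.ovpn file is not the one the GUI loads) can be automated. The following is an added example, not code from the thread or from the OpenVPN project: it parses the client log lines quoted earlier, reads the route-method option out of a client config, and reports whether the config is even being applied. The log and config samples are constructed from the text of this thread; the verdict strings and function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the client-log lines quoted earlier in this thread.
SAMPLE_LOG = """\
Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed
"""

# Constructed sample input: the three lines the original poster added to the *.ovpn file.
SAMPLE_CONFIG = """\
route-method exe
mssfix 1200
route-delay 2
"""

ROUTE_ADD_RE = re.compile(r"\broute ADD (\S+) MASK (\S+) (\S+)")
IPAPI_FAIL_RE = re.compile(r"Route addition via IPAPI failed")
COMPLETED_RE = re.compile(r"Initialization Sequence Completed")


def parse_log(text: str) -> Dict:
    """Pull the route attempts, IPAPI failures and completion marker out of a client log."""
    routes: List[Tuple[str, str, str]] = []
    ipapi_failures = 0
    completed = False
    for line in text.splitlines():
        m = ROUTE_ADD_RE.search(line)
        if m:
            routes.append(m.groups())          # (destination, netmask, gateway)
        if IPAPI_FAIL_RE.search(line):
            ipapi_failures += 1
        if COMPLETED_RE.search(line):
            completed = True
    return {"routes": routes, "ipapi_failures": ipapi_failures, "completed": completed}


def route_method(config_text: str) -> Optional[str]:
    """Return the value of 'route-method' in a client config, or None if it is not set
    (in which case the client falls back to its built-in default)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # skip blank lines and comments
            continue
        tokens = line.split()
        if tokens[0] == "route-method" and len(tokens) > 1:
            return tokens[1]
    return None


def diagnose(log_text: str, config_text: str) -> Tuple[str, List[str]]:
    """Combine log and config into one verdict plus human-readable findings."""
    log = parse_log(log_text)
    method = route_method(config_text)
    findings: List[str] = []
    if log["ipapi_failures"] == 0:
        return "ok", findings
    if log["completed"]:
        findings.append("tunnel came up but routes were not installed: "
                        "expect an IP address and no reachability past the tunnel endpoint")
    for dest, mask, gw in log["routes"]:
        findings.append(f"failed route: {dest}/{mask} via {gw}")
    if method == "exe":
        # Config already asks for route.exe, yet the log shows IPAPI attempts:
        # the running client is not reading this file (the point made in the post above).
        findings.append("config selects route-method exe but the log shows IPAPI attempts: "
                        "the GUI is not loading this config file")
        return "config-not-applied", findings
    findings.append("add 'route-method exe' and 'route-delay 2' to the client config "
                    "and run the OpenVPN GUI as Administrator")
    return "route-method", findings


if __name__ == "__main__":
    verdict, notes = diagnose(SAMPLE_LOG, SAMPLE_CONFIG)
    print(verdict)
    for n in notes:
        print(" -", n)
```

Run against the thread's own log and config it reports "config-not-applied", which is exactly the question the post asks; against the same log with a config that lacks the option it reports "route-method".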



  • I'll come back to the Vista testing in a bit and post any changes after testing.

    In the interim, I grabbed an XP box, removed the custom config statement ("push "route 192.168.222.0 255.255.255.0 vpn_gateway""), and tried connecting via OpenVPN.  I was able to connect without a "route addition failure" error, and received an IP address (192.168.124.6).  Initially I could not ping anything on the production LAN, but soon realized that those production boxes weren't pointing at pfSense (*.248) for the gateway, and were instead pointing their gateway at *.1, which had no knowledge of the *.248.  After changing one to point at *.248, I was able to ping it from my OpenVPN client at 192.168.124.6, as well as TS/RDP into it.

    So that's a big improvement - and thanks to everyone who helped!  As I said, I'll keep hammering away at Vista and let you know what I find.



  • All you need to do for Vista is run it as an administrator
    and download the openvpn-2.1_rc4-install

    version. I have this running on this laptop and on 2 other Vista machines with no problems.

    My config also looks like this; I have it running on 15 or so clients with a road warrior setup

    float
    port 1195
    dev tun
    dev-node vpn
    #dev-node vpn <-vpn is the name of the renamed interface
    proto tcp-client
    remote 12.34.56.78 1195
    remote 87.65.54.43 1195
    resolv-retry 30
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert user.crt
    key user.key
    ns-cert-type server
    #comp-lzo <- to enable remove the #
    pull
    verb 4



  • I'm running Vista and since I didn't want to install the RC I got it running adding these lines to the OpenVPN client configuration:

    route-method exe
    route-delay 2

    That did it for me.

