PFSense 2.2.4 + OpenVPN 2.3.8: LAN Access Problems



  • Dear all,

    Would you be so kind and take a look at this, please? I get frequent Request Timed Out responses when pinging pfSense's LAN port or LAN devices behind pfSense from my OpenVPN client. In approx. 40% of cases I get a correct ping reply from the LAN, and in approx. 60% I get Request timed out. I also cannot access any pfSense LAN resources, PCs, Windows Shared Folders, etc. I have read many threads, but I cannot find any similarities with my case.

    Here are the key remarks:

    • I had no difficulties creating and establishing OpenVPN connection and I have received no error messages.

    • I have not implemented any push "route x.x.x.x"; commands yet.

    • My network topology is: ISP Router with public IP -> pfSense behind NAT and Port Forwarding -> pfSense LAN PC(172.20.20.241)

    • -> OpenVPN client (Tunnel IP: 172.21.20.6, Private IP: 192.168.178.3)

    • From the pfSense LAN PC I cannot ping or access the OpenVPN client through the VPN tunnel IP address (172.21.20.6), but I can ping and access the same device internally through the IP address granted by the ISP router (192.168.178.3)

    • From the OpenVPN client I can ping the pfSense server through the pfSense LAN IP (172.20.20.1), with frequent timeouts

    • Firewall rules are unchanged, as they were set by the OpenVPN wizard

    Pinging device on pfSense's LAN from OpenVPN client ( "ping 172.20.20.241 -t" ):

    C:\Users\Bunka>ping 172.20.20.241 -t
    
    Pinging 172.20.20.241 with 32 bytes of data:
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=6ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=3ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=4ms TTL=254
    Reply from 172.20.20.241: bytes=32 time=2ms TTL=254
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    

    Pinging pfSense's LAN port from OpenVPN client ( "ping 172.20.20.1 -t" ):

    Request timed out.
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time=1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 172.20.20.1: bytes=32 time=1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time=1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time=1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Reply from 172.20.20.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    
    

    Pinging TAP-Windows Adapter V9 virtual port of the OpenVPN client ( "ping 172.21.20.6 -t" ):

    C:\Users\Bunka>ping 172.21.20.6 -t
    
    Pinging 172.21.20.6 with 32 bytes of data:
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    Reply from 172.21.20.6: bytes=32 time<1ms TTL=128
    
    

    Pinging pfSense OpenVPN Server through TAP-Windows Adapter V9 and IPv4 Tunnel Network from the OpenVPN client ( "ping 172.21.20.5 -t" ):

    
    C:\Users\Bunka>ping 172.21.20.5 -t
    
    Pinging 172.21.20.5 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    

    config.ovpn:

    
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote publicIpAddress.com 1194 udp
    lport 0
    verify-x509-name "ServerCert" name
    auth-user-pass
    pkcs12 firewall-udp-1194-xxx.p12
    tls-auth firewall-udp-1194-xxx-tls.key 1
    ns-cert-type server
    
    

    config.log:

    
    Sat Sep 05 22:57:24 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sat Sep 05 22:57:24 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Sat Sep 05 22:57:43 2015 Control Channel Authentication: using 'firewall-udp-1194-xxx-tls.key' as a OpenVPN static key file
    Sat Sep 05 22:57:43 2015 UDPv4 link local (bound): [undef]
    Sat Sep 05 22:57:43 2015 UDPv4 link remote: [AF_INET]00.000.000.0:1194
    Sat Sep 05 22:57:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Sep 05 22:57:43 2015 [FileResortServerCert] Peer Connection Initiated with [AF_INET]00.000.000.0:1194
    Sat Sep 05 22:57:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Sep 05 22:57:45 2015 open_tun, tt->ipv6=0
    Sat Sep 05 22:57:45 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{564547DE-B3DF-4B0D-BBDA-AFF09687989E}.tap
    Sat Sep 05 22:57:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.21.20.6/255.255.255.252 on interface {564547DE-B3DF-4B0D-BBDA-AFF09687989E} [DHCP-serv: 172.21.20.5, lease-time: 31536000]
    Sat Sep 05 22:57:45 2015 Successful ARP Flush on interface [8] {564547DE-B3DF-4B0D-BBDA-AFF09687989E}
    Sat Sep 05 22:57:50 2015 Initialization Sequence Completed
    Sat Sep 05 22:59:40 2015 [FileResortServerCert] Inactivity timeout (--ping-restart), restarting
    Sat Sep 05 22:59:40 2015 SIGUSR1[soft,ping-restart] received, process restarting
    Sat Sep 05 22:59:42 2015 UDPv4 link local (bound): [undef]
    Sat Sep 05 22:59:42 2015 UDPv4 link remote: [AF_INET]00.000.000.0:1194
    Sat Sep 05 22:59:42 2015 [FileResortServerCert] Peer Connection Initiated with [AF_INET]00.000.000.0:1194
    Sat Sep 05 22:59:44 2015 Preserving previous TUN/TAP instance: Ethernet 2
    Sat Sep 05 22:59:44 2015 Initialization Sequence Completed
    
    

    Routing Table from the OpenVPN client

    
    C:\Users\Bunka>route print
    ===========================================================================
    Interface List
     17...94 de 80 a1 e2 d7 ......Intel(R) Ethernet Connection I217-LM
      8...00 ff 56 45 47 de ......TAP-Windows Adapter V9
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     14...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
     10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.178.1    192.168.178.3    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          172.20.20.0    255.255.254.0      172.21.20.5      172.21.20.6     20
          172.21.20.1  255.255.255.255      172.21.20.5      172.21.20.6     20
          172.21.20.4  255.255.255.252         On-link       172.21.20.6    276
          172.21.20.6  255.255.255.255         On-link       172.21.20.6    276
          172.21.20.7  255.255.255.255         On-link       172.21.20.6    276
        192.168.178.0    255.255.255.0         On-link     192.168.178.3    266
        192.168.178.3  255.255.255.255         On-link     192.168.178.3    266
      192.168.178.255  255.255.255.255         On-link     192.168.178.3    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       172.21.20.6    276
            224.0.0.0        240.0.0.0         On-link     192.168.178.3    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       172.21.20.6    276
      255.255.255.255  255.255.255.255         On-link     192.168.178.3    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    192.168.178.1  Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      8    276 fe80::/64                On-link
      8    276 fe80::5941:674c:b441:e844/128
                                        On-link
      1    306 ff00::/8                 On-link
      8    276 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    
    

    "ipconfig /all" from the OpenVPN client

    
    C:\Users\Bunka>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : DESKTOP001
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
    
    Ethernet adapter Ethernet:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
       Physical Address. . . . . . . . . : 94-DE-80-A1-E2-D7
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.178.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.178.1
       DNS Servers . . . . . . . . . . . : 192.168.178.1
                                           8.8.8.8
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Ethernet adapter Ethernet 2:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-56-45-47-DE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5941:674c:b441:e844%8(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.21.20.6(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Lease Obtained. . . . . . . . . . : Samstag, 5. September 2015 22:57:45
       Lease Expires . . . . . . . . . . : Sonntag, 4. September 2016 22:57:45
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 172.21.20.5
       DHCPv6 IAID . . . . . . . . . . . : 218169174
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-4F-0C-26-94-DE-80-A1-E2-D7
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{564547DE-B3DF-4B0D-BBDA-AFF09687989E}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{E9E8776D-3514-40A3-8251-705E4A715A2A}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\Bunka>
    
    

    Please, tell me if you need more information. Thank you very much.
    ![TAP-Windows Adapter V9.PNG](/public/imported_attachments/1/TAP-Windows Adapter V9.PNG)
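Added example, not part of the original post: a Python helper that reads an OpenVPN client log in the format shown above and measures how long each tunnel session lasted before an `Inactivity timeout (--ping-restart)` event, so repeated restarts at a near-constant interval stand out. The sample log is constructed (its first cycle follows the timestamps in the posted log; the peer name, address and later lines are placeholders), and `PERIODIC_TOLERANCE` is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample modelled on the client log format in the post.
# Peer name and address are placeholders; the second cycle is invented
# to illustrate repeated restarts.
SAMPLE_LOG = """\
Sat Sep 05 22:57:43 2015 [ServerCert] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
Sat Sep 05 22:57:50 2015 Initialization Sequence Completed
Sat Sep 05 22:59:40 2015 [ServerCert] Inactivity timeout (--ping-restart), restarting
Sat Sep 05 22:59:40 2015 SIGUSR1[soft,ping-restart] received, process restarting
Sat Sep 05 22:59:44 2015 us=120001 Initialization Sequence Completed
Sat Sep 05 23:01:34 2015 us=500000 [ServerCert] Inactivity timeout (--ping-restart), restarting
Enter Management Password:
Sat Sep 05 23:01:38 2015 Initialization Sequence Completed
"""

# Timestamp, optional "us=<microseconds>" field (present at verb 4+), message.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r"(?: us=\d+)? (?P<msg>.*)$"
)

# Assumed threshold: uptimes within this many seconds count as "periodic".
PERIODIC_TOLERANCE = 10


def parse_events(log_text):
    """Return [(timestamp, 'up' | 'down'), ...] in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prompts such as "Enter Management Password:"
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        if msg.startswith("Initialization Sequence Completed"):
            events.append((ts, "up"))
        elif "Inactivity timeout (--ping-restart)" in msg:
            events.append((ts, "down"))
    return events


def flap_report(log_text):
    """Summarise tunnel uptime and downtime between ping-restart events."""
    uptimes, downtimes = [], []
    up_since = down_since = None
    for ts, kind in parse_events(log_text):
        if kind == "up":
            if down_since is not None:
                downtimes.append((ts - down_since).total_seconds())
                down_since = None
            up_since = ts
        elif kind == "down" and up_since is not None:
            uptimes.append((ts - up_since).total_seconds())
            up_since, down_since = None, ts
    periodic = (
        len(uptimes) >= 2
        and max(uptimes) - min(uptimes) <= PERIODIC_TOLERANCE
    )
    return {
        "restarts": len(uptimes),
        "uptimes": uptimes,        # seconds each session stayed up
        "downtimes": downtimes,    # seconds until the tunnel was back
        "still_up": up_since is not None,
        "periodic": periodic,
    }


if __name__ == "__main__":
    for key, value in flap_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The report only measures the restart pattern; it does not say why the peer stopped answering keepalives.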



  • No trouble here with combination of pfSense 2.2.4 + OpenVPN 2.3.8.

    config.ovpn

    
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote <fqdn> 1194 udp
    #tls-remote OpenVPN Server Certificate
    verify-x509-name "OpenVPN Server Certificate" name
    #x509-username-field CN
    auth-user-pass
    pkcs12 pfsense-udp-1194-XXX.p12
    tls-auth pfsense-udp-1194-XXX-tls.key 1
    ns-cert-type server
    comp-lzo
    

    Connection Log

    
    Sat Sep 05 17:44:23 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sat Sep 05 17:44:23 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Sat Sep 05 17:44:28 2015 Control Channel Authentication: using 'pfsense-udp-1194-XXX-tls.key' as a OpenVPN static key file
    Sat Sep 05 17:44:29 2015 UDPv4 link local (bound): [undef]
    Sat Sep 05 17:44:29 2015 UDPv4 link remote: [AF_INET]publicIpAddress:1194
    Sat Sep 05 17:44:29 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Sep 05 17:44:38 2015 [OpenVPN Server Certificate] Peer Connection Initiated with [AF_INET]publicIpAddress:1194
    Sat Sep 05 17:44:40 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Sep 05 17:44:40 2015 open_tun, tt->ipv6=0
    Sat Sep 05 17:44:40 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{CD4C1995-6265-4B92-A5DA-BC983BAD3F9F}.tap
    Sat Sep 05 17:44:40 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.22.0/192.168.22.2/255.255.255.0 [SUCCEEDED]
    Sat Sep 05 17:44:40 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.22.2/255.255.255.0 on interface {CD4C1995-6265-4B92-A5DA-BC983BAD3F9F} [DHCP-serv: publicIpAddress, lease-time: 31536000]
    Sat Sep 05 17:44:40 2015 Successful ARP Flush on interface [13] {CD4C1995-6265-4B92-A5DA-BC983BAD3F9F}
    Sat Sep 05 17:44:45 2015 Initialization Sequence Completed
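Added example, not from either poster: a Python sketch that compares the two client configs posted in this thread directive by directive, masking values that are expected to differ per site (server address, file names, certificate name). The `SITE_SPECIFIC` table is an assumption of this example; the config text is copied from the two posts.

```python
import shlex

# Client config from the first post (intermittent connectivity).
FAILING = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote publicIpAddress.com 1194 udp
lport 0
verify-x509-name "ServerCert" name
auth-user-pass
pkcs12 firewall-udp-1194-xxx.p12
tls-auth firewall-udp-1194-xxx-tls.key 1
ns-cert-type server
"""

# Client config from the reply (working setup).
WORKING = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote <fqdn> 1194 udp
#tls-remote OpenVPN Server Certificate
verify-x509-name "OpenVPN Server Certificate" name
#x509-username-field CN
auth-user-pass
pkcs12 pfsense-udp-1194-XXX.p12
tls-auth pfsense-udp-1194-XXX-tls.key 1
ns-cert-type server
comp-lzo
"""

# Assumption of this example: number of leading arguments per directive
# that are site-specific and should not count as a difference.
SITE_SPECIFIC = {"remote": 1, "pkcs12": 1, "tls-auth": 1, "verify-x509-name": 1}


def parse_config(text):
    """Map directive name -> list of argument tuples (directives may repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out directive
        tokens = shlex.split(line, comments=True)  # honours "quoted args"
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        masked = SITE_SPECIFIC.get(name, 0)
        args = ["*"] * min(masked, len(args)) + args[masked:]
        directives.setdefault(name, []).append(tuple(args))
    return directives


def diff_configs(a_text, b_text):
    """Return directives only in A, only in B, and those with differing args."""
    a, b = parse_config(a_text), parse_config(b_text)
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "changed": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]},
    }


if __name__ == "__main__":
    result = diff_configs(FAILING, WORKING)
    print("only in failing config:", result["only_a"])
    print("only in working config:", result["only_b"])
    print("different arguments:   ", result["changed"])
```

The diff lists `auth` and `lport` only in the first config and `comp-lzo` only in the second. `auth SHA1` is the OpenVPN 2.3 default, and `comp-lzo` has to agree with the server's compression setting, which the thread does not show.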
    


  • Hi NOYB,

    thank you very much for your samples, I have something to try and change on my side. Did you have to push any explicit route 'push "route x.x.x.x x.x.x.x";', please? None of the tutorials and videos I have seen did that, therefore I haven't done it either.  Thanks again for your help.

    Regards,



  • Hi all,

    additionally, I am pasting the VPN client config.log with 'verb 5' for more detailed information. Please be aware that I have made some private IP addressing changes, so the IP addresses will not match the samples above.

    
    Sun Sep 06 11:40:21 2015 us=374408 Current Parameter Settings:
    Sun Sep 06 11:40:21 2015 us=374408   config = 'firewall-udp-1194-xxx-config.ovpn'
    Sun Sep 06 11:40:21 2015 us=374408   mode = 0
    Sun Sep 06 11:40:21 2015 us=374408   show_ciphers = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   show_digests = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   show_engines = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   genkey = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   key_pass_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   show_tls_ciphers = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408 Connection profiles [default]:
    Sun Sep 06 11:40:21 2015 us=374408   proto = udp
    Sun Sep 06 11:40:21 2015 us=374408   local = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   local_port = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote = <fqdn>
    Sun Sep 06 11:40:21 2015 us=374408   remote_port = 1194
    Sun Sep 06 11:40:21 2015 us=374408   remote_float = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   bind_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   bind_local = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   connect_retry_seconds = 5
    Sun Sep 06 11:40:21 2015 us=374408   connect_timeout = 10
    Sun Sep 06 11:40:21 2015 us=374408   connect_retry_max = 0
    Sun Sep 06 11:40:21 2015 us=374408   socks_proxy_server = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   socks_proxy_port = 0
    Sun Sep 06 11:40:21 2015 us=374408   socks_proxy_retry = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tun_mtu = 1500
    Sun Sep 06 11:40:21 2015 us=374408   tun_mtu_defined = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   link_mtu = 1500
    Sun Sep 06 11:40:21 2015 us=374408   link_mtu_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tun_mtu_extra = 0
    Sun Sep 06 11:40:21 2015 us=374408   tun_mtu_extra_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   mtu_discover_type = -1
    Sun Sep 06 11:40:21 2015 us=374408   fragment = 0
    Sun Sep 06 11:40:21 2015 us=374408   mssfix = 1450
    Sun Sep 06 11:40:21 2015 us=374408   explicit_exit_notification = 0
    Sun Sep 06 11:40:21 2015 us=374408 Connection profiles END
    Sun Sep 06 11:40:21 2015 us=374408   remote_random = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ipchange = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   dev = 'tun'
    Sun Sep 06 11:40:21 2015 us=374408   dev_type = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   dev_node = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   lladdr = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   topology = 1
    Sun Sep 06 11:40:21 2015 us=374408   tun_ipv6 = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_local = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_remote_netmask = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_noexec = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_nowarn = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_local = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_netbits = 0
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_remote = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   shaper = 0
    Sun Sep 06 11:40:21 2015 us=374408   mtu_test = 0
    Sun Sep 06 11:40:21 2015 us=374408   mlock = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   keepalive_ping = 0
    Sun Sep 06 11:40:21 2015 us=374408   keepalive_timeout = 0
    Sun Sep 06 11:40:21 2015 us=374408   inactivity_timeout = 0
    Sun Sep 06 11:40:21 2015 us=374408   ping_send_timeout = 0
    Sun Sep 06 11:40:21 2015 us=374408   ping_rec_timeout = 0
    Sun Sep 06 11:40:21 2015 us=374408   ping_rec_timeout_action = 0
    Sun Sep 06 11:40:21 2015 us=374408   ping_timer_remote = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   remap_sigusr1 = 0
    Sun Sep 06 11:40:21 2015 us=374408   persist_tun = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   persist_local_ip = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   persist_remote_ip = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   persist_key = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   passtos = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   resolve_retry_seconds = 1000000000
    Sun Sep 06 11:40:21 2015 us=374408   username = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   groupname = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   chroot_dir = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   cd_dir = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   writepid = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   up_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   down_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   down_pre = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   up_restart = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   up_delay = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   daemon = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   inetd = 0
    Sun Sep 06 11:40:21 2015 us=374408   log = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   suppress_timestamps = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   nice = 0
    Sun Sep 06 11:40:21 2015 us=374408   verbosity = 5
    Sun Sep 06 11:40:21 2015 us=374408   mute = 0
    Sun Sep 06 11:40:21 2015 us=374408   status_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   status_file_version = 1
    Sun Sep 06 11:40:21 2015 us=374408   status_file_update_freq = 60
    Sun Sep 06 11:40:21 2015 us=374408   occ = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   rcvbuf = 0
    Sun Sep 06 11:40:21 2015 us=374408   sndbuf = 0
    Sun Sep 06 11:40:21 2015 us=374408   sockflags = 0
    Sun Sep 06 11:40:21 2015 us=374408   fast_io = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   lzo = 0
    Sun Sep 06 11:40:21 2015 us=374408   route_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   route_default_gateway = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   route_default_metric = 0
    Sun Sep 06 11:40:21 2015 us=374408   route_noexec = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   route_delay = 5
    Sun Sep 06 11:40:21 2015 us=374408   route_delay_window = 30
    Sun Sep 06 11:40:21 2015 us=374408   route_delay_defined = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   route_nopull = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   route_gateway_via_dhcp = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   max_routes = 100
    Sun Sep 06 11:40:21 2015 us=374408   allow_pull_fqdn = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   management_addr = '127.0.0.1'
    Sun Sep 06 11:40:21 2015 us=374408   management_port = 25340
    Sun Sep 06 11:40:21 2015 us=374408   management_user_pass = 'stdin'
    Sun Sep 06 11:40:21 2015 us=374408   management_log_history_cache = 250
    Sun Sep 06 11:40:21 2015 us=374408   management_echo_buffer_size = 100
    Sun Sep 06 11:40:21 2015 us=374408   management_write_peer_info_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   management_client_user = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   management_client_group = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   management_flags = 6
    Sun Sep 06 11:40:21 2015 us=374408   shared_secret_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   key_direction = 2
    Sun Sep 06 11:40:21 2015 us=374408   ciphername_defined = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   ciphername = 'AES-256-CBC'
    Sun Sep 06 11:40:21 2015 us=374408   authname_defined = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   authname = 'SHA1'
    Sun Sep 06 11:40:21 2015 us=374408   prng_hash = 'SHA1'
    Sun Sep 06 11:40:21 2015 us=374408   prng_nonce_secret_len = 16
    Sun Sep 06 11:40:21 2015 us=374408   keysize = 0
    Sun Sep 06 11:40:21 2015 us=374408   engine = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   replay = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   mute_replay_warnings = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   replay_window = 64
    Sun Sep 06 11:40:21 2015 us=374408   replay_time = 15
    Sun Sep 06 11:40:21 2015 us=374408   packet_id_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   use_iv = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   test_crypto = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tls_server = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tls_client = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   key_method = 2
    Sun Sep 06 11:40:21 2015 us=374408   ca_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ca_path = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   dh_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   cert_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   priv_key_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   pkcs12_file = 'firewall-udp-1194-xxx.p12'
    Sun Sep 06 11:40:21 2015 us=374408   cryptoapi_cert = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   cipher_list = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   tls_verify = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   tls_export_cert = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   verify_x509_type = 2
    Sun Sep 06 11:40:21 2015 us=374408   verify_x509_name = 'ServerCert'
    Sun Sep 06 11:40:21 2015 us=374408   crl_file = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ns_cert_type = 1
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_ku[i] = 0
    Sun Sep 06 11:40:21 2015 us=374408   remote_cert_eku = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ssl_flags = 0
    Sun Sep 06 11:40:21 2015 us=374408   tls_timeout = 2
    Sun Sep 06 11:40:21 2015 us=374408   renegotiate_bytes = 0
    Sun Sep 06 11:40:21 2015 us=374408   renegotiate_packets = 0
    Sun Sep 06 11:40:21 2015 us=374408   renegotiate_seconds = 3600
    Sun Sep 06 11:40:21 2015 us=374408   handshake_window = 60
    Sun Sep 06 11:40:21 2015 us=374408   transition_window = 3600
    Sun Sep 06 11:40:21 2015 us=374408   single_session = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   push_peer_info = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tls_exit = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tls_auth_file = 'firewall-udp-1194-xxx-tls.key'
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_protected_authentication = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_private_mode = 00000000
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_cert_private = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_pin_cache_period = -1
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_id = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   pkcs11_id_management = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   server_network = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   server_netmask = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   server_network_ipv6 = ::
    Sun Sep 06 11:40:21 2015 us=374408   server_netbits_ipv6 = 0
    Sun Sep 06 11:40:21 2015 us=374408   server_bridge_ip = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   server_bridge_netmask = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   server_bridge_pool_start = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   server_bridge_pool_end = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_start = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_end = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_netmask = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_persist_filename = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_pool_persist_refresh_freq = 600
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_pool_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_pool_base = ::
    Sun Sep 06 11:40:21 2015 us=374408   ifconfig_ipv6_pool_netbits = 0
    Sun Sep 06 11:40:21 2015 us=374408   n_bcast_buf = 256
    Sun Sep 06 11:40:21 2015 us=374408   tcp_queue_limit = 64
    Sun Sep 06 11:40:21 2015 us=374408   real_hash_size = 256
    Sun Sep 06 11:40:21 2015 us=374408   virtual_hash_size = 256
    Sun Sep 06 11:40:21 2015 us=374408   client_connect_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   learn_address_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   client_disconnect_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   client_config_dir = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   ccd_exclusive = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   tmp_dir = 'C:\Users\Bunka\AppData\Local\Temp\'
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_local = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_remote_netmask = 0.0.0.0
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_ipv6_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_ipv6_local = ::/0
    Sun Sep 06 11:40:21 2015 us=374408   push_ifconfig_ipv6_remote = ::
    Sun Sep 06 11:40:21 2015 us=374408   enable_c2c = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   duplicate_cn = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   cf_max = 0
    Sun Sep 06 11:40:21 2015 us=374408   cf_per = 0
    Sun Sep 06 11:40:21 2015 us=374408   max_clients = 1024
    Sun Sep 06 11:40:21 2015 us=374408   max_routes_per_client = 256
    Sun Sep 06 11:40:21 2015 us=374408   auth_user_pass_verify_script = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   auth_user_pass_verify_script_via_file = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   client = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   pull = ENABLED
    Sun Sep 06 11:40:21 2015 us=374408   auth_user_pass_file = 'stdin'
    Sun Sep 06 11:40:21 2015 us=374408   show_net_up = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   route_method = 0
    Sun Sep 06 11:40:21 2015 us=374408   ip_win32_defined = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   ip_win32_type = 3
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_masq_offset = 0
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_lease_time = 31536000
    Sun Sep 06 11:40:21 2015 us=374408   tap_sleep = 0
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_options = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_renew = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_pre_release = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   dhcp_release = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408   domain = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   netbios_scope = '[UNDEF]'
    Sun Sep 06 11:40:21 2015 us=374408   netbios_node_type = 0
    Sun Sep 06 11:40:21 2015 us=374408   disable_nbt = DISABLED
    Sun Sep 06 11:40:21 2015 us=374408 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sun Sep 06 11:40:21 2015 us=374408 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Sun Sep 06 11:40:21 2015 us=374408 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Sep 06 11:40:21 2015 us=374408 Need hold release from management interface, waiting...
    Sun Sep 06 11:40:21 2015 us=885577 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Sep 06 11:40:21 2015 us=994954 MANAGEMENT: CMD 'state on'
    Sun Sep 06 11:40:21 2015 us=994954 MANAGEMENT: CMD 'log all on'
    Sun Sep 06 11:40:22 2015 us=166818 MANAGEMENT: CMD 'hold off'
    Sun Sep 06 11:40:22 2015 us=166818 MANAGEMENT: CMD 'hold release'
    Sun Sep 06 11:40:45 2015 us=476516 MANAGEMENT: CMD 'username "Auth" "xxx"'
    Sun Sep 06 11:40:45 2015 us=507754 MANAGEMENT: CMD 'password [...]'
    Sun Sep 06 11:40:45 2015 us=570253 Control Channel Authentication: using 'firewall-udp-1194-xxx-tls.key' as a OpenVPN static key file
    Sun Sep 06 11:40:45 2015 us=570253 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 06 11:40:45 2015 us=570253 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 06 11:40:45 2015 us=570253 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:3 ]
    Sun Sep 06 11:40:45 2015 us=570253 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Sep 06 11:40:45 2015 us=570253 MANAGEMENT: >STATE:1441532445,RESOLVE,,,
    Sun Sep 06 11:40:45 2015 us=585888 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:12 ET:0 EL:3 ]
    Sun Sep 06 11:40:45 2015 us=585888 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Sun Sep 06 11:40:45 2015 us=585888 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Sun Sep 06 11:40:45 2015 us=585888 Local Options hash (VER=V4): 'ed844052'
    Sun Sep 06 11:40:45 2015 us=585888 Expected Remote Options hash (VER=V4): '8a244582'
    Sun Sep 06 11:40:45 2015 us=585888 UDPv4 link local (bound): [undef]
    Sun Sep 06 11:40:45 2015 us=585888 UDPv4 link remote: [AF_INET]00.000.000.0:1194
    Sun Sep 06 11:40:45 2015 us=585888 MANAGEMENT: >STATE:1441532445,WAIT,,,
    Sun Sep 06 11:40:45 2015 us=585888 MANAGEMENT: >STATE:1441532445,AUTH,,,
    Sun Sep 06 11:40:45 2015 us=585888 TLS: Initial packet from [AF_INET]00.000.000.0:1194, sid=a3605d5d bd3315b4
    Sun Sep 06 11:40:45 2015 us=585888 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun Sep 06 11:40:45 2015 us=617144 VERIFY OK: depth=1, C=SK, ST=ST, L=L, O=Organisation, emailAddress=email@email.com, CN=MyCA
    Sun Sep 06 11:40:45 2015 us=617144 VERIFY OK: nsCertType=SERVER
    Sun Sep 06 11:40:45 2015 us=617144 VERIFY X509NAME OK: C=SK, ST=ST, L=L, O=Organisation, emailAddress=email@email.com, CN=ServerCert
    Sun Sep 06 11:40:45 2015 us=617144 VERIFY OK: depth=0, C=SK, ST=ST, L=L, O=Organisation, emailAddress=email@email.com, CN=ServerCert
    Sun Sep 06 11:40:45 2015 us=664018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Sep 06 11:40:45 2015 us=664018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 06 11:40:45 2015 us=664018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Sep 06 11:40:45 2015 us=664018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Sep 06 11:40:45 2015 us=664018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sun Sep 06 11:40:45 2015 us=664018 [ServerCert] Peer Connection Initiated with [AF_INET]00.000.000.0:1194
    Sun Sep 06 11:40:46 2015 us=798997 MANAGEMENT: >STATE:1441532446,GET_CONFIG,,,
    Sun Sep 06 11:40:47 2015 us=924012 SENT CONTROL [ServerCert]: 'PUSH_REQUEST' (status=1)
    Sun Sep 06 11:40:47 2015 us=924012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.168.0 255.255.255.0,route 192.168.169.0 255.255.255.0,route 192.168.178.1 255.255.255.0,route 192.168.188.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.188.6 192.168.188.5'
    Sun Sep 06 11:40:47 2015 us=924012 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Sep 06 11:40:47 2015 us=924012 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Sep 06 11:40:47 2015 us=924012 OPTIONS IMPORT: route options modified
    Sun Sep 06 11:40:47 2015 us=924012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sun Sep 06 11:40:47 2015 us=924012 MANAGEMENT: >STATE:1441532447,ASSIGN_IP,,192.168.188.6,
    Sun Sep 06 11:40:47 2015 us=924012 open_tun, tt->ipv6=0
    Sun Sep 06 11:40:47 2015 us=924012 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{04E863BA-8478-4818-BC9A-9DC0BF6CB04E}.tap
    Sun Sep 06 11:40:47 2015 us=924012 TAP-Windows Driver Version 9.21 
    Sun Sep 06 11:40:47 2015 us=924012 TAP-Windows MTU=1500
    Sun Sep 06 11:40:47 2015 us=939639 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.188.6/255.255.255.252 on interface {04E863BA-8478-4818-BC9A-9DC0BF6CB04E} [DHCP-serv: 192.168.188.5, lease-time: 31536000]
    Sun Sep 06 11:40:47 2015 us=939639 Successful ARP Flush on interface [8] {04E863BA-8478-4818-BC9A-9DC0BF6CB04E}
    Sun Sep 06 11:40:53 2015 us=89982 TEST ROUTES: 4/4 succeeded len=4 ret=1 a=0 u/d=up
    Sun Sep 06 11:40:53 2015 us=89982 MANAGEMENT: >STATE:1441532453,ADD_ROUTES,,,
    Sun Sep 06 11:40:53 2015 us=89982 C:\Windows\system32\route.exe ADD 192.168.168.0 MASK 255.255.255.0 192.168.188.5
    Sun Sep 06 11:40:53 2015 us=89982 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Sun Sep 06 11:40:53 2015 us=89982 Route addition via IPAPI succeeded [adaptive]
    Sun Sep 06 11:40:53 2015 us=89982 C:\Windows\system32\route.exe ADD 192.168.169.0 MASK 255.255.255.0 192.168.188.5
    Sun Sep 06 11:40:53 2015 us=89982 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Sun Sep 06 11:40:53 2015 us=89982 Route addition via IPAPI succeeded [adaptive]
    Sun Sep 06 11:40:53 2015 us=89982 C:\Windows\system32\route.exe ADD 192.168.178.1 MASK 255.255.255.0 192.168.188.5
    Sun Sep 06 11:40:53 2015 us=105596 Warning: address 192.168.178.1 is not a network address in relation to netmask 255.255.255.0
    Sun Sep 06 11:40:53 2015 us=105596 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.   [status=87 if_index=8]
    Sun Sep 06 11:40:53 2015 us=105596 Route addition via IPAPI failed [adaptive]
    Sun Sep 06 11:40:53 2015 us=105596 Route addition fallback to route.exe
    Sun Sep 06 11:40:53 2015 us=105596 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Sun Sep 06 11:40:53 2015 us=152471 C:\Windows\system32\route.exe ADD 192.168.188.1 MASK 255.255.255.255 192.168.188.5
    Sun Sep 06 11:40:53 2015 us=152471 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Sun Sep 06 11:40:53 2015 us=152471 Route addition via IPAPI succeeded [adaptive]
    Sun Sep 06 11:40:53 2015 us=152471 Initialization Sequence Completed
    Sun Sep 06 11:40:53 2015 us=152471 MANAGEMENT: >STATE:1441532453,CONNECTED,SUCCESS,192.168.188.6,00.000.000.0
    


  • No, I did not push any routes.  Pretty plain, straightforward setup.






  • Hi Noyb,

    Thank you for your screenshots. Excellent help. Today, I was able to stabilize the connection on my own. To be honest, I do not know exactly where the problem was. I have reset pfSense to factory defaults and configured everything from scratch. After that, the ping reply from pfSense was stable and without timeouts. I was able to get to pfSense and manage it through the VPN channel. Although my settings are slightly different, I tried yours, and they work in my case as well.

    Now I face the issue of how to see LAN devices that are connected to pfSense. Although I can ping the pfSense appliance, I cannot ping any of the devices behind it. Are you able to access the devices that are on your network, please?

    Thank you very much for trying to help me. Bye for now.



  • Yes.  That's pretty much the purpose of the VPN; to access the LAN.  Have full access to everything 192.168.2.0/24.  Also to the LAN the client is connected to (assuming it's not the same as the remote LAN; 192.168.2.0/24).

    Be sure the LAN the client is connected to is not the same as the remote LAN.  That's why I use 192.168.2.0/24 instead of the common defaults 192.168.0.0/24 or 192.168.1.0/24 that most private LANs are configured as.
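
The overlap check described in the last reply, applied to the PUSH_REPLY line from the client log above (an added example, not part of the original posts). It also flags pushed routes whose address has host bits set, which is what the "is not a network address" warning in the log reports. The client LAN `192.168.178.0/24` is an assumption built from the client's private address 192.168.178.3 in the first post with an assumed /24 mask, and the function names are hypothetical.

```python
import ipaddress
import re

# PUSH_REPLY line copied from the client log on this page.
PUSH_LINE = (
    "Sun Sep 06 11:40:47 2015 us=924012 PUSH: Received control message: "
    "'PUSH_REPLY,route 192.168.168.0 255.255.255.0,"
    "route 192.168.169.0 255.255.255.0,route 192.168.178.1 255.255.255.0,"
    "route 192.168.188.1,topology net30,ping 10,ping-restart 60,"
    "ifconfig 192.168.188.6 192.168.188.5'"
)

# Assumption: the client sits on a /24 around its private address 192.168.178.3.
CLIENT_LAN = "192.168.178.0/24"


def parse_push_reply(line):
    """Return (address, netmask) pairs for every 'route' option in a PUSH_REPLY."""
    match = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not match:
        raise ValueError("line contains no PUSH_REPLY message")
    routes = []
    for option in match.group(1).split(","):
        parts = option.split()
        if len(parts) < 2 or parts[0] != "route":
            continue
        # A route pushed without a netmask is a host route (/32).
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        routes.append((parts[1], mask))
    return routes


def audit_routes(routes, client_lan):
    """Flag pushed routes that are malformed or collide with the client's own LAN."""
    lan = ipaddress.ip_network(client_lan)
    findings = []
    for addr, mask in routes:
        # strict=False normalises 192.168.178.1/24 to 192.168.178.0/24.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        issues = []
        if ipaddress.ip_address(addr) != net.network_address:
            issues.append("host bits set")
        if net.overlaps(lan):
            issues.append("overlaps client LAN")
        findings.append(
            {"pushed": f"{addr} {mask}", "network": str(net), "issues": issues}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_routes(parse_push_reply(PUSH_LINE), CLIENT_LAN):
        status = ", ".join(finding["issues"]) or "ok"
        print(f"{finding['pushed']:<32} -> {finding['network']:<18} {status}")
```

When a pushed network overlaps the subnet the client is physically attached to, traffic for that range has two competing routes on the client, which is why the reply recommends choosing an uncommon range for the remote LAN.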