Can't ping through OpenVPN tunnel :(



  • Hello

    First I want to say sorry for my bad English   :-\

    So I have 2 pfSense boxes, one at home, the second at work. I read the manual on how to set up OpenVPN and am trying to set it up :) My goal is to route a big part of the traffic through home.

    My tunnel seems to be coming up… But I can't ping my HTTP server at address 192.168.1.1 or any other PC at home :( I'm reading manuals about OpenVPN and am so messed up now... and don't have any ideas why it is not working :(

    Home network (here is OpenVPN server)
    LAN 192.168.1.0/24

    Office (OpenVPN client)
    LAN 192.168.255.0/24

    If you can tell me where the OpenVPN config file is, I can paste the whole config here (I don't want to paste images)

    Server LOG
    openvpn[27067]: 89.249.84.29:61117 [niekshas_key] Peer Connection Initiated with 89.249.84.29:61117
    openvpn[27067]: 89.249.84.29:61117 Re-using SSL/TLS context
    openvpn[27067]: Initialization Sequence Completed
    openvpn[27067]: UDPv4 link remote: [undef]
    openvpn[27067]: UDPv4 link local (bound): [undef]:1194
    openvpn[27054]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init
    openvpn[27054]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
    openvpn[27054]: TUN/TAP device /dev/tun0 opened
    openvpn[27054]: gw 84.32.44.1
    openvpn[27054]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible

    Server Routes
    default 84.32.44.1 UGS 0 269345 1500 fxp0   
    84.32.44/22 link#1 UC 0 0 1500 fxp0   
    84.32.44.1 00:17:94:70:49:43 UHLW 2 6483 1500 fxp0 1200
    84.32.45.186 127.0.0.1 UGHS 0 0 16384 lo0   
    127.0.0.1 127.0.0.1 UH 1 0 16384 lo0   
    192.168.1 link#2 UC 0 0 1500 xl0   
    192.168.1.1 00:50:bf:e7:7b:96 UHLW 1 76912 1500 xl0 924
    192.168.200 192.168.200.2 UGS 0 0 1500 tun0   
    192.168.200.2 192.168.200.1 UH 1 0 1500 tun0

    Server ifconfig
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::2c0:49ff:feb3:caff%tun0 prefixlen 64 scopeid 0x18
    inet 192.168.200.1 --> 192.168.200.2 netmask 0xffffffff
    Opened by PID 31961

    Client LOG
    openvpn[6181]: Initialization Sequence Completed
    openvpn[6181]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init
    openvpn[6181]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
    openvpn[6181]: TUN/TAP device /dev/tun0 opened
    openvpn[6181]: gw 192.168.107.254
    openvpn[6181]: [server] Peer Connection Initiated with 84.32.45.186:1194
    openvpn[6181]: UDPv4 link remote: 84.32.45.186:1194
    openvpn[6181]: UDPv4 link local (bound): [undef]:1194
    openvpn[6180]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    openvpn[6180]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    openvpn[6180]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

    Client routes
    default 192.168.107.254 UGS 0 18563 1500 fxp0   
    127.0.0.1 127.0.0.1 UH 1 0 16384 lo0   
    192.168.1 192.168.200.5 UGS 0 9 1500 tun0   
    192.168.107 link#2 UC 0 0 1500 fxp0   
    192.168.107.104 127.0.0.1 UGHS 0 0 16384 lo0   
    192.168.107.254 00:1b:21:0e:63:ba UHLW 2 225 1500 fxp0 1098
    192.168.200 192.168.200.5 UGS 0 0 1500 tun0   
    192.168.200.5 192.168.200.6 UH 2 0 1500 tun0   
    192.168.255 link#1 UC 0 0 1500 dc0   
    192.168.255.98 00:13:02:b5:46:89 UHLW 1 7101 1500 dc0 987
    192.168.255.99 00:12:79:c6:27:b5 UHLW 1 11697 1500 dc0 1090

    Client ifconfig
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::200:e8ff:fe57:579%tun0 prefixlen 64 scopeid 0xa
    inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff
    Opened by PID 12806
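    The client log quoted above carries two warnings that matter more than the ping problem: the key file is readable by other local users, and the client has no server certificate verification method enabled (the link in the message explains the impersonation risk). The following triage script is an added example, not part of the thread or of pfSense; the sample lines are copied from the post above, while the rule names, the Finding type and the remediation text are my own.

```python
"""Pull the security warnings out of an OpenVPN log.

Added example, not part of the forum thread: the sample lines are copied from
the client log above (plus one ordinary line), the matching rules and the
remediation text are mine. OpenVPN itself prints these warnings; the script
just makes them impossible to overlook in a pfSense system log."""
import re
from dataclasses import dataclass

# Constructed sample: three lines from the client log above plus one normal line.
SAMPLE_LOG = """\
openvpn[6181]: Initialization Sequence Completed
openvpn[6180]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
openvpn[6180]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[6180]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
"""


@dataclass
class Finding:
    pid: int        # OpenVPN process that logged the warning
    kind: str       # short identifier for the class of warning
    detail: str     # file path or message fragment that triggered it
    advice: str     # what to change


# (pattern, kind, advice). Group 1 of the pattern becomes the Finding detail.
RULES = [
    (re.compile(r"WARNING: file '([^']+)' is group or others accessible"),
     "key-file-permissions",
     "restrict the key/secret file to its owner (chmod 600) so other local "
     "users cannot read the tunnel secret"),
    (re.compile(r"WARNING: (No server certificate verification method has been enabled)"),
     "no-server-cert-verification",
     "the client accepts any certificate signed by the CA as the server; add "
     "'ns-cert-type server' (OpenVPN 2.0) or 'remote-cert-tls server' (2.1+) "
     "so a client certificate cannot pass itself off as the server"),
]

# pfSense logs several daemons into one file; only openvpn[pid]: lines are parsed.
LINE_RE = re.compile(r"^openvpn\[(\d+)\]: (.*)$")


def triage(log_text: str) -> list:
    """Return one Finding per matching warning line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, message = int(m.group(1)), m.group(2)
        for pattern, kind, advice in RULES:
            hit = pattern.search(message)
            if hit:
                findings.append(Finding(pid, kind, hit.group(1), advice))
                break
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind; an empty dict means the log is clean."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.kind}: {f.detail}\n    -> {f.advice}")
```

    The same rules catch the `openvpn_server0.key` permission warning in the server log above, since the pattern does not care which side logged it.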



  • A friend told me that the server and client create tunnels with different IPs.

    Server ifconfig
    inet 192.168.200.1 --> 192.168.200.2 netmask 0xffffffff
    Client ifconfig
    inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff

    Must it be so, or is it wrong?

    Since no one is replying to me :) because I'm such a noob (I think), maybe at least you can tell me where in the pfSense file tree I can find the OpenVPN config files...



  • Sorry, I didn't see your thread.

    From what I see, I assume you want to use OpenVPN in a site-to-site setup.
    Also you seem to use a PKI.

    Use a shared key for site-to-site.
    If you set the site-to-site up you can define what lies on the other side of the tunnel. (Field remote network).

    Change your setup to a shared key setup, set the "remote network" and it should work.



  • Yes, it is working with shared key….

    THANK YOU A LOT

    Shall I delete the topic or leave it?



  • Your case is something like mine before. Can I know what you are doing with the VPN linking? I am interested in it. I'm trying to do VPN bridging but failing..



  • OK here we go…
    First I generated a shared key

    Then I made the OpenVPN server with these settings

    Protocol -> UDP
    Dynamic IP -> uncheck
    Local port -> 1194
    Address pool -> 192.168.200.0/24 (this is the tunnel's pool address space; it must be different from the router's LAN address space… mine is 192.168.1.0/24)
    Use static IPs -> uncheck
    Remote network -> 192.168.255.0/24 (this is the client router's LAN space)
    Cryptography -> BF-CBC
    Authentication method -> Shared Key
    Shared Key -> (enter key here)
    DHCP-Opt.: NetBIOS node type -> none
    DHCP-Opt.: Disable NetBIOS -> check
    LZO compression -> check

    Now the client

    Protocol -> UDP
    Server address -> (put your OpenVPN server IP)
    Server port -> 1194
    Interface IP -> 192.168.200.0/24 (tunnel's address space… must be the same as the server's)
    Remote network -> 192.168.1.0/24 (this is the server LAN's address space)
    Proxy port -> 3128
    Cryptography -> BF-CBC
    Authentication method -> Shared Key
    Shared Key -> (enter key here)
    LZO compression -> check

    Now you just need firewall rules.

    So that's all... for me

    To redirect traffic you need
    On the OpenVPN server:
    Firewall -> NAT -> Outbound -> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
    And set a rule for each network that needs to get out.
    VPN -> OpenVPN -> Server -> Custom options
    Add option [push "redirect-gateway def1"]

    Now on the client side
    VPN -> OpenVPN -> Client -> Custom options
    --route 62.231.8.188 255.255.255.0 192.168.1.254; --route 70.0.0.0 255.0.0.0 192.168.1.254;
    This routes 62.231.8.0/24 and 70.0.0.0/8 traffic into the tunnel...

    Sorry for bad English
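    To check a plan like the one just described before typing it into the GUI, here is an added example (not the poster's or pfSense's code). It models the thread's addresses, verifies the constraints the post gives (tunnel pool distinct from both LANs, RFC 1918 space), validates the client-side `--route` arguments, and for a destination decides whether office traffic will take the tunnel and whether the server must NAT it on the way out. The `Plan`, `next_hop` and `server_nat_needed` names, the `isp` label for the office default route and the sample destinations are assumptions made for the example.

```python
"""Check the addressing plan of a shared-key site-to-site OpenVPN setup.

Added example, not code from the thread or from pfSense. It models the
addresses used above (home LAN 192.168.1.0/24 behind the server, office LAN
192.168.255.0/24 behind the client, tunnel pool 192.168.200.0/24), checks
the rules the post states, validates extra --route entries, and for a chosen
destination decides whether office traffic enters the tunnel and whether the
server must NAT it. Everything beyond those addresses is an assumption."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Plan:
    server_lan: IPv4Network      # "Remote network" on the client side
    client_lan: IPv4Network      # "Remote network" on the server side
    tunnel_pool: IPv4Network     # "Address pool" / "Interface IP"
    extra_routes: list = field(default_factory=list)  # client --route args "net mask"


def make_plan(server_lan: str, client_lan: str, tunnel_pool: str, extra_routes=()) -> Plan:
    return Plan(IPv4Network(server_lan), IPv4Network(client_lan),
                IPv4Network(tunnel_pool), list(extra_routes))


# The thread's own addresses, with the two prefixes the post routes into the tunnel.
THREAD_PLAN = make_plan("192.168.1.0/24", "192.168.255.0/24", "192.168.200.0/24",
                        ["62.231.8.0 255.255.255.0", "70.0.0.0 255.0.0.0"])


def parse_route_arg(arg: str) -> IPv4Network:
    """Turn an OpenVPN '--route <network> <netmask>' argument into a network.
    Raises ValueError when the network address has host bits set for the mask
    (e.g. '62.231.8.188 255.255.255.0'), which is ambiguous."""
    network, netmask = arg.split()[:2]
    return ip_network(f"{network}/{netmask}", strict=True)


def check_plan(plan: Plan) -> list:
    """Return human-readable problems; an empty list means the plan is sane."""
    problems = []
    named = [("server LAN", plan.server_lan), ("client LAN", plan.client_lan),
             ("tunnel pool", plan.tunnel_pool)]
    for i, (name_a, net_a) in enumerate(named):
        if not net_a.is_private:
            problems.append(f"{name_a} {net_a} is not an RFC 1918 network")
        for name_b, net_b in named[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    for arg in plan.extra_routes:
        try:
            parse_route_arg(arg)
        except ValueError:
            problems.append(f"route '{arg}': network address does not match netmask; "
                            f"use the network address")
    return problems


def client_routes(plan: Plan) -> list:
    """Routes installed on the office pfSense as (prefix, next-hop label)."""
    routes = [(plan.client_lan, "direct"), (plan.server_lan, "tunnel"),
              (IPv4Network("0.0.0.0/0"), "isp")]
    routes += [(parse_route_arg(a), "tunnel") for a in plan.extra_routes]
    return routes


def next_hop(plan: Plan, destination: str) -> str:
    """Longest-prefix match over the client's routes."""
    dst = ip_address(destination)
    best = max((r for r in client_routes(plan) if dst in r[0]),
               key=lambda r: r[0].prefixlen)
    return best[1]


def server_nat_needed(plan: Plan, destination: str) -> bool:
    """Office traffic that enters the tunnel and is not for the home LAN leaves
    through the server's WAN. Without outbound NAT on the server its source
    stays 192.168.255.x, so replies never come back; that is why the tracert
    in the thread dies after 192.168.200.1."""
    dst = ip_address(destination)
    return next_hop(plan, destination) == "tunnel" and dst not in plan.server_lan


if __name__ == "__main__":
    print("problems:", check_plan(THREAD_PLAN) or "none")
    for dst in ("192.168.1.1", "62.231.8.188", "8.8.8.8"):
        print(dst, "->", next_hop(THREAD_PLAN, dst),
              "(server NAT needed)" if server_nat_needed(THREAD_PLAN, dst) else "")
```

    Note that `push "redirect-gateway def1"` is deliberately not modelled: in a shared-key setup there is no push, so the office side only sends into the tunnel what its own `route` lines cover.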



  • Well, I can now ping through the tunnel…  :)
    But the next step for me is to redirect some traffic through my new OpenVPN tunnel... And I have a problem.... Like always :) lol

    When I try to do:
    Tracing route to ereality.ru [62.231.8.188]
    over a maximum of 30 hops:
      1    1 ms    1 ms    <1 ms  pfsense.local [192.168.255.254]
      2    1 ms    1 ms    1 ms  192.168.107.254
      3    43 ms    42 ms    42 ms  62.231.8.188
    Trace complete.

    it is fine… but when I enter a static route to redirect traffic:
    Interface -> LAN
    Destination network -> 62.231.8.188/32
    Gateway -> 192.168.1.254 (that's the address of my OpenVPN server's LAN network card… it's serving as the gateway for network 192.168.1.0/24)

    Then I can trace :(
    Tracing route to ereality.ru [62.231.8.188]
    over a maximum of 30 hops:
      1    1 ms    <1 ms    1 ms  pfsense.local [192.168.255.254]
      2    4 ms    4 ms    3 ms  192.168.200.1
      3    *        *        *    Request timed out.
      4    *        *        *    Request timed out.

    As I see it, it goes through 192.168.255.254 (that's the OpenVPN client's LAN gateway), then 192.168.200.1 (that's the tunnel), and boom….

    Anyone have any ideas ???

    Thank you for your time



  • Today I tried to add in the OpenVPN server's custom options field:
    push "route 192.168.100.0 255.255.255.0"

    but I think nothing happens… the client doesn't get the new route... :(



  • You don't use pushes if not in a PKI.

    To add new routes in a shared key setup you add the custom "route" line on the client:
    For the syntax of the route command refer to:
    http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html



  • Well, it is not working for me :( I'm out of ideas…

    To add a route, on the OpenVPN server I'm using:
    --route 80.240.10.0 255.255.255.0 192.168.1.254
    where 192.168.1.254 is the LAN gateway of the OpenVPN server
    and I can't trace any address on the 80.240.10.0/24 network

    Tracing route to cable-10-40.cgates.lt [80.240.10.40]
    over a maximum of 30 hops:
      1    <1 ms    <1 ms    <1 ms  pfsense.local [192.168.55.254]
      2   105 ms   175 ms   151 ms  192.168.200.1
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.

    it seems it doesn't go out of the tunnel…
    Anyone have any ideas ???

    routing table:
    Destination        Gateway            Flags  Refs  Use     Mtu    Netif  Expire
    default            192.168.107.254    UGS    0     215188  1500   fxp0
    80.240.10/24       192.168.1.254      UGS    0     43      1500   tun0
    127.0.0.1          127.0.0.1          UH     1     0       16384  lo0
    192.168.1          192.168.200.1      UGS    1     4       1500   tun0
    192.168.55         link#1             UC     0     0       1500   dc0
    192.168.55.97      00:17:08:2f:f6:eb  UHLW   1     85977   1500   dc0    814
    192.168.107        link#2             UC     0     1       1500   fxp0
    192.168.107.101    127.0.0.1          UGHS   0     0       16384  lo0
    192.168.107.254    00:1b:21:0e:63:ba  UHLW   2     1355    1500   fxp0   1089
    192.168.200.1      192.168.200.2      UH     1     0       1500   tun0



  • On the server side:
    You have to enable Advanced Outbound NAT and create a rule that NATs the office side.

    http://forum.pfsense.org/index.php/topic,7001.0.html



  • Well, thank you… Now everything works fine...

    BTW I posted my setup... so if someone like me needs it... they can read and use it :)



  • @GruensFroeschli:

    You dont use pushes in a PKI.

    To add new routes in a shared key setup you add the custom "route" line on the client:
    For the syntax of the route command refer to:
    http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

    I am trying to set up OpenVPN between my Windows machine and work using pfSense. I am using PKI authentication. I have been struggling for days, googled, but apparently Google does not index the board well, so I came here to check if there is really nothing on the topic. Apparently there is a lot.
    Have I correctly understood that with PKI the push of the remote network is disabled/not executed???
    Please, confirm this.

    10x

    PS. Pfsense team! Great work!!!



  • Sorry, that was a typo.

    You don't use pushes if not in a PKI.
    You DO use pushes in a PKI.

    What exactly doesn't work in your setup?
    Did you read the HowTos on http://openvpn.net ?



  • @GruensFroeschli:

    Sorry, that was a typo.

    You don't use pushes if not in a PKI.
    You DO use pushes in a PKI.

    What exactly doesn't work in your setup?
    Did you read the HowTos on http://openvpn.net ?

    ;D Thanks, I almost waged a war on the router! And in fact I managed to ping the VPN gateway from the pfSense, so my remote machine did respond, but only from pfSense, not from the local net. So no real site2site connection :(

    This post is about my problem!
    http://forum.pfsense.org/index.php/topic,9884.0.html

    So finally.. in conclusion!
    To have a site2site between pfSense and a Suse distro I need to use:

    • PKIs and push? not shared keys, right???
    • and change my networks to the RFC 1918 network standard???

    I shall forget about my XP, although I am willing to try to configure it as a router :) …can I do that with cygwin .. sorry, this is a different topic

    10x  GruensFroeschli



  • For a site-to-site I would not use a PKI and pushes.
    A PKI is intended to be used with roadwarriors. (Or really many site-to-site connections, 10+)

    In a shared key site-to-site setup you define what lies on the other side of the tunnel via the "route" command. In the GUI this is the "remote subnet" field.

    Search the forum on that. Read the stickies.
    There is really a LOT of info around. Also it might not hurt if you read the howtos on http://openVPN.net
    and the sample configs openvpn.net provides.

    And yes, you should move your address space to RFC1918.



  • Thank you very much GruensFroeschli,

    Now everything is much clearer. The topology that has been set up is obviously the problem.

    10x again.

