Cant ping thru OpenVPN tunnel :(

niekshas

Hello

First i wana say sorry for mine bad english   :-\

So i hawe 2 PFSense boxes one at home, second at work. I read manual how to setup OpenVPN and tryng to set it :) Mine goal is to route big part of trafic thru home.

Mine tunel seems going up… But i cant ping mine HTTP server at adress 192.168.1.1 and any other pc at home :( i'm reading manuals about OpenVPN and so mest up now... and dont get any ideas why it is not working (

Home network (here is OpenVPN server)
LAN 192.168.1.0/24

Office (OpenVPN client)
LAN 192.168.255.0/24

If you can tell me where is  OpenVPN config file i can paste here all config (i dont want paste images)

Server LOG
openvpn[27067]: 89.249.84.29:61117 [niekshas_key] Peer Connection Initiated with 89.249.84.29:61117
openvpn[27067]: 89.249.84.29:61117 Re-using SSL/TLS context
openvpn[27067]: Initialization Sequence Completed
openvpn[27067]: UDPv4 link remote: [undef]
openvpn[27067]: UDPv4 link local (bound): [undef]:1194
openvpn[27054]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.1 192.168.200.2 init
openvpn[27054]: /sbin/ifconfig tun0 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
openvpn[27054]: TUN/TAP device /dev/tun0 opened
openvpn[27054]: gw 84.32.44.1
openvpn[27054]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible

Server Routes
default 84.32.44.1 UGS 0 269345 1500 fxp0   
84.32.44/22 link#1 UC 0 0 1500 fxp0   
84.32.44.1 00:17:94:70:49:43 UHLW 2 6483 1500 fxp0 1200
84.32.45.186 127.0.0.1 UGHS 0 0 16384 lo0   
127.0.0.1 127.0.0.1 UH 1 0 16384 lo0   
192.168.1 link#2 UC 0 0 1500 xl0   
192.168.1.1 00:50:bf:e7:7b:96 UHLW 1 76912 1500 xl0 924
192.168.200 192.168.200.2 UGS 0 0 1500 tun0   
192.168.200.2 192.168.200.1 UH 1 0 1500 tun0

Server ifconfig
tun0: flags=8051 <up,pointopoint,running,multicast>mtu 1500
inet6 fe80::2c0:49ff:feb3:caff%tun0 prefixlen 64 scopeid 0x18
inet 192.168.200.1 –> 192.168.200.2 netmask 0xffffffff
Opened by PID 31961

Client LOG
openvpn[6181]: Initialization Sequence Completed
openvpn[6181]: /etc/rc.filter_configure tun0 1500 1541 192.168.200.6 192.168.200.5 init
openvpn[6181]: /sbin/ifconfig tun0 192.168.200.6 192.168.200.5 mtu 1500 netmask 255.255.255.255 up
openvpn[6181]: TUN/TAP device /dev/tun0 opened
openvpn[6181]: gw 192.168.107.254
openvpn[6181]: [server] Peer Connection Initiated with 84.32.45.186:1194
openvpn[6181]: UDPv4 link remote: 84.32.45.186:1194
openvpn[6181]: UDPv4 link local (bound): [undef]:1194
openvpn[6180]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
openvpn[6180]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[6180]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

Client routes
default 192.168.107.254 UGS 0 18563 1500 fxp0   
127.0.0.1 127.0.0.1 UH 1 0 16384 lo0   
192.168.1 192.168.200.5 UGS 0 9 1500 tun0   
192.168.107 link#2 UC 0 0 1500 fxp0   
192.168.107.104 127.0.0.1 UGHS 0 0 16384 lo0   
192.168.107.254 00:1b:21:0e:63:ba UHLW 2 225 1500 fxp0 1098
192.168.200 192.168.200.5 UGS 0 0 1500 tun0   
192.168.200.5 192.168.200.6 UH 2 0 1500 tun0   
192.168.255 link#1 UC 0 0 1500 dc0   
192.168.255.98 00:13:02:b5:46:89 UHLW 1 7101 1500 dc0 987
192.168.255.99 00:12:79:c6:27:b5 UHLW 1 11697 1500 dc0 1090

Client ifconfig
tun0: flags=8051 <up,pointopoint,running,multicast>mtu 1500
inet6 fe80::200:e8ff:fe57:579%tun0 prefixlen 64 scopeid 0xa
inet 192.168.200.6 –> 192.168.200.5 netmask 0xffffffff
Opened by PID 12806</up,pointopoint,running,multicast></up,pointopoint,running,multicast>

niekshas

Friend told me that server and cliend creates tunnels with diferent IP's.

Server ifconfig
inet 192.168.200.1 –> 192.168.200.2 netmask 0xffffffff
Client ifconfig
inet 192.168.200.6 --> 192.168.200.5 netmask 0xffffffff

It must be so, or it is wrong ?

Since no one replying me :) couse  such a noob (i think) maybe at least you can say me where in PFSense files tree i can find Open vpn config files...

GruensFroeschli

Sorry i didnt see your thread.

From what i see, i assume you want to use openVPN in a site-to-site.
Also you seem to use a PKI.

Use a shared key for site-to-site.
If you set the site-to-site up you can define what lies on the other side of the tunnel. (Field remote network).

Change your setup to a shared key setup, set the "remote network" and it should work.

niekshas

Yes it is working with shared key….

THANK YOU A LOT

Shall i delete topic or leaveit ?

yce_kelvin

ur case something like me before, can i know what u doing with the vpn linking? I am interest on it. I m try doing vpn bridging but fail..

niekshas

OK here we go…
First i generated Shared key

Then i making OpenVPN server with settings

Protocol -> UDP
Dynamic IP -> unchek
Local port -> 1194
Address pool - > 192.168.200.0/24 (this is tunnels pool address space, it must be diferent from routers lan anddress space… mine is 192.168.1.0/24)
Use static IPs -> unchek
Remote network -> 192.168.255.0/24 (this is clients router lans space)
Cryptography -> BF-CBC
Authentication method -> Shared Key
Shared Key -> (enter key here)
DHCP-Opt.: NetBIOS node type -> none
DHCP-Opt.: Disable NetBIOS -> chek
LZO compression -> chek

Now client

Protocol -> UDP
Server address -> (put yours OpenVPN server IP)
Server port -> 1194
Interface IP -> 192.168.200.0/24 (tunnels address space… must be same as servers)
Remote network -> 192.168.1.0/24 (this is server LAN's address space)
Proxy port -> 3128
Cryptography -> BF-CBC
Authentication method -> Shared Key
Shared Key -> (enter key here)
LZO compression -> chek

Now you just need Firewall rules.

So its all... for me

To redirect trafik you need
On OpenVPN server:
Firewall -> NAT -> Outbound -> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
And set rule for each network thats needs to get out.
VPN -> OpenVPN -> Server -> Custom options
Add option [push "redirect-gateway def1"]

Now on Cleint side
VPN -> OpenVPN -> Client -> Custom options
–route 62.231.8.188 255.255.255.0 192.168.1.254; --route 70.0.0.0 255.0.0.0 192.168.1.254;
This routes 62.231.8.0/24 and 70.0.0.0/8 trafik int to the tunnel...

Sorry for bad english

niekshas

Well i can now ping thru  tunnel…  :)
But next step for me is to redirekt some trafik trhu mine new OpenVPN tunnel... And i hawe problem.... Like always :) lol

when i tri do:
Tracing route to ereality.ru [62.231.8.188]
over a maximum of 30 hops:
  1    1 ms    1 ms    <1 ms  pfsense.local [192.168.255.254]
  2    1 ms    1 ms    1 ms  192.168.107.254
  3    43 ms    42 ms    42 ms  62.231.8.188
Trace complete.

it is fine… but i'm entering a static route to redirect trafik:
iterface -> LAN
Destination networt -> 62.231.8.188/32
Gateway -> 192.168.1.254 (thats adress of mine OpenVPN server LAN network card… its serving like gatevay for network 192.168.1.0/24)

Then i can trace :(
Tracing route to ereality.ru [62.231.8.188]
over a maximum of 30 hops:
  1    1 ms    <1 ms    1 ms  pfsense.local [192.168.255.254]
  2    4 ms    4 ms    3 ms  192.168.200.1
  3    *        *        *    Request timed out.
  4    *        *        *    Request timed out.

like i see it goes thru 192.168.255.254 (thats OpenVPN client LAN gateway), then 192.168.200.1 (thats tunnel),, and boom….

Any one hawe any ideas ???

Thank you for your time

niekshas

Today i tryed to add on OpenVPN server in cusom options field:
push “route 192.168.100.0 255.255.255.0”

but i think nothing happens… client dont get new route... :(

GruensFroeschli

You dont use pushes if not in a PKI.

To add new routes in a shared key setup you add the custom "route" line on the client:
FOr the syntax of the route command refer to:
http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

niekshas

Well it is not working for me :( i'm out if ideas…

To add route i'm in OpenVPN server using:
–route 80.240.10.0 255.255.255.0 192.168.1.254
where 192.168.1.254 is lans gateway of OpenVPN server
and cant trace any adress of 80.240.10.0/24 network

Tracing route to cable-10-40.cgates.lt [80.240.10.40]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  pfsense.local [192.168.55.254]
  2   105 ms   175 ms   151 ms  192.168.200.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
it seep dont go out from tunnel…
Any one hawe any ideas ???

routing table:
Destination        Gateway Flags Refs Use Mtu Netif Expire
default              192.168.107.254 UGS 0 215188 1500 fxp0 
80.240.10/24      192.168.1.254 UGS 0 43 1500 tun0   
127.0.0.1          127.0.0.1 UH 1 0 16384 lo0 
192.168.1          192.168.200.1 UGS 1 4 1500 tun0 
192.168.55        link#1 UC 0 0 1500 dc0 
192.168.55.97    00:17:08:2f:f6:eb UHLW 1 85977 1500 dc0 814
192.168.107        link#2 UC 0 1 1500 fxp0 
192.168.107.101 127.0.0.1 UGHS 0 0 16384 lo0 
192.168.107.254 00:1b:21:0e:63:ba UHLW 2 1355 1500 fxp0 1089
192.168.200.1    192.168.200.2 UH 1 0 1500 tun0

GruensFroeschli

On the server side:
You have to enable Advanced outbound NAT and create a rule that NAT's the office-side.

http://forum.pfsense.org/index.php/topic,7001.0.html

niekshas

Well thank you… Now all works fine...

BTW i posted mine setup... so if someone like me needs... can read and use :)

stefanBG

@GruensFroeschli:

You dont use pushes in a PKI.

To add new routes in a shared key setup you add the custom "route" line on the client:
FOr the syntax of the route command refer to:
http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

I am trying to set a openvpn between my windows and work using pfsense. I am using PKI authentication. Have been struggling for days, googled but aparently google does not indexes the board well, so I came here to check if there is really nothing on the topic. Apparently there is a lot.
Have I correctly understood that with PKI the push of the remote network is disabled/not executed???
Please, confirm this.

10x

PS. Pfsense team! Great work!!!

GruensFroeschli

Sorry was a typo.

You dont use pushes if not in a PKI.
You DO use pushes in a PKI.

What exactly doesnt work in your setup?
Did you read the HowTo's on http://openvpn.net

stefanBG

@GruensFroeschli:

Sorry was a typo.

You dont use pushes if not in a PKI.
You DO use pushes in a PKI.

What exactly doesnt work in your setup?
Did you read the HowTo's on http://openvpn.net

;D Thanx, I almost wagged a war on the router! And in fact I managed to ping the VPN gateway from the Pfsense, so my remote machine did respond, but only from Pfsense, not from the local net. So no site2site real connection :(

This post is about my problem!
http://forum.pfsense.org/index.php/topic,9884.0.html

So finnally..in conclusion!
To have a site2site between pfsense and Suse distro I need use:

• PKIs and push? not shared keys, right???
• and change my networks to RFC 1918 networks standard???

I shall forgot about my XP, although I am willing to try to configure it as a router :) …can I do that with cygwin ..sorry this is different topic

10x  GruensFroeschli

GruensFroeschli

For a site-to-site i would not use a PKI and pushes.
A PKI is intended to be used with roadwarriors. (Or really many site-to-site connections, 10+)

In a shared key site-to-site setup you define what lies on the other side of the tunnel via the "route" command. In the gui this is the "remote subnet" field.

Search the forum on that. Read the stickies.
There is really a LOT of info around. Also it might not hurt if you read the howto's on http://openVPN.net
And the sample-configs openvpn.net provides.

And yes you should move your address space to RFC1918.

stefanBG

Thank you very much GruensFroeschli,

Now everything much more clear. The topology that has been setup is obviously the problem.

10x again.