Openvpn ping and routing issue



  • Hello all I have this configuration:

    pc with ip 192.168.250.33
    |
    office lan: 192.168.250.0/24
    |
    pfsense 2.2.4 internal ip 192.168.250.250 external 192.168.1.2
    |
    gateway with ip 192.168.1.254
    |
    |
    several openvpn client with different network

    I'm trying to configure openvpn with this features:

    • from the office lan I need to access to 8080 port of each remote client
    • every remote client must have an unique ip (using client specific overrides)

    I have configured the with this network 10.0.8.0/24

    The remote client can connect (i.e. 10.0.8.26) correctly but I can't ping it from the server side.
    I can't understand if I have to configure the opt interface: if i left ovpns1 unassigned and I try to ping the client I see in the client side the ping request (but with "no response found" error)
    If I assing ovpns1 to opt1 I see that the default route for every 10.0.8.26/24 address became 192.168.0.254 and so it's wrong.

    1- which special parameters I have to configure to the openvpn server ?
    2- I have to configure opt1 or not ? Why the gateway go wrong if I configure it ?

    excuse of may english
    every suggestions are welcome
    Thanks


  • LAYER 8 Global Moderator

    Ok so you have a road warrior connecting into your pfsense (openvpn server)?

    And you want to be able to ping that remote client.. Well most likely that is firewall on your remote client blocking that, unless you have modified rules on your pfsense interface the box behind pfsense is getting to pfsense with.

    So for example.. I am vpn'd my home pfsense box.. I rdp to a box on that lan 192.168.9.100, from there I can ping my remote client 10.0.8.6

    C:>ping 10.0.8.6

    Pinging 10.0.8.6 with 32 bytes of data:
    Reply from 10.0.8.6: bytes=32 time=144ms TTL=127
    Reply from 10.0.8.6: bytes=32 time=123ms TTL=127
    Reply from 10.0.8.6: bytes=32 time=155ms TTL=127
    Reply from 10.0.8.6: bytes=32 time=160ms TTL=127

    Ping statistics for 10.0.8.6:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 123ms, Maximum = 160ms, Average = 145ms

    You really should not have to do anything special here..



  • Thank you.. yes should be easy.
    I tried again starting from scratch (new installation), I used the wizard for build the openvpn configuration.

    Once created the connection I started in the client pc wireshark and I see che ping request (so I don't think is a firewall problem)
    In wireshark I see in the icmp packet with src 192.168.250.100 (my pc in the office lan) and des 10.0.6.1 with "no response found !" message

    PING 10.0.8.6 (10.0.8.6): 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1

    same problem from the firewall itself
    ping 10.0.8.6
    PING 10.0.8.6 (10.0.8.6): 56 data bytes
    ^C
    --- 10.0.8.6 ping statistics ---
    19 packets transmitted, 0 packets received, 100.0% packet loss

    In wireshark I see in the icmp packet with src 10.0.8.1 and des 10.0.6.1 with "no response found !" message

    I have the same problem with different client (windows and linux ) in two different network.
    I think it's a routing problem



  • Are the routs for LAN pushed to the clients correctly? You have to enter your LAN network (192.168.250.0/24) in IPv4 Local Network/s to do so.



  • yes I put 192.168.250.0/24 in IPv4 Local Network/s

    this is my server configuration file located in /var/etc/openvpn of pfsense:

    dev ovpns1
    verb 3
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.2
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'internalserverce' 1 "
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.250.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    comp-lzo adaptive
    persist-remote-ip
    float

    probably there is something wrong but I not understand what



  • The config seems to be okay, but what shows the routing table at the client if connection is established?
    Maybe an equal subnet there on an interface?


  • LAYER 8 Global Moderator

    Where do you wireshark??  At pfsense you see the icmp go down the tunnel, but no response.. Are you sniffing at the client, most likely as stated before firewall on the client..



  • Just to ask the obvious simple question:

    If these are Windows machines, have you made sure the internal firewalls are not blocking "foreign" subnets (perhaps turn them off for testing purposes)?

    Have you tried pinging something easier (like a network printer) instead?


Log in to reply