Netgate Discussion Forum

Openvpn ping and routing issue

  • F
    fctech
    last edited by Oct 20, 2015, 2:35 PM

    Hello all I have this configuration:

    pc with ip 192.168.250.33
    |
    office lan: 192.168.250.0/24
    |
    pfsense 2.2.4 internal ip 192.168.250.250 external 192.168.1.2
    |
    gateway with ip 192.168.1.254
    |
    |
    several OpenVPN clients with different networks

    I'm trying to configure OpenVPN with these features:

    • from the office LAN I need to access port 8080 of each remote client
    • every remote client must have a unique IP (using client specific overrides)

    I have configured the with this network 10.0.8.0/24

    The remote client can connect (i.e. 10.0.8.26) correctly but I can't ping it from the server side.
    I can't understand if I have to configure the opt interface: if I leave ovpns1 unassigned and try to ping the client, I see the ping request on the client side (but with a "no response found" error).
    If I assign ovpns1 to opt1, I see that the default route for every 10.0.8.26/24 address becomes 192.168.0.254, and so it's wrong.

    1- Which special parameters do I have to configure on the OpenVPN server?
    2- Do I have to configure opt1 or not? Why does the gateway go wrong if I configure it?

    Excuse my English.
    Any suggestions are welcome.
    Thanks

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Oct 20, 2015, 3:18 PM

      Ok so you have a road warrior connecting into your pfsense (openvpn server)?

      And you want to be able to ping that remote client.. Well, most likely that is the firewall on your remote client blocking that, unless you have modified rules on your pfsense interface the box behind pfsense is getting to pfsense with.

      So for example.. I am vpn'd into my home pfsense box.. I rdp to a box on that lan 192.168.9.100, from there I can ping my remote client 10.0.8.6

      C:>ping 10.0.8.6

      Pinging 10.0.8.6 with 32 bytes of data:
      Reply from 10.0.8.6: bytes=32 time=144ms TTL=127
      Reply from 10.0.8.6: bytes=32 time=123ms TTL=127
      Reply from 10.0.8.6: bytes=32 time=155ms TTL=127
      Reply from 10.0.8.6: bytes=32 time=160ms TTL=127

      Ping statistics for 10.0.8.6:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 123ms, Maximum = 160ms, Average = 145ms

      You really should not have to do anything special here..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • F
        fctech
        last edited by Oct 20, 2015, 5:53 PM

        Thank you.. yes, it should be easy.
        I tried again starting from scratch (new installation), and I used the wizard to build the OpenVPN configuration.

        Once the connection was created, I started Wireshark on the client PC and I see the ping request (so I don't think it is a firewall problem).
        In Wireshark I see the ICMP packet with src 192.168.250.100 (my PC in the office LAN) and dst 10.0.6.1 with a "no response found!" message

        PING 10.0.8.6 (10.0.8.6): 56 data bytes
        Request timeout for icmp_seq 0
        Request timeout for icmp_seq 1
        …

        same problem from the firewall itself
        ping 10.0.8.6
        PING 10.0.8.6 (10.0.8.6): 56 data bytes
        ^C
        --- 10.0.8.6 ping statistics ---
        19 packets transmitted, 0 packets received, 100.0% packet loss

        In Wireshark I see the ICMP packet with src 10.0.8.1 and dst 10.0.6.1 with a "no response found!" message

        I have the same problem with different clients (Windows and Linux) in two different networks.
        I think it's a routing problem

        • V
          viragomann
          last edited by Oct 20, 2015, 8:03 PM

          Are the routes for LAN pushed to the clients correctly? You have to enter your LAN network (192.168.250.0/24) in IPv4 Local Network/s to do so.

          • F
            fctech
            last edited by Oct 20, 2015, 9:27 PM

            yes I put 192.168.250.0/24 in IPv4 Local Network/s

            this is my server configuration file located in /var/etc/openvpn of pfsense:

            dev ovpns1
            verb 3
            dev-type tun
            tun-ipv6
            dev-node /dev/tun1
            writepid /var/run/openvpn_server1.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto udp
            cipher BF-CBC
            auth SHA1
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            local 192.168.1.2
            tls-server
            server 10.0.8.0 255.255.255.0
            client-config-dir /var/etc/openvpn-csc
            tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'internalserverce' 1 "
            lport 1194
            management /var/etc/openvpn/server1.sock unix
            push "route 192.168.250.0 255.255.255.0"
            ca /var/etc/openvpn/server1.ca
            cert /var/etc/openvpn/server1.cert
            key /var/etc/openvpn/server1.key
            dh /etc/dh-parameters.2048
            comp-lzo adaptive
            persist-remote-ip
            float

            Probably there is something wrong, but I don't understand what

            • V
              viragomann
              last edited by Oct 20, 2015, 9:40 PM

              The config seems to be okay, but what does the routing table at the client show if the connection is established?
              Maybe an equal subnet there on an interface?

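Added example (not part of any post in this thread): a Python check for the "equal subnet" question above, using the `server` and `push "route ..."` directives from the config posted earlier. The client names and interface addresses are constructed sample data; when a client's own LAN overlaps the tunnel subnet or a pushed route, its local route can take precedence and replies do not go back through the tunnel.

```python
import ipaddress

# The two routing-relevant directives from the server config posted in the thread.
SERVER_CONF = '''
server 10.0.8.0 255.255.255.0
push "route 192.168.250.0 255.255.255.0"
'''

# Constructed sample data: non-tunnel interfaces of three hypothetical clients.
# (Leave the client's own tun adapter out; it is inside the tunnel subnet by design.)
CLIENTS = {
    "client-a": {"eth0": "192.168.1.57/24"},
    "client-b": {"wlan0": "192.168.250.14/24"},
    "client-c": {"eth0": "10.0.0.5/8"},
}


def vpn_networks(conf):
    """Return {label: network} for the tunnel subnet and every pushed route."""
    nets = {}
    for line in conf.splitlines():
        parts = line.replace('"', " ").split()
        if parts[:1] == ["server"] and len(parts) >= 3:
            nets["tunnel"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[:2] == ["push", "route"] and len(parts) >= 4:
            nets[f"push {parts[2]}"] = ipaddress.ip_network(
                f"{parts[2]}/{parts[3]}", strict=False)
    return nets


def find_conflicts(conf, ifaces):
    """List (vpn_label, iface, iface_net) for client networks overlapping a VPN network."""
    conflicts = []
    for label, vnet in vpn_networks(conf).items():
        for iface, cidr in ifaces.items():
            inet = ipaddress.ip_network(cidr, strict=False)  # accept host addresses
            if vnet.overlaps(inet):
                conflicts.append((label, iface, str(inet)))
    return conflicts


if __name__ == "__main__":
    for name, ifaces in CLIENTS.items():
        print(name, find_conflicts(SERVER_CONF, ifaces) or "no overlap")
```
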
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Oct 21, 2015, 3:24 AM

                Where do you wireshark??  At pfsense you see the icmp go down the tunnel, but no response.. Are you sniffing at the client, most likely as stated before firewall on the client..

                • D
                  divsys
                  last edited by Oct 21, 2015, 10:03 PM

                  Just to ask the obvious simple question:

                  If these are Windows machines, have you made sure the internal firewalls are not blocking "foreign" subnets (perhaps turn them off for testing purposes)?

                  Have you tried pinging something easier (like a network printer) instead?

                  -jfp
