OpenVPN connects, can't get to lan network



  • I have:
    Two PFSense firewalls in carp failover.
    Which means I have a Virtual Wan, and Virtual Lan, as well as an actual wan and lan for each of them.
    (I'm going to obviously change a few IPs around for posting purposes)
    I've set up OpenVPN on the firewall, did the whole shebang.
    OpenVPN connects on the client.  But doesn't let me access the remote lan at all.
    I'd LOVE to have it go through our DHCP box to auto-assign some IP addresses.

    My users are being Authenticated through an Ldap connection: "Nas2"
    Tested this, and it's functioning.

    So focusing on one firewall:
    Wan IP: 12.64.150.188
    Lan IP: 10.1.1.15
    VWan IP: 12.64.150.187
    VLan IP: 10.1.1.254

    My desired lan is on the 10 net.  That's the goal.  To get the VPN users to be able to access anything that may be on 10net.

    In my OpenVPN Server Settings:
    Protocol UDP
    Device mode Tun
    My port is 1190
    my tunnel Network is: 172.50.48.0/24
    I currently have my Local Network assigned to: 10.0.0.0/8
    Compression is enabled with adaptive compression
    I have Inter-client communication checked.

    In my client settings:
    Dynamic IP is checked
    Address pool is checked
    Topology checked

    Firewall rules:
    Wan: IPv4 UDP * * Wan Address 1190 * none
    OpenVPN: IPv4 * * * * * * none

    Server Config:
    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 12.64.150.188
    tls-server
    server 172.50.48.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nas2' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN-Server-Cert' 1 "
    lport 1190
    management /var/etc/openvpn/server1.sock unix
    max-clients 80
    push "route 10.0.0.0 255.0.0.0"
    push "dhcp-option DOMAIN company.com"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet

    Client Config
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote 12.64.150.188 1190 udp
    lport 0
    verify-x509-name "VPN-Server-Cert" name
    auth-user-pass
    pkcs12 fw360-udp-1190-User-Cert.p12
    tls-auth fw360-udp-1190-User-Cert-tls.key 1
    ns-cert-type server
    comp-lzo adaptive

    I've tried making a bridge to bridge the tunnel and lan.  Nothing.
    The firewall couldn't ping the LAN from Diagnostics -> Ping when using the source OpenVPN. I added the OpenVPN as an interface, configured the IPv4 to DHCP and added the IPv4 address alias: 10.10.0.2
    Once I did that I was able to ping the LAN when using the source OpenVPN. -Edit: this doesn't seem to be working today...

    Please, if you have ideas on how to make this work, let me know.  I'm literally throwing darts in the dark while drunk and blindfolded.


  •
    @burn56:

    Lan IP: 10.1.1.15
    VLan IP: 10.1.1.254

    I have no idea what's VLAN IP but both of the above obviously overlap with the absolutely obnoxious 10.0.0.0/8 clusterfuck. No wonder it's broken. You really need 16M hosts on your network? Seriously?



  • @doktornotor:

    @burn56:

    Lan IP: 10.1.1.15
    VLan IP: 10.1.1.254

    I have no idea what's VLAN IP but both of the above obviously overlap with the absolutely obnoxious 10.0.0.0/8 clusterfuck. No wonder it's broken. You really need 16M hosts on your network? Seriously?

    VLan is the virtual IP for carp failover for lan.

    As for the obnoxious 10.0.0.0/8, from my reading of the documentation, this was supposed to be the range of IPv4 networks that you want accessible from the remote connection.
    As I have IPs all along that range, it makes sense to shoot for everything.
    I mean, I could be totally wrong and have misread.

    These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.

    I mean if I follow the "this is generally set to your LAN network", wouldn't that mean that 10.1.1.254 or 10.1.1.15 should work as well?  Wouldn't that still be an overlap?
    Thanks for your input.

    Edit:
    Reading a bit in the forums, I saw a few people mentioning routing tables, and so I looked there:

    Now Em0 is my Lan interface.
    But I can't find ANYWHERE where 10.0.0.0/8 is set.  (I'm thinking there may be something to this)
    I even took it off my OpenVPN setting to be sure.
    Thoughts?



  • The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.

    But two other wrong things I've found in your config:

    • Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

    • Your VPN tunnel network has a public IP range. You should change this to a private range.



  • @viragomann:

    The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.

    But two other wrong things I've found in your config:

    • Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

    • Your VPN tunnel network has a public IP range. You should change this to a private range.

    Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

    What do you mean, I seem to be made of bricks today.  So, what I have set is a problem?  Or it's okay?

    Your VPN tunnel network has a public IP range. You should change this to a private range.

    My tunnel is 172.50.48.0/24, isn't that private?
    What would you suggest other than that?  Something that won't bork other settings

    Thanks for your help thus far!


  •
    @burn56:

    My tunnel is 172.50.48.0/24, isn't that private?

    No, obviously…

    
    NetRange:       172.32.0.0 - 172.63.255.255
    CIDR:           172.32.0.0/11
    NetName:        TMO9
    NetHandle:      NET-172-32-0-0-1
    Parent:         NET172 (NET-172-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       AS21928
    Organization:   T-Mobile USA, Inc. (TMOBI)
    RegDate:        2012-09-18
    Updated:        2012-09-18
    Ref:            http://whois.arin.net/rest/net/NET-172-32-0-0-1
    
    


  • @doktornotor:

    @burn56:

    My tunnel is 172.50.48.0/24, isn't that private?

    No, obviously…

    
    NetRange:       172.32.0.0 - 172.63.255.255
    CIDR:           172.32.0.0/11
    NetName:        TMO9
    NetHandle:      NET-172-32-0-0-1
    Parent:         NET172 (NET-172-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       AS21928
    Organization:   T-Mobile USA, Inc. (TMOBI)
    RegDate:        2012-09-18
    Updated:        2012-09-18
    Ref:            http://whois.arin.net/rest/net/NET-172-32-0-0-1
    
    

    Ah!
    Okay.  Easy change.
    172.24.48.0/24 it is.



  • @burn56:

    Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

    What do you mean, I seem to be made of bricks today.  So, what I have set is a problem?  Or it's okay?

    For CARP the interface addresses of master and slave have to be in the same subnet and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.

    Your LAN interface (of the master, I assume) is set to 10.1.1.15/32. That's just a single host! You would change the mask to /24 in the interface settings.




  • @viragomann:

    For CARP the interface addresses of master and slave have to be in the same subnet and the interfaces have to be available to communicate together. The CARP VIP is recommended to be in the same subnet as the interfaces addresses.

    Your LAN interface (of master, I assume) is set to 10.1.1.15/32. That's just a unique host! You would change the mask to /24 in interface setting.

    Ah yeah, I had it to that, and then started trying some other stuff around.
    I've changed it back.  (Thanks for that sanity check that I was right the first time!)

    Now, my vpn connects, and from the test machine DNS fails to resolve.
    I tried providing DNS server list to clients from the client settings in the server config (8.8.8.8, 8.8.4.4) But it still fails.
    I then tried to have them route to my DHCP server at 10.10.0.2 and that also fails.

    Client logs had this to say:

    Wed Dec 09 16:56:32 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 172.24.48.0/172.24.48.2/255.255.255.0 [SUCCEEDED]
    Wed Dec 09 16:56:32 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.24.48.2/255.255.255.0 on interface {8E8DE95B-B134-4001-A110-B08D646A4D45} [DHCP-serv: 172.24.48.254, lease-time: 31536000]
    Wed Dec 09 16:56:32 2015 Successful ARP Flush on interface [47] {8E8DE95B-B134-4001-A110-B08D646A4D45}
    Wed Dec 09 16:56:32 2015 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
    Wed Dec 09 16:56:37 2015 Initialization Sequence Completed
    
    

    Thoughts?


  •
    You know, there are well known test tools for DNS. "It fails" is useless description.



  • I guess your clients' default gateway is within 10.0.0.0/8, which you route over the VPN.

    If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.



  • @doktornotor:

    You know, there are well known test tools for DNS. "It fails" is useless description.

    Thanks.
    @viragomann:

    I guess, your clients default gateway is within the 10.0.0.0/8, which you routes over VPN.

    If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.

    I checked redirect gateway, and I can get to the internet on the test machine, but it still won't let me on the lan.
    What would you suggest for a good route to apply?

    The end goal is just to get them to be able to access the lan.



  • If you can reach Internet over the VPN you should also be able to access the LAN subnet at server side, as long as firewall rules do not prohibit this.

    For routing the LAN net, you only need to push 10.1.1.0/24 to the client (if /24 is your LAN mask).

    The pfSense box running the vpn server is the default gateway in its network? If it isn't, you need appropriate routes for the vpn tunnel or do NAT.

    Maybe the LAN host you want to access does not permit access from a different subnet, like the Windows firewall does by default.
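    The three addressing points raised in this thread (the tunnel network must be RFC 1918 private, the CARP master/slave/VIP addresses must share one subnet rather than a /32, and the LAN route pushed to clients should be the actual LAN prefix) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the slave LAN address 10.1.1.16 is a constructed placeholder, since the thread only calls it "the other host".

```python
import ipaddress

# RFC 1918 private ranges; the thread's 172.50.48.0/24 falls outside 172.16.0.0/12
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(cidr: str) -> bool:
    """True only if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def overlaps_any(cidr: str, others) -> list:
    """Return the networks in `others` that overlap `cidr` (tunnel vs. local nets)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o, strict=False))]


def carp_same_subnet(master: str, slave: str, vip: str) -> bool:
    """CARP needs master, slave and VIP in one broadcast domain: the slave and VIP
    addresses must fall inside the subnet derived from the master's interface mask.
    A /32 on the master makes that subnet a single host, so the check fails."""
    m = ipaddress.ip_interface(master)
    return all(ipaddress.ip_address(a.split("/")[0]) in m.network for a in (slave, vip))


def push_route(cidr: str) -> str:
    """Render the OpenVPN server directive that routes a LAN prefix to clients."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


def check_plan(tunnel: str, local_nets, lan_master: str, lan_slave: str, lan_vip: str) -> list:
    """Collect findings for a pfSense/OpenVPN addressing plan like the one in the thread."""
    findings = []
    if not is_private(tunnel):
        findings.append(f"tunnel {tunnel} is not RFC 1918 private")
    for hit in overlaps_any(tunnel, local_nets):
        findings.append(f"tunnel {tunnel} overlaps local network {hit}")
    if not carp_same_subnet(lan_master, lan_slave, lan_vip):
        findings.append(f"CARP addresses not in one subnet (master {lan_master})")
    return findings


# The thread's original plan (constructed slave address) vs. the corrected one
ORIGINAL = check_plan("172.50.48.0/24", ["10.0.0.0/8"], "10.1.1.15/32", "10.1.1.16", "10.1.1.254")
FIXED = check_plan("172.24.48.0/24", ["10.1.1.0/24"], "10.1.1.15/24", "10.1.1.16", "10.1.1.254")
```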



  • So I got this working finally.
    Turns out, for my DNS servers, I needed to put my DHCP server there.
    This allowed the DNS to get resolved.
    Thanks for your help folks.

