Trouble Getting Traffic from pfsense OpenVPN Client to OpenVPN Server (SOLVED)



  • I've been running a OpenVPN server on Debian for a while now. No problems. Server config follows.

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    client-config-dir ccd
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
    mssfix 1432

    Extract from client config follows.

    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    comp-lzo
    verb 3
    redirect-gateway def1
    dhcp-option DNS xxx.xxx.xxx.xxx
    dhcp-option DNS xxx.xxx.xxx.xxx

    It has worked well for both "on-site" and "off-site" clients passing all Internet traffic through the VPN and out into the wild via the US.

    Our local network was behind a Mac mini running OS X. This routing all local traffic through the VPN. It was a bit of a house of cards but it worked.

    I've dumped OS X for pfsense but am having trouble with OpenVPN. I can setup an OpenVPN client and get it to connect but I cannot for the life of me get traffic to route through it. I've read everything I can and been experimenting for days but no luck. I'm feeling like a bit of an idiot.

    Local subnet is 10.11.12.0/24.

    Attached are screenshots of my client config in pfsense, and NAT & firewall rules.

    The output from the OpenVPN log when restarting follows:

    Dec 14 23:37:06  openvpn[28670]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1541 10.8.0.3 255.255.255.0 init
    Dec 14 23:37:06  openvpn[28670]: SIGTERM[hard,] received, process exiting
    Dec 14 23:37:06  openvpn[11670]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Dec 14 23:37:06  openvpn[11670]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Dec 14 23:37:06  openvpn[11777]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Dec 14 23:37:06  openvpn[11777]: Initializing OpenSSL support for engine 'rdrand'
    Dec 14 23:37:06  openvpn[11777]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx
    Dec 14 23:37:06  openvpn[11777]: UDPv4 link remote: [AF_INET]yyy.yyy.yyy.yyy:1194
    Dec 14 23:37:09  openvpn[11777]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    Dec 14 23:37:09  openvpn[11777]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Dec 14 23:37:09  openvpn[11777]: [server] Peer Connection Initiated with [AF_INET]yyy.yyy.yyy.yyy:1194
    Dec 14 23:37:11  openvpn[11777]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Dec 14 23:37:11  openvpn[11777]: TUN/TAP device /dev/tun1 opened
    Dec 14 23:37:11  openvpn[11777]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Dec 14 23:37:11  openvpn[11777]: /sbin/ifconfig ovpnc1 10.8.0.3 10.8.0.1 mtu 1500 netmask 255.255.255.0 up
    Dec 14 23:37:11  openvpn[11777]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1541 10.8.0.3 255.255.255.0 init
    Dec 14 23:37:11  openvpn[11777]: Initialization Sequence Completed

    And the routing table.

    default  xxx.xxx.xxx.xxx  UGS  26209  1492  pppoe0
    10.8.0.0/24  10.8.0.3  UGS  0  1500  ovpnc1
    10.8.0.1  link#10  UH  0  1500  ovpnc1
    10.8.0.3  link#10  UHS  324  16384  lo0
    10.11.0.0/16  link#1  U  28090  1500  em0
    10.11.12.1  link#1  UHS  0  16384  lo0
    yyy.yyy.yyy.yyy  link#8  UHS  0  16384  lo0
    127.0.0.1  link#6  UH  52  16384  lo0
    172.16.0.0/30  link#2  U  2035  1500  em1
    172.16.0.2  link#2  UHS  0  16384  lo0
    172.16.1.0/30  link#3  U  2035  1500  em2
    172.16.1.2  link#3  UHS  0  16384  lo0
    xxx.xxx.xxx.xxx  link#8  UH  2040  1492  pppoe0

    I don't think the appropriate route is being setup properly but I don't how or where. If anyone has any idea what I'm missing it'd be very much appreciated. I'm feeling like a real idiot at the moment.  :(









  • Do you have an allow any-any rule under the OpenVPN tab?

    Have you tried the typical pings tests - try and reach the Debian OpenVPN server  from the client and vice versa then move outward to LAN devices on each net?



  • I have solved my problem.

    I had the following warnings in my OpenVPN log.

    WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
    WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lao'

    Fixed up the compression warning, mtu disappeared, and everything is now working.



  • Glad your up and running  :)

    You might want to update the subject of your first message to include  "(SOLVED)".
    It's helpful for people checking in the future.


Log in to reply