Trouble Getting Traffic from pfsense OpenVPN Client to OpenVPN Server (SOLVED)
I've been running a OpenVPN server on Debian for a while now. No problems. Server config follows.
server 10.8.0.0 255.255.255.0
keepalive 10 120
Extract from client config follows.
remote xxx.xxx.xxx.xxx 1194
dhcp-option DNS xxx.xxx.xxx.xxx
dhcp-option DNS xxx.xxx.xxx.xxx
It has worked well for both "on-site" and "off-site" clients passing all Internet traffic through the VPN and out into the wild via the US.
Our local network was behind a Mac mini running OS X. This routing all local traffic through the VPN. It was a bit of a house of cards but it worked.
I've dumped OS X for pfsense but am having trouble with OpenVPN. I can setup an OpenVPN client and get it to connect but I cannot for the life of me get traffic to route through it. I've read everything I can and been experimenting for days but no luck. I'm feeling like a bit of an idiot.
Local subnet is 10.11.12.0/24.
Attached are screenshots of my client config in pfsense, and NAT & firewall rules.
The output from the OpenVPN log when restarting follows:
Dec 14 23:37:06 openvpn: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1541 10.8.0.3 255.255.255.0 init
Dec 14 23:37:06 openvpn: SIGTERM[hard,] received, process exiting
Dec 14 23:37:06 openvpn: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Dec 14 23:37:06 openvpn: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Dec 14 23:37:06 openvpn: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 14 23:37:06 openvpn: Initializing OpenSSL support for engine 'rdrand'
Dec 14 23:37:06 openvpn: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx
Dec 14 23:37:06 openvpn: UDPv4 link remote: [AF_INET]yyy.yyy.yyy.yyy:1194
Dec 14 23:37:09 openvpn: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Dec 14 23:37:09 openvpn: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Dec 14 23:37:09 openvpn: [server] Peer Connection Initiated with [AF_INET]yyy.yyy.yyy.yyy:1194
Dec 14 23:37:11 openvpn: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 14 23:37:11 openvpn: TUN/TAP device /dev/tun1 opened
Dec 14 23:37:11 openvpn: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 14 23:37:11 openvpn: /sbin/ifconfig ovpnc1 10.8.0.3 10.8.0.1 mtu 1500 netmask 255.255.255.0 up
Dec 14 23:37:11 openvpn: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1541 10.8.0.3 255.255.255.0 init
Dec 14 23:37:11 openvpn: Initialization Sequence Completed
And the routing table.
default xxx.xxx.xxx.xxx UGS 26209 1492 pppoe0
10.8.0.0/24 10.8.0.3 UGS 0 1500 ovpnc1
10.8.0.1 link#10 UH 0 1500 ovpnc1
10.8.0.3 link#10 UHS 324 16384 lo0
10.11.0.0/16 link#1 U 28090 1500 em0
10.11.12.1 link#1 UHS 0 16384 lo0
yyy.yyy.yyy.yyy link#8 UHS 0 16384 lo0
127.0.0.1 link#6 UH 52 16384 lo0
172.16.0.0/30 link#2 U 2035 1500 em1
172.16.0.2 link#2 UHS 0 16384 lo0
172.16.1.0/30 link#3 U 2035 1500 em2
172.16.1.2 link#3 UHS 0 16384 lo0
xxx.xxx.xxx.xxx link#8 UH 2040 1492 pppoe0
I don't think the appropriate route is being setup properly but I don't how or where. If anyone has any idea what I'm missing it'd be very much appreciated. I'm feeling like a real idiot at the moment. :(
Do you have an allow any-any rule under the OpenVPN tab?
Have you tried the typical pings tests - try and reach the Debian OpenVPN server from the client and vice versa then move outward to LAN devices on each net?
I have solved my problem.
I had the following warnings in my OpenVPN log.
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lao'
Fixed up the compression warning, mtu disappeared, and everything is now working.
Glad your up and running :)
You might want to update the subject of your first message to include "(SOLVED)".
It's helpful for people checking in the future.