OpenVPN connected site-to-site but still unable to connect.



  • I set up a site-to-site tunnel with OpenVPN.  Everything was working great until I had an unintentional power outage on the OpenVPN server.  (A keyboard fell and struck the power switch, suddenly shutting the machine off.)  When the office firewall and OpenVPN tunnel were turned back on, the VPN tunnel was not working.  No pings. No connection through the tunnel in either direction.

    I have upgraded the firmware on both the office server and the home firewalls to pfSense 1.2 Release.

    I am using 192.168.100.0/24 for the office network and 192.166.1.0/24 for the client network.

    Previously I had restricted the firewall rules to remoteIP:any to serverIP:1194 on the server machine.  On the client machine I had allowed clientIP:any to serverIP:1194.  Since I was having trouble connecting, I simplified the firewall rules to allow any:any to any:1194 on the server-side WAN, and on the client any to any:1194.

    I recreated the configurations.  The OpenVPN connection has the following server-side configuration.  The client side is similar.  I am using pre-shared keys.

    Protocol: TCP

    Dynamic IP: off

    Local port:  1194

    Address pool:  192.168.1.0/24

    Use static IPs: off

    Local network: blank

    Remote network: 192.168.1.0/24

    Client-to-client VPN: off

    The connection is completed:

    OpenVPN logs:

    Jun 17 17:26:42 openvpn[93710]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
    Jun 17 17:26:42 openvpn[93710]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Jun 17 17:26:42 openvpn[93710]: gw 192.168.198.1
    Jun 17 17:26:42 openvpn[93710]: TUN/TAP device /dev/tun0 opened
    Jun 17 17:26:42 openvpn[93710]: /sbin/ifconfig tun0 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
    Jun 17 17:26:42 openvpn[93710]: /etc/rc.filter_configure tun0 1500 1562 192.168.1.1 192.168.1.2 init
    Jun 17 17:26:42 openvpn[93710]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
    Jun 17 17:26:42 openvpn[93725]: Listening for incoming TCP connection on [undef]:1194
    Jun 17 17:26:45 openvpn[93725]: TCP connection established with xxx.xxx.xxx.xxx:31896
    Jun 17 17:26:45 openvpn[93725]: TCPv4_SERVER link local (bound): [undef]:1194
    Jun 17 17:26:45 openvpn[93725]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:31896
    Jun 17 17:26:45 openvpn[93725]: Peer Connection Initiated with xxx.xxx.xxx.xxx:31896
    Jun 17 17:26:47 openvpn[93725]: Initialization Sequence Completed

    From the office OpenVPN server I can ping the client OpenVPN / firewall but not other members of the home network.

    From the client / home network I can ping the OpenVPN server but cannot connect or ping other machines on the office network.

    The firewall rules are set to log traffic on port 1194.  These logs do now show traffic across the tunnel.

    The routes are:

    default 192.168.198.1 UGS 0 227780 1500 re1
    127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
    192.168.1 192.168.198.1 UGS 0 2 1500 re1
    192.168.1.2 192.168.1.1 UH 0 0 1500 tun0
    192.168.100 link#1 UC 0 0 1500 re0

    Previously, I was allowed to turn on the Client-to-Client flag, which allowed client-to-client network connection across the OpenVPN tunnel.  Currently the pfSense OpenVPN web page will not allow me to enable the OpenVPN Client-to-Client option, and I cannot enable the Local Network CIDR range.

    I was happy with the site-to-site connection before but do not understand why I am no longer able to connect from client to client across the tunnel as I had previously.

    I also do not understand why the OpenVPN pfSense web page will not allow me to enable the OpenVPN Client-to-Client option and I cannot enable the Local Network CIDR range.

    Any ideas?

    Help would be much appreciated.

    Sam Bowen
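The post above lists the tunnel settings, the routing table and the OpenVPN log side by side, which is exactly the material a practitioner would cross-check before touching the firewall rules. The script below is an added example, not code from the thread or from pfSense: it takes those three inputs and reports the things worth checking first for a shared-key site-to-site tunnel, namely an address pool that overlaps the remote LAN, a route for the remote LAN that does not leave through the tun interface, a failed route add in the log, and a secret file readable by other users. The sample route lines and log lines are constructed to mirror the values in the post, and the expansion of abbreviated BSD netstat destinations such as `192.168.1` into `192.168.1.0/24` is an assumption about the output format of that netstat version.

```python
"""Cross-check a pfSense/OpenVPN shared-key site-to-site tunnel.

Added example (not code from the thread). Inputs are the tunnel address
pool, the remote LAN, netstat -rn style route lines and OpenVPN log lines.
"""
import ipaddress
import re

# Constructed sample input, modelled on the values quoted in the post.
TUNNEL_POOL = "192.168.1.0/24"      # "Address pool" in the pfSense page
REMOTE_NETWORK = "192.168.1.0/24"   # "Remote network" in the pfSense page

ROUTE_TABLE = """\
default 192.168.198.1 UGS 0 227780 1500 re1
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
192.168.1 192.168.198.1 UGS 0 2 1500 re1
192.168.1.2 192.168.1.1 UH 0 0 1500 tun0
192.168.100 link#1 UC 0 0 1500 re0
"""

OPENVPN_LOG = """\
Jun 17 17:26:42 openvpn[93710]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Jun 17 17:26:42 openvpn[93710]: /sbin/ifconfig tun0 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
Jun 17 17:26:42 openvpn[93710]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Jun 17 17:26:47 openvpn[93725]: Initialization Sequence Completed
"""


def parse_destination(dest):
    """Expand a BSD netstat destination column into an ip_network.

    Assumption about the format: older FreeBSD netstat prints classful
    abbreviations, so '192.168.1' means 192.168.1.0/24 and '10' means
    10.0.0.0/8; a full four-octet entry is treated as a host route.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{prefix}", strict=False)


def parse_routes(table):
    """Return (destination, gateway, flags, interface) tuples from netstat -rn text."""
    routes = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue  # header or blank line
        routes.append((parse_destination(cols[0]), cols[1], cols[2], cols[-1]))
    return routes


def route_for(network, routes):
    """Most specific route whose destination covers the whole network, or None."""
    covering = [r for r in routes if network.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def check_tunnel(pool, remote_net, route_table, log, tun_prefix="tun"):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    pool_net = ipaddress.ip_network(pool)
    remote = ipaddress.ip_network(remote_net)

    # The tunnel transit addresses must not collide with the LAN you route to it.
    if pool_net.overlaps(remote):
        findings.append(f"address pool {pool_net} overlaps remote network {remote}; "
                        "use an unused transit subnet for the pool")

    # Traffic for the remote LAN has to leave via the tun interface, not the WAN gateway.
    route = route_for(remote, parse_routes(route_table))
    if route is None:
        findings.append(f"no route covers {remote}")
    elif not route[3].startswith(tun_prefix):
        findings.append(f"route for {remote} goes via {route[1]} on {route[3]}, "
                        "not the tunnel interface")

    if re.search(r"route add command failed", log):
        findings.append("OpenVPN could not install its route (see 'route add command failed')")

    m = re.search(r"file '([^']+)' is group or others accessible", log)
    if m:
        findings.append(f"shared secret {m.group(1)} is readable by other users; restrict it to the owner")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(TUNNEL_POOL, REMOTE_NETWORK, ROUTE_TABLE, OPENVPN_LOG):
        print("-", finding)
```

Run against the values from the post, the checker flags all four conditions: the pool and the remote network are the same /24, the `192.168.1` route points at the WAN gateway on `re1` rather than `tun0`, the route add failed, and the secret file is readable by others. Re-run with a pool on an otherwise unused subnet and a route table where the remote LAN is reached via the tun interface and it returns an empty list.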



  • Hi, Sam Bowen.

    You are doing a basic routed tunnel. A shared-key tunnel cannot use the client-to-client option unless you are doing a bridge-mode tunnel.

    I opened this question in the forum before for your issue, and you can refer to my post: http://forum.pfsense.org/index.php/topic,9219.0.html

    What you want to do is something like what I did, bridging the VPN network.

    Gruens Froeschli helped me so much with this. Hope that can help you.

    yce_Kelvin

    Kelvin



  • Thanks Kelvin,

    The client-to-client check box is misleading.  It would be nice if the HOWTOs were better written, especially concerning this detail.  They imply that this is required when in fact it is not required for a simple pre-shared-key site-to-site configuration.

    The frustrating thing is that everything was working until the accidental power outage.  My configuration worked fine.  After rebooting the VPN tunnel would ping from server to client, and from client to server but I still could not connect through tunnel.

    I subsequently made things a lot worse when I tried to restore an older working configuration file and crashed the server-end firewall while trying to repair the damage.  "Crashed" in the sense that everyone in the office lost Internet connectivity in mid-morning.  There were a lot of burning hot looks and gnashing of teeth in my general direction.

    After feverishly reformatting the hard drive, a fresh reinstall went very smoothly and the OpenVPN tunnel came right up and works perfectly.

    The lesson I learned from this is that pfSense is not very fault tolerant to hardware crashes.

    Sam Bowen
    http://www.oemr.org/



  • Hi, drbowen,

    Congratulations on successfully making the tunnel work. If you plan on running pfSense long term, it is better to build it on hardware in the best condition.

    Yes, are you running the VPN tunnel for file access or bridging? From what I know, you should not be able to do bridging if using the shared-key method.

    Correct me if I'm wrong.

    kelvin

