PfSense OpenVPN client to CentOS 6.5 OpenVPN server



  • I've got a CentOS 6.5 server running OpenVPN 2.0.9 and I'm trying to set up a tunnel to a pfSense 2.1.4 OpenVPN client.

    The server has a WAN IP address and a tun address of 10.0.1.1

    ifconfig shows:

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                inet addr:10.0.1.1  P-t-P:10.0.1.2  Mask:255.255.255.255

    route shows:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.1.2        *               255.255.255.255 UH    0      0        0 tun0
    10.0.1.0        10.0.1.2        255.255.255.0   UG    0      0        0 tun0
    xxx.xxx.xxx.0   *               255.255.240.0   U     0      0        0 eth0
    link-local      *               255.255.0.0     U     1002   0        0 eth0
    default         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth0

    Where xxx.xxx.xxx is my WAN address

    The status page for OpenVPN shows a virtual IP of 10.0.1.6 and shows to be UP.

    I have the OpenVPN connected but I'm not able to ping across the tunnel. I can ping 10.0.1.1 from the server. I cannot ping 10.0.1.2.

    On the client from pfSense diagnostics I can ping 10.0.1.1 but not 10.0.1.2

    This is the server conf:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    server 10.0.1.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-128-CBC  # AES
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log        openvpn.log
    verb 3

    The client settings:

    Mode is set to SSL/TLS
    Enable authentication of TLS packets is unchecked
    I've set up my certs in the Cert Manager
    I'm using AES-128-CBC as encryption
    Remote Network is 10.0.1.0/24
    Compress tunnel is checked.

    I'm not clear on several points:

    1. On the pfSense client do I need to set up a new interface with the OpenVPN as the device?
    2. On the OpenVPN client setup does Tunnel Network need a value?
    3. On the OpenVPN client Remote Network is set to 10.0.1.0/24, is that correct?
    4. What firewall/NAT rules do I need to add?
    5. What routing do I need to do on the server end?

    Any help is appreciated!
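    Before chasing the routing problem, the posted server.conf and client settings deserve a hardening pass: there is no tls-auth (the client's "Enable authentication of TLS packets" box is the other half of that), comp-lzo is on, the DH group is 1024-bit, and neither side checks the peer certificate's role, which is what the client's "No server certificate verification method has been enabled" warning later in this thread is about. The Python script below is added here as an illustration; it is not from the thread, OpenVPN or pfSense. It parses the server.conf posted above (embedded inline) and reports those points. The thresholds it applies and the "hardened" variant it compares against are the example's own assumptions, not a statement about the poster's deployment.

```python
"""Lint an OpenVPN 2.x config for weak or risky settings.

Added example for this thread; not part of OpenVPN or pfSense.  The sample
input is the server.conf from the post above, embedded so the script runs
offline.  The checks encode general OpenVPN hardening advice and are this
example's assumptions.
"""
import re

# Constructed sample input: the server.conf posted in the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC  # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
"""

# Assumed hardened variant for comparison: same tunnel, risky options replaced.
# (tls-version-min needs OpenVPN 2.3.3+, AES-256-GCM needs 2.4+ at both ends.)
HARDENED_CONF = (SERVER_CONF.replace("dh dh1024.pem", "dh dh2048.pem")
                 .replace("cipher AES-128-CBC", "cipher AES-256-GCM")
                 .replace("comp-lzo\n", "")
                 + "tls-auth ta.key 0\nremote-cert-tls client\n"
                   "auth SHA256\ntls-version-min 1.2\n")


def parse_config(text):
    """Return [(directive, [args]), ...]; '#' comments and blank lines are dropped."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            options.append((parts[0], parts[1:]))
    return options


def lint(text, role="server"):
    """Return a list of (key, message) findings for a server or client config."""
    opts = parse_config(text)
    names = {d for d, _ in opts}
    findings = []

    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("no-tls-auth",
            "no tls-auth/tls-crypt: any host can start a TLS handshake with the "
            "daemon (DoS and fingerprinting surface); on pfSense this is "
            "'Enable authentication of TLS packets'"))
    # 'compress' with no algorithm means no compression; 'compress lzo/lz4' does.
    if "comp-lzo" in names or any(a for d, a in opts if d == "compress"):
        findings.append(("compression",
            "compression enabled: compressing attacker-influenced plaintext "
            "leaks secrets (VORACLE); disable it at both ends"))
    for d, a in opts:
        if d == "dh" and role == "server" and a:
            # File-name heuristic only; read the PEM to get the real group size.
            m = re.search(r"(\d{3,4})", a[0])
            if m and int(m.group(1)) < 2048:
                findings.append(("weak-dh", f"dh {a[0]}: use a 2048-bit or larger group"))
        if d == "cipher" and a and a[0].upper().endswith("-CBC"):
            findings.append(("cbc-cipher",
                f"cipher {a[0]}: CBC depends on the HMAC ('auth', default SHA1); "
                "prefer an AEAD cipher such as AES-256-GCM once both ends run 2.4+"))
    if not names & {"remote-cert-tls", "ns-cert-type"}:
        expected = "client" if role == "server" else "server"
        findings.append(("no-remote-cert-tls",
            f"no 'remote-cert-tls {expected}': any certificate issued by the same "
            "CA is accepted as the peer; on the client OpenVPN logs this as "
            "'No server certificate verification method has been enabled'"))
    if "tls-version-min" not in names:
        findings.append(("no-tls-min", "no tls-version-min: TLS 1.0 is accepted"))
    return findings


def finding_keys(text, role="server"):
    """Just the finding keys, for quick comparison of two configs."""
    return {k for k, _ in lint(text, role)}


if __name__ == "__main__":
    for key, msg in lint(SERVER_CONF):
        print(f"[{key}] {msg}")
    print("hardened variant:", finding_keys(HARDENED_CONF) or "no findings")
```

The same `lint` with `role="client"` applies to an exported pfSense client config; the role only changes which `remote-cert-tls` value is expected and whether the `dh` check runs.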



  • I'm not clear on several points:

    1. On the pfSense client do I need to set up a new interface with the OpenVPN as the device?
    2. On the OpenVPN client setup does Tunnel Network need a value?
    3. On the OpenVPN client Remote Network is set to 10.0.1.0/24, is that correct?
    4. What firewall/NAT rules do I need to add?
    5. What routing do I need to do on the server end?

    1. No, when you create an OpenVPN client on pfSense, that's dealt with for you.
    2. I always put in the tunnel network of the OVPN Server
    3. No, there isn't a "Remote Network" in your case other than the OVPN tunnel itself (your ifconfig doesn't show any other interfaces than WAN and tun0 does it?)
    4. You should have an Allow All, Any, Any rule on the OpenVPN Firewall tab
    5. I don't think you need anything more, the OpenVPN server config defines a 10.0.1.0/24 subnet your server can access.

    I would start with moving the 10.0.1.0/24 definition from 3. to 2. (leave 3. blank) and make sure you have the OpenVPN rule in 4.



  • Thanks for the reply. Still not working so here is what I've done:

    1. I don't have an interface set up for OpenVPN so that's alright.
    2. I set the client "tunnel network" to 10.0.1.0/24
    3. I removed the "Remote Network" on the client. You were right, all I have on the server is the WAN IP on eth0 and the tun0 with 10.0.1.1 10.0.1.2 as the IP.
    4. I do have an allow, any, any rule on the OpenVPN tab on the client.

    5. route on the server is showing:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.1.2        *               255.255.255.255 UH    0      0        0 tun0
    10.0.1.0        10.0.1.2        255.255.255.0   UG    0      0        0 tun0
    xxx.xxx.xxx.0   *               255.255.240.0   U     0      0        0 eth0
    link-local      *               255.255.0.0     U     1002   0        0 eth0
    default         xxx.xxx.xxx.1   0.0.0.0         UG    0      0        0 eth0
    
    

    xxx.xxx.xxx is my WAN IP

    The firewall on the server looks like this:

    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    fail2ban-FTP  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    2    fail2ban-BadBots  tcp  --  0.0.0.0/0     0.0.0.0/0          multiport dports 80,443
    3    fail2ban-PBX-GUI  tcp  --  0.0.0.0/0     0.0.0.0/0
    4    fail2ban-SIP  all  --  0.0.0.0/0              0.0.0.0/0
    5    fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    
    Chain fail2ban-BadBots (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-FTP (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-PBX-GUI (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-SIP (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-SSH (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    num  target     prot opt source               destination
    
    Chain POSTROUTING (policy ACCEPT)
    num  target     prot opt source               destination
    1    MASQUERADE  all  --  10.0.1.0/24          0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    
    

    I'm wondering if my server firewall is correct for the 10.0.1.x tunnel:

    Chain POSTROUTING (policy ACCEPT)
    num  target    prot opt source              destination
    1    MASQUERADE  all  --  10.0.1.0/24          0.0.0.0/0

    Also have forwarding set in sysctl.conf

    So I restarted the service at both ends.

    On the server I can ping 10.0.1.1 but not 10.0.1.2

    On the client I can also ping 10.0.1.1 but not 10.0.1.2



  • I just played around with the packet capture on the client. Nothing is captured when I ping 10.0.1.1 or 10.0.1.2 from the server. But when I ping 10.0.1.6 (the IP listed as the virtual IP in Status->OpenVPN) I get this:

    15:21:03.915809 IP 10.0.1.1 > 10.0.1.6: ICMP echo request, id 53589, seq 5, length 64
    15:21:03.915855 IP 10.0.1.6 > 10.0.1.1: ICMP echo reply, id 53589, seq 5, length 64
    15:21:04.920400 IP 10.0.1.1 > 10.0.1.6: ICMP echo request, id 53589, seq 6, length 64
    15:21:04.920436 IP 10.0.1.6 > 10.0.1.1: ICMP echo reply, id 53589, seq 6, length 64
    
    


  • What is the 10.0.1.6 IP that is listed as the virtual IP in the Status->OpenVPN on the client? I can ping that IP address and also ssh to it but it does not seem to be my server (will not accept my password).



  • I would guess that's the address being given to the pfSense client by the OpenVPN server.

    If you turn up the Verb settings for both the client and the server to "4", you'll get a whack of logged info.
    On the server, it should show you the connection attempt by the client and the address assigned on the client (among other things).

    After you've connected the client, what does the Route table look like on pfSense?

    Have you tried ssh into 10.0.1.6 from the server (assuming ssh is turned on on your pfSense box)?



  • Ok so 10.0.1.6 is my pfSense box. I can log in to it from the server using 10.0.1.6 so I know the packets are getting that far.

    I found this in the OpenVPN log file:

    Apr 20 12:18:34 openvpn[85721]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Apr 20 12:18:34 openvpn[85721]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.0.1.6 10.0.1.5 init
    Apr 20 12:18:34 openvpn[85721]: /sbin/ifconfig ovpnc1 10.0.1.6 10.0.1.5 mtu 1500 netmask 255.255.255.255 up
    Apr 20 12:18:34 openvpn[85721]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 20 12:18:34 openvpn[85721]: TUN/TAP device /dev/tun1 opened
    Apr 20 12:18:34 openvpn[85721]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 20 12:18:32 openvpn[85721]: [server] Peer Connection Initiated with [AF_INET]159.203.234.144:1194
    Apr 20 12:18:30 openvpn[85721]: UDPv4 link remote: [AF_INET]159.203.234.144:1194
    Apr 20 12:18:30 openvpn[85721]: UDPv4 link local (bound): [AF_INET]66.76.176.130
    Apr 20 12:18:30 openvpn[85562]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 20 12:18:30 openvpn[85562]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 20 12:18:30 openvpn[85562]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014
    Apr 20 12:18:29 openvpn[92630]: SIGTERM[hard,] received, process exiting
    Apr 20 12:18:29 openvpn[92630]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1558 10.0.1.6 10.0.1.5 init
    Apr 20 12:18:29 openvpn[92630]: event_wait : Interrupted system call (code=4)
    Apr 20 12:15:32 openvpn[92630]: Initialization Sequence Completed
    

    Looks like the route add command is failing.

    I'll turn Verb higher and check it again and also look at the route table.



  • Here is the routing table on the client:

    Destination       Gateway         Flags  Refs  Use        Mtu    Netif
    default           aaa.aaa.aaa.1   UGS    0     519132     1500   sk0
    10.0.0.0/24       link#7          U      0     1          1500   sk2
    10.0.0.1          link#7          UHS    0     0          16384  lo0
    10.0.1.1/32       10.0.1.5        UGS    0     140        1500   ovpnc1
    10.0.1.5          link#14         UH     0     0          1500   ovpnc1
    10.0.1.6          link#14         UHS    0     3          16384  lo0
    aaa.aaa.aaa.0/24  link#5          U      0     15773411   1500   sk0
    aaa.aaa.aaa.aaa   link#5          UHS    0     0          16384  lo0
    127.0.0.1         link#12         UH     0     211103     16384  lo0
    192.168.0.0/24    link#6          U      0     230154043  1500   sk1
    192.168.0.1       link#6          UHS    0     0          16384  lo0
    192.168.21.0/24   link#4          U      0     0          1500   msk3
    192.168.21.254    link#4          UHS    0     0          16384  lo0
    192.168.201.0/24  link#1          U      0     0          1500   msk0
    192.168.201.2     link#1          UHS    0     0          16384  lo0
    
    

    aaa.aaa.aaa.aaa is my WAN ip on the client.  192.168.0.0, 192.168.201.0, 192.168.21.0 and 10.0.0.0 are my local networks.



  • The 10.0.1.6 address comes from the NET30 topology if I remember it correctly, nothing to worry about. The remote network SHOULD NOT be 10.0.1.0/24 because that is the "transfer network" where the addresses for the tun* devices are assigned for both ends of the tunnel. What should be in remote network field is the LAN address space at the remote end if applicable, this setting will cause the client to add a route to that network over the VPN tunnel.
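    To make the net30 point concrete, here is an added Python example (not from the thread, OpenVPN or pfSense) that reproduces how `server 10.0.1.0 255.255.255.0` with the default `topology net30` carves the tunnel network into /30 blocks. It shows why the pfSense client comes up as 10.0.1.6 with gateway 10.0.1.5, as the client log above records, and why 10.0.1.2, the server's own point-to-point endpoint, is not a host that can answer a ping. The number of clients is the example's assumption.

```python
"""Address plan of an OpenVPN 'server <net> <mask>' tunnel with topology net30.

Added example for this thread; not OpenVPN or pfSense code.  net30 hands
out /30 blocks in order: the first /30 belongs to the server (local .1,
point-to-point endpoint .2), then one /30 per client, where the client's
local address is the third address of its block and its point-to-point
endpoint (the gateway its tunnel routes point at) is the second.  The
'server' macro's default pool stops at .251 in a /24, i.e. 62 clients.
"""
import ipaddress


def net30_plan(server_net, clients=1):
    """Return {address: role} for the server and the first `clients` peers."""
    net = ipaddress.ip_network(server_net)
    blocks = list(net.subnets(new_prefix=30))
    if clients + 1 > len(blocks):
        raise ValueError(f"{server_net} holds at most {len(blocks) - 1} net30 clients")
    plan = {}
    srv = blocks[0]
    plan[str(srv[1])] = "server tun local address"
    plan[str(srv[2])] = ("server point-to-point endpoint: a routing placeholder, "
                         "no peer owns it, so nothing answers")
    for n, blk in enumerate(blocks[1:clients + 1], start=1):
        plan[str(blk[2])] = f"client {n} tun local address"
        plan[str(blk[1])] = (f"client {n} point-to-point endpoint "
                             "(the gateway its pushed routes use)")
    return plan


def client_ifconfig(server_net, n):
    """(local, remote) that the server pushes to the n-th client as 'ifconfig'."""
    if n < 1:
        raise ValueError("clients are numbered from 1")
    blk = list(ipaddress.ip_network(server_net).subnets(new_prefix=30))[n]
    return str(blk[2]), str(blk[1])


def describe(server_net, addr, clients=62):
    """Explain what `addr` is inside the tunnel network."""
    plan = net30_plan(server_net, clients)
    return plan.get(str(ipaddress.ip_address(addr)),
                    "unassigned: a /30 network or broadcast address, or beyond the pool")


if __name__ == "__main__":
    for a in ("10.0.1.1", "10.0.1.2", "10.0.1.5", "10.0.1.6", "10.0.1.7", "10.0.1.10"):
        print(f"{a:<10} {describe('10.0.1.0/24', a)}")
    print("first client ifconfig:", client_ifconfig("10.0.1.0/24", 1))
```

`client_ifconfig("10.0.1.0/24", 1)` gives `('10.0.1.6', '10.0.1.5')`, matching the `ifconfig 10.0.1.6 10.0.1.5` in the PUSH_REPLY further down; a second client would get 10.0.1.10/10.0.1.9. With `topology subnet` instead, every peer sits in one /24 and these /30 artefacts go away.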



  • The server end has a WAN IP and the tun0 10.0.1.x IPs; there are no other networks at that end. So should "Remote Networks" be blank?

    I had this at the server end and I think it was causing the route add command to fail:

    push "route 192.168.0.0 255.255.255.0"

    This is after I removed it and verb set to 6:

    Apr 20 16:18:39 openvpn[35005]: /sbin/route add -net 10.0.1.1 10.0.1.5 255.255.255.255
    Apr 20 16:18:39 openvpn[35005]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.0.1.6 10.0.1.5 init
    Apr 20 16:18:39 openvpn[35005]: /sbin/ifconfig ovpnc1 10.0.1.6 10.0.1.5 mtu 1500 netmask 255.255.255.255 up
    Apr 20 16:18:39 openvpn[35005]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 20 16:18:39 openvpn[35005]: TUN/TAP device /dev/tun1 opened
    Apr 20 16:18:39 openvpn[35005]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 20 16:18:39 openvpn[35005]: ROUTE_GATEWAY aaa.aaa.aaa.1
    Apr 20 16:18:39 openvpn[35005]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 20 16:18:39 openvpn[35005]: OPTIONS IMPORT: route options modified
    Apr 20 16:18:39 openvpn[35005]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 20 16:18:39 openvpn[35005]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 20 16:18:39 openvpn[35005]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.1.1,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5'
    

    Still no change in pings or access
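    A pushed route that the client already has is one plain reason for FreeBSD's `route add` to exit 1, and the client's routing table posted earlier does carry 192.168.0.0/24 on sk1, the same prefix the server was pushing. The Python script below is an added example (not from the thread, OpenVPN or pfSense) that parses the PUSH_REPLY from the log above and the client's routing table, then reports pushed routes that already exist on the client or that overlap a directly connected network. The routing table is reconstructed from the earlier post with the masked WAN rows left out, the "old" PUSH_REPLY with the `route 192.168.0.0 255.255.255.0` option is reconstructed from the poster's description, and ignoring routes on the tunnel interface itself (added by this very OpenVPN instance) is the example's design choice.

```python
"""Predict what a PUSH_REPLY will do to a client's routing table.

Added example for this thread; not OpenVPN or pfSense code.  Pushed
'route' options are compared against a netstat -rn style table; an exact
duplicate is what makes FreeBSD's 'route add' fail, an overlap with a
connected network is worth a look.  Routes on the tunnel interface are
skipped because the running OpenVPN client installed them.
"""
import ipaddress

# PUSH_REPLY from the client log above, after the 192.168.0.0 push was removed.
PUSH_REPLY = ("PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
              "route 10.0.1.1,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5")
# Reconstructed (assumed) message from before the server stopped pushing it.
PUSH_REPLY_OLD = PUSH_REPLY.replace(
    "route 10.0.1.1,", "route 10.0.1.1,route 192.168.0.0 255.255.255.0,")

# Constructed sample: the pfSense routing table from the earlier post,
# masked WAN rows omitted.  Columns: Destination Gateway Flags Refs Use Mtu Netif
CLIENT_ROUTES = """\
default           aaa.aaa.aaa.1   UGS    0     519132     1500   sk0
10.0.0.0/24       link#7          U      0     1          1500   sk2
10.0.0.1          link#7          UHS    0     0          16384  lo0
10.0.1.1/32       10.0.1.5        UGS    0     140        1500   ovpnc1
10.0.1.5          link#14         UH     0     0          1500   ovpnc1
10.0.1.6          link#14         UHS    0     3          16384  lo0
127.0.0.1         link#12         UH     0     211103     16384  lo0
192.168.0.0/24    link#6          U      0     230154043  1500   sk1
192.168.0.1       link#6          UHS    0     0          16384  lo0
192.168.21.0/24   link#4          U      0     0          1500   msk3
192.168.201.0/24  link#1          U      0     0          1500   msk0
"""


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into [(option, [args]), ...]."""
    parts = msg.split(",")
    if parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    out = []
    for part in parts[1:]:
        toks = part.split()
        if toks:
            out.append((toks[0], toks[1:]))
    return out


def pushed_routes(msg):
    """Networks the client will add: 'route <net> [<mask> [<gw>]]', mask defaults to /32."""
    nets = []
    for opt, args in parse_push_reply(msg):
        if opt == "route" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
    return nets


def parse_routes(text):
    """Return [(network, gateway, netif)] from a netstat -rn style table.

    'default' and the lo0 host routes for the box's own addresses are skipped.
    """
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "default" or cols[-1] == "lo0":
            continue
        dest = cols[0] if "/" in cols[0] else cols[0] + "/32"
        rows.append((ipaddress.ip_network(dest, strict=False), cols[1], cols[-1]))
    return rows


def check_push(msg, table_text, tun_iface):
    """Return findings as (kind, pushed_net, existing_net, netif)."""
    table = [r for r in parse_routes(table_text) if r[2] != tun_iface]
    findings = []
    for net in pushed_routes(msg):
        for existing, gw, netif in table:
            if existing == net:
                findings.append(("exists", str(net), str(existing), netif))
            elif gw.startswith("link#") and net.overlaps(existing):
                findings.append(("overlaps-connected", str(net), str(existing), netif))
    return findings


if __name__ == "__main__":
    for label, msg in (("old", PUSH_REPLY_OLD), ("current", PUSH_REPLY)):
        print(label, "->", check_push(msg, CLIENT_ROUTES, "ovpnc1") or "no conflicts")
```

Run it and the old message flags `192.168.0.0/24` as already present on sk1, while the current one, which only pushes the host route to 10.0.1.1, comes back clean; the `ifconfig` option it carries can be read straight from `parse_push_reply`.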



  • Yes, leave the remote network blank if there's no LAN network at the server's end.



  • Do I need a route at the server end to the 192.168.0.0 network via the 10.0.1.0 tunnel?



  • Does the server end need to have access to the 192.168.0.0/24 network? I mean as an initiator of connections to any services on 192.168.0.0/24? If not I would use NAT on the tunnel interface to hide the local network completely and you wouldn't need to set up a route back at the server.



  • No the server does not need to initiate any connections.

    Not sure what you mean by using NAT on the tunnel interface. Can you explain that in a little more detail?



  • It's been a while since I've actually run an OpenVPN server or client but roughly speaking:

    • Assign the tun(4) interface used by the OpenVPN client as an OPT interface at the Interfaces->(assign) menu.

    • Create a new outbound NAT rule at Firewall->NAT, set interface in the rule to the newly created OPT interface, leave everything else at defaults.

