Topic: OpenVPN in 2.1RC1 not working as advertised

peterlinuxgeek
OpenVPN in 2.1RC1 not working as advertised
« on: September 04, 2013, 12:49:46 pm »
Hi All,

I am not a specialist but do have some experience using openvpn with pfSense.

Installed 2.1-RC1  (i386)
 built on Wed Sep 4 01:46:12 EDT 2013
FreeBSD 8.3-RELEASE-p10

My Windows7 client does connect, I can access my pfSense webpage, but cannot get to any other node in the network...
Opened up the rules - re-did the whole server setup not using the wizard (I usually use it)

Nothing in the firewall logs for ovpn1 that jumps out.

Server Config:

/var/etc/openvpn(4): vi server1.conf

dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.10.2.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN xxx.int"
push "dhcp-option DNS 192.168.1.1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
persist-remote-ip
float



Am I missing something obvious or is there a bug?

WAN rule
 IPv4 UDP  *  *  WAN address  1194 (OpenVPN)  *  none      OpenVPN vpnServer wizard   

OPENVPN rule
 IPv4 *  *  *  *  *  *  none      OpenVPN vpnServer wizard   

Nothing else I can think of...

Thx

Peter

lucky
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #1 on: September 04, 2013, 01:59:18 pm »
I've been using OpenVPN on 2.1 RC1 with no issues. Let's see if we can track down what's going on...

- Does "any other node in the network." mean on your 192.168.1.x network?

- 192.168.1 is a very common subnet. Perhaps that's also the subnet where your Windows 7 client is located.

- How are you trying to access those nodes? IP, hostname? What protocol/methods? HTTP? RDP?

- Are you running the OpenVPN client as Administrator so it can add that route? (or are you using OpenVPNManager?)

« Last Edit: September 04, 2013, 02:02:56 pm by lucky »

peterlinuxgeek
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #2 on: September 04, 2013, 02:25:13 pm »
Does "any other node in the network." mean on your 192.168.1.x network?

Yes anything but 192.168.1.1 - I can connect and visit pfSense via https.
but there is also a http (80) on 192.168.1.2 that stalls...

- 192.168.1 is a very common subnet. Perhaps that's also the subnet where your Windows 7 client is located.
I am very aware of that. Used my phone to tether a laptop so it was something random.
Tried it from another place with 192.168.210.0/24 same result...

- How are you trying to access those nodes? IP, hostname? What protocol/methods? HTTP? RDP?
both name and IP. I actually tried ping-ing from client and the internal name resolved to the right internal IP address...
(pfSense is set up to do DNS resolving) so that part worked
No pings came back and nothing in the firewall logs about it either.
Tried file browsing/ping/http nothing goes beyond 192.168.1.1 = the firewall
but again no traces of it in the logs
I actually took out the (wide open) default VPN rule, then I saw blocked traffic in the logs
made custom rules to allow it back in... no luck

- Are you running the OpenVPN client as Administrator so it can add that route? (or are you using OpenVPNManager?)

run it as administrator


Had this issue yrs ago but cannot recall how to fix it.
Tried the route-method exe & route-delay stuff no luck.
Connected from a Linux client same thing - up to the firewall, no further...

I too have 2 other RC1 setups that work great - it is very weird & frustrating.
Thinking of blowing it all away and start again.




Thx for the help.


Peter

peterlinuxgeek
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #3 on: September 04, 2013, 02:27:29 pm »
Thought... maybe traffic is getting in... but not back out...
How could I 'see' that in the logs (where?)

Peter

lucky
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #4 on: September 04, 2013, 03:51:11 pm »
arg, that sounds pretty frustrating.

your config looks pretty much like mine....i don't see anything that looks like it would cause a problem

what's the netmask on the pfsense interface for your 192.168.1.x network? is it the same as what you push in your openvpn route (255.255.255.0)
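
The two network checks raised in this thread (client LAN overlapping the VPN networks, and the pushed route matching the pfSense LAN interface netmask), as an added example that is not part of any post. The `SERVER_CONF` lines are copied from the posted config; the function names, and the firewall LAN value passed in, are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: the directives from the posted server1.conf that matter here.
SERVER_CONF = '''\
server 10.10.2.0 255.255.255.0
#user nobody
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
'''

def vpn_networks(conf_text):
    """Return (tunnel_net, [pushed_route_nets]) parsed from an OpenVPN server config."""
    tunnel, pushed = None, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or commented-out directive
        words = shlex.split(line)  # keeps the quoted push argument as one word
        if words[0] == "server" and len(words) >= 3:
            tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] == "push" and len(words) == 2:
            opt = words[1].split()
            if len(opt) >= 3 and opt[0] == "route":
                pushed.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}"))
    return tunnel, pushed

def check(conf_text, client_lan, firewall_lan):
    """List problems: client LAN overlapping a VPN network, or no pushed
    route with the same network and netmask as the firewall LAN interface."""
    tunnel, pushed = vpn_networks(conf_text)
    client = ipaddress.ip_network(client_lan)
    lan = ipaddress.ip_network(firewall_lan)
    problems = []
    for net in [tunnel] + pushed:
        if net is not None and net.overlaps(client):
            problems.append(f"client LAN {client} overlaps {net}")
    if lan not in pushed:
        problems.append(f"no pushed route matches firewall LAN {lan}")
    return problems

if __name__ == "__main__":
    # 192.168.210.0/24 is the second client location mentioned in the thread;
    # the /24 on the firewall LAN is an assumption (the thread never states it).
    print(check(SERVER_CONF, "192.168.210.0/24", "192.168.1.0/24"))
```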

ssheikh
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #5 on: September 04, 2013, 08:04:19 pm »
server 10.10.2.0 255.255.255.0

Are you blocking private networks on the interface this server is bound to?

What does the route table on your client say?

individual-it
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #6 on: September 08, 2013, 11:23:38 pm »
We had very strange routing / firewall problems because of too little memory.

First I would check if the routes are set correctly in Diagnostics->Routes
And then connect with a serial cable to your box if possible and see if the boot process does not stop somewhere in between.

kejianshi
Re: OpenVPN in 2.1RC1 not working as advertised
« Reply #7 on: September 08, 2013, 11:33:49 pm »
This sounds exactly like what openvpn will do if it's not installed with right-click, run as admin...