Our Setup:
Server: OpenVPN 2.3.11 server (on pfSense 2.3.2-RELEASE-p1)
Example Remote Client: Mac OS Sierra (10.12.2) running Tunnelblick 3.7.1beta01 (build 4800)
VPN IP Range for remote clients: 10.8.15.0/24
Local IP ranges for the main office they are connecting to:
10.8.10.0/24
10.8.11.0/24
10.8.12.0/24
External IP used (changed for security, example only):
1.1.1.130
OpenVPN server config:
[2.3.2-RELEASE][root@fw]/var/etc/openvpn: cat server1.conf
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 1.1.1.130
tls-server
server 10.8.15.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.mydomain.org' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 10.8.10.0 255.255.255.0"
push "route 10.8.11.0 255.255.255.0"
push "route 10.8.12.0 255.255.255.0"
push "dhcp-option DNS 10.8.12.4"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 1.1.1.130 1194 udp
verify-x509-name "vpn.mydomain.org" name
ns-cert-type server
comp-lzo adaptive
<certs omitted>
The client's VPN IP is 10.8.15.2
For comparison, here is the routing table on a Mac:
The client's VPN IP is 10.8.15.3
What strikes me as weird here are the routes to itself...(10.8.15/24 and 10.8.15.3 both having a gateway of 10.8.15.3). Is this just an odd way of saying "on-link" like Windows does?
The only part of the client log that jumps out at me on a Mac is this:
Right before the highlighted bit, it says it can't assign requested address.
No errors in the OpenVPN server log on pfSense.
To wrap things up... Windows remote clients who are using the VPN have no issues pinging any local IP in the main office. Mac clients cannot ping any local IPs in the main office, but they can ping other remote VPN clients.
Ideas? I'm fresh out.
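As an added example (not part of the original post), here is a small Python check that parses the `server`, `topology`, `push "route ..."` and `push "dhcp-option DNS ..."` directives from the posted server1.conf and reports pushed routes that overlap the tunnel subnet or each other, plus any pushed DNS server that no pushed route covers. The embedded config text is the relevant subset of the server config shown above; the second, deliberately broken config is constructed to show a finding.

```python
import ipaddress
import shlex

# Relevant subset of the posted server1.conf (routing-related directives only).
SERVER_CONF = """\
server 10.8.15.0 255.255.255.0
topology subnet
client-to-client
push "route 10.8.10.0 255.255.255.0"
push "route 10.8.11.0 255.255.255.0"
push "route 10.8.12.0 255.255.255.0"
push "dhcp-option DNS 10.8.12.4"
"""

# Constructed bad config: a pushed route collides with the tunnel subnet
# and the DNS server sits outside every pushed route.
BAD_CONF = """\
server 10.8.15.0 255.255.255.0
push "route 10.8.15.0 255.255.255.0"
push "dhcp-option DNS 192.0.2.53"
"""

def parse_server_conf(text):
    """Return (tunnel_net, pushed_routes, dns_servers, other_options)."""
    tunnel, routes, dns, opts = None, [], [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tok = shlex.split(line)                   # keeps the quoted push payload as one token
        if tok[0] == 'server' and len(tok) >= 3:
            tunnel = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        elif tok[0] == 'push' and len(tok) >= 2:
            p = tok[1].split()
            if p[0] == 'route' and len(p) >= 3:
                routes.append(ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False))
            elif p[0] == 'dhcp-option' and len(p) >= 3 and p[1] == 'DNS':
                dns.append(ipaddress.ip_address(p[2]))
        else:
            opts[tok[0]] = tok[1:]
    return tunnel, routes, dns, opts

def check_routes(tunnel, routes, dns):
    """Return human-readable findings; an empty list means the pushed routing is consistent."""
    findings = []
    for r in routes:
        if r.overlaps(tunnel):
            findings.append(f"pushed route {r} overlaps tunnel subnet {tunnel}")
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a.overlaps(b):
                findings.append(f"pushed routes {a} and {b} overlap")
    for d in dns:
        if d not in tunnel and not any(d in r for r in routes):
            findings.append(f"pushed DNS server {d} is not covered by any pushed route")
    return findings
```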