I'm trying to get OpenVPN working in a virtual environment (as a proof of concept for a production environment). I also have a real lab set up for testing as well. Both labs are giving me the same symptoms now. The frustrating thing is that both of these labs worked once (I was able to ping a box on the LAN from the client), and then I've never been able to get it to work again.
This is my set up:
2 Windows 10 VMs (CLIENT and WINDOWS)
2 pfSense firewalls (FIREWALL and FW02, pfSense version 2.5.2-RELEASE)
All networks are /24.
CLIENT - 192.168.100.40
FW02 - LAN: 192.168.100.20 / WAN: 192.168.175.200
FIREWALL - LAN: 192.168.146.10 / WAN 192.168.175.100
WINDOWS - 192.168.146.40
Goal: Install/run OpenVPN GUI on CLIENT and be able to ping WINDOWS.
The test that I run is that I connect to the VPN on CLIENT (using GUI as my users will be doing), and then run a cmd prompt and try to ping WINDOWS (192.168.146.40). The end goal is that my users can turn on the VPN and enter an IP/DNS in their Chrome browser and be able to access the GUI for something like a NAS on the 192.168.146.0/24 network.
With OpenVPN connected, from CLIENT I can successfully ping the FIREWALL WAN/LAN, and the VPN tunnel gateway (in my case, 192.168.123.1).
The networking between all the devices is (I believe) correct. Both firewalls can ping each other's WAN, and my Windows boxes can ping their own firewall's WAN and LAN. (While OpenVPN is connected, I did notice CLIENT can't ping FW02's WAN.)
Also, I will note that I am using the Wizard in pfSense to set up the server, and then go back in and change my settings to "User Auth-only" instead of "SSL/TLS + User Auth". I can post pics of the server settings as well if needed. I am also using the "openvpn-client-export" (v1.6_2) package in pfSense to run the .exe on the CLIENT to install/config OpenVPN. My certificate authority and certificates are just made by me (self-signed?); I just made them in pfSense, not using GoDaddy/LetsEncrypt/etc.
OpenVPN config file on CLIENT:
CLIENT config
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 192.168.175.100 5698 tcp4
auth-user-pass
ca FIREWALL-TCP4-5698-ca.crt
tls-auth FIREWALL-TCP4-5698-tls.key 1
remote-cert-tls server
Log from CLIENT (right click in tray and hit View log):
CLIENT log
2022-01-28 13:59:55 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
2022-01-28 13:59:55 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-28 13:59:55 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
2022-01-28 13:59:58 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 Attempting to establish TCP connection with [AF_INET]192.168.175.100:5698 [nonblock]
2022-01-28 13:59:58 TCP connection established with [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 TCPv4_CLIENT link local: (not bound)
2022-01-28 13:59:58 TCPv4_CLIENT link remote: [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 [VPNcertSERV] Peer Connection Initiated with [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 open_tun
2022-01-28 13:59:58 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-01-28 13:59:58 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.123.0/192.168.123.2/255.255.255.0 [SUCCEEDED]
2022-01-28 13:59:58 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.123.2/255.255.255.0 on interface {5713925F-46BF-4277-9015-0AA440B6E486} [DHCP-serv: 192.168.123.254, lease-time: 31536000]
2022-01-28 13:59:58 Successful ARP Flush on interface [16] {5713925F-46BF-4277-9015-0AA440B6E486}
2022-01-28 13:59:58 IPv4 MTU set to 1500 on interface 16 using service
2022-01-28 14:00:03 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-28 14:00:03 Initialization Sequence Completed
Log from the FIREWALL for the most recent connection:
FIREWALL log
Jan 28 07:59:57 openvpn 45186 VPNuser/192.168.175.200:55830 MULTI_sva: pool returned IPv4=192.168.123.2, IPv6=(Not enabled)
Jan 28 07:59:57 openvpn 13252 user 'VPNuser' authenticated
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 [VPNuser] Peer Connection Initiated with [AF_INET]192.168.175.200:55830
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_GUI_VER=OpenVPN_GUI_11
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_TCPNL=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_COMP_STUBv2=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_COMP_STUB=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZO=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZ4v2=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZ4=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_NCP=2
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_PROTO=6
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_PLAT=win
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_VER=2.5.2
Jan 28 07:59:56 openvpn 45186 TCP connection established with [AF_INET]192.168.175.200:55830
Jan 28 07:59:39 openvpn 45186 VPNuser/192.168.175.200:47254 Connection reset, restarting [-1]
And the FIREWALL OpenVPN config (/var/etc/openvpn/server1/config.ovpn):
FIREWALL config
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.175.100
tls-server
server 192.168.123.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 5698
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPNcertSERV' 1"
lport 5698
management /var/etc/openvpn/server1/sock unix
max-clients 3
push "redirect-gateway def1"
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet
When I go to Status > OpenVPN in pfSense, here is the established connection:
Common Name: VPNuser VPNuser
Real Address: 192.168.175.200:55830
Virtual Address: 192.168.123.2
Connected Since: XXXXXXXXXXXXXXX
Bytes Sent: 16 KiB
Bytes Received: 22KiB
Cipher: AES-256-GCM
Common Name: VPNuser
Real Address: 192.168.175.200:55830
Target Network: 192.168.123.2
Last Used: XXXXXXXXXXXXXXXXXX
Thank you to anyone who attempts to help!! Have been banging my head on this.
Edit: Getting my config/log tags to work
Edit: Based on https://openvpn.net/community-resources ... er-subnet/, I tried changing the PUSH statement in the FIREWALL config to "route 192.168.146.0 255.255.255.0", but this did not seem to work, my test pinging to WINDOWS still failed.
Perhaps I need to do this? https://openvpn.net/community-resources ... ux-server/
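The route table CLIENT ends up with after the server pushes `redirect-gateway def1`, modelled as an added example (not code from the post, pfSense or OpenVPN) using the addresses in the post; it assumes CLIENT's pre-VPN default gateway is FW02's LAN address 192.168.100.20, and `trace()` can also be run with `redirect_gateway=False` and `pushed=[("192.168.146.0", "255.255.255.0")]` to model the `route` variant tried in the edit.

```python
import ipaddress

# Constructed model (not the poster's data) of the Windows client's route table
# once OpenVPN is up. Addresses come from the post; CLIENT's pre-VPN default
# gateway is assumed to be FW02's LAN address.
VPN_SERVER = "192.168.175.100"
TUN_GW = "192.168.123.1"     # gateway OpenVPN pushes in topology subnet
ORIG_GW = "192.168.100.20"   # assumption: FW02 LAN is CLIENT's default route

def client_routes(redirect_gateway=True, pushed=()):
    """Return (network, next_hop) pairs as the client would hold them.
    redirect_gateway models push "redirect-gateway def1": two /1 routes via
    the tunnel that outrank the untouched default route, plus a /32 to the
    VPN server via the original gateway so the tunnel itself stays reachable.
    pushed holds (net, mask) pairs from push "route <net> <mask>" lines."""
    routes = [
        (ipaddress.ip_network("192.168.100.0/24"), "on-link"),  # client LAN
        (ipaddress.ip_network("192.168.123.0/24"), "on-link"),  # tunnel subnet
        (ipaddress.ip_network("0.0.0.0/0"), ORIG_GW),           # original default
    ]
    if redirect_gateway:
        routes += [
            (ipaddress.ip_network(f"{VPN_SERVER}/32"), ORIG_GW),
            (ipaddress.ip_network("0.0.0.0/1"), TUN_GW),
            (ipaddress.ip_network("128.0.0.0/1"), TUN_GW),
        ]
    for net, mask in pushed:
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), TUN_GW))
    return routes

def next_hop(dst, routes):
    """Longest-prefix match, the rule every IP stack applies."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

# Destinations the post pings from CLIENT while the tunnel is up.
TARGETS = {
    "WINDOWS": "192.168.146.40",
    "FIREWALL WAN": "192.168.175.100",
    "FIREWALL LAN": "192.168.146.10",
    "FW02 WAN": "192.168.175.200",
    "tunnel gateway": "192.168.123.1",
}

def trace(redirect_gateway=True, pushed=()):
    """Map each target to the next hop CLIENT would use for it."""
    routes = client_routes(redirect_gateway, pushed)
    return {name: next_hop(ip, routes) for name, ip in TARGETS.items()}
```

In both variants the longest-prefix match sends 192.168.146.40 into the tunnel, so under this model the client's own routing is not where the ping is lost; with def1 the model also sends FW02's WAN address 192.168.175.200 into the tunnel, which is consistent with CLIENT no longer reaching it while connected.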