[Solved]Setting up VPN on pfSense behind router

[Bart]

Hello guys,

First things first: I'm not an IT-professional and only have a basic understanding of most related concepts. I work for an NGO and am trying to upgrade our IT-infrastructure with limited resources. I've been reading some tutorials and forum topics, but I don't think they contain an answer to my question. So if the answer can already be found, my apologies for asking again, but that does mean I'm in need of a more detailed version of the existing answer

My goal is to reach the internal network at our HQ from several single remote computers.

Our setup at HQ: Modem --> Cisco router --> pfSense (an old PC) --> local network
The Cisco router is provided and managed by our ISP. The pfSense firewall is managed by us. This might seem like a strange setup, but this is what we have to work with for reasons I won't get into right now.
pfSense version 2.1-RELEASE (i386)

Our ISP has tried to build a VPN tunnel for us by setting up a VPN server on their Cisco router, but is unable to grant us access to our local network. They recommended setting up a server on our pfSense PC, which I have done using the OpenVPN wizard. When my laptop is in our local network, I can successfully connect to that VPN server, meaning OpenVPN creates a virtual LAN-connection on my PC and my PC is assigned an IP-address by the VPN server. (Ipv4 Tunnel Network)
I don't get very far however, trying to connect from my home network. Logfiles below.

I'm guessing that the router being in front of our pfSense is the cause of this problem. Port 1723 has been forwarded on the Cisco router to the pfSense WAN. (Because I asked our ISP to do so.) This port is specified as Local Port on the VPN server. Apparently, that doesn't do the trick.

What can I do to remedy this situation? I can of course modify the OpenVPN server settings if you guys can tell me what to do. An acceptable solution would als be to ask our ISP to make configuration changes to the Cisco router, but they too would have to be pretty specific.

On to the log files. Those I was able to retrieve, anyway.

I'm afraid I am unable to find a way to post the server config. If anyone could point me in the right direction, I'd be happy to do so.

Client config. It seems to try to connect to an address in our local network directly, so I'm not surprised it's not working. I have tried overwriting that IP with our HQ's external IP, and even tried external IP\\internal IP, but to no avail.

Code: Select all

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infiniteremote 192.168.1.2 1723 udp
lport 0
verify-x509-name "VPNserver cert" name
auth-user-pass
pkcs12 openvpn-udp-1723-VPNbarts.p12
tls-auth openvpn-udp-1723-VPNbarts-tls.key 1
ns-cert-type server
comp-lzo

Client log when using this config:

Code: Select all

Wed Feb 25 17:31:41 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Wed Feb 25 17:31:41 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Wed Feb 25 17:31:50 2015 Control Channel Authentication: using 'openvpn-udp-1723-VPNbarts-tls.key' as a OpenVPN static key file
Wed Feb 25 17:31:50 2015 UDPv4 link local (bound): [undef]
Wed Feb 25 17:31:50 2015 UDPv4 link remote: [undef]
Wed Feb 25 17:33:50 2015 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Feb 25 17:33:50 2015 SIGUSR1[soft,ping-restart] received, process restarting
Wed Feb 25 17:33:52 2015 UDPv4 link local (bound): [undef]
Wed Feb 25 17:33:52 2015 UDPv4 link remote: [undef]

And so on.

Server log:

Code: Select all

Feb 23 17:37:23 	openvpn[69654]: 192.168.0.13:51336 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 23 17:37:23 	openvpn[69654]: 192.168.0.13:51336 [VPNingridf] Peer Connection Initiated with [AF_INET]192.168.0.13:51336
Feb 23 17:37:46 	openvpn: user 'VPNingridf' authenticated
Feb 23 17:37:46 	openvpn[69654]: 192.168.0.13:51337 [VPNingridf] Peer Connection Initiated with [AF_INET]192.168.0.13:51337
Feb 23 17:37:46 	openvpn[69654]: VPNingridf/192.168.0.13:51337 MULTI_sva: pool returned IPv4=192.168.200.10, IPv6=(Not enabled)
Feb 23 17:37:48 	openvpn[69654]: VPNingridf/192.168.0.13:51337 send_push_reply(): safe_cap=940
Feb 23 17:40:52 	openvpn[69654]: VPNingridf/192.168.0.13:51337 [VPNingridf] Inactivity timeout (--ping-restart), restarting
Feb 23 17:48:55 	openvpn[69654]: VPNbarts/192.168.0.49:54309 [VPNbarts] Inactivity timeout (--ping-restart), restarting
Feb 25 14:10:06 	openvpn[69654]: event_wait : Interrupted system call (code=4)
Feb 25 14:10:06 	openvpn[69654]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 14:10:06 	openvpn[69654]: SIGTERM[hard,] received, process exiting
Feb 25 14:10:06 	openvpn[9763]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 14:10:06 	openvpn[9763]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 14:10:06 	openvpn[9763]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 14:10:06 	openvpn[9763]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 14:10:06 	openvpn[9763]: TUN/TAP device /dev/tun1 opened
Feb 25 14:10:06 	openvpn[9763]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 14:10:06 	openvpn[9763]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 14:10:06 	openvpn[9763]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 14:10:06 	openvpn[11310]: UDPv4 link local (bound): [AF_INET]192.168.1.2:1723
Feb 25 14:10:06 	openvpn[11310]: UDPv4 link remote: [undef]
Feb 25 14:10:06 	openvpn[11310]: Initialization Sequence Completed
Feb 25 15:06:36 	openvpn[11310]: event_wait : Interrupted system call (code=4)
Feb 25 15:06:36 	openvpn[11310]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 15:06:36 	openvpn[11310]: SIGTERM[hard,] received, process exiting
Feb 25 15:06:36 	openvpn[19717]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 15:06:36 	openvpn[19717]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 15:06:36 	openvpn[19717]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 15:06:36 	openvpn[19717]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 15:06:36 	openvpn[19717]: TUN/TAP device /dev/tun1 opened
Feb 25 15:06:36 	openvpn[19717]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 15:06:36 	openvpn[19717]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 15:06:36 	openvpn[19717]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 15:06:36 	openvpn[20956]: UDPv4 link local (bound): [AF_INET]127.0.0.1:1723
Feb 25 15:06:36 	openvpn[20956]: UDPv4 link remote: [undef]
Feb 25 15:06:36 	openvpn[20956]: Initialization Sequence Completed
Feb 25 17:27:58 	openvpn[20956]: event_wait : Interrupted system call (code=4)
Feb 25 17:27:58 	openvpn[20956]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 17:27:58 	openvpn[20956]: SIGTERM[hard,] received, process exiting
Feb 25 17:27:58 	openvpn[39438]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 17:27:58 	openvpn[39438]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 17:27:58 	openvpn[39438]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 17:27:58 	openvpn[39438]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 17:27:58 	openvpn[39438]: TUN/TAP device /dev/tun1 opened
Feb 25 17:27:58 	openvpn[39438]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 17:27:58 	openvpn[39438]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 17:27:58 	openvpn[39438]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 17:27:58 	openvpn[40767]: UDPv4 link local (bound): [AF_INET]127.0.0.1:1723
Feb 25 17:27:58 	openvpn[40767]: UDPv4 link remote: [undef]
Feb 25 17:27:58 	openvpn[40767]: Initialization Sequence Completed

[maikcat]

hello there,

Our setup at HQ: Modem --> Cisco router --> pfSense (an old PC) --> local network

assuming your pfsense has 2 nics and performs routing (and NAT) correct?

connecting to your vpn while in the same lan is actually meaningless,
only tests VERY basic connectivity...

I'm guessing that the router being in front of our pfSense is the cause of this problem. Port 1723 has been forwarded on the Cisco router to the pfSense WAN. (Because I asked our ISP to do so.) This port is specified as Local Port on the VPN server. Apparently, that doesn't do the trick.

if your cisco forwards udp port 1723 to your pfsense WAN interface you are good,
did you configured your pfsense firewall to allow incoming traffic from its wan interface to this openvpn port?

you can alternative try to use tcp for testing.

please clarify your pfsense setup.

Michael.

[Bart]

Hello Maikcat,

Turns out my ISP only forwarded TCP. UDP is now being forwarded as well, but I have had little more success. New logfiles below.

Our pfSense indeed performs routing. (It is the gateway for internal network.) I'm not sure about NAT. All 4 tabs under Firewall > NAT are actually empty. Our pfSense has 2 NICs, one onboard acting as WAN (connected to the Cisco router) and one PCI-card as LAN (connected to our first switch).

Server settings:

• Server mode= Remote Access (SSL/TLS+User Auth)
  Backend:Local Database
  Protocol=UDP
  Device mode=tun
  Interface=Localhost (I changed the default value to this after doing some reading.)
  Local port=1723
  TLS Authentication=Enabled
  DH Parameters Length=1024 bits
  Encryption algorithm=AES-128-CBC (128-bit)
  No Hardware Crypto Acceleration
  Certificate Depth=Two (Client+Intermediate+Server) (I changed the default value to this after doing some reading.)
  IPv4 Tunnel Network=192.168.200.0/24
  IPv4 Local Network=192.168.0.1/24

If any other settings are relevant, let me know. I still can't find an efficient way to post the server config.

Client log:

Code: Select all

Thu Feb 26 14:24:42 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Thu Feb 26 14:24:42 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Thu Feb 26 14:24:53 2015 Control Channel Authentication: using 'openvpn-udp-1723-VPNbarts-tls.key' as a OpenVPN static key file
Thu Feb 26 14:24:53 2015 UDPv4 link local (bound): [undef]
Thu Feb 26 14:24:53 2015 UDPv4 link remote: [undef]
Thu Feb 26 14:26:54 2015 [UNDEF] Inactivity timeout (--ping-restart), restarting
Thu Feb 26 14:26:54 2015 SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb 26 14:26:56 2015 UDPv4 link local (bound): [undef]
Thu Feb 26 14:26:56 2015 UDPv4 link remote: [undef]

Client config, generated anew by the Client Export after the UDP forward, using Automagic Multi-WAN IPs as Hostname resolution. (Thought this could be more successful after the UDP forward was enabled.)

Code: Select all

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite

lport 0
verify-x509-name "VPNserver cert" name
auth-user-pass
pkcs12 openvpn-udp-1723-VPNbarts.p12
tls-auth openvpn-udp-1723-VPNbarts-tls.key 1
ns-cert-type server
comp-lzo

Server log:

Code: Select all

Feb 23 17:37:23 	openvpn[69654]: 192.168.0.13:51336 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 23 17:37:23 	openvpn[69654]: 192.168.0.13:51336 [VPNingridf] Peer Connection Initiated with [AF_INET]192.168.0.13:51336
Feb 23 17:37:46 	openvpn: user 'VPNingridf' authenticated
Feb 23 17:37:46 	openvpn[69654]: 192.168.0.13:51337 [VPNingridf] Peer Connection Initiated with [AF_INET]192.168.0.13:51337
Feb 23 17:37:46 	openvpn[69654]: VPNingridf/192.168.0.13:51337 MULTI_sva: pool returned IPv4=192.168.200.10, IPv6=(Not enabled)
Feb 23 17:37:48 	openvpn[69654]: VPNingridf/192.168.0.13:51337 send_push_reply(): safe_cap=940
Feb 23 17:40:52 	openvpn[69654]: VPNingridf/192.168.0.13:51337 [VPNingridf] Inactivity timeout (--ping-restart), restarting
Feb 23 17:48:55 	openvpn[69654]: VPNbarts/192.168.0.49:54309 [VPNbarts] Inactivity timeout (--ping-restart), restarting
Feb 25 14:10:06 	openvpn[69654]: event_wait : Interrupted system call (code=4)
Feb 25 14:10:06 	openvpn[69654]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 14:10:06 	openvpn[69654]: SIGTERM[hard,] received, process exiting
Feb 25 14:10:06 	openvpn[9763]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 14:10:06 	openvpn[9763]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 14:10:06 	openvpn[9763]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 14:10:06 	openvpn[9763]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 14:10:06 	openvpn[9763]: TUN/TAP device /dev/tun1 opened
Feb 25 14:10:06 	openvpn[9763]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 14:10:06 	openvpn[9763]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 14:10:06 	openvpn[9763]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 14:10:06 	openvpn[11310]: UDPv4 link local (bound): [AF_INET]192.168.1.2:1723
Feb 25 14:10:06 	openvpn[11310]: UDPv4 link remote: [undef]
Feb 25 14:10:06 	openvpn[11310]: Initialization Sequence Completed
Feb 25 15:06:36 	openvpn[11310]: event_wait : Interrupted system call (code=4)
Feb 25 15:06:36 	openvpn[11310]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 15:06:36 	openvpn[11310]: SIGTERM[hard,] received, process exiting
Feb 25 15:06:36 	openvpn[19717]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 15:06:36 	openvpn[19717]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 15:06:36 	openvpn[19717]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 15:06:36 	openvpn[19717]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 15:06:36 	openvpn[19717]: TUN/TAP device /dev/tun1 opened
Feb 25 15:06:36 	openvpn[19717]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 15:06:36 	openvpn[19717]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 15:06:36 	openvpn[19717]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 15:06:36 	openvpn[20956]: UDPv4 link local (bound): [AF_INET]127.0.0.1:1723
Feb 25 15:06:36 	openvpn[20956]: UDPv4 link remote: [undef]
Feb 25 15:06:36 	openvpn[20956]: Initialization Sequence Completed
Feb 25 17:27:58 	openvpn[20956]: event_wait : Interrupted system call (code=4)
Feb 25 17:27:58 	openvpn[20956]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 17:27:58 	openvpn[20956]: SIGTERM[hard,] received, process exiting
Feb 25 17:27:58 	openvpn[39438]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 25 17:27:58 	openvpn[39438]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 17:27:58 	openvpn[39438]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 25 17:27:58 	openvpn[39438]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 17:27:58 	openvpn[39438]: TUN/TAP device /dev/tun1 opened
Feb 25 17:27:58 	openvpn[39438]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 17:27:58 	openvpn[39438]: /sbin/ifconfig ovpns1 192.168.200.1 192.168.200.2 mtu 1500 netmask 255.255.255.255 up
Feb 25 17:27:58 	openvpn[39438]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.200.1 192.168.200.2 init
Feb 25 17:27:58 	openvpn[40767]: UDPv4 link local (bound): [AF_INET]127.0.0.1:1723
Feb 25 17:27:58 	openvpn[40767]: UDPv4 link remote: [undef]
Feb 25 17:27:58 	openvpn[40767]: Initialization Sequence Completed

[Bart]

Also Michael,

I think the OpenVPN wizard took care of allowing the traffic. I have an active firewall rule (tab "WAN") that reads:

• Protocol=IPv4 UDP
  Source=*, Port=*
  Destination=WAN addresses, Port=1723 (PPTP)
  Gateway=*
  Queue=none
  Schedule=(blank)

Under tab "OpenVPN", it also added a Pass rule for protocol IPv4*, with * under source and destination (including ports).

[Bart]

Update - I have successfully connected from a remote network to our OpenVPN server!
Aside from asking my ISP to set the port 1723 forward to UDP, the following moves proved to be crucial:

• Server setting: Localhost to WAN.
  Client config: I had to manually set our external IP-adress as destination (with port 1723).

I also set Certificate Depth back to its default value of 1, which didn’t have any effect, as far as I could see.

However, I have a new problem: I am unable to connect to any devices in our local network.

IPv4 Local Network is set to 192.168.0.0/24. This is in fact our local network, for which our pfSense LAN is the gateway (192.168.0.1). Our NAS for example, is located at 192.168.0.6.

IPv4 Tunnel Network is set to 192.168.200.0/24. I tried setting this to several values within the 192.168.0.xxx range, but was unable to connect succcesfully to our VPN server each time. Hence the current setting. This causes my PC to receive 192.168.200.6, and I assume that why I’m unable to connect to any 192.168.0.xxx devices. The setting “Provide a virtual adapter IP address to clients” was enabled by default, but disabling it doesn’t seem to have any effect. My PC is always being assigned that same IP address by the VPN server.

I have tried:

• Setting Local Network from 192.168.0.1/24 to 192.168.0.0/24. I noticed no difference, and so I left it at 0.0, seeing that 0.1 is actually our gateway.
  Enabling “Allow communication between clients connected to this server”. Disabled by default, so enabling seemed like a good move. Made no difference. (Still enabled.)

Note that the following settings are currently disabled, as they were by default:

• Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)
  Provide a default domain name to clients
  Provide a DNS server list to clients
  Provide a NTP server list to clients
  Enable NetBIOS over TCP/IP

What am I doing wrong?

[maikcat]

However, I have a new problem: I am unable to connect to any devices in our local network.

ok , lets see what we can do about it...

IPv4 Tunnel Network is set to 192.168.200.0/24

good choice,you need a DIFFERENT ip network range related to your lan one.

This causes my PC to receive 192.168.200.6,

this is the correct behaviour

and I assume that why I’m unable to connect to any 192.168.0.xxx devices

you assume wrong

Setting Local Network from 192.168.0.1/24 to 192.168.0.0/24. I noticed no difference, and so I left it at 0.0, seeing that 0.1 is actually our gateway.

leave it to 0.0/24

Enabling “Allow communication between clients connected to this server”

this is client-to-client directive irrelevant for now...

What am I doing wrong?

probably nothing...

check the following:

1)if your clients recieve a route for your internal lan
2)if any firewall rules block traffic (for testing is a good practice to disable your firewall)

Michael.

[Traffic]

Sorry to chime in here as I am sure Michael will help you best but ..

#1:

Server log:
Code:
Feb 25 14:10:06 openvpn[9763]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013

You will want to update this:

Fri Feb 27 14:03:24 2015 us=644306 OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014

#2:

Server log:
Code:
Feb 23 17:37:23 openvpn[69654]: 192.168.0.13:51336 TLS Auth Error: Auth Username/Password verification failed for peer

which is present in all your server logs .. just to make sure this is not over looked.

Also, you can set the following custom options on the server (advanced options) which may help you diagnose problems:

Code: Select all

log /var/log/server_name.log; verb 4; keepalive 10 30 # This overrides def: keepalive 10 60; 

You could also set verb 4 in your client config to help .. and I presume your client config does have a --remote option as it is not shown.

Finally:

• NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
  
  Just to make sure you do not run into a routing conflict.

[Bart]

Michael,

1) Below you can find ipconfig and route print info when connected to our OpenVPN server. Does this answer your first question? If not, can you tell me what you need?
"LAN-verbinding 6" = TAP-Windows Adapter V9 created by OpenVPN
"LAN-verbinding 2" = Adapter used to connect to the internet.

2) I was unable to find a way to disable the entire firewall module of our pfSense. Its configured rules, however, are as follows.
These are all pass rules, except for the Block bogon rule. All are enabled.

Code: Select all

ID 	Proto 	Source 	Port 	Destination 	Port 	Gateway 	Queue 	Schedule 	Description
FLOATING TAB:
(NONE)
WAN TAB:
	* 	Reserved/not assigned by IANA 	* 	* 	* 	* 	* 	* 	Block bogon networks
	IPv4 TCP/UDP 	79.132.241.18 	* 	* 	* 	* 	none 	  	PBX. Toegevoegd door Bart 23/2/2015  
 	IPv4 UDP 	* 	* 	WAN address 	1723 (PPTP) 	* 	none 	  	OpenVPN wizard  
LAN TAB:
	*	*	*	LAN Adress	44380	*		*	none		Anti-Lockout Rule
  	IPv4 * 	LAN net 	* 	* 	* 	* 	none 	  	Default allow LAN to any rule  
  	IPv6 * 	LAN net 	* 	* 	* 	* 	none 	  	Default allow LAN IPv6 to any rule
OPenVPN TAB:
	IPv4 * 	* 	* 	* 	* 	* 	none 	  	OpenVPN wizard

I have noticed something else today. I was assuming our VPN connection would give me the external IP of our HQ's local network as outgoing IP. When I looked it up while connected to our VPN server, however, my outgoing IP turned out to be the external IP of my home network.
We need the external IP of our HQ network as outgoing IP for a specific application. Is this possible?

Code: Select all

Microsoft Windows [versie 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle rechten voorbehouden.

C:\Users\Administrator>ipconfig

Windows IP-configuratie


Ethernet-adapter voor LAN-verbinding 6:

   Verbindingsspec. DNS-achtervoegsel:
   Link-local IPv6-adres . . . . . . : fe80::40a6:6823:d4cf:8d5b%32
   IPv4-adres. . . . . . . . . . . . : 192.168.200.6
   Subnetmasker. . . . . . . . . . . : 255.255.255.252
   Standaardgateway. . . . . . . . . :

Ethernet-adapter voor LAN-verbinding 2:

   Verbindingsspec. DNS-achtervoegsel:
   Link-local IPv6-adres . . . . . . : fe80::49c4:3d96:9050:a03b%18
   IPv4-adres. . . . . . . . . . . . : 192.168.42.247
   Subnetmasker. . . . . . . . . . . : 255.255.255.0
   Standaardgateway. . . . . . . . . : 192.168.42.129

Tunnel-adapter voor isatap.{0A379483-36CA-4B2F-BD98-5015865FFECC}:

   Mediumstatus. . . . . . . . . . . : medium ontkoppeld
   Verbindingsspec. DNS-achtervoegsel:

Tunnel-adapter voor isatap.{1FACFA0A-6E5E-4C33-86A0-983FA7E7F6A4}:

   Mediumstatus. . . . . . . . . . . : medium ontkoppeld
   Verbindingsspec. DNS-achtervoegsel:

Tunnel-adapter voor Teredo Tunneling Pseudo-Interface:

   Verbindingsspec. DNS-achtervoegsel:
   IPv6-adres. . . . . . . . . . . . : 2001:0:5ef5:79fb:14c2:eae:3f57:d508
   Link-local IPv6-adres . . . . . . : fe80::14c2:eae:3f57:d508%15
   Standaardgateway. . . . . . . . . : ::

C:\Users\Administrator>route print
===========================================================================
Interfacelijst
 32...00 ff 0a 37 94 83 ......TAP-Windows Adapter V9
 18...9e 75 b0 e6 e6 2a ......Remote NDIS based Internet Sharing Device #2
  1...........................Software Loopback Interface 1
 30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 54...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 routetabel
===========================================================================
Actieve routes:
Netwerkadres             Netmasker          Gateway        Interface Metric
          0.0.0.0          0.0.0.0   192.168.42.129   192.168.42.247     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0    192.168.200.5    192.168.200.6     20
     192.168.42.0    255.255.255.0         On-link    192.168.42.247    266
   192.168.42.247  255.255.255.255         On-link    192.168.42.247    266
   192.168.42.255  255.255.255.255         On-link    192.168.42.247    266
    192.168.200.0    255.255.255.0    192.168.200.5    192.168.200.6     20
    192.168.200.4  255.255.255.252         On-link     192.168.200.6    276
    192.168.200.6  255.255.255.255         On-link     192.168.200.6    276
    192.168.200.7  255.255.255.255         On-link     192.168.200.6    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.200.6    276
        224.0.0.0        240.0.0.0         On-link    192.168.42.247    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.200.6    276
  255.255.255.255  255.255.255.255         On-link    192.168.42.247    266
===========================================================================
Permanente routes:
  Netwerkadres             Netmask  Gateway-adres    Metric
          0.0.0.0          0.0.0.0      192.168.0.1       1
===========================================================================

IPv6 routetabel
===========================================================================
Actieve routes:
 Indien metrische netwerkbestemming      Gateway
 15     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 15     58 2001::/32                On-link
 15    306 2001:0:5ef5:79fb:14c2:eae:3f57:d508/128
                                    On-link
 32    276 fe80::/64                On-link
 18    266 fe80::/64                On-link
 15    306 fe80::/64                On-link
 15    306 fe80::14c2:eae:3f57:d508/128
                                    On-link
 32    276 fe80::40a6:6823:d4cf:8d5b/128
                                    On-link
 18    266 fe80::49c4:3d96:9050:a03b/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    306 ff00::/8                 On-link
 32    276 ff00::/8                 On-link
 18    266 ff00::/8                 On-link
===========================================================================
Permanente routes:
  Geen

C:\Users\Administrator>

[Bart]

Hello Traffic,

All help is welcome!

I'll look into updating the server to the latest build. I installed OpenVPN earlier this month using System > Packages in my pfSense control panel. I actually didn't check if the package listed there is the latest.

Server log: "TLS Auth Error: Auth Username/Password verification failed for peer" - I may have mistyped my user name or password a few times. I have made a lot of connection attempts

The following line has been added to "Advanced configuration" on our OpenVPN server.

Code: Select all

log /var/log/server_name.log; verb 4; keepalive 10 30 # This overrides def: keepalive 10 60; 

verb 4 has been added to my client config as well. My entire client config is now as follows. I think the remote command is there, unless you are referring to something else?

Code: Select all

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 85.234.195.91 1723 udp
lport 0
verify-x509-name "VPNserver cert" name
auth-user-pass
pkcs12 openvpn-udp-1723-VPNbarts.p12
tls-auth openvpn-udp-1723-VPNbarts-tls.key 1
ns-cert-type server
comp-lzo
verb 4

Now that these lines have been added, do you guys need an update of both logs?

On the possibility of routing conflicts:
My home network does indeed use the same subnet address as our HQ's network. (0)
The ipconfig info I posted in my previous post was taken while using tethered (USB) access from my phone. (As I was at our HQ at that time and needed to access our VPN server externally.) As you can see, the tethered connection uses subnet 42.
So now I'm not sure whether this is a problem or not, as I have had just as little success from my home network (subnet 0) as from my tethered connection (subnet 42). Do you recommended changing our HQ's subnet? For example to 192.168.5.xxx?
This is probably a dumb question, but doesn't the IPv4 Tunnel Network setting on our server (192.168.200.0/24) prevent routing conflicts?

[Traffic]

The following line has been added to "Advanced configuration" on our OpenVPN server.
Code:
log /var/log/server_name.log; verb 4; keepalive 10 30 # This overrides def: keepalive 10 60;

please don't simply copy/paste the instructions .. take a closer look and learn what they mean:-
server_name.log might best reflect the name of your host for example.

On the possibility of routing conflicts:
My home network does indeed use the same subnet address as our HQ's network. (0)
..
Do you recommended changing our HQ's subnet? For example to 192.168.5.xxx?

Never use 192.168.0.0/24 or 1.0/24 for your sever LAN (if possible) .. how you choose to follow this is upto you, routing conflicts will plague you otherwise.

I was assuming our VPN connection would give me the external IP of our HQ's local network as outgoing IP. When I looked it up while connected to our VPN server, however, my outgoing IP turned out to be the external IP of my home network

Enable: Redirect Gateway [X] Force all client generated traffic through the tunnel .. See --redirect-gateway in The Manual v23x to understand this option.

[Bart]

The option "Redirect Gateway [X] Force all client generated traffic through the tunnel" caused my client to be unable to connect to the server, so I had to disable it again.

When a client connects via bridging to a remote network, it is assigned an IP address that is part of the remote physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally.
Source:
https://community.openvpn.net/openvpn/w ... figuration

Isn't this what I need, then? Michael's last post led me to believe I was on the right track, though, and I have been using tun so far.

To be able to switch from tun to tap, I need to be able to edit the server config file. How do I access it?

[Traffic]

I suggest you remain using TUN mode and getting your client to connect successfully before you try TAP mode.

The option "Redirect Gateway [X] Force all client generated traffic through the tunnel" caused my client to be unable to connect to the server, so I had to disable it again.

you will need this for

I was assuming our VPN connection would give me the external IP of our HQ's local network as outgoing IP.

but let us get the client connected properly first.

doesn't the IPv4 Tunnel Network setting on our server (192.168.200.0/24) prevent routing conflicts?

No .. this is the routing conflict:

My home network does indeed use the same subnet address as our HQ's network. (0)

by (0) I presume you mean 192.168.0.0/24 .. if so you will absolutely want to change your server LAN ..

[Bart]

Ok, our HQ's network has been changed from 192.168.0.0 to 192.168.5.0. This should prevent any routing conflicts.
Server setting "IPv4 Local Network" has been changed accordingly. (To 5.0)
("Force all client generated traffic through tunnel" still disabled.)

No change. I can connect to the server, but see no devices in our HQ's network.

[Bart]

When connected, in my client's route table, I see the following route:
Network adress = 192.168.5.0 (HQ's local network, which I need to access through VPN tunnel)
Netmask = 255.255.255.0 (correct for HQ local network)
Gateway = 192.168.200.5 (192.168.200.0 is tunnel network, so I presume this is in fact the tunnel network's gateway.)
Interface = 192.168.200.6 (Client's IP in tunnel network)
Metric = 20

Shouldn't the Gateway value in this route read 192.168.5.1, which is the actual gateway for our local network? (pfSense LAN)

Now that I think about it, ipconfig on my connected client shows no value for gateway for 192.168.200.6. Also netmask for 192.168.200.6 is 255.255.255.252. Is this normal?

[Bart]

The route described is added by the Local Network setting (server side). Leaving this setting blank prevents the route from showing up in the client's routing table.

[Traffic]

When connected, in my client's route table, I see the following route:
Network adress = 192.168.5.0 (HQ's local network, which I need to access through VPN tunnel)
Netmask = 255.255.255.0 (correct for HQ local network)
Gateway = 192.168.200.5 (192.168.200.0 is tunnel network, so I presume this is in fact the tunnel network's gateway.)
Interface = 192.168.200.6 (Client's IP in tunnel network)
Metric = 20

Shouldn't the Gateway value in this route read 192.168.5.1, which is the actual gateway for our local network? (pfSense LAN)

Also netmask for 192.168.200.6 is 255.255.255.252. Is this normal?

See --topology net30 in The Manual v23x

pfsense - OpenVPN - Client Settings:

Topology [X] Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30).

HQ's network has been changed from 192.168.0.0 to 192.168.5.0. This should prevent any routing conflicts.

Good !

Server setting "IPv4 Local Network" has been changed accordingly. (To 5.0)

Explain ..

[Bart]

Solved it. I have been configuring an IPSEC server on our pfSense for the past few days, which now does everything we need it to. I realize this might not be the solution we were aiming for here, but I gotta say I'm just glad we got it working. Thank you for your help, Traffic!

[Traffic]

Thank you for your help

and Michael

Mod: Candidate for closure ..