Solved

PFSense OpenVPN push route problem

Posted on 2011-09-15
4
1,817 Views
Last Modified: 2012-05-12
Can somebody please explain whats going wrong with my push route command. Setup is fairly simple. WAN = x.x.x.x LAN = 10.79.10.0/24 and I used 10.79.40.0/24 for the OpenVPN subnet. I then did a push route for the 10.79.10.0/24 subnet. The OpenVPN clients can connect and get an IP address in the .40 subnet but they cannot ping address in the local (.10) subnet.

Here is my server config

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher AES-256-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 10.79.40.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 10.79.10.0 255.255.255.0"
lport 1194
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo

Any thoughts?
0
Comment
Question by:nccguys
  • 2
  • 2
4 Comments
 
LVL 1

Expert Comment

by:CODVM
ID: 36546570
What's you client SO ? Can you please show me the routing table ?

To show the routing table on windows do:

route print

To show the routing table on linux do:

route -n
0
 

Author Comment

by:nccguys
ID: 36550696
Shouldn't be a firewall issue. Since this is in a test environment, both the WAN and LAN interfaces are completely open. (any any any etc) Just to summarize:

WAN:                        X.X.X.X             Currently its a private address in a test environment but I tested on a WAN address with same results. (ie, fear of NAT and routing issues with private addresses)
LAN:                         10.79.10.0/24    Local network on LAN port.
OpenVPN subnet        10.79.40.0/24    The empty subnet used for OpenVPN clients connecting in.

What seems different with OpenVPN as compared to an IPSec or PPTP in PFSense is there is no interface associated with OpenVPN so I have no way of doing any firewall rules for the .40.0/24 OpenVPN subnet.

Here are several externally hosted screenshots that should really help out with troubleshooting:

http://host.atomiklan.com/1.png             (Shows the OpenVPN server front page)
http://host.atomiklan.com/2.png             (Shows the OpenVPN detailed configurations)
http://host.atomiklan.com/3.png             (Shows the LAN firewall rules)
http://host.atomiklan.com/4.png             (Shows the WAN firewall rules()
http://host.atomiklan.com/5.png             (Shows an IP config command on the client computer that is connected to the OpenVPN server)
http://host.atomiklan.com/6.png             (Shows the OpenVPN client log window upon successful connection)
http://host.atomiklan.com/7.png             (Shows the routing table on the Client computer)
http://host.atomiklan.com/8.png             (Shows the routing table on the OpenVPN server)
http://host.atomiklan.com/8.png             (Shows IP address assigned to the Client upon successful connection)
0
 
LVL 1

Accepted Solution

by:
CODVM earned 250 total points
ID: 36559336
See the warnings in the client log. Your link-mtu, cipher and keysize are wrong. You must correct this. Everything else seems to be OK.
0
 

Author Closing Comment

by:nccguys
ID: 36585341
Cryptography mis-configured

Push route command is successful. Layer 3 communication now successful. Thank you everyone for helping.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now