OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: s4rs on November 30, 2016, 10:18:41 pm

Title: Help with OpenVPN [Solved]
Post by: s4rs on November 30, 2016, 10:18:41 pm
I followed the OpenVPN Road Warrior guide and I get connected to the firewall, but that's it. I can only ping the bridge0 interface on the router and can go no farther. If I try to ping any other device, nothing.

I set up an any firewall rule on the OpenVPN tab since the example in the Howto was confusing. If you look at the picture it shows 192.168.2.0/24, when I would expect to see 192.168.1.0/24. That said, I have no idea how to set that up. It might have been a screenshot of an older version of Opnsense, and I can't figure out how to add an address. I figure that rule is now LAN net. Could someone confirm this?

I checked the client routing table and that looked good; it's below. You can see a route to the 192.168.1.0/24 subnet with a gateway of 10.10.0.5. What is curious to me is I can't ping 10.10.0.5. Should I be able to?

Client routing table

Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     173.48.255.1     173.48.255.2     35
        10.10.0.1  255.255.255.255        10.10.0.5        10.10.0.6     25
        10.10.0.4  255.255.255.252         On-link         10.10.0.6    281
        10.10.0.6  255.255.255.255         On-link         10.10.0.6    281
        10.10.0.7  255.255.255.255         On-link         10.10.0.6    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     173.48.255.0    255.255.255.0         On-link      173.48.255.2    291
     173.48.255.2  255.255.255.255         On-link      173.48.255.2    291
   173.48.255.255  255.255.255.255         On-link      173.48.255.2    291
      192.168.1.0    255.255.255.0        10.10.0.5        10.10.0.6     25
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      173.48.255.2    291
        224.0.0.0        240.0.0.0         On-link         10.10.0.6    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      173.48.255.2    291
  255.255.255.255  255.255.255.255         On-link         10.10.0.6    281
===========================================================================

If I ssh to Opnsense I can ping the test machine 192.168.1.163, see below:

Code:
0) Logout                             7) Ping host
 1) Assign Interfaces                  8) Shell
 2) Set interface(s) IP address        9) pfTop
 3) Reset the root password           10) Filter Logs
 4) Reset to factory defaults         11) Restart web interface
 5) Power off system                  12) Upgrade from console
 6) Reboot system                     13) Restore a configuration

Enter an option: 7


Enter a host name or IP address: 192.168.1.163

PING 192.168.1.163 (192.168.1.163): 56 data bytes
64 bytes from 192.168.1.163: icmp_seq=0 ttl=128 time=3.764 ms
64 bytes from 192.168.1.163: icmp_seq=1 ttl=128 time=6.272 ms
64 bytes from 192.168.1.163: icmp_seq=2 ttl=128 time=3.188 ms

Attached is a picture of my OpenVPN firewall rule.

The lan, wlan, and bridge adapters all have an allow rule just like this.

Here is my OpenVPN client log:

Code:
Nov 30 19:18:00 openvpn[29096]: greg/173.48.255.2:51788 send_push_reply(): safe_cap=940
Nov 30 19:17:58 openvpn[29096]: greg/173.48.255.2:51788 MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Nov 30 19:17:58 openvpn[29096]: 173.48.255.2:51788 [greg] Peer Connection Initiated with [AF_INET]173.48.255.2:51788
Nov 30 19:17:58 openvpn: user 'greg' authenticated
Nov 30 18:29:44 openvpn[29096]: Initialization Sequence Completed
Nov 30 18:29:44 openvpn[29096]: UDPv4 link remote: [undef]
Nov 30 18:29:44 openvpn[29096]: UDPv4 link local (bound): [AF_INET]173.48.255.4:1194
Nov 30 18:29:43 openvpn[29096]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1602 10.10.0.1 10.10.0.2 init
Nov 30 18:29:43 openvpn[29096]: /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up
Nov 30 18:29:43 openvpn[29096]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 30 18:29:43 openvpn[29096]: TUN/TAP device /dev/tun1 opened
Nov 30 18:29:43 openvpn[29096]: TUN/TAP device ovpns1 exists previously, keep at program end
Nov 30 18:29:43 openvpn[29096]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Nov 30 18:29:43 openvpn[29096]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Nov 30 18:29:43 openvpn[29096]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 30 18:29:43 openvpn[28838]: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Nov 30 18:29:43 openvpn[28838]: OpenVPN 2.3.13 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov 14 2016

And finally my Viscosity log:

Code:
State changed to Creating...
Nov 30 1:48:53 PM: State changed to Disconnected
Nov 30 2:17:14 PM: State changed to Connecting
Nov 30 2:17:14 PM: Viscosity Windows 1.6.7 (1468)
Nov 30 2:17:14 PM: Running on Microsoft Windows 10 Pro
Nov 30 2:17:14 PM: Bringing up interface...
Nov 30 2:17:15 PM: Checking reachability status of connection...
Nov 30 2:17:15 PM: Connection is reachable. Starting connection attempt.
Nov 30 2:17:15 PM: OpenVPN 2.3.13 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov  4 2016
Nov 30 2:17:15 PM: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Nov 30 2:17:53 PM: Control Channel Authentication: using 'C:\Program Files\Common Files\Viscosity\OpenVPNConfig\greg\1\ta.key' as a OpenVPN static key file
Nov 30 2:17:53 PM: UDPv4 link local (bound): [undef]
Nov 30 2:17:53 PM: UDPv4 link remote: [AF_INET]173.48.255.4:1194
Nov 30 2:17:53 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 30 2:17:54 PM: [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]173.48.255.4:1194
Nov 30 2:17:56 PM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 30 2:17:56 PM: open_tun, tt->ipv6=0
Nov 30 2:17:56 PM: TAP-WIN32 device [My SSL VPN Server] opened: \\.\Global\{4C29BFA5-6B43-42BF-8C0E-8035685E30D2}.tap
Nov 30 2:17:56 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.0.6/255.255.255.252 on interface {4C29BFA5-6B43-42BF-8C0E-8035685E30D2} [DHCP-serv: 10.10.0.5, lease-time: 31536000]
Nov 30 2:17:56 PM: Successful ARP Flush on interface [38] {4C29BFA5-6B43-42BF-8C0E-8035685E30D2}
Nov 30 2:18:01 PM: Initialization Sequence Completed
Nov 30 2:18:02 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
Server - 173.48.255.1:53; Lookup Type - Any; Domains - fios-router.home.

Lastly, the connection only lasted an hour even though I had set the timeout value to 0. I saw in a post that you need to set this value on the client. I have no idea where in Viscosity to set this. If I edit the profile I see nothing.
Title: Re: Help with OpenVPN
Post by: s4rs on November 30, 2016, 11:59:44 pm
A couple more observations. If I use an all-any rule I can ping .254, the bridge0 interface. I figured out how to add the LAN subnet: you need to select single host/single network from the list. I missed it before. When I add 192.168.1.0/24 as the source and the rest any, I can't ping .254.

Also, if I run a Wireshark trace on the box I am pinging when I have the any rule active, I see the request but no reply. The routing table looks fine; I have an entry 0.0.0.0 0.0.0.0 192.168.1.254.
Title: Re: Help with OpenVPN
Post by: s4rs on December 01, 2016, 02:18:51 am
I think something is broken or the HowTo is missing something in Opnsense 16.7.9. I reset the router back to factory default. I figured I would try the setup without the bridge interface to see if that helped. Walked through the howto and got the same result. The OpenVPN firewall rule 192.168.1.0/24 * * * didn't work; I had to use * across the board. I could only ping the LAN interface and nothing on the network.

Let me know if you want config files or anything.
Title: Re: Help with OpenVPN [Solved]
Post by: s4rs on December 01, 2016, 05:43:42 pm
I did a search last night on openvpn road warrior in this forum and found another post with the exact same issue. It turns out the VPN tunnel was always working. Today I tested RDP and that worked perfectly. According to the other post the ping issue is with Windows firewall not allowing pings from outside subnets. I turned off Windows Firewall and pings now work.

My only comment now is with the howto and setting OpenVPN's firewall rule to 192.168.2.0/24. I think it should be 1.0/24. However, even setting the rule to 192.168.1.0/24, packets aren't passing. In fact I tried all the rules in the list other than * and none of them work.

Any comments welcome.
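Added example (not from the thread or from OPNsense itself) showing why a source of 192.168.1.0/24 on the OpenVPN interface rule never matches: a rule on that interface sees the client's tunnel pool address (10.10.0.6 in the log above) as the source, not a LAN address. The rule matcher, interface name and the 10.10.0.0/24 tunnel network are assumptions; the addresses come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Simplified pass rule as entered on an OPNsense interface tab."""
    iface: str
    src: str  # CIDR or "any"
    dst: str  # CIDR or "any"
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    dst: str


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def verdict(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for r in rules:
        if r.iface == pkt.iface and _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst):
            return r.action
    return "block"


# Constructed packet: the VPN client (pool address 10.10.0.6) pinging the
# LAN test host from the thread, arriving inbound on the OpenVPN interface.
VPN_PING = Packet(iface="openvpn", src="10.10.0.6", dst="192.168.1.163")

# The three rule variants tried in the thread, plus the tunnel-network one.
LAN_NET_RULE = [Rule("openvpn", "192.168.1.0/24", "any")]   # source = LAN net
TUNNEL_NET_RULE = [Rule("openvpn", "10.10.0.0/24", "any")]  # assumed tunnel net
ANY_RULE = [Rule("openvpn", "any", "any")]                  # what finally worked

if __name__ == "__main__":
    for name, rules in [("LAN net source", LAN_NET_RULE),
                        ("tunnel net source", TUNNEL_NET_RULE),
                        ("any source", ANY_RULE)]:
        print(f"{name:18s} -> {verdict(rules, VPN_PING)}")
```

The LAN-net variant is blocked for the same reason the author saw with 192.168.1.0/24, while narrowing the source to the tunnel network passes without opening the interface to any source.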