
#16 +BudMan

    Neowinian Super Star

  • 22,054 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 09 February 2012 - 14:59

Do a tracert 8.8.8.8.

I don't see any DNS being pushed, so how would you resolve, say, www.neowin.net so that you have an IP to route?

I'm walking out the door for work. I'll hop on later to see any more info you have and continue to troubleshoot; this way I will also have remote access to my openvpn server to test.

BTW, here is my server config, just for reference.

dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.13.xxx.xxx
tls-server
server 10.0.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 4
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.253"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float

From /var/etc/openvpn/server1.conf on pfsense.


#17 +CPressland

    cpressland.com

  • 6,330 posts
  • Joined: 16-September 06
  • Location: England
  • OS: Mac OS X Lion

Posted 09 February 2012 - 15:09

Okay, here is my server config:

dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 86.21.116.233
tls-server
server 10.0.3.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 20
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float

I'm going to continue diagnosing now. Please note I've only just added the DNS option based on comparing with your conf file.

#18 +CPressland

    cpressland.com

  • 6,330 posts
  • Joined: 16-September 06
  • Location: England
  • OS: Mac OS X Lion

Posted 09 February 2012 - 15:16

Erm, it just started working. I didn't change anything; I just disabled the server and re-enabled it. Going to reboot the laptop just to be sure I'm not losing my mind.

#19 +CPressland

    cpressland.com

  • 6,330 posts
  • Joined: 16-September 06
  • Location: England
  • OS: Mac OS X Lion

Posted 09 February 2012 - 15:21

Yep, after a reboot it still works. You don't think it was literally the OpenVPN daemon that just needed restarting, do you?! After all that?!

Thanks Budman, this has actually been a very educational experience.

#20 +BudMan

    Neowinian Super Star

  • 22,054 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 09 February 2012 - 17:10

To be honest, there is nothing in the openvpn server that should have blocked your access to the outside, and pfsense is already set up to NAT your connection to the internet, etc. So unless you had some firewall rule blocking access, pfsense should allow openvpn clients to access the internet. It comes down to whether the client will route traffic through the VPN or not for networks other than what is on the other end of the tunnel.

If I had to guess, I would say maybe you were not getting DNS before. Did you try the tracert before you rebooted? Does your local network have DNS? So you were trying to go to, say, www.whatsmyip.org and it was showing you your local connection's NAT IP? Or was it just not working?

So is the redirect-gateway item working now, or do you have to manually set the default gateway?

Another problem I have seen when trying to do what you're doing is the DNS server being used through the pfsense not being set to allow the VPN network to query it, i.e. the 10.0.200 network in my case. It depends on what you're using for DNS on the VPN network. I use unbound on pfsense, so I had to create an ACL to allow VPN clients using a 10.0.200.x address to be able to query it.

The good thing is its working! ;)

edit: BTW, you by no means need to have your VPN clients use the DNS on your pfsense side. I do that because I use DNS to query for my machines on my pfsense network. And here at work you cannot directly query DNS on this network; you have to use the proxy. The local DNS will not resolve outside addresses, so for it to work when I route traffic through my VPN connection, I need a DNS server that will resolve outside addresses, like my pfsense box.

#21 +CPressland

    cpressland.com

  • 6,330 posts
  • Joined: 16-September 06
  • Location: England
  • OS: Mac OS X Lion

Posted 10 February 2012 - 10:25

Oh really? I'm using unbound also; I didn't realise that it blocked any connections at all. What was the ACL you set up? I assume 10.0.3.0/24 would be sufficient?

I agree it does look to be a DNS issue. I just can't believe I missed that. I suppose the simplest explanation is usually the correct one.

#22 +BudMan

    Neowinian Super Star

  • 22,054 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 February 2012 - 13:44

Well, since your tunnel network is so close in number, it might be that it falls under the same mask in your ACL?

Attached Image: aclsunbound.jpg

But yeah, you have to allow networks to query unbound. If you're able to query and don't have it in an ACL, maybe unbound is not working?

I snipped out part of that IPv6 range, because this is a global public range and there is no reason to make that public.

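The two things the thread ends up comparing by hand (what the server pushes to clients, and whether the tunnel network is covered by an unbound access-control entry) can be checked mechanically. The script below is an added example, not code from either poster or from pfSense/OpenVPN/unbound. It parses a server config in the shape quoted above, reports whether DNS and a default route are pushed and whether the pushed DNS server is reachable through the tunnel, and applies unbound's most-specific-match rule to a client address from the tunnel network. The config sample is constructed from the directives shown in the thread, the unbound ACL is hypothetical, and the client address 10.0.3.6 is an assumption.

```python
"""Check an OpenVPN server config and an unbound ACL for DNS-over-VPN failure modes."""
import ipaddress
import shlex

# Constructed sample, shaped like the pfSense-generated server config quoted
# above but trimmed to the directives the checks look at.
SAMPLE_SERVER_CONF = """\
dev ovpns2
dev-type tun
#user nobody
proto udp
cipher BF-CBC
server 10.0.3.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"
dh /etc/dh-parameters.1024
comp-lzo
"""

# Hypothetical unbound ACL: LAN allowed, tunnel network not listed.
SAMPLE_UNBOUND_ACL = """\
access-control: 127.0.0.0/8 allow
access-control: 10.0.1.0/24 allow
access-control: 0.0.0.0/0 refuse
"""


def parse_openvpn_conf(text):
    """Return [(directive, [args])] in file order; quoted push values stay one arg."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # both OpenVPN comment styles
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def tunnel_network(entries):
    """The VPN subnet from the 'server <net> <mask>' directive, or None."""
    for directive, args in entries:
        if directive == 'server' and len(args) >= 2:
            return ipaddress.ip_network(f'{args[0]}/{args[1]}', strict=False)
    return None


def pushed_options(entries):
    """Split pushed options into (routes, dns_servers, redirect_gateway)."""
    routes, dns, redirect = [], [], False
    for directive, args in entries:
        if directive != 'push' or not args:
            continue
        opt = args[0].split()
        if opt[0] == 'route' and len(opt) >= 3:
            routes.append(ipaddress.ip_network(f'{opt[1]}/{opt[2]}', strict=False))
        elif opt[0] == 'dhcp-option' and len(opt) >= 3 and opt[1].upper() == 'DNS':
            dns.append(ipaddress.ip_address(opt[2]))
        elif opt[0] == 'redirect-gateway':
            redirect = True
    return routes, dns, redirect


def parse_unbound_acl(text):
    """Return [(network, action)] from 'access-control: <net> <action>' lines."""
    acl = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0] == 'access-control:':
            acl.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
    return acl


def unbound_decision(acl, addr):
    """unbound applies the most specific matching netblock; no match means refuse."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, action in acl:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return (str(best[0]), best[1]) if best else ('no match', 'refuse')


def diagnose(conf_text, acl_text):
    """List the reasons a client routing everything through the tunnel may lose DNS."""
    entries = parse_openvpn_conf(conf_text)
    net = tunnel_network(entries)
    if net is None:
        return ['no "server" directive: not a server-mode config']
    routes, dns, redirect = pushed_options(entries)
    findings = []
    if not dns:
        findings.append('no "dhcp-option DNS" pushed: clients keep their local resolver')
    if not redirect:
        findings.append('no "redirect-gateway" pushed: only the pushed routes use the tunnel')
    for server in dns:
        if not (redirect or server in net or any(server in r for r in routes)):
            findings.append(f'pushed DNS {server} is not reachable via any pushed route')
    client = net[6]   # hypothetical client address inside the tunnel network
    matched, action = unbound_decision(parse_unbound_acl(acl_text), client)
    if action != 'allow':
        findings.append(f'unbound would {action} queries from {client} (ACL match: {matched})')
    for directive, args in entries:
        if directive == 'cipher' and args and args[0].upper() == 'BF-CBC':
            findings.append('cipher BF-CBC is a 64-bit block cipher; prefer an AES-GCM cipher')
    return findings


if __name__ == '__main__':
    for finding in diagnose(SAMPLE_SERVER_CONF, SAMPLE_UNBOUND_ACL):
        print('-', finding)
```

Run against the sample it reports three things: no redirect-gateway is pushed (so only 10.0.1.0/24 goes through the tunnel, which matches the "routes work, everything else doesn't" symptom), unbound refuses the tunnel client because only the LAN netblock is allowed, and the cipher is a 64-bit block cipher. Adding `access-control: 10.0.3.0/24 allow` to the ACL and `push "redirect-gateway def1"` to the server config clears the first two; the most-specific-match rule is why a 10.0.3.0/24 entry wins over a broader refuse line, and also why a tunnel network that happens to sit inside an already-allowed netblock works without an entry of its own.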
#23 +CPressland

    cpressland.com

  • 6,330 posts
  • Joined: 16-September 06
  • Location: England
  • OS: Mac OS X Lion

Posted 10 February 2012 - 15:09

Thanks, will confirm with my ACL shortly.