CPressland Posted February 8, 2012

Hey Guys, I've currently got an OpenVPN setup where I can simply connect to my home pfSense Server from work and use my Local Network.

My Network is on the 10.0.1.0/24 Range
My OpenVPN is on the 10.0.3.0/24 Range

Now I'll be taking a trip to Vancouver soon and I access various sites that require me to have my WAN IP, so connecting from my Hotel's WAN will not allow me access, so I've set up a Secondary OpenVPN Server on the 10.0.4.0/24 Range.

Primary VPN uses port 1194
Secondary VPN uses port 1195

I've ticked the "Force all client generated traffic through the tunnel." option and set up the following advanced commands:

[CODE]push "redirect-gateway def1";push "dhcp-option DNS 10.0.1.1";verb 1;mute-replay-warnings[/CODE]

Finally I have Manual NATing enabled, so I've set up the following rule: WAN 10.0.4.0/24.

Now I can connect to my VPN without issue, but I do see the following:

[CODE]UDPv4 link local (bound): [undef]:1194[/CODE] <-- surely this should be 1195?

I cannot ping anything on the WAN but can connect to my LAN. For example, ping 208.67.222.222 returns 100% packet loss but ping 10.0.1.1 returns normally.

Any ideas on where to go from here?

Link to comment https://www.neowin.net/forum/topic/1056796-openvpn-redirect-all-remote-traffic-to-local-wan/
+BudMan MVC Posted February 8, 2012

Ok I just tested this with adding redirect-gateway def1 to my local config - nothing done on the server settings at all. I verified that my outside IP is now showing as the public IP of my openvpn server. And you can just look with a route print on your client to see that it changed the default gateway to go to the openvpn connection.

[CODE]d:\>route print
===========================================================================
Interface List
0x3 ...00 1c 23 53 cf 38 ...... Broadcom NetXtreme 57xx Gigabit Controller - SecuRemote Miniport
0x7 ...00 ff 79 1a 85 63 ...... TAP-Win32 Adapter V9 - SecuRemote Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0       10.0.200.5      10.0.200.6       1
       10.0.200.1  255.255.255.255       10.0.200.5      10.0.200.6       1
       10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6      30
       10.0.200.6  255.255.255.255        127.0.0.1       127.0.0.1      30
   10.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6      30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.0        128.0.0.0       10.0.200.5      10.0.200.6       1
      192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
        224.0.0.0        240.0.0.0       10.0.200.6      10.0.200.6      30
  255.255.255.255  255.255.255.255       10.0.200.6               2       1
  255.255.255.255  255.255.255.255       10.0.200.6               8       1
  255.255.255.255  255.255.255.255       10.0.200.6               5       1
  255.255.255.255  255.255.255.255       10.0.200.6               6       1
  255.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       1
  255.255.255.255  255.255.255.255       10.0.200.6               4       1
Default Gateway:        10.0.200.5
===========================================================================
Persistent Routes:
  None[/CODE]

I snipped out some routes and some of the other interfaces - but this shows all the routes pointing to my openvpn connection and default.

Here is output of ipconfig /all for my openvpn interface on this client:

[CODE]Ethernet adapter ovpn:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-79-1A-85-63
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.200.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.0.200.5
        DHCP Server . . . . . . . . . . . : 10.0.200.5
        DNS Servers . . . . . . . . . . . : 192.168.1.253
        Lease Obtained. . . . . . . . . . : Wednesday, February 08, 2012 10:18:57 AM
        Lease Expires . . . . . . . . . . : Thursday, February 07, 2013 10:18:57 AM[/CODE]

I think you're maybe over complicating it ;)
CPressland Posted February 8, 2012 Author

I think you're right. Tell me Mr Budman - what is the easiest way to set up a VPN in pfSense for WAN Forwarding? lol. I'm going to go back and delete all my initial config and wait on your response.
+BudMan MVC Posted February 8, 2012

The easiest way is to just run the wizard ;) Here is my config if that helps. Prob going to have to download/save that to make anything out.

I run on tcp 443 to make sure the port is open. 1194 udp is a port that may or may not be open depending on where you are. I can tell you for sure it's not open at my work ;) And I can not even go direct out on 443, I have to bounce the openvpn connection off the http proxy. You can set up to use a http proxy in the openvpn gui client.

You happen to know where the actual .conf file is stored on pfsense - happy to post that for you. Just not sure where it's at off the top of my head.. And the settings might even be stored in the pfsense config .xml - not exactly sure.

I can show you my client config:

[CODE]dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote snipped.snipped.net 443
pkcs12 pfsense-TCP-443.p12
tls-auth pfsense-TCP-443-tls.key 1
comp-lzo
verb 4
#redirect-gateway def1[/CODE]

That redirect was just added for my test, and now I have it remarked out - I don't need that function here at work. If I need to tunnel through my vpn connection I just use ssh through my openvpn to my linux box on my private lan ip 192.168.1.7 and use putty as socks proxy for my browser.
CPressland Posted February 8, 2012 Author

Wait wait wait, I've already got a working OpenVPN Server, the issue is running a Second OpenVPN Server that will take ALL traffic from my remote PC and put it through the OpenVPN Server's WAN. So even though I'm in Canada, I get an IP from the UK. I used the Wizard but it didn't work in this case, like I said, I can browse remote shares no issue and ping everything on the remote network, but nothing on the WAN.
+BudMan MVC Posted February 8, 2012

Why do you need to run 2 copies of the server - just put that redirect in your local config file when you want to route traffic through your vpn connection.

Look at your route on your client when you make your connection - if default is not your openvpn connection then no, you're not going to route internet traffic through your openvpn. All you need to do is tell the client to use the openvpn connection as your default route. Or if you want to get fancy you can route whatever specific networks you want through the vpn and others not. For example if you only need to use the UK connection for one site, then just route that site's IP through your vpn connection - you don't need to route all traffic through the vpn if you don't want to.

By default the only route you will see is for the network on other side of the vpn connection. Example:

[CODE]Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1[/CODE]

But if you want you should just be able to hit the + sign and add a different config listening on different port and set to push the redirect, etc. Just not seeing why you would need to - just setup whatever routes you want on your local client config.

edit: btw what firewall rules do you have on the openvpn tab? Possible you're blocking outside access?
CPressland Posted February 9, 2012 Author

Okay, I deleted the second connection and appended redirect-gateway def1 to my client config.

Server Config looks like this:

And my OpenVPN rules look like this:

Routes on the client look like this:

PRE-VPN Connection:

[CODE]C:\Users\cpressland>route print
===========================================================================
Interface List
 16...00 ff 81 3d 2e c8 ......TAP-Win32 Adapter V9
 13...f0 7b cb a8 3a c3 ......Bluetooth Device (Personal Area Network)
 12...00 23 14 8d c2 ac ......Intel(R) Centrino(R) Advanced-N 6200 AGN
 11...00 26 b9 d3 0d 42 ......Intel(R) 82577LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     172.22.104.0    255.255.252.0         On-link    172.22.105.194    266
   172.22.105.194  255.255.255.255         On-link    172.22.105.194    266
   172.22.107.255  255.255.255.255         On-link    172.22.105.194    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    172.22.105.194    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    172.22.105.194    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::fd45:a3d8:21fb:9164/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None[/CODE]

Post VPN Connection:

[CODE]C:\Users\cpressland>route print
===========================================================================
Interface List
 16...00 ff 81 3d 2e c8 ......TAP-Win32 Adapter V9
 13...f0 7b cb a8 3a c3 ......Bluetooth Device (Personal Area Network)
 12...00 23 14 8d c2 ac ......Intel(R) Centrino(R) Advanced-N 6200 AGN
 11...00 26 b9 d3 0d 42 ......Intel(R) 82577LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
          0.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
         10.0.1.0    255.255.255.0         10.0.3.9        10.0.3.10     30
         10.0.3.1  255.255.255.255         10.0.3.9        10.0.3.10     30
         10.0.3.8  255.255.255.252         On-link         10.0.3.10    286
        10.0.3.10  255.255.255.255         On-link         10.0.3.10    286
        10.0.3.11  255.255.255.255         On-link         10.0.3.10    286
    86.21.116.233  255.255.255.255     172.22.104.1   172.22.105.194     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
     172.22.104.0    255.255.252.0         On-link    172.22.105.194    266
   172.22.105.194  255.255.255.255         On-link    172.22.105.194    266
   172.22.107.255  255.255.255.255         On-link    172.22.105.194    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    172.22.105.194    266
        224.0.0.0        240.0.0.0         On-link         10.0.3.10    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    172.22.105.194    266
  255.255.255.255  255.255.255.255         On-link         10.0.3.10    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 16    286 fe80::/64                On-link
 16    286 fe80::6153:2b19:538c:b4a3/128
                                    On-link
 11    266 fe80::fd45:a3d8:21fb:9164/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 16    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None[/CODE]
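The route tables above, as an added example that is not part of the thread: a small Python parser for the IPv4 section of `route print` and the lookup Windows performs on it (most specific prefix first, metric only as a tie-break), run over trimmed copies of the two captures. It shows what `redirect-gateway def1` changed on the client: the two /1 routes via 10.0.3.9 now win over the untouched 0.0.0.0/0 default for any Internet address, while the /32 host route keeps the VPN server itself reachable through the old gateway.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or the next-hop address
    interface: str    # address of the interface the route leaves on
    metric: int


# One 'Active Routes' row: destination, netmask, gateway, interface, metric.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 'Active Routes' block of Windows 'route print' output."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if in_table and line.startswith("==="):
            break                      # end of the IPv4 table
        m = ROW_RE.match(line)
        if in_table and m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Windows forwarding order: longest prefix first, lowest metric as tie-break."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Address the packet is handed to: the gateway, or the interface if On-link."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r.interface if r.gateway == "On-link" else r.gateway


# Trimmed copies of the two captures posted above (only the rows that decide
# the question are kept; column layout is as Windows prints it).
PRE_VPN_TEXT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
     172.22.104.0    255.255.252.0         On-link    172.22.105.194    266
  255.255.255.255  255.255.255.255         On-link    172.22.105.194    266
===========================================================================
"""

POST_VPN_TEXT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
          0.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
         10.0.1.0    255.255.255.0         10.0.3.9        10.0.3.10     30
         10.0.3.1  255.255.255.255         10.0.3.9        10.0.3.10     30
         10.0.3.8  255.255.255.252         On-link         10.0.3.10    286
    86.21.116.233  255.255.255.255     172.22.104.1   172.22.105.194     10
        128.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
     172.22.104.0    255.255.252.0         On-link    172.22.105.194    266
===========================================================================
"""

PRE_VPN = parse_route_print(PRE_VPN_TEXT)
POST_VPN = parse_route_print(POST_VPN_TEXT)

if __name__ == "__main__":
    # 208.67.222.222 is the address CPressland pinged; the rest are from the tables.
    for dst in ("208.67.222.222", "10.0.1.1", "86.21.116.233", "172.22.104.1"):
        print(f"{dst:>16}: pre-VPN via {next_hop(PRE_VPN, dst)}, "
              f"post-VPN via {next_hop(POST_VPN, dst)}")
```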
CPressland Posted February 9, 2012 Author

Additionally, here is the client side OpenVPN log.

[CODE]Thu Feb 09 10:17:52 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Thu Feb 09 10:17:52 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Feb 09 10:17:52 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Thu Feb 09 10:17:52 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Feb 09 10:17:52 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
Thu Feb 09 10:17:52 2012 LZO compression initialized
Thu Feb 09 10:17:52 2012 UDPv4 link local (bound): [undef]:1194
Thu Feb 09 10:17:52 2012 UDPv4 link remote: 86.21.116.233:1194
Thu Feb 09 10:17:52 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 09 10:17:54 2012 [Road_Warrior_Server_Cert] Peer Connection Initiated with 86.21.116.233:1194
Thu Feb 09 10:17:57 2012 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728}.tap
Thu Feb 09 10:17:57 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.3.10/255.255.255.252 on interface {813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728} [DHCP-serv: 10.0.3.9, lease-time: 31536000]
Thu Feb 09 10:17:57 2012 Successful ARP Flush on interface [16] {813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728}
Thu Feb 09 10:18:02 2012 Initialization Sequence Completed[/CODE]

As of right now, I can ping everything on my Local Network from Home like 10.0.1.5 (Local File Server), RDP into everything etc, but I cannot get an Internet Connection.

And here is my OpenVPN Config File.
[CODE]dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 86.21.116.233 1194
# quoted so the whole name is one argument; unquoted, OpenVPN only reads "Road"
tls-remote "Road Warrior Server Cert"
auth-user-pass pass.txt
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
redirect-gateway def1[/CODE]
+BudMan MVC Posted February 9, 2012

Well no **** you can not -- where is your default route?? Your 0.0.0.0 route is 172.22.104.1. That is who you're going to talk to for any network you do not have a specific route to.

I would suggest you add the verb 4 like I have or even 5 so we can get some more detail from your log. Once I get to work today I will post my log of connecting.
CPressland Posted February 9, 2012 Author

As requested, verb 5:
dhcp_options = DISABLEDThu Feb 09 13:40:52 2012 us=150000 dhcp_renew = DISABLEDThu Feb 09 13:40:52 2012 us=165000 dhcp_pre_release = DISABLEDThu Feb 09 13:40:52 2012 us=165000 dhcp_release = DISABLEDThu Feb 09 13:40:52 2012 us=165000 domain = '[UNDEF]'Thu Feb 09 13:40:52 2012 us=165000 netbios_scope = '[UNDEF]'Thu Feb 09 13:40:52 2012 us=165000 netbios_node_type = 0Thu Feb 09 13:40:52 2012 us=165000 disable_nbt = DISABLEDThu Feb 09 13:40:52 2012 us=165000 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011Thu Feb 09 13:40:52 2012 us=165000 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.Thu Feb 09 13:40:52 2012 us=165000 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).Thu Feb 09 13:40:52 2012 us=165000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executablesThu Feb 09 13:40:52 2012 us=352000 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key fileThu Feb 09 13:40:52 2012 us=352000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authenticationThu Feb 09 13:40:52 2012 us=352000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authenticationThu Feb 09 13:40:52 2012 us=352000 LZO compression initializedThu Feb 09 13:40:52 2012 us=352000 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]Thu Feb 09 13:40:52 2012 us=352000 Socket Buffers: R=[8192->8192] S=[8192->8192]Thu Feb 09 13:40:52 2012 us=368000 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]Thu Feb 09 13:40:52 2012 us=368000 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'Thu Feb 09 13:40:52 2012 us=368000 Expected Remote 
Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'Thu Feb 09 13:40:52 2012 us=368000 Local Options hash (VER=V4): '504e774e'Thu Feb 09 13:40:52 2012 us=368000 Expected Remote Options hash (VER=V4): '14168603'Thu Feb 09 13:40:52 2012 us=368000 UDPv4 link local (bound): [undef]:1194Thu Feb 09 13:40:52 2012 us=368000 UDPv4 link remote: 86.21.116.233:1194Thu Feb 09 13:40:52 2012 us=384000 TLS: Initial packet from 86.21.116.233:1194, sid=d7c340a1 23ca60a6Thu Feb 09 13:40:52 2012 us=384000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent thisThu Feb 09 13:40:52 2012 us=462000 VERIFY OK: depth=1, <snipped>Thu Feb 09 13:40:52 2012 us=462000 VERIFY X509NAME OK: <snipped>Thu Feb 09 13:40:52 2012 us=462000 VERIFY OK: depth=0, <snipped>Thu Feb 09 13:40:52 2012 us=540000 Replay-window backtrack occurred [1]Thu Feb 09 13:40:52 2012 us=540000 Replay-window backtrack occurred [2]Thu Feb 09 13:40:52 2012 us=977000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit keyThu Feb 09 13:40:52 2012 us=977000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationThu Feb 09 13:40:52 2012 us=977000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit keyThu Feb 09 13:40:52 2012 us=977000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationThu Feb 09 13:40:53 2012 us=8000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSAThu Feb 09 13:40:53 2012 us=23000 [Road_Warrior_Server_Cert] Peer Connection Initiated with 86.21.116.233:1194Thu Feb 09 13:40:55 2012 us=67000 SENT CONTROL [Road_Warrior_Server_Cert]: 'PUSH_REQUEST' (status=1)Thu Feb 09 13:40:55 2012 us=83000 PUSH: Received control message: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 10.0.3.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.3.10 10.0.3.9'Thu Feb 09 13:40:55 2012 
us=83000 OPTIONS IMPORT: timers and/or timeouts modifiedThu Feb 09 13:40:55 2012 us=83000 OPTIONS IMPORT: --ifconfig/up options modifiedThu Feb 09 13:40:55 2012 us=83000 OPTIONS IMPORT: route options modifiedThu Feb 09 13:40:55 2012 us=98000 ROUTE default_gateway=172.22.104.1Thu Feb 09 13:40:55 2012 us=129000 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728}.tapThu Feb 09 13:40:55 2012 us=145000 TAP-Win32 Driver Version 9.9Thu Feb 09 13:40:55 2012 us=145000 TAP-Win32 MTU=1500Thu Feb 09 13:40:55 2012 us=145000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.3.10/255.255.255.252 on interface {813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728} [DHCP-serv: 10.0.3.9, lease-time: 31536000]Thu Feb 09 13:40:55 2012 us=145000 Successful ARP Flush on interface [16] {813D2EC8-AC96-4AF8-9FB7-7F1B6AC69728}Thu Feb 09 13:41:00 2012 us=979000 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=upThu Feb 09 13:41:00 2012 us=979000 C:\WINDOWS\system32\route.exe ADD 86.21.116.233 MASK 255.255.255.255 172.22.104.1Thu Feb 09 13:41:00 2012 us=995000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4Thu Feb 09 13:41:00 2012 us=995000 Route addition via IPAPI succeeded [adaptive]Thu Feb 09 13:41:00 2012 us=995000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.3.9Thu Feb 09 13:41:00 2012 us=995000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4Thu Feb 09 13:41:00 2012 us=995000 Route addition via IPAPI succeeded [adaptive]Thu Feb 09 13:41:00 2012 us=995000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.3.9Thu Feb 09 13:41:01 2012 us=11000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4Thu Feb 09 13:41:01 2012 us=11000 Route addition via IPAPI succeeded [adaptive]Thu Feb 09 13:41:01 2012 us=11000 C:\WINDOWS\system32\route.exe ADD 10.0.1.0 MASK 255.255.255.0 10.0.3.9Thu Feb 09 13:41:01 2012 us=11000 ROUTE: 
CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4Thu Feb 09 13:41:01 2012 us=11000 Route addition via IPAPI succeeded [adaptive]Thu Feb 09 13:41:01 2012 us=26000 C:\WINDOWS\system32\route.exe ADD 10.0.3.1 MASK 255.255.255.255 10.0.3.9Thu Feb 09 13:41:01 2012 us=26000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4Thu Feb 09 13:41:01 2012 us=26000 Route addition via IPAPI succeeded [adaptive]Thu Feb 09 13:41:01 2012 us=26000 Initialization Sequence Completed[/CODE] Link to comment https://www.neowin.net/forum/topic/1056796-openvpn-redirect-all-remote-traffic-to-local-wan/#findComment-594642460 Share on other sites More sharing options...
+BudMan (MVC) Posted February 9, 2012

Well, this doesn't look right:

[CODE]
Thu Feb 09 13:40:55 2012 us=98000 ROUTE default_gateway=172.22.104.1
[/CODE]

I will be headed to the office in about an hour; when I get in I will connect in and see what mine shows. Just try changing your default route on the client with the route command to 10.0.3.9. Off the top of my head I believe:

[CODE]
route add 0.0.0.0 mask 0.0.0.0 10.0.3.9
[/CODE]

You probably have to delete your old route, and/or change it to point to 10.0.3.9, which is the interface on the other end of your tunnel.

edit: I assume you are on Windows 7, and you're running the OpenVPN GUI elevated with full admin rights.
CPressland (Author) Posted February 9, 2012

Okay, after running the route command I got the following:

[CODE]
C:\Windows\system32>route add 0.0.0.0 mask 0.0.0.0 10.0.3.9
The route addition failed: The object already exists.
[/CODE]

I have full admin rights on this Win 7 laptop, but is it possible a GPO on the domain is affecting this?
CPressland (Author) Posted February 9, 2012

Well, I just tried connecting through 3G, just to rule out a firewall issue in the office. Same difference: I can ping machines on my network 10.0.1.0/24 but cannot ping anything on the WAN.
+BudMan (MVC) Posted February 9, 2012

Again, what is your ROUTE? You would never go down the tunnel to ping anything on the internet if your route does not tell you to go there. Do a tracert 8.8.8.8 and see where you go; from your route table you're not going to go down the tunnel. From your route table you're going to go to that 172.22.104.1 address if there is no specific route to the network. Like I said, you might have to delete or change the route; you normally do not have 2 default routes, which is what "The route addition failed: The object already exists." is saying.

edit: It doesn't matter if you're full admin or not; unless you run an elevated prompt as admin, you're not admin. Same with, say, the OpenVPN GUI: if you're just running it as your account it does not have admin rights. You need to run it elevated with admin rights.

edit2: So again, from your route table and the output of your OpenVPN connection that says

[CODE]
Thu Feb 09 13:40:55 2012 us=98000 ROUTE default_gateway=172.22.104.1
[/CODE]

your box is going to talk to that IP if you're trying to talk to some IP that you don't have a specific route to. Now you do have a route for your 10.0.1 network, right here:

[CODE]
10.0.1.0    255.255.255.0    10.0.3.9    10.0.3.10
[/CODE]

This tells your machine: hey, if you want to talk to anything on 10.0.1.0/24, send it to 10.0.3.9 using your interface 10.0.3.10. But if you're wanting to talk to, say, neowin.net on 74.204.71.247, where is that going to go? You don't have a route for that IP, so it goes to your default route, which is currently that 172.22.104.1. So NO, it's not going to go down your VPN connection to get there.
CPressland (Author) Posted February 9, 2012

Right, so post connecting to OpenVPN I have the following setup:

[CODE]
C:\Windows\system32>route print
===========================================================================
Interface List
16...00 ff 81 3d 2e c8 ......TAP-Win32 Adapter V9
13...f0 7b cb a8 3a c3 ......Bluetooth Device (Personal Area Network)
12...00 23 14 8d c2 ac ......Intel(R) Centrino(R) Advanced-N 6200 AGN
11...00 26 b9 d3 0d 42 ......Intel(R) 82577LM Gigabit Network Connection
 1...........................Software Loopback Interface 1
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
32...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
          0.0.0.0          0.0.0.0         10.0.3.9        10.0.3.10     31
          0.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
         10.0.1.0    255.255.255.0         10.0.3.9        10.0.3.10     30
         10.0.3.1  255.255.255.255         10.0.3.9        10.0.3.10     30
         10.0.3.8  255.255.255.252          On-link        10.0.3.10    286
        10.0.3.10  255.255.255.255          On-link        10.0.3.10    286
        10.0.3.11  255.255.255.255          On-link        10.0.3.10    286
    86.21.116.233  255.255.255.255     172.22.104.1   172.22.105.194     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
     172.22.104.0    255.255.252.0          On-link   172.22.105.194    266
   172.22.105.194  255.255.255.255          On-link   172.22.105.194    266
   172.22.107.255  255.255.255.255          On-link   172.22.105.194    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link   172.22.105.194    266
        224.0.0.0        240.0.0.0          On-link        10.0.3.10    286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link   172.22.105.194    266
  255.255.255.255  255.255.255.255          On-link        10.0.3.10    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 16    286 fe80::/64                On-link
 16    286 fe80::6153:2b19:538c:b4a3/128
                                    On-link
 11    266 fe80::fd45:a3d8:21fb:9164/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 16    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
[/CODE]

So I delete the top-level route:

[CODE]
route delete 0.0.0.0 mask 0.0.0.0 172.22.104.1
OK!
[/CODE]

Which brings me to the following setup:

[CODE]
C:\Windows\system32>route print
===========================================================================
Interface List
16...00 ff 81 3d 2e c8 ......TAP-Win32 Adapter V9
13...f0 7b cb a8 3a c3 ......Bluetooth Device (Personal Area Network)
12...00 23 14 8d c2 ac ......Intel(R) Centrino(R) Advanced-N 6200 AGN
11...00 26 b9 d3 0d 42 ......Intel(R) 82577LM Gigabit Network Connection
 1...........................Software Loopback Interface 1
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
32...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.3.9        10.0.3.10     31
          0.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
         10.0.1.0    255.255.255.0         10.0.3.9        10.0.3.10     30
         10.0.3.1  255.255.255.255         10.0.3.9        10.0.3.10     30
         10.0.3.8  255.255.255.252          On-link        10.0.3.10    286
        10.0.3.10  255.255.255.255          On-link        10.0.3.10    286
        10.0.3.11  255.255.255.255          On-link        10.0.3.10    286
    86.21.116.233  255.255.255.255     172.22.104.1   172.22.105.194     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
     172.22.104.0    255.255.252.0          On-link   172.22.105.194    266
   172.22.105.194  255.255.255.255          On-link   172.22.105.194    266
   172.22.107.255  255.255.255.255          On-link   172.22.105.194    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link   172.22.105.194    266
        224.0.0.0        240.0.0.0          On-link        10.0.3.10    286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link   172.22.105.194    266
  255.255.255.255  255.255.255.255          On-link        10.0.3.10    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 16    286 fe80::/64                On-link
 16    286 fe80::6153:2b19:538c:b4a3/128
                                    On-link
 11    266 fe80::fd45:a3d8:21fb:9164/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 16    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
[/CODE]

Now, I cannot see any issues there at all, albeit from my limited knowledge of how this works. But this brings me to believe the issue is OpenVPN server side, not OpenVPN client side.
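The route-selection argument in the reply above, applied to the route table just posted, as an added example that is not code from the thread and not OpenVPN's or Windows' own. ROUTE_PRINT is a trimmed copy of the first `route print` above (both 0.0.0.0/0 entries present, plus the two /1 routes OpenVPN added); parse_route_print(), best_route(), next_hop() and without_def1() are this example's own helper names. It shows why a second 0.0.0.0/0 route with a worse metric does nothing, while the two /1 routes installed by `redirect-gateway def1` capture all internet traffic without touching the existing default, and why the /32 host route to the VPN server keeps the tunnel's own packets off the tunnel.

```python
"""Longest-prefix route lookup over a Windows `route print` IPv4 table.

Added example, not code from the thread and not OpenVPN's. It reproduces the
argument in the reply above: a packet only enters the tunnel if the most
specific matching route says so. ROUTE_PRINT is a trimmed copy of the first
route table posted above; the helper names are this example's own.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "On-link" for a directly connected net
    interface: str
    metric: int


# Trimmed from the route print posted above (constructed subset, same values).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.22.104.1   172.22.105.194     10
          0.0.0.0          0.0.0.0         10.0.3.9        10.0.3.10     31
          0.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
         10.0.1.0    255.255.255.0         10.0.3.9        10.0.3.10     30
         10.0.3.1  255.255.255.255         10.0.3.9        10.0.3.10     30
         10.0.3.8  255.255.255.252          On-link        10.0.3.10    286
    86.21.116.233  255.255.255.255     172.22.104.1   172.22.105.194     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0         10.0.3.9        10.0.3.10     30
     172.22.104.0    255.255.252.0          On-link   172.22.105.194    266
"""


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' rows of `route print`; header/blank lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins (what Windows does)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], dst: str) -> str:
    """Where a packet to dst is handed: the gateway, or the local interface for on-link nets."""
    r = best_route(routes, dst)
    if r is None:
        return "unreachable"
    return r.interface if r.gateway == "On-link" else r.gateway


def without_def1(routes: List[Route]) -> List[Route]:
    """The same table minus the two /1 routes that `redirect-gateway def1` installs."""
    return [r for r in routes if r.network.prefixlen != 1]


ROUTES = parse_route_print(ROUTE_PRINT)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.1.1", "86.21.116.233", "10.0.3.9"):
        print(f"{dst:>15}  with def1 -> {next_hop(ROUTES, dst):<15}"
              f"  without def1 -> {next_hop(without_def1(ROUTES), dst)}")
```

With the /1 routes present, 8.8.8.8 matches 0.0.0.0/1 (prefix length 1) and beats both /0 defaults regardless of metric, so it goes to 10.0.3.9. Remove them and the two /0 routes tie on prefix length, the metric-10 entry via 172.22.104.1 wins, and the manually added metric-31 default is never used, which is exactly the "can reach the LAN, not the WAN" symptom. The VPN server 86.21.116.233 always leaves via the physical gateway because its /32 host route is the longest match, so the tunnel does not try to carry its own packets.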
+BudMan (MVC) Posted February 9, 2012

Do a tracert 8.8.8.8. I don't see any DNS being pushed, so how would you resolve, say, www.neowin.net so that you have an IP to route? I'm walking out the door for work. Hop on later to see any more info you have and continue to troubleshoot; this way I will have remote access to my OpenVPN server to test.

BTW, here is my server config just for reference (from /var/etc/openvpn on pfSense, server1.conf):

[CODE]
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.13.xxx.xxx
tls-server
server 10.0.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 4
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.253"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
[/CODE]
CPressland (Author) Posted February 9, 2012

Okay, here is my server config:

[CODE]
dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 86.21.116.233
tls-server
server 10.0.3.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 20
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
[/CODE]

I'm going to continue diagnosing now.

*Please note I've only just added the DNS option based on comparing with your conf file.
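A small checker for the server-side half of this setup, as an added example that is not part of the thread and not pfSense's or OpenVPN's own code. SERVER_CONF is a trimmed copy of the server2.conf posted above; parse_openvpn_conf(), check_full_tunnel() and add_redirect_gateway() are this example's own names. The point it makes is visible in the posted config and in the client log earlier in the thread: this server (lport 1194) pushes a route and a DNS server but no `redirect-gateway`, and the client's PUSH_REPLY accordingly contains no redirect-gateway option, so that client only redirects because its own config carries the directive. The checker also flags the 64-bit-block cipher, the DH file name and in-tunnel compression as caveats; the DH check is a file-name heuristic, labelled as such in the code.

```python
"""Check an OpenVPN server config for the full-tunnel settings discussed in this thread.

Added example, not from the thread, pfSense or OpenVPN. SERVER_CONF is a trimmed
copy of the server2.conf posted above; the function names are this example's own.
"""
import ipaddress
from typing import Dict, List

# Trimmed copy of the posted server2.conf (constructed subset, same directives).
SERVER_CONF = """\
dev ovpns2
dev-type tun
proto udp
cipher BF-CBC
local 86.21.116.233
tls-server
server 10.0.3.0 255.255.255.0
lport 1194
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
"""

# OpenVPN 2.2 defaulted to BF-CBC when no cipher was given; these all use a 64-bit block.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_openvpn_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its argument strings; quotes on push values are dropped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive, []).append(args.strip().strip('"'))
    return conf


def check_full_tunnel(text: str) -> Dict[str, object]:
    """Summarise what this server pushes to clients and list the caveats a reviewer would raise."""
    conf = parse_openvpn_conf(text)
    pushes = conf.get("push", [])
    result: Dict[str, object] = {
        "listen": f"{conf.get('proto', ['udp'])[0]}/{conf.get('lport', ['1194'])[0]}",
        "tunnel_network": None,
        "redirects_gateway": any(p.startswith("redirect-gateway") for p in pushes),
        "dns_pushed": [p.split()[-1] for p in pushes if p.startswith("dhcp-option DNS")],
        "routes_pushed": [p[len("route "):] for p in pushes if p.startswith("route ")],
        "warnings": [],
    }
    warnings: List[str] = result["warnings"]  # type: ignore[assignment]
    if "server" in conf:
        net, mask = conf["server"][0].split()
        result["tunnel_network"] = str(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    if not result["redirects_gateway"]:
        warnings.append("no push redirect-gateway: clients keep their local default route")
    if not result["dns_pushed"]:
        warnings.append("no DNS pushed: a full-tunnel client may be unable to resolve names")
    cipher = conf.get("cipher", ["BF-CBC"])[0]
    if cipher in SMALL_BLOCK_CIPHERS:
        warnings.append(f"cipher {cipher} has a 64-bit block; prefer an AES cipher")
    # Heuristic: pfSense names its DH file after the parameter size.
    if any("1024" in path for path in conf.get("dh", [])):
        warnings.append("dh file name suggests 1024-bit parameters; 2048-bit or larger is preferred")
    if "comp-lzo" in conf:
        warnings.append("comp-lzo: compression inside the tunnel; disable unless required")
    return result


def add_redirect_gateway(text: str) -> str:
    """Append push "redirect-gateway def1" if missing (what pfSense's
    "Force all client generated traffic through the tunnel" box adds)."""
    if check_full_tunnel(text)["redirects_gateway"]:
        return text
    return text.rstrip("\n") + '\npush "redirect-gateway def1"\n'


if __name__ == "__main__":
    for name, text in (("as posted", SERVER_CONF), ("with redirect", add_redirect_gateway(SERVER_CONF))):
        print(name, check_full_tunnel(text))
```

Run it against the posted config and the first warning is the one that matters for this thread: nothing tells the client to redirect its default route, so whether WAN traffic enters the tunnel depends entirely on the client's own `redirect-gateway` line. The other warnings are not about routing; they are the settings a reviewer would want changed on a tunnel that carries all of a laptop's traffic.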
CPressland (Author) Posted February 9, 2012

Erm, it just started working. I didn't change anything, I just disabled the server and re-enabled it. Going to reboot the laptop just to be sure I'm not losing my mind.
CPressland (Author) Posted February 9, 2012

Yep, after a reboot it still works. You don't think it was literally the OpenVPN daemon just needing restarting, do you?! After all that?! Thanks BudMan, this has actually been a very educational experience.
+BudMan (MVC) Posted February 9, 2012

To be honest, there is nothing in the OpenVPN server that should have blocked your access to the outside, and pfSense is already set up to NAT your connection to the internet, etc. So unless you had some firewall rule blocking access, pfSense should allow OpenVPN clients to access the internet; it comes down to whether the client will route traffic through the VPN or not for networks other than what is on the other end of the tunnel.

If I had to guess I would say maybe you were not getting DNS before. Did you try the tracert before you rebooted? So does your local network have DNS? So you were trying to go to, say, www.whatsmyip.org and it was showing you your local connection's NAT IP? Or was it just not working? So is the redirect-gateway item working now, or do you have to manually set the default gateway?

Another problem I have seen when trying to do what you're doing is the DNS server being used through the pfSense not being set to allow the VPN network to query it, i.e. the 10.0.200 in my case. Depends on what you're using for DNS on the VPN network. I use unbound on pfSense, so I had to create an ACL to allow VPN clients using a 10.0.200.x address to be able to query it.

The good thing is it's working! ;)

edit: BTW, you by no means need to have your VPN clients use the DNS on your pfSense side. I do that because I use DNS to query for my machines on my pfSense network. And here at work you cannot directly query DNS on this network; you have to use the proxy. The local DNS will not resolve outside addresses. So for it to work when I route traffic through my VPN connection I need a DNS server that will resolve outside addresses, like my pfSense box.
CPressland (Author) Posted February 10, 2012

Oh really? I'm using unbound also; I didn't realise that it blocked any connections at all. What was the ACL you set up? I assume 10.0.3.0/24 would be sufficient? I agree it does look to be a DNS issue, I just can't believe I missed that. I suppose the simplest explanation is usually the correct one.
+BudMan (MVC) Posted February 10, 2012

Well, since your tunnel network is so close in number, it might be that it falls under the same mask in your ACL? But yeah, you have to allow networks to query unbound. If you're able to query and don't have it in an ACL, maybe unbound is not working?

I snipped out part of that IPv6 range, because this is a global public range and there is no reason to make that public.
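The unbound access-control point raised in the two replies above, as an added example that is not from the thread and not unbound's own code. It evaluates `access-control:` lines the way unbound documents them (the most specific matching netblock decides) for a tunnel client such as 10.0.3.10, and shows why a tunnel range that happens to sit inside an already-allowed netblock works without its own line while a neighbouring range does not. The ACL texts are constructed for this example; parse_access_control() and acl_action() are this example's own names.

```python
"""Evaluate unbound access-control rules for VPN client addresses.

Added example, not from the thread or from unbound. Assumes unbound's documented
rule that the most specific matching netblock decides the action. The ACL texts
below are constructed for this example; the helper names are this example's own.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[ipaddress.IPv4Network, str]

# Constructed ACLs. LAN_ONLY is the shape that lets the LAN query but refuses the
# tunnel; WITH_TUNNEL adds the tunnel /24 the poster above asks about; WIDE_MASK
# is the "falls under the same mask" case from the reply above: 10.0.0.0/22 spans
# 10.0.0.0 through 10.0.3.255, so it covers the 10.0.3.0/24 tunnel but not a
# 10.0.4.0/24 one.
LAN_ONLY = """\
# constructed unbound.conf fragment
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.1.0/24 allow
"""
WITH_TUNNEL = LAN_ONLY + "access-control: 10.0.3.0/24 allow\n"
WIDE_MASK = """\
access-control: 0.0.0.0/0 refuse
access-control: 10.0.0.0/22 allow
"""


def parse_access_control(text: str) -> List[Rule]:
    """Collect (netblock, action) pairs from access-control: lines; other lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, netblock, action = line.split()
        rules.append((ipaddress.IPv4Network(netblock, strict=False), action))
    return rules


def acl_action(rules: List[Rule], client: str, default: str = "refuse") -> str:
    """Action unbound applies to a query from `client`: most specific netblock wins."""
    addr = ipaddress.IPv4Address(client)
    matches = [(net, action) for net, action in rules if addr in net]
    if not matches:
        return default
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel_can_query(acl_text: str, tunnel_net: str) -> bool:
    """True if the first usable host of the tunnel network is allowed to query."""
    first_host = next(ipaddress.IPv4Network(tunnel_net).hosts())
    return acl_action(parse_access_control(acl_text), str(first_host)) == "allow"


if __name__ == "__main__":
    for name, text in (("LAN_ONLY", LAN_ONLY), ("WITH_TUNNEL", WITH_TUNNEL), ("WIDE_MASK", WIDE_MASK)):
        rules = parse_access_control(text)
        print(name, {ip: acl_action(rules, ip) for ip in ("10.0.1.1", "10.0.3.10", "10.0.4.5")})
```

Under LAN_ONLY a tunnel client at 10.0.3.10 is refused even though it can reach 10.0.1.1 over the tunnel, which looks from the client like "VPN works, internet does not". Adding the tunnel /24, or a mask that already covers it, fixes that; note that the /22 in WIDE_MASK covers 10.0.3.x but not the 10.0.4.0/24 secondary tunnel mentioned at the top of the thread, so that server would need its own line.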
CPressland (Author) Posted February 10, 2012

Thanks, will confirm with my ACL shortly.