If I remember correctly, the first 5 IPs (.1-.5) are taken by adapters,
virtual interfaces, etc., and the first available IP is .6. That might be
your issue.
Curtis
On Jan 30, 2008 10:43 PM, Gabe Green <[EMAIL PROTECTED]> wrote:
> Okay, *almost* got OpenVPN working. I can connect now, but not reach any
> hosts on the LAN side of pfSense.
>
> Now on the *server* side, this is what I do not get. Our default LAN is
> 192.168.111.0/24; but I specified 192.168.253.0/24 in the OpenVPN setup.
> DHCP is not enabled on the server-side OpenVPN config.
>
> PfSense side config:
> Protocol: UDP
> Local port: 1194
> Address pool: 192.168.253.0/24
> Remote Network (blank)
> Cryptography: AES-128-CBC (128-bit)
> Shared key: same as key specified in client config below
> DHCP-Opt: DNS-Server: 192.168.111.108
> DHCP-Opt: WINS-Server: 192.168.111.108
> DHCP-Opt: NTP-Server: (blank)
> DHCP-Opt: NetBIOS node type: m-node
> DHCP-Opt: NetBIOS Scope: (blank)
> DHCP-Opt: Disable NetBIOS (unchecked)
> LZO compression: (checked)
> Custom options: (blank)
>
> Client and Client-specific configuration are left blank
>
> At home,
> I set my tap1 adaptor to the following static:
>
> 192.168.253.5
> 255.255.255.0
> 192.168.111.22 (pfsense vpn LAN ip, set to default gateway as per
> suggestion)
>
> DNS:
> 192.168.111.108 (DNS server for pfSense LAN; pfSense is not serving up
> DNS)
>
> I added a WAN firewall rule, at the top, to permit traffic anywhere on
> port 1194; from the WAN to the LAN (or anywhere else). No-go.
>
> My current OVPN config file:
> ;dev tap
> dev tap1
>
> dev-node tap1
>
> # Are we connecting to a TCP or
> # UDP server? Use the same setting as
> # on the server.
> ;proto tcp
> proto udp
>
> # The hostname/IP and port of the server.
> # You can have multiple remote entries
> # to load balance between the servers.
> remote PFSENSE.WAN.IP.ADDRESS 1194
> ;remote my-server-2 1194
>
> # Choose a random host from the remote
> # list for load-balancing. Otherwise
> # try hosts in the order specified.
> ;remote-random
>
> # Keep trying indefinitely to resolve the
> # host name of the OpenVPN server. Very useful
> # on machines which are not permanently connected
> # to the internet such as laptops.
> resolv-retry infinite
>
> # Most clients don't need to bind to
> # a specific local port number.
> nobind
>
> # Downgrade privileges after initialization (non-Windows only)
> ;user nobody
> ;group nobody
>
> # Try to preserve some state across restarts.
> persist-key
> persist-tun
>
> # If you are connecting through an
> # HTTP proxy to reach the actual OpenVPN
> # server, put the proxy server/IP and
> # port number here. See the man page
> # if your proxy server requires
> # authentication.
> ;http-proxy-retry # retry on connection failures
> ;http-proxy [proxy server] [proxy port #]
>
> # Wireless networks often produce a lot
> # of duplicate packets. Set this flag
> # to silence duplicate packet warnings.
> ;mute-replay-warnings
> secret static.key
>
> ## THIS IS THE SAME KEY AS IN THE PFSENSE OPENVPN CONFIG
>
> ;ns-cert-type server
>
> # If a tls-auth key is used on the server
> # then every client must also have the key.
> ;tls-auth ta.key 1
>
> # Select a cryptographic cipher.
> # If the cipher option is used on the server
> # then you must also specify it here.
> cipher AES-128-CBC
>
> # Enable compression on the VPN link.
> # Don't enable this unless it is also
> # enabled in the server config file.
> comp-lzo
>
> # Set log file verbosity.
> verb 3
>
> # Silence repeating messages
> ;mute 20
>
>
> == LOG FILE FROM OVPN ==
> Wed Jan 30 01:15:40 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
> Wed Jan 30 01:15:40 2008 IMPORTANT: OpenVPN's default port number is now
> 1194, based on an official port number assignment by IANA. OpenVPN
> 2.0-beta16 and earlier used 5000 as the default port.
> Wed Jan 30 01:15:40 2008 Static Encrypt: Cipher 'AES-128-CBC' initialized
> with 128 bit key
> Wed Jan 30 01:15:40 2008 Static Encrypt: Using 160 bit message hash 'SHA1'
> for HMAC authentication
> Wed Jan 30 01:15:40 2008 Static Decrypt: Cipher 'AES-128-CBC' initialized
> with 128 bit key
> Wed Jan 30 01:15:40 2008 Static Decrypt: Using 160 bit message hash 'SHA1'
> for HMAC authentication
> Wed Jan 30 01:15:40 2008 LZO compression initialized
> Wed Jan 30 01:15:40 2008 TAP-WIN32 device [tap1] opened:
> \\.\Global\{7249534D-3F7F-4D7F-95EF-F25FF13C1887}.tap
> Wed Jan 30 01:15:40 2008 TAP-Win32 Driver Version 8.4
> Wed Jan 30 01:15:40 2008 TAP-Win32 MTU=1500
> Wed Jan 30 01:15:40 2008 Successful ARP Flush on interface [4]
> {7249534D-3F7F-4D7F-95EF-F25FF13C1887}
> Wed Jan 30 01:15:40 2008 Data Channel MTU parms [ L:1593 D:1450 EF:61 EB:135 ET:32 EL:0 AF:3/1 ]
> Wed Jan 30 01:15:40 2008 Local Options hash (VER=V4): 'ea48dbff'
> Wed Jan 30 01:15:40 2008 Expected Remote Options hash (VER=V4): 'ea48dbff'
> Wed Jan 30 01:15:40 2008 UDPv4 link local: [undef]
> Wed Jan 30 01:15:40 2008 UDPv4 link remote: REMOTEWANIP:1194
> Wed Jan 30 01:15:50 2008 Peer Connection Initiated with REMOTEWANIP:1194
> Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently,
> local='dev-type tap', remote='dev-type tun'
> Wed Jan 30 01:15:50 2008 WARNING: 'link-mtu' is used inconsistently,
> local='link-mtu 1593', remote='link-mtu 1561'
> Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently,
> local='tun-mtu 1532', remote='tun-mtu 1500'
> Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
> Wed Jan 30 01:15:51 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0
> u/d=up
> Wed Jan 30 01:15:51 2008 Initialization Sequence Completed
>
>
> It "connects", but I can't reach any host on the 192.168.111.0/24 LAN!
>
> Help, anyone?
>
> Thanks,
> Gabe
>
>
>
--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
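The client log quoted above already names the real mismatch: the pfSense end is a tun (point-to-point, static key) server that expects the peer to carry `ifconfig 192.168.253.2 192.168.253.1`, while the home client was configured with `dev tap1` and no `ifconfig` at all. The following script is an added example, not part of the mailing-list thread or of pfSense/OpenVPN itself. It parses the option-comparison warnings OpenVPN prints after "Peer Connection Initiated" and turns them into the client directives that would make both sides agree. Two assumptions are labelled in the code: that the MTU warnings are consequences of the dev-type mismatch rather than settings to copy, and that a route to the 192.168.111.0/24 LAN via the server's tunnel address is wanted (the thread never states that route; the sample log lines are constructed from the ones quoted above).

```python
import re

# Constructed sample: the option-comparison warnings copied from the OpenVPN 2.0.9
# Windows client log quoted in the thread (timestamps and peer address as posted).
SAMPLE_LOG = """\
Wed Jan 30 01:15:50 2008 Peer Connection Initiated with REMOTEWANIP:1194
Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Wed Jan 30 01:15:50 2008 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1593', remote='link-mtu 1561'
Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
Wed Jan 30 01:15:51 2008 Initialization Sequence Completed
"""

INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in remote config but missing "
    r"in local config, remote='(?P<remote>[^']*)'")

# Assumption: link-mtu and tun-mtu are computed by OpenVPN from dev-type, cipher and
# compression, so they are symptoms of the tap/tun mismatch, not directives to copy.
DERIVED = {"link-mtu", "tun-mtu"}


def parse_option_warnings(log_text):
    """Return {option: (local_value_or_None, remote_value)} per option warning."""
    found = {}
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            found[m["opt"]] = (m["local"], m["remote"])
            continue
        m = MISSING.search(line)
        if m:
            found[m["opt"]] = (None, m["remote"])
    return found


def prefix_to_mask(prefix):
    """Dotted netmask for a /prefix, as the OpenVPN 'route' directive expects."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))


def client_fixes(warnings, lan_cidr=None):
    """Client config directives that make the local options match the remote ones.

    The remote string is the peer's options as the peer expects *us* to state them
    (for 'ifconfig' OpenVPN swaps local/remote when it builds the string it sends),
    so it can be copied into the client config verbatim.
    """
    fixes = []
    for opt, (_local, remote) in warnings.items():
        if opt in DERIVED:
            continue
        if opt == "dev-type":
            fixes.append("dev " + remote.split()[1])  # 'dev tun' replaces 'dev tap1'
        else:
            fixes.append(remote)
    if lan_cidr and "ifconfig" in warnings:
        # Assumption (not stated in the thread): reach the LAN behind the server via
        # its tunnel address, i.e. the second address of our own 'ifconfig' line.
        net, prefix = lan_cidr.split("/")
        gateway = warnings["ifconfig"][1].split()[2]
        fixes.append(f"route {net} {prefix_to_mask(int(prefix))} {gateway}")
    return fixes


if __name__ == "__main__":
    warnings = parse_option_warnings(SAMPLE_LOG)
    for directive in client_fixes(warnings, lan_cidr="192.168.111.0/24"):
        print(directive)
```

Running it against the quoted log prints `dev tun`, `ifconfig 192.168.253.2 192.168.253.1` and the assumed `route 192.168.111.0 255.255.255.0 192.168.253.1`; the two MTU warnings are dropped because they disappear once both ends agree on tun. On the Windows client, those three lines replace `dev tap1` and `dev-node tap1`, and the tap adapter should be left on DHCP rather than given a static 192.168.253.5 address with the LAN IP of pfSense as its gateway.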