Didn't fix it, unfortunately. I am at a loss. It "connects" but I can't reach the LAN...

Curtis LaMasters wrote:
If I remember correctly, the first 5 IPs "1-5" are taken by adapters, virtual interfaces, etc., and the first available IP is .6. That might be your issue.

Curtis

On Jan 30, 2008 10:43 PM, Gabe Green <[EMAIL PROTECTED]> wrote:

    Okay, *almost* got OpenVPN working.  I can connect now, but not
    reach any hosts on the LAN side of pfSense.

    Now on the *server* side, this is what I do not get.  Our default
    LAN is 192.168.111.0/24; but I specified 192.168.253.0/24 in the
    OpenVPN setup.  DHCP is not enabled on the server-side OpenVPN config.

    PfSense side config:
    Protocol: UDP
    Local port: 1194
    Address pool: 192.168.253.0/24
    Remote Network (blank)
    Cryptography: AES-128-CBC (128-bit)
    Shared key: same as key specified in client config below
    DHCP-Opt: DNS-Server: 192.168.111.108
    DHCP-Opt: WINS-Server: 192.168.111.108
    DHCP-Opt: NTP-Server: (blank)
    DHCP-Opt: NetBIOS node type: m-node
    DHCP-Opt: NetBIOS Scope: (blank)
    DHCP-Opt: Disable NetBIOS (unchecked)
    LZO compression: (checked)
    Custom options: (blank)

    Client and Client-specific configuration are left blank

    At home,
    I set my tap1 adaptor to the following static:

    192.168.253.5
    255.255.255.0
    192.168.111.22 (pfsense vpn LAN ip, set to default gateway as per
    suggestion)

    DNS:
    192.168.111.108 (DNS server for pfSense LAN; pfSense is not serving
    up DNS)

    I added a WAN firewall rule, at the top, to permit traffic
    anywhere on port 1194; from the WAN to the LAN (or anywhere else).
     No-go.

    My current OVPN config file:
    ;dev tap
    dev tap1

    dev-node tap1

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote PFSENSE.WAN.IP.ADDRESS 1194
    ;remote my-server-2 1194

    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    secret static.key

    ## THIS IS THE SAME KEY AS IN THE PFSENSE OPENVPN CONFIG

    ;ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    cipher AES-128-CBC

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20


    == LOG FILE FROM OVPN ==
    Wed Jan 30 01:15:40 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Wed Jan 30 01:15:40 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed Jan 30 01:15:40 2008 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jan 30 01:15:40 2008 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan 30 01:15:40 2008 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jan 30 01:15:40 2008 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jan 30 01:15:40 2008 LZO compression initialized
    Wed Jan 30 01:15:40 2008 TAP-WIN32 device [tap1] opened: \\.\Global\{7249534D-3F7F-4D7F-95EF-F25FF13C1887}.tap
    Wed Jan 30 01:15:40 2008 TAP-Win32 Driver Version 8.4
    Wed Jan 30 01:15:40 2008 TAP-Win32 MTU=1500
    Wed Jan 30 01:15:40 2008 Successful ARP Flush on interface [4] {7249534D-3F7F-4D7F-95EF-F25FF13C1887}
    Wed Jan 30 01:15:40 2008 Data Channel MTU parms [ L:1593 D:1450 EF:61 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Jan 30 01:15:40 2008 Local Options hash (VER=V4): 'ea48dbff'
    Wed Jan 30 01:15:40 2008 Expected Remote Options hash (VER=V4): 'ea48dbff'
    Wed Jan 30 01:15:40 2008 UDPv4 link local: [undef]
    Wed Jan 30 01:15:40 2008 UDPv4 link remote: REMOTEWANIP:1194
    Wed Jan 30 01:15:50 2008 Peer Connection Initiated with REMOTEWANIP:1194
    Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
    Wed Jan 30 01:15:50 2008 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1593', remote='link-mtu 1561'
    Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
    Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
    Wed Jan 30 01:15:51 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Wed Jan 30 01:15:51 2008 Initialization Sequence Completed


    It "connects", but I can't reach any host on the 192.168.111.0/24
    LAN!

    Help, anyone?

    Thanks,
    Gabe






--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
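
Added example, not part of the original thread: a small Python script that pulls the option-consistency warnings out of an OpenVPN client log, so a tunnel that reports "Initialization Sequence Completed" while the two peers disagree on settings is easy to spot. The sample lines are copied from the log quoted above; the function names are illustrative.

```python
import re

# Log lines copied from the client log quoted in the thread (wraps rejoined).
SAMPLE_LOG = """\
Wed Jan 30 01:15:50 2008 Peer Connection Initiated with REMOTEWANIP:1194
Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Wed Jan 30 01:15:50 2008 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1593', remote='link-mtu 1561'
Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
Wed Jan 30 01:15:51 2008 Initialization Sequence Completed
"""

# Both peers set the option, but to different values.
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
# Only one peer sets the option at all.
ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config, (?:local|remote)='(?P<value>[^']*)'")

def option_mismatches(log_text):
    """Return one dict per option-consistency warning found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            findings.append({"option": m["opt"], "local": m["local"],
                             "remote": m["remote"]})
            continue
        m = ONE_SIDED.search(line)
        if m:
            entry = {"option": m["opt"], "local": None, "remote": None}
            entry[m["side"]] = m["value"]  # the side that has the option
            findings.append(entry)
    return findings

def connected_with_mismatches(log_text):
    """True when the log shows a completed tunnel and option mismatches."""
    return ("Initialization Sequence Completed" in log_text
            and bool(option_mismatches(log_text)))

if __name__ == "__main__":
    for f in option_mismatches(SAMPLE_LOG):
        print(f"{f['option']:10} local={f['local']!r} remote={f['remote']!r}")
```
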

