Hi All,
I’m setting up OpenVPN on FreeBSD 10.3 and ran into a problem which I can’t resolve despite following documentation and reading up on guides etc. Here’s the setup and what happens:
- Machine A – 192.168.1.1/24, gateway / router, DHCP provides addresses from the 192.168.1.5 - 192.168.1.64 range
- Machine B (FreeBSD) – 192.168.1.2/24, BGE1
- Machine B (FreeBSD) – 192.168.1.129/26, TUN0
- Machine C – 192.168.1.5/24, HTTP
2. Machine A relays the connection to Machine B which houses the OpenVPN server.
3. Machine B assigns an address of say 192.168.1.130/26. Cool – everything works up until this point. The client can ping other clients within the VPN subnet, can ping the gateway, etc.
4. The client now attempts to access Machine C and fails miserably. Pinging anything within the 192.168.1.0/24 network fails with the exception of the gateway and interfaces directly attached to Machine B.
5. The client tries to access the Samba share which is also located on Machine B – fails miserably too.
Now before I explain what I’ve done to date let me say what the rationale for this setup is: I want to be able to provide full, unrestricted access to all local services for remote clients. An ideal solution for me would be to use a bridge/TAP rather than routed/TUN setup – but I’ve got Android VPN clients connecting and TAP is not compatible with Android based on OpenVPN documentation. Given they’re mobile clients, TAP overheads are not ideal either – hence I’m stuck with TUN. Because of that, I also can’t reach the DHCP located on Machine A – this means that I need to assign addresses which could potentially clash with DHCP assigned addresses as DHCP will have no awareness of what’s been assigned to clients by Machine B. This is the reason for the */26 subnet. DHCP on Machine A has been restricted in terms of the pool of addresses it can provide from within the */24 network and Machine B provides them from outside of that range = no overlap.
What I’ve done / tested / configured:
1. Machine A has a static route to the VPN subnet via 192.168.1.2/24
2. Machine B is pushing 192.168.1.0 255.255.255.0 to clients
3. Machine B has the route 192.168.1.0 255.255.255.0 directive in the OpenVPN.conf.
4. I’ve tried using the iroute directive on clients – no change.
5. Machine B has IP forwarding configured (sysctl) and gateway enabled in rc.conf
6. There are no firewalls on any of these machines.
7. Samba on Machine B is serving both BGE1 and TUN interfaces. Still no access.
Am I missing something really obvious? Any extra comments re effectiveness of the setup would be most welcome.
Configs and variables below.
OpenVPN.conf:
Code:
port 555
proto udp
dev tun
persist-tun
tls-version-min 1.2
tls-server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/test.crt
key /usr/local/etc/openvpn/keys/test.key
dh /usr/local/etc/openvpn/keys/test.pem
tls-auth /usr/local/etc/openvpn/keys/test.key 0
topology subnet
server 192.168.1.128 255.255.255.192
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway autolocal"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 192.168.1.2"
duplicate-cn
keepalive 10 120
max-clients 10
persist-key
status openvpn-status.log
verb 3
sndbuf 0
rcvbuf 0
mssfix 1300
Client config / x.ovpn:
Code:
dev tun
persist-tun
auth-nocache
<connection>
remote test 555
</connection>
resolv-retry infinite
mute-replay-warnings
verb 3
client
remote-cert-tls server
tls-version-min 1.2
tls-client
remote-cert-eku "TLS Web Server Authentication"
cipher AES-256-CBC
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
key-direction 1
<tls-auth>
...
</tls-auth>
# sysctl net.inet.ip.forwarding
Code:
net.inet.ip.forwarding: 1
# ifconfig
Code:
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 1c:98:ec:0f:4d:75
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::1e98:ecff:fe0f:4d74%tun0 prefixlen 64 scopeid 0x4
inet 192.168.1.129 --> 192.168.1.130 netmask 0xffffffc0
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 46362
Best regards,
Janusz
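One condition worth checking in a routed (TUN) setup like the one above, as an added example that is not part of the post: the pool declared by `server 192.168.1.128 255.255.255.192` lies inside the LAN prefix 192.168.1.0/24, so a LAN host such as Machine C (192.168.1.5/24) treats a VPN client address like 192.168.1.130 as on-link and ARPs for it on the wire instead of sending the reply to the gateway, which means the static route on Machine A is never consulted. The script parses the `server` line from a constructed copy of the posted config, reports the overlap, and traces how a LAN host would deliver to the first pool address; the machine addresses come from the post, and the comparison with a non-overlapping pool is an assumption for illustration.

```python
"""Added example, not part of the forum post: check whether an OpenVPN TUN
pool overlaps the LAN it is meant to reach, and show how a LAN host with no
extra routes will deliver packets to a VPN client address."""
import ipaddress
import re

# Constructed sample: only the routing-relevant lines of the posted OpenVPN.conf
SERVER_CONF = """\
dev tun
topology subnet
server 192.168.1.128 255.255.255.192
push "route 192.168.1.0 255.255.255.0"
"""


def vpn_pool(conf: str) -> ipaddress.IPv4Network:
    """Return the network declared by the 'server <network> <netmask>' line."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)\s*$", conf, re.M)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)


def delivery(host_cidr: str, dst: str, gateway: str) -> str:
    """How a host with only its connected route and a default gateway reaches
    dst: 'on-link' means it ARPs for dst on its own segment, so a static route
    on the gateway is never consulted; otherwise it forwards to the gateway."""
    host = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst) in host.network:
        return "on-link"
    return f"via {gateway}"


def diagnose(conf: str, lan_cidr: str, host_cidr: str, gateway: str) -> dict:
    """Compare the pool with the LAN prefix and trace one client address."""
    pool = vpn_pool(conf)
    lan = ipaddress.ip_network(lan_cidr)
    client = pool[2]  # .128 is the network, .129 the server, .130 the first client
    return {
        "pool": str(pool),
        "overlaps_lan": pool.overlaps(lan),
        "client": str(client),
        "host_path": delivery(host_cidr, str(client), gateway),
    }


if __name__ == "__main__":
    # Machine C (192.168.1.5/24) trying to answer a client in the posted pool
    print(diagnose(SERVER_CONF, "192.168.1.0/24", "192.168.1.5/24", "192.168.1.1"))
```

Running it against the posted pool reports `overlaps_lan: True` and `host_path: on-link`; swapping in a pool outside the LAN (for example a 10.x/24 net, which is what the `push "route 192.168.1.0 255.255.255.0"` line then serves) reports `via 192.168.1.1`, i.e. Machine C would hand the reply to the router that holds the static route.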