Title: OpenVPN connection done, but no LAN connection
Post by: keysman75 on Monday 10 July 2017, 11:37:14 pm

Good morning guys,
I'm a newbie about OpenVPN. I followed a lot of tutorials and did read a lot of posts to set up my Endian Firewall OpenVPN, but I for sure made some mistakes... maybe routing??!! I don't know. The main issue consists of connections to LAN hosts missing:

sh-3.2# ping 192.168.0.30
PING 192.168.0.30 (192.168.0.30): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable

Let me introduce my facility:
Running Tunnelblick on my Mac I can connect (I think) to the VPN, and even on the server side it seems a successful connection.

Logs on client:
2017-07-10 14:27:45 *Tunnelblick: openvpnstart starting OpenVPN
2017-07-10 14:27:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-07-10 14:27:46 *Tunnelblick: Established communication with OpenVPN
2017-07-10 14:27:46 MANAGEMENT: CMD 'pid'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state on'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state'
2017-07-10 14:27:46 MANAGEMENT: CMD 'bytecount 1'
2017-07-10 14:27:46 MANAGEMENT: CMD 'hold release'
2017-07-10 14:27:50 MANAGEMENT: CMD 'username "Auth" "keysman"'
2017-07-10 14:27:50 MANAGEMENT: CMD 'password [...]'
2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled.
2017-07-10 14:27:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-07-10 14:27:50 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-07-10 14:27:50 UDPv4 link local: [undef]
2017-07-10 14:27:50 UDPv4 link remote: [AF_INET]194.183.83.122:1194
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,WAIT,,,
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,AUTH,,,
2017-07-10 14:27:50 TLS: Initial packet from [AF_INET]194.183.83.122:1194, sid=732a5403 b8cc8d25
2017-07-10 14:27:50 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-07-10 14:27:51 VERIFY OK: depth=1, C=IT, O=efw, CN=efw CA
2017-07-10 14:27:51 VERIFY OK: depth=0, C=IT, O=efw, CN=194.183.83.122
2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-07-10 14:27:52 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
2017-07-10 14:27:52 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-07-10 14:27:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2017-07-10 14:27:52 [194.183.83.122] Peer Connection Initiated with [AF_INET]194.183.83.122:1194
2017-07-10 14:27:53 MANAGEMENT: >STATE:1499689673,GET_CONFIG,,,
2017-07-10 14:27:54 SENT CONTROL [194.183.83.122]: 'PUSH_REQUEST' (status=1)
2017-07-10 14:27:54 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.254,route 192.168.0.0 255.255.255.0,route-gateway 192.168.0.254,ping 5,ping-restart 30,ifconfig 192.168.0.240 255.255.255.0'
2017-07-10 14:27:54 OPTIONS IMPORT: timers and/or timeouts modified
2017-07-10 14:27:54 OPTIONS IMPORT: --ifconfig/up options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route-related options modified
2017-07-10 14:27:54 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
2017-07-10 14:27:54 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-07-10 14:27:54 Opened utun device utun1
2017-07-10 14:27:54 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-07-10 14:27:54 MANAGEMENT: >STATE:1499689674,ASSIGN_IP,,192.168.0.240,
2017-07-10 14:27:54 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-07-10 14:27:54 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-07-10 14:27:54 /sbin/ifconfig utun1 192.168.0.240 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
2017-07-10 14:27:54 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1542 192.168.0.240 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
NOTE: No network configuration changes need to be made.
WARNING: Will NOT monitor for other network configuration changes.
WARNING: Will NOT disable IPv6 settings.
DNS servers '8.8.8.8 192.168.44.1' were set manually
DNS servers '8.8.8.8 192.168.44.1' will be used for DNS queries when the VPN is active
NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present.
Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
End of output from client.up.tunnelblick.sh
**********************************************
2017-07-10 14:27:56 *Tunnelblick: No 'connected.sh' script to execute
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,ADD_ROUTES,,,
2017-07-10 14:27:56 /sbin/route add -net 192.168.0.0 192.168.0.254 255.255.255.0
add net 192.168.0.0: gateway 192.168.0.254
2017-07-10 14:27:56 Initialization Sequence Completed
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,CONNECTED,SUCCESS,192.168.0.240,194.183.x.y

Logs on Endian:
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: OpenVPN 2.3.6 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 9 2015
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.01
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: WARNING: file "/var/efw/vpn/ca/certs/194.183.83.122key.pem" is group or others accessible
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: TUN/TAP device tap0 opened
OpenVPN 2017-07-10 13:56:14 openvpn[2637]: /usr/local/bin/dir.d-exec /etc/openvpn/ifup.server.d/ tap0 1500 1574 init
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: GID set to openvpn
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: UID set to openvpn
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: UDPv4 link local (bound): [undef]
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: UDPv4 link remote: [undef]
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: ifconfig_pool_read(), in="keysman,192.168.0.240", TODO: IPv6
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: succeeded -> ifconfig_pool_set()
OpenVPN 2017-07-10 13:56:14 openvpn[2643]: Initialization Sequence Completed
OpenVPN 2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "dev-type" is used inconsistently, local="dev-type tap", remote="dev-type tun"
OpenVPN 2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1542"
OpenVPN 2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1500"
OpenVPN 2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 [keysman] Peer Connection Initiated with [AF_INET]158.148.95.15:63569 (via [AF_INET]194.183.x.y%ppp0)
OpenVPN 2017-07-10 13:58:44 openvpn[2643]: keysman/158.148.95.15:63569 MULTI_sva: pool returned IPv4=192.168.0.240, IPv6=(Not enabled)
OpenVPN 2017-07-10 13:58:46 openvpn[2643]: keysman/158.148.95.15:63569 send_push_reply(): safe_cap=940

The configuration on the client is the following:
client
dev tun
proto udp
remote 194.183.x.y 1194
auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
comp-lzo
verb 3

Please have a look at attached images for VPN/Client settings and logs.
Again I think the connection was successful because running ifconfig and netstat on the client I get the following:

sh-3.2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether d0:e1:40:89:cc:98
    inet6 fe80::1021:a68e:860:6bda%en0 prefixlen 64 secured scopeid 0x4
    inet 192.168.43.222 netmask 0xffffff00 broadcast 192.168.43.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether 32:00:16:8d:20:00
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 32:00:16:8d:20:00
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 5 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 02:e1:40:89:cc:98
    media: autoselect
    status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    ether aa:bf:33:b7:59:8c
    inet6 fe80::a8bf:33ff:feb7:598c%awdl0 prefixlen 64 scopeid 0x8
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::ba77:3719:8f70:6c86%utun0 prefixlen 64 scopeid 0x9
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 192.168.0.240 --> 255.255.255.0 netmask 0xffffffff

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.43.1       UGSc          196        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              6    27494     lo0
169.254            link#4             UCS             0        0     en0
192.168.0          192.168.0.254      UGSc            0        0     en0
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.1       2:1a:11:f2:1e:1    UHLWIir       196       24     en0   1194
192.168.43.222/32  link#4             UCS             1        0     en0
192.168.43.222     d0:e1:40:89:cc:98  UHLWI           0        1     lo0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        3     en0
224.0.0/4          link#4             UmCS            2        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0       12     en0
255.255.255.0      192.168.0.240      UH              0        0   utun1
255.255.255.255/32 link#4             UCS             0        0     en0

Please help me to understand what kind of mistake I'm making. If I forgot some details, please ask me for them.
Cheers
Christian

Title: Re: OpenVPN connection done, but no LAN connection
Post by: lucagiove on Friday 14 July 2017, 01:16:13 am

Make sure that the device type matches between client and server. I read you have TAP on the server but TUN on the client; this won't work for sure.
Title: Re: OpenVPN connection done, but no LAN connection
Post by: keysman75 on Friday 14 July 2017, 05:14:32 pm

Thank you very much LucaGiove for the suggestion. Now I updated my client configuration and everything is working!!!
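The TAP/TUN mismatch lucagiove points out, the netmask-style ifconfig the client warned about, the BF-CBC data cipher and the missing server-certificate verification are all visible in the logs of the first post. As an added example (not from this thread, Endian or OpenVPN), here is a small Python checker that runs over abridged copies of those client lines; local_dev is an assumed parameter naming the client's own --dev setting.

```python
import re

# Same warning text on both sides; the client quotes with ' and the server with ".
INCONSISTENT = re.compile(r"['\"]([\w-]+)['\"] is used inconsistently, "
                          r"local=['\"][\w-]+ (\S+?)['\"], remote=['\"][\w-]+ (\S+?)['\"]")
PUSH_IFCONFIG = re.compile(r"PUSH_REPLY,.*?\bifconfig (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
DATA_CIPHER = re.compile(r"Data Channel Encrypt: Cipher '([\w-]+)'")
WEAK_64BIT_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # SWEET32-class ciphers

def looks_like_netmask(dotted):
    """True when the dotted quad is a run of 1-bits then 0-bits, e.g. 255.255.255.0."""
    value = 0
    for octet in dotted.split("."):
        value = (value << 8) | int(octet)
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def check_openvpn_log(lines, local_dev="tun"):
    """Return human-readable findings; local_dev is the client's own --dev (assumed input)."""
    findings = []
    for line in lines:
        m = INCONSISTENT.search(line)
        if m:
            findings.append(f"{m.group(1)} mismatch: local={m.group(2)} remote={m.group(3)}")
        m = PUSH_IFCONFIG.search(line)
        # A tun client takes the second ifconfig argument as its peer address, so a pushed
        # netmask becomes the "peer" and the LAN route cannot be bound to the tunnel.
        if m and local_dev == "tun" and looks_like_netmask(m.group(2)):
            findings.append(f"netmask-style ifconfig {m.group(1)} {m.group(2)} pushed to a tun client")
        m = DATA_CIPHER.search(line)
        if m and m.group(1) in WEAK_64BIT_BLOCK:
            findings.append(f"64-bit block cipher {m.group(1)} (SWEET32); prefer AES-256-GCM/CBC")
        if "No server certificate verification method has been enabled" in line:
            findings.append("server certificate role not checked; add 'remote-cert-tls server'")
    return findings

# Constructed sample: abridged copies of the client log lines in the first post.
SAMPLE_CLIENT_LOG = [
    "2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled.",
    "2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'",
    "2017-07-10 14:27:52 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'",
    "2017-07-10 14:27:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "2017-07-10 14:27:54 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.254,"
    "route 192.168.0.0 255.255.255.0,ping 5,ping-restart 30,ifconfig 192.168.0.240 255.255.255.0'",
    "2017-07-10 14:27:56 Initialization Sequence Completed",
]

if __name__ == "__main__":
    for finding in check_openvpn_log(SAMPLE_CLIENT_LOG, local_dev="tun"):
        print("FINDING:", finding)
```

The same checker accepts the server-side lines from the Endian log, since the regex tolerates either quoting style.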
Title: OpenVPN connection done but no LAN connection
Post by: DonaldWhack on Wednesday 16 May 2018, 07:10:51 pm

Model :
Hardware Version : Not Clear
Firmware Version :
ISP :

In the PDF guide, it says "Suitable for: TL-ER6120, TL-ER6020, TL-ER604W" in the Client-To-LAN IPSec/PPTP section. Does this mean the R600VPN is only suitable for Site-To-Site connection?