Weird Problem with OpenVPN and pfsense

I successfully got OpenVPN to work with one computer, and can access resources on the network just fine. I decided to add another OpenVPN computer (and user), and it won’t route traffic from the second OpenVPN computer to the network resources. The only thing I can do is ping the LAN gateway (192.168.0.1). Even stranger is, if I connect with computer #1, computer #2 will start routing traffic.

Computer 1 is connecting with virtual IP 10.0.0.2.

Computer 2 is connecting with virtual IP 10.0.0.3.

However, I don’t see 10.0.0.3 in the routing table even with Computer #2 connected.

Here’s the routing table. 10.0.0.0/24 is the VPN virtual network, and 192.168.0.0/24 is the LAN.

Any assistance would be appreciated.

Take a look at the openvpn logs on the second computer. If you are using the openvpn connect client there is a button at the top right of the application window.

Excellent idea. I compared the OpenVPN Connect logs from Computer 1 and Computer 2, and they are identical other than the virtual IP addresses being 10.0.0.2 and 10.0.0.3 respectively. I especially took a close look at the section labeled “add_routes”.

"add_routes" :
[
  {
    "address" : "192.168.0.0",
    "gateway" : "",
    "ipv6" : false,
    "metric" : -1,
    "net30" : false,
    "prefix_length" : 24
  }
],
"block_ipv6" : false,
"layer" : 3,
"mtu" : 0,
"remote_address" :
{
  "address" : "WAN IP",
  "ipv6" : false
},
"reroute_gw" :
{
  "flags" : 256,
  "ipv4" : false,
  "ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "name",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
  {
    "address" : "10.0.0.3",
    "gateway" : "10.0.0.1",
    "ipv6" : false,
    "metric" : -1,
    "net30" : false,
    "prefix_length" : 24
  }
]

I ran another test by importing the profile for computer/user #2 into OpenVPN Connect on Computer #1. I connected using the second profile, which created a virtual IP address of 10.0.0.3. In pfsense, it still doesn’t show the 10.0.0.3 in the routing table.

What about the logs on pfsense itself at Status → Logs → OpenVPN?

Here is the log. I first connected with Computer1/User1 and then disconnected. Then about 20 minutes later I connected with Computer2/User2. I am not seeing any difference between the two.

One other thing I noticed is I can ping a device on the remote LAN from Computer 2, and get no response. 15 minutes later, it will respond to a ping. Another 15 minutes later, it is dead again.

Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_VER=3.git::d3f8b18b
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_PLAT=win
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_NCP=2
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_TCPNL=1
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_PROTO=30
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_GUI_VER=OCWindows_3.3.6-2752
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_SSO=webauth,openurl,crtext
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 peer info: IV_BS64DL=1
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 11 12:01:05 openvpn 61350 WAN IP:28335 [user1] Peer Connection Initiated with [AF_INET]WAN IP:28335
Apr 11 12:01:05 openvpn 66401 user 'user1' authenticated
Apr 11 12:01:05 openvpn 61350 user1/WAN IP:28335 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
Apr 11 12:01:05 openvpn 66777 openvpn server 'ovpns1' user 'user1' address 'WAN IP' - connected
Apr 11 12:01:06 openvpn 61350 user1/WAN IP:28335 IP packet with unknown IP version=0 seen
Apr 11 12:07:44 openvpn 57632 openvpn server 'ovpns1' user 'user1' address 'WAN IP' - disconnected
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_VER=3.git::d3f8b18b
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_PLAT=win
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_NCP=2
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_TCPNL=1
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_PROTO=30
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_GUI_VER=OCWindows_3.3.7-2979
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_SSO=webauth,openurl,crtext
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 peer info: IV_BS64DL=1
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 11 12:20:06 openvpn 61350 WAN IP:34812 [user2] Peer Connection Initiated with [AF_INET]WAN IP:34812
Apr 11 12:20:06 openvpn 48227 user 'user2' authenticated
Apr 11 12:20:06 openvpn 61350 user2/WAN IP:34812 MULTI_sva: pool returned IPv4=10.0.0.3, IPv6=(Not enabled)
Apr 11 12:20:06 openvpn 48559 openvpn server 'ovpns1' user 'user2' address 'WAN IP' - connected
Apr 11 12:20:07 openvpn 61350 user2/WAN IP:34812 IP packet with unknown IP version=0 seen

Here is some more info. If I ping the remote LAN gateway, 192.168.0.1 and leave it on continuous ping, the connection will come alive. I can’t figure this out.
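As an added example (not code from the thread or from pfSense), a small Python parser for the pfSense OpenVPN log format quoted above: it groups lines per client session (ip:port), records the assigned pool address and warnings, and reports which peer-info values differ between two sessions, which is the comparison the thread is doing by eye. The sample lines are constructed from the log above, with the redacted "WAN IP" replaced by 203.0.113.10 (an assumed documentation-range address).

```python
import re
from collections import defaultdict

# Constructed sample from the two sessions quoted above; the forum's "WAN IP"
# placeholder is replaced by 203.0.113.10 (documentation range, an assumption).
SAMPLE_LOG = """\
Apr 11 12:01:05 openvpn 61350 203.0.113.10:28335 peer info: IV_VER=3.git::d3f8b18b
Apr 11 12:01:05 openvpn 61350 203.0.113.10:28335 peer info: IV_GUI_VER=OCWindows_3.3.6-2752
Apr 11 12:01:05 openvpn 61350 203.0.113.10:28335 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 11 12:01:05 openvpn 61350 203.0.113.10:28335 [user1] Peer Connection Initiated with [AF_INET]203.0.113.10:28335
Apr 11 12:01:05 openvpn 66401 user 'user1' authenticated
Apr 11 12:01:05 openvpn 61350 user1/203.0.113.10:28335 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
Apr 11 12:20:06 openvpn 61350 203.0.113.10:34812 peer info: IV_VER=3.git::d3f8b18b
Apr 11 12:20:06 openvpn 61350 203.0.113.10:34812 peer info: IV_GUI_VER=OCWindows_3.3.7-2979
Apr 11 12:20:06 openvpn 61350 203.0.113.10:34812 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 11 12:20:06 openvpn 61350 203.0.113.10:34812 [user2] Peer Connection Initiated with [AF_INET]203.0.113.10:34812
Apr 11 12:20:06 openvpn 61350 user2/203.0.113.10:34812 MULTI_sva: pool returned IPv4=10.0.0.3, IPv6=(Not enabled)
"""

# Per-session line: timestamp, "openvpn <pid>", optional "user/", client ip:port,
# message. Lines with no client endpoint (e.g. "... authenticated") are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn \d+ "
    r"(?:(?P<user>[\w.-]+)/)?(?P<ep>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)$")

def parse_sessions(text):
    """Group log lines by client endpoint; each endpoint is one session."""
    sessions = defaultdict(lambda: {"user": None, "pool_ipv4": None, "peer_info": {}, "warnings": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["ep"]], m["msg"]
        if m["user"]:
            s["user"] = m["user"]
        if msg.startswith("peer info: "):
            key, _, val = msg[len("peer info: "):].partition("=")
            s["peer_info"][key] = val
        elif msg.startswith("WARNING: "):
            s["warnings"].append(msg[len("WARNING: "):])
        elif "pool returned IPv4=" in msg:
            s["pool_ipv4"] = re.search(r"IPv4=([\d.]+)", msg).group(1)
    return dict(sessions)

def diff_sessions(a, b):
    """Peer-info keys whose values differ between two sessions (None if absent)."""
    keys = set(a["peer_info"]) | set(b["peer_info"])
    return {k: (a["peer_info"].get(k), b["peer_info"].get(k))
            for k in sorted(keys) if a["peer_info"].get(k) != b["peer_info"].get(k)}
```

Run against the full log from Status → Logs → OpenVPN, the same two functions confirm each user got a distinct pool address and show that the only client-side difference between the two sessions is the OpenVPN Connect build reported in IV_GUI_VER.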