openVPN not allowing clients to access resources on the LAN
-
I set up my openVPN on my pfSense server so I can access my file server while away from home. Once the VPN server was set up, I was able to connect to the VPN and bring up the control panel on the pfSense box. Lightning fast. I then tried to access my file server's web interface, but it didn't load. I tried to ping the IP of the file server, and it came back very sporadically.
On each ping, I would get a different result.
Ping
Nothing
Nothing
Ping
Then the next time
Nothing
Nothing
Nothing
Ping
Never the same thing twice. I tried bringing up the web interface again. It loaded, but very very slowly. Sometimes the logon screen would connect, but when I typed in my credentials, it would never load.
I was thinking the rather old Gig NIC I used for the LAN port might just have been flaky, even though traffic from the LAN had no issues and was very fast. I replaced the card with a brand new Gig card. Exact same results.
Does anyone have any insight?
-
You know, it's just like magic. Nothing works, and you try everything you can think of to make things work - all to no avail. Then you reach out to others to see if they might be able to think of anything that might fix it. As soon as you do, you go back to poking at it. The very first random thing you try turns out to (kind of) fix it.
I went under "Interfaces" and clicked OPT1 (ovpns1) and it was showing as disabled. I enabled it. My VPN immediately disconnected. I was prompted for a login, and then it reconnected. I now wasn't even able to connect to the pfSense web interface from the VPN. In disgust, I went to the local LAN computer and logged into the interface. I disabled the OPT1 again, but nothing changed. Still no web interface on the VPN. Enabled it again and presto everything worked.
Briefly. Now it's back to sporadically connecting, but when it connects it's very fast instead of incredibly slow.
-
@the-rob if it is a site-to-site OpenVPN tunnel, then you need to enable the virtual interface on both sides and add an allow rule.
If you are connecting with remote access OpenVPN, you need to have an allow rule on the OpenVPN tab. Please clarify how you connect, and maybe I can give a tutorial to make it correct.
-
@bambos It is a client-server VPN. For accessing my files while I'm away from home. I used the wizard and it made the firewall rules.
It connects fine, but the traffic just isn't flowing correctly past the pfSense box. I can connect to the pfSense control panel easily and quickly. Trying to get to the LAN is where the problem arises. Traffic will flow fine, then all of a sudden it stops, then 10-30 seconds later it's going fine again.
It can't be the firewall, because traffic does go through. What's making me scratch my head is that the traffic will just stop for a bit, then pick up again. I have no idea why it's doing that.
-
@the-rob check if it is a matter of an unstable internet connection.
Monitor the packet loss on the interfaces, VPN and WAN. If you don't see a disconnection of the VPN but you experience misbehaviour, also check the health of the file server. A faulty hard disk retries x1000 times to read correctly, causing momentary unresponsiveness.
If there is a VPN tunnel issue, you would see the balloon reconnecting.
-
@the-rob
Check the logs on pfSense for hints: System, OpenVPN, firewall. Ensure you have the logging of the default blocks enabled.
-
@bambos Internet connection is fine. VPN is nice and stable while accessing the pfSense box. No errors. No packet loss on any interfaces. Only a failure to communicate to resources on the pfSense LAN.
File server is rock solid. I've been using it on the LAN for a couple years now with no issues. Accessing it on the LAN now is still working great. Using it across the VPN is what is the issue.
-
@viragomann Default block logging was enabled.
Nothing showing in the logs. I have even tried accessing the LAN resources and then checking the logs right after to see if anything was added - nothing was.
This is what made me reach out for help. None of the normal diagnostic steps seem to show any issue.
-
For what it's worth, I did a fresh install on different hardware, and I can now access the file server's admin panel across the VPN. I cannot, however, access SMB file shares from the same server. The firewall rule for OpenVPN is set to the defaults of 'forward everything on all ports'.
Any idea what I'm still not getting set properly?
-
@the-rob still strange, most probably something is not OK with the specific file server.
What file server is this? Can you make an SMB share on another PC for a test? For example, use AnyDesk on a PC on your LAN and start SMB with a share to test.
-
@the-rob said in openVPN not allowing clients to access resources on the LAN:
For what it's worth, I did a fresh install on different hardware
Is this now the default gateway in the LAN / on the SMB server?
How did you try to access the shares? Do you call the server by its IP?
-
@bambos I have not yet tried another file share. I'll set that up and give it a try. I'm confident the file server is working. I can use it with no issues at all on the local network. Across the VPN I get very sporadic response from the web interface, and cannot access the file share at all. It's like the pfSense box isn't actually routing.
-
@viragomann It is the default gateway. I have tried accessing the shares using both IP and NetBIOS name.
using \\192.168.50.50\folder
and \\fileshare\folder
-
Oh, the original hardware was a dual core i5 with 4GB of RAM. An old workstation I added a PCI gigabit NIC in.
The new hardware is a rotated out enterprise server. Dual 12-core Xeon with 64 GB of RAM. 4 built-in gigabit NICs.
I wanted to try with dissimilar hardware. Both are behaving about the same. Is there a setting in the OpenVPN that needs to be checked to get the routing working?
-
@bambos No joy on the other machine. For some reason it won't route beyond the VPN server.
-
@the-rob
Try to get it to work with the IP first to avoid resolving issues. If you cannot access the SMB share, ensure the host does not block it by its own firewall, which is the default behavior.
To troubleshoot you can use the packet capture utility from the Diagnostic menu on pfSense.
Take a capture on the interface facing the SMB server and check if requests are going out and if responses are coming back properly.
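-
Added example, not part of the thread: one way to run the "requests out, responses back" check from the last post over a capture exported as `tcpdump -nn` text. The tunnel client address 10.0.8.2, the admin panel on port 443 and the sample lines are constructed assumptions; only 192.168.50.50 comes from the thread.

```python
import re

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def unanswered_syns(capture_text, server_ip, port=445):
    """Return (client_ip, client_port, syn_count) for every flow whose SYNs to
    server_ip:port never received a SYN-ACK within the capture."""
    syns = {}         # (client_ip, client_port) -> number of SYNs seen (retransmits included)
    answered = set()  # flows for which the server sent a SYN-ACK
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-TCP or unparsed line
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == port and flags == "S":
            key = (src, int(sport))
            syns[key] = syns.get(key, 0) + 1
        elif src == server_ip and int(sport) == port and flags == "S.":
            answered.add((dst, int(dport)))
    return [(ip, p, n) for (ip, p), n in sorted(syns.items())
            if (ip, p) not in answered]

# Constructed sample, as it might look on the LAN interface: the SMB handshake
# is retried without a reply while the web admin panel (assumed 443) answers.
SAMPLE = """\
10:15:01.100000 IP 10.0.8.2.51000 > 192.168.50.50.445: Flags [S], seq 1000, win 64240, length 0
10:15:02.100000 IP 10.0.8.2.51000 > 192.168.50.50.445: Flags [S], seq 1000, win 64240, length 0
10:15:04.100000 IP 10.0.8.2.51000 > 192.168.50.50.445: Flags [S], seq 1000, win 64240, length 0
10:15:05.200000 IP 10.0.8.2.51001 > 192.168.50.50.443: Flags [S], seq 2000, win 64240, length 0
10:15:05.200400 IP 192.168.50.50.443 > 10.0.8.2.51001: Flags [S.], seq 3000, ack 2001, win 65160, length 0
"""

if __name__ == "__main__":
    for ip, p, n in unanswered_syns(SAMPLE, "192.168.50.50"):
        print(f"{ip}:{p} sent {n} SYN(s) to port 445 and got no SYN-ACK")
```

SYNs that leave the LAN interface and are never answered point at the host (its own firewall or its route back to the tunnel subnet); if the SYNs never appear on the LAN interface at all, the problem is on the pfSense or VPN side.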