Netgate Discussion Forum

    OpenVPN clients can only ping, but can't access any of the remote servers

    Nsai:

      OpenVPN server is configured with VPN subnet 10.10.200.0/24 and pfsense LAN side subnet 172.27.100.0/24.

      The OpenVPN connection is establishing and the client can ping servers on the LAN side, but cannot reach any website. I have allowed traffic to any hosts in the firewall rules.

      From the output of tcpdump captures on the OpenVPN and LAN interfaces, it is observed that:

      • The TCP SYN packet is sent from the OpenVPN interface to the required destination. It is not reaching the LAN interface and TCP retransmission is occurring.
      • But when ICMP packets are sent, the LAN port receives the ICMP request and reply packets.

      I assume the problem is in routing the traffic. Can someone help with the necessary routing?

      viragomann @Nsai:

        @nsai said in OpenVPN clients can only ping, but can't access any of the remote servers:

        TCP SYN packet is sent from openvpn interface to required destination. It is not reaching the LAN interface and TCP retransmission is occurring.

        Are you talking about the response packet? The request should be seen on LAN interface at least.

        Is the pfSense which is running the OpenVPN server the default gateway in the LAN?

        Nsai @viragomann:

          @viragomann Thanks for replying

          Are you talking about the response packet? The request should be seen on LAN interface at least.

          The TCP request packet is not reaching the LAN interface.
          But I can access the web console of pfSense using the LAN interface IP through the VPN.
          ICMP packets to other remote servers pass through the LAN interface with the pfSense LAN IP as source address.

          Is the pfSense which is running the OpenVPN server the default gateway in the LAN?

          pfSense is not the gateway in the LAN.

          viragomann @Nsai:

            @nsai said in OpenVPN clients can only ping, but can't access any of the remote servers:

            pfSense is not the gateway in the LAN.

            So the LAN devices cannot route packets back properly to the VPN clients. They will send response packets to their default gateway.

            Best practice to solve is to set up a transit network between pfSense and your router if that is possible. pfSense must not have an interface in your LAN.
            On the router you have to add a route for the VPN tunnel network pointing to pfSense.

            Other options are either to add routes on all LAN devices for the VPN tunnel network or do masquerading on pfSense to translate the source address in packets destined to LAN devices into the LAN IP.

            The TCP request packet is not reaching LAN interface.

            Did you check that on pfSense itself? I cannot really believe it. If so, there must be something wrong in pfSense, or also pings should not pass. Presumed your firewall rules are allowing all traffic.

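The asymmetric-routing failure described in the reply above, traced with a small longest-prefix-match simulator. This is an added example, not code from the thread or from pfSense; the host addresses, the router's upstream hop and the routing tables are constructed assumptions chosen to match the thread's 10.10.200.0/24 and 172.27.100.0/24 subnets. It walks the LAN host's reply to a VPN client's SYN under each of the three remedies named in the reply (a route on the LAN devices, a route on the LAN's default gateway, or outbound NAT on pfSense).

```python
import ipaddress

# Constructed addresses, chosen to match the subnets named in the thread.
VPN_CLIENT, PFSENSE_LAN = "10.10.200.2", "172.27.100.1"
ROUTER_LAN, ISP_HOP = "172.27.100.254", "203.0.113.1"   # LAN default gateway and its upstream (assumed)
NAME_OF = {PFSENSE_LAN: "pfsense", ROUTER_LAN: "router", VPN_CLIENT: "vpn_client"}

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) entries; gateway None means on-link."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    if best is None:
        return None
    return best[1] or dst          # on-link: deliver straight to the destination

def trace_reply(nodes, start, dst, max_hops=8):
    """Follow the LAN host's reply hop by hop and return the names of the nodes it visits."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(nodes.get(node, []), dst)
        name = NAME_OF.get(hop)
        if name is None:                     # no route, or handed to an unmodelled hop (the ISP)
            return path + ["dropped"]
        path.append(name)
        if hop == dst:                       # delivered to the final destination
            return path
        node = name
    return path + ["loop"]

def scenario(fix):
    """fix is one of: none, host_route, router_route, nat."""
    nodes = {
        "lan_host": [("172.27.100.0/24", None), ("0.0.0.0/0", ROUTER_LAN)],
        "router":   [("172.27.100.0/24", None), ("0.0.0.0/0", ISP_HOP)],
        "pfsense":  [("172.27.100.0/24", None), ("10.10.200.0/24", None)],
    }
    reply_dst = VPN_CLIENT                   # the reply goes to the SYN's source address
    if fix == "host_route":                  # static route on every LAN device
        nodes["lan_host"].append(("10.10.200.0/24", PFSENSE_LAN))
    elif fix == "router_route":              # route on the LAN's default gateway (transit-network setup)
        nodes["router"].append(("10.10.200.0/24", PFSENSE_LAN))
    elif fix == "nat":                       # outbound NAT: the SYN arrives sourced from pfSense's LAN IP
        reply_dst = PFSENSE_LAN
    return trace_reply(nodes, "lan_host", reply_dst)

if __name__ == "__main__":
    for fix in ("none", "host_route", "router_route", "nat"):
        print(f"{fix:13} -> {' -> '.join(scenario(fix))}")
```

With no fix the reply leaves the LAN host for its default gateway, which has no route for the tunnel network and hands it upstream, which is why pfSense never sees the SYN/ACK; in the NAT case the reply is addressed to pfSense's own LAN IP, which also matches the ICMP behaviour the original poster saw (LAN sees pings sourced from the pfSense LAN IP).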
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.