VPN -> LAN (OK) | LAN -> VPN (OFF) need both working
-
Ok. So you should be able to ping the VPN client IP in the tunnel subnet but the client itself would have to allow it. Is that also pfSense? If so you would need a firewall rule there.
To ping a subnet behind the client you need routes and iroutes. That means adding them as remote networks in the server setup and adding Client Specific Overrides for the client with that subnet defined:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#create-client-specific-overridesSteve
-
@stephenw10 Okay, but I don't want clients to be visible on my network just to ping, I need them to talk to everything, from ping to remote access, everything in fact
-
@BRQ_michael But this step by step is just to add in case PFSENSE was a client of another OpenVPN server, no?
-
No that's the server side for an SSL/TLS site to site which is what you have.
Is the client end here also pfSense?
-
@stephenw10 No, it's a computer
-
So how is it routing traffic from the subnet behind it? You enabled some software routing on the 'computer'?
-
@stephenw10 I don't understand the question sorry, I'm on a computer on the pfsense local network and that's why I can access it, to test I disconnect from the company's LAN network, connect from my cell phone data and do the tests connected to openvpn, if it is What you wanted to know from the question, I ended up not understanding.
-
You said you need to be able to access the VPN clients from LAN is that not true?
-
@stephenw10 exactly, this is what I need, I need my local LAN to talk to the Clients of my OPENVPN server
-
OK so you are testing by pinging from, for example, 192.168.140.57 to 50.50.50.5 ?
In that case the client at 50.50.50.5 must allow the ping traffic. For example Windows firewall will block that.
-
@stephenw10 Exactly, but for example, it's not just ping that doesn't allow it, I try to access my folders, and also transfer something, and my Windows firewall has been dead for ages, completely disabled.
-
Right but we just use ping as a test because it will usually be allowed.
So what error does it return?
-
@stephenw10 The order has timed out.
-
OK, run the ping from a host on LAN then check the state table. Filter by the target IP address and make sure you see the states present.
You should see one state on LAN and one on OpenVPN.
-
@stephenw10 Done, no ping
-
So no states created on any interface?
Was the ping running while you checked the states? The states will close quickly after the ping stops, like maybe 30s.
-
@stephenw10 Exactly, Totally unavailable LAN -> VPN
-
Hmm, then check the firewall logs. Is that blocked on LAN?
If not check the routing table on the LAN client running the ping. Is it somehow trying to ping directly? Like maybe is still has a VPN connection active and isn't even trying to use the LAN?
-
@stephenw10 Nothing appears in the logs when I try to ping.
It's not possible that this is something that abnormal, I don't even make settings other than what comes by default in PFSENSE -
If the LAN host is pinging something in the 50.50.50.X subnet and it is using pfSense as it's default gateway that traffic will arrive at the LAN interface. So it will either be blocked or passed and open a state.
Try running a packet capture on the LAN filtered by the target IP (50.50.50.X) and then running the ping from the LAN host. If those pings don't arrive at the LAN then there is some routing issue on the LAN host.
