Netgate Discussion Forum
    OpenVPN can only connect to HTTPS on gateway

    12 Posts 3 Posters 1.1k Views 3 Watching
    • viragomann @CatSpecial202

      @CatSpecial202
      Is this pfSense device the default gateway in all VLANs?

      You say, you can ping from one VLAN to the other one? Can you ping any device from a VPN client?

      Consider that most devices block access from outside of their own subnet.

      • CatSpecial202 @viragomann

        @viragomann

        Yes, I can ping each gateway on each VLAN and also the devices. I was also able to connect to Synology through HTTPS on one of the VLANs.

        I cannot ping devices on the VLAN that has firewall HTTPS access. The gateway on this VLAN does respond, however, and I cannot connect to other HTTPS on the same VLAN as the firewall HTTPS.

        • CatSpecial202 @viragomann

          @viragomann

          How would the traffic be hitting my switch GUI from the tunnel IP? My switch GUI is accessed from a VLAN. Does the VPN tunnel come out untagged? Can I tag the traffic?

          • viragomann @CatSpecial202

            @CatSpecial202 said in OpenVPN can only connect to HTTPS on gateway:

            > I cannot ping devices on the VLAN that has firewall HTTPS access.

            Can you be more clear, please? What do you mean by "devices that has firewall HTTPS access"?

            > The gateway on this VLAN does respond however and I cannot connect to other HTTPS on the same VLAN as the firewall HTTPS.

            By gateway, you mean the interface IP of pfSense, correct?

            If you can ping the pfSense interface IP but not other devices, the reason could be that the devices do not use pfSense as their default gateway. That's why I asked.
            But it could also be that the destination devices themselves block access from outside of their subnet.

            > How would the traffic be hitting my switch GUI from the tunnel IP?

            You just need to push the route for this VLAN to the VPN clients by adding the subnet to the "local networks" in the OpenVPN server settings. If you have "redirect gateway" enabled, this is not necessary.

            > My switch GUI is accessed from a VLAN. Does the VPN tunnel come out untagged?

            No, the tagging is done by pfSense on outgoing traffic on the interface. This has nothing to do with VPN at all.

            • CatSpecial202 @viragomann

              @viragomann I apologize for my poorly worded original explanation, and thank you for helping me out.

              > Can you be more clear, please? What do you mean by "devices that has firewall HTTPS access"?

              The devices on the sub-net whose HTTPS I cannot connect to do respond to ping. The issue is accessing HTTPS on these devices that are on this same sub-net.

              > The gateway on this VLAN does respond however and I cannot connect to other HTTPS on the same VLAN as the firewall HTTPS.

              This particular sub-net that I'm having trouble accessing is my management VLAN. I can access my firewall GUI while connected to OpenVPN on this sub-net, which is the gateway address. However, I'm having issues accessing the HTTPS servers that are on this same management sub-net. The gateway (firewall) on the same VLAN is accessible via HTTPS when accessed from the tunnel, so the problem seems specific to these devices.

              > ...that the destination devices themselves block access from outside of their subnet.

              Yes, this must be the problem. I tested another HTTPS server last night and I was able to access it from the same sub-net from which I cannot access my switch/AP GUIs. The issue seems to stem from accessing my Cisco switches and my Aruba APs.

              What do I need to do within these devices to allow access from my OpenVPN tunnel? Is it that the traffic is hitting devices from the tunnel IP?

              Thank you for your help!

              • the other @CatSpecial202

                @CatSpecial202 hey there,
                It is then no pfSense-related problem, it seems.
                You use a tunnel with its own IP range. Your VPN client gets an IP out of that range when trying to connect to, i.e., your Cisco switch.
                Did you set your switch so it accepts that IP (range)...?

                I use SOHO Cisco. First I desperately tried accessing the management GUI from another VLAN, tried all kinds of rules on pfSense. Well, it had nothing to do with that. Instead, I had to configure those SG 250s the right way.

                the other

                pure amateur home user, no business or professional background
                please excuse poor english skills and typpoz :)

                • CatSpecial202 @the other

                  @the-other Okay. That was my thinking. Do you have any links or guides you can recommend on how to set that up? What is the option called in Cisco?

                  • the other @CatSpecial202

                    @CatSpecial202 well, if (!) I remember correctly, for getting access from another subnet, I had to configure under IP configuration > IPv4 interface... I think. There I gave one of the subnets an IP out of the subnet's range (i.e. VLAN 10, IP 192.168.10.3/24).
                    If I remember correctly, that was the only way to make the switch reachable from other subnets: giving it an access IP from the needed subnet.

                    Why would you need to get access to your switch or AP from far away via VPN? Usually those things are configured once and then just run... once in a while an update. Except for business I don't see any use (for my needs)...


                    • the other @the other

                      Another thought came up...
                      Did you allow access to the switch via https in the first step? Is it possible at home from same subnet? Or isn't that working?


                      • viragomann @CatSpecial202

                        @CatSpecial202 said in OpenVPN can only connect to HTTPS on gateway:

                        > Yes, this must be the problem. I tested another HTTPS server last night and I was able to access it from the same sub-net from which I cannot access my switch/AP GUIs. The issue seems to stem from accessing my Cisco switches and my Aruba APs.

                        Is pfSense the default gateway on these devices?
                        This was my very first question here, but you didn't clarify.

                        Are the concerned devices even accessible from another local subnet, presuming you allow it on pfSense?

                        If not, check the network settings on the devices: gateway and network mask.

                        If the settings are correct and there is no way to allow access from outside on them, you can masquerade the traffic on pfSense to circumvent their access restrictions.

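The diagnosis in this thread has two halves: viragomann's earlier point that the VPN client needs a route to the VLAN (pushed as a "local network", or implied by redirect-gateway), and the point above that the device itself must be able to send a reply back, which depends on its own mask, default gateway and any "own subnet only" management restriction, with masquerading on pfSense as the fallback. The following script is an added example written for this page, not code from the thread or from pfSense; it models those routing decisions with the standard library so each failure mode can be checked in isolation. The management IP 192.168.10.3/24 and the factory gateway 10.0.0.1 come from the thread; the tunnel subnet 10.8.0.0/24 and the pfSense VLAN address 192.168.10.1 are constructed for the example.

```python
"""
Added example (not from the thread): model the forward and return path between
an OpenVPN client and a management device on a VLAN behind pfSense.

Constructed values:
  tunnel subnet      10.8.0.0/24   (client gets e.g. 10.8.0.2)
  pfSense VLAN IP    192.168.10.1  (also the correct default gateway)
From the thread:
  switch mgmt IP     192.168.10.3/24
  factory gateway    10.0.0.1      (outside the mgmt subnet -> replies are lost)
"""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Iterable, Optional


def client_has_route(target_ip: str, pushed_routes: Iterable[str],
                     redirect_gateway: bool = False) -> bool:
    """Forward path: the VPN client only sends the packet into the tunnel if a
    pushed route covers the target, or if everything is redirected anyway."""
    if redirect_gateway:
        return True
    target = ip_address(target_ip)
    return any(target in ip_network(net, strict=False) for net in pushed_routes)


def device_reply_path(device_cidr: str, device_gateway: str, seen_source: str,
                      subnet_only_acl: bool = False) -> str:
    """Return path: what the device does with a reply to `seen_source`, the
    source address it observes on the incoming packet.

    - "direct"                 source is on-link, no gateway involved
    - "via-gateway"            off-subnet source, usable default gateway
    - "unreachable-bad-gateway" off-subnet source, gateway not in own subnet
    - "blocked-by-device-acl"  device policy only admits its own subnet
    """
    iface = ip_interface(device_cidr)
    subnet = iface.network
    src = ip_address(seen_source)
    gw = ip_address(device_gateway)
    if subnet_only_acl and src not in subnet:
        return "blocked-by-device-acl"
    if src in subnet:
        return "direct"
    # A gateway is only usable if it is on-link and not the device itself.
    if gw in subnet and gw != iface.ip:
        return "via-gateway"
    return "unreachable-bad-gateway"


def diagnose(client_ip: str, device_cidr: str, device_gateway: str,
             pushed_routes: Iterable[str] = (), redirect_gateway: bool = False,
             masquerade_as: Optional[str] = None,
             subnet_only_acl: bool = False) -> str:
    """Combine both halves. `masquerade_as` is the address pfSense would
    rewrite the client's source to if outbound NAT is applied on the VLAN."""
    device_ip = str(ip_interface(device_cidr).ip)
    if not client_has_route(device_ip, pushed_routes, redirect_gateway):
        return "no-route-on-client"
    seen = masquerade_as or client_ip
    return device_reply_path(device_cidr, device_gateway, seen, subnet_only_acl)


if __name__ == "__main__":
    client, switch = "10.8.0.2", "192.168.10.3/24"
    mgmt_route = ["192.168.10.0/24"]
    cases = {
        "no local network pushed":  diagnose(client, switch, "192.168.10.1"),
        "factory gateway 10.0.0.1": diagnose(client, switch, "10.0.0.1", mgmt_route),
        "gateway fixed":            diagnose(client, switch, "192.168.10.1", mgmt_route),
        "masquerade on pfSense":    diagnose(client, switch, "10.0.0.1", mgmt_route,
                                             masquerade_as="192.168.10.1"),
        "own-subnet-only ACL":      diagnose(client, switch, "192.168.10.1", mgmt_route,
                                             subnet_only_acl=True),
        "ACL + masquerade":         diagnose(client, switch, "192.168.10.1", mgmt_route,
                                             masquerade_as="192.168.10.1",
                                             subnet_only_acl=True),
    }
    for name, result in cases.items():
        print(f"{name:26s} -> {result}")
```

Running it walks through the thread in order: without a pushed route the client never sends the packet; with the route but the factory gateway 10.0.0.1 the switch has no way to return traffic to 10.8.0.2 (the final post's root cause); correcting the gateway fixes it; and masquerading makes the client look on-link, which is also what gets past a device that only admits its own subnet.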
                        • CatSpecial202 @viragomann

                          @viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway; it was still set up to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP, but I guess it wasn't. It's all working now! Thanks!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.