OpenVPN Server No LAN Access
-
Well, after days of reading and no success, I thought I would post for some assistance, please. I have the OpenVPN server and PIA OpenVPN working and connecting fine. The issue is on the OpenVPN server side: if I authenticate to the OpenVPN server, the client connects fine and I can ping the pfSense LAN/GW interface at 192.168.1.1, but no other hosts on the internal LAN (192.168.1.0/20). The OpenVPN server assigns a network of 192.168.200.0/24 just fine, but without a GW. I have checked all the hosts and made sure the firewall was disabled. As I mentioned before, I can connect to PIA just fine from the internal LAN without issue; it is only when connecting remotely via the OpenVPN server that I can't touch anything on the internal LAN/192.168.1.0/24, just the pfSense box/192.168.1.1.
Here is the topology:
Local LAN 192.168.1.0/24
OpenVPN Server 192.168.200.0/24
PIAVPN 10.10.10.0/24
Interfaces and NAT rules below:
Firewall NAT Rules:
-
Do you have a firewall rule on your openvpn server tab that allows traffic from your openvpn server network to your LAN?
-
Below is what I have, and it does not address the issue…
-
Consider that the firewall rule doesn't allow pings. Ping uses the ICMP protocol, while you've allowed only TCP and UDP.
Is the route to the remote LAN set on the client? Check the client's routing table.
-
Below is the routing table from the client:
===========================================================================
Interface List
15...a4 34 d9 3f 7c f4 ......Microsoft Wi-Fi Direct Virtual Adapter
16...00 ff ec 41 31 f6 ......TAP-Windows Adapter V9
4...a4 34 d9 3f 7c f3 ......Intel(R) Dual Band Wireless-AC 8260
2...a4 34 d9 3f 7c f7 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
9...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter

IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.114 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 192.168.1.1 192.168.200.2 36
192.168.1.0 255.255.255.0 192.168.200.1 192.168.200.2 35
192.168.43.0 255.255.255.0 On-link 192.168.43.114 306
192.168.43.114 255.255.255.255 On-link 192.168.43.114 306
192.168.43.255 255.255.255.255 On-link 192.168.43.114 306
192.168.200.0 255.255.255.0 On-link 192.168.200.2 291
192.168.200.2 255.255.255.255 On-link 192.168.200.2 291
192.168.200.255 255.255.255.255 On-link 192.168.200.2 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.43.114 306
224.0.0.0 240.0.0.0 On-link 192.168.200.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.43.114 306
255.255.255.255 255.255.255.255 On-link 192.168.200.2 291
Persistent Routes:
None

IPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
4 306 fe80::/64 On-link
16 291 fe80::/64 On-link
16 291 fe80::d38:4e49:ea36:ab4e/128 On-link
4 306 fe80::4164:372a:c03a:2c76/128 On-link
1 331 ff00::/8 On-link
4 306 ff00::/8 On-link
16 291 ff00::/8 On-link
Persistent Routes:
None
-
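As an added illustration (not code from the thread or from pfSense/OpenVPN), the script below does the two checks the earlier reply asks for: it parses a Windows "route print" IPv4 table like the one posted above and performs the longest-prefix, lowest-metric lookup Windows uses to decide whether a packet to a LAN host leaves through the TAP adapter, and it evaluates a pfSense-style rule list in the shape of the posted OpenVPN-tab rule (TCP/UDP only) to show that ICMP is not covered while TCP is. The route excerpt, the rule list, the NAS address 192.168.1.22 and the tunnel address 192.168.200.2 are taken from or modelled on the thread; the helper names are my own.

```python
"""Hypothetical helper, not pfSense or OpenVPN code: check whether a client's
route table sends the remote LAN into the tunnel, and whether the OpenVPN-tab
rule covers the protocol being tested."""
import ipaddress

# Constructed excerpt modelled on the IPv4 table posted in the thread.
ROUTE_PRINT_IPV4 = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.114     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0      192.168.1.1    192.168.200.2     36
      192.168.1.0    255.255.255.0    192.168.200.1    192.168.200.2     35
     192.168.43.0    255.255.255.0         On-link    192.168.43.114    306
    192.168.200.0    255.255.255.0         On-link     192.168.200.2    291
"""

TUNNEL_IFACE = "192.168.200.2"   # address OpenVPN assigned to the TAP adapter


def parse_routes(text):
    """Turn the 'Active Routes' rows into dicts. Data rows have exactly five
    columns; the six-word header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
        except ValueError:
            continue
        routes.append({
            "net": net,
            "gateway": None if gateway == "On-link" else gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes


def lookup(routes, dst):
    """Windows picks the longest matching prefix, then the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def remote_lan_routed_via_tunnel(routes, dst):
    """True when traffic to dst egresses through the TAP adapter, i.e. the
    client-side route the reply above asks about is present."""
    r = lookup(routes, dst)
    return r is not None and r["iface"] == TUNNEL_IFACE


# Constructed rule in the shape of the posted OpenVPN-tab rule: TCP/UDP only.
# pfSense uses the first matching rule and denies anything left unmatched.
OPENVPN_TAB_RULES = [
    {"action": "pass", "proto": {"tcp", "udp"},
     "src": "192.168.200.0/24", "dst": "192.168.1.0/24"},
]


def rule_allows(rules, proto, src, dst):
    """First-match evaluation with an implicit default deny."""
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if (proto in r["proto"]
                and src_a in ipaddress.IPv4Network(r["src"])
                and dst_a in ipaddress.IPv4Network(r["dst"])):
            return r["action"] == "pass"
    return False


def diagnose(routes, rules, dst, proto):
    """Both checks for one destination/protocol pair."""
    return {
        "routed_via_tunnel": remote_lan_routed_via_tunnel(routes, dst),
        "rule_allows": rule_allows(rules, proto, TUNNEL_IFACE, dst),
    }


if __name__ == "__main__":
    rts = parse_routes(ROUTE_PRINT_IPV4)
    for proto in ("icmp", "tcp"):
        print(proto, diagnose(rts, OPENVPN_TAB_RULES, "192.168.1.22", proto))
```

Run against the posted table, the lookup for 192.168.1.22 selects the /24 route with metric 35 via 192.168.200.1 on the TAP adapter, so the client side is fine, while a lookup for an internet address falls through to the Wi-Fi default route, which is why no tunnel gateway is needed unless all traffic is meant to go through the VPN. The rule check shows why a ping can fail even with the route in place: an allow rule limited to TCP/UDP never matches ICMP, so the test should use a TCP service (RDP, the NAS web UI) or the rule should include ICMP.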
Since you can access hosts on the internet via PIA from LAN devices, I assume the pfSense running the VPN server and client is the default gateway in the LAN/192.168.1.0/24. So the routing at this site should be working.
How do you try to access the LAN device?
Maybe the LAN device itself blocks the access. Do you have a web server there, or something like that, which is accessible from outside for testing? If not, try to deactivate the system firewall on the destination host.
-
How do you try to access the LAN device?
I use my laptop and connect to the internet via Verizon, then authenticate with the OpenVPN client to the OpenVPN server/pfSense. I then try to access internal hosts, such as my NAS (192.168.1.22), Plex, and RDP, without success. I can, however, drop to a console and ping the OpenVPN server and connect to the web interface of pfSense. All firewalls are disabled on the internal LAN hosts; like I said, I have been working on this for days :(
-
For troubleshooting, use packet capture from the pfSense Diagnostic menu.
Select the LAN interface and try to access a LAN device from the VPN client. To get a better result, also set a protocol and port (e.g. RDP). That way you can see if packets go out the LAN interface and if you get responses from the destination device.
-
Should the OpenVPN server assign a GW? When I look at the interfaces on the client, the correct IP is assigned, usually 192.168.200.2, but no GW.
-
No, as long as you don't want to route any traffic over it (including access to internet addresses), there is no gateway needed.
For accessing the remote LAN, the route is set on the client; that's all that is needed for that.
-
Narrowed the issue down to pfBlockerNG: disable that service and I can access the internal LAN via the OpenVPN server… Will need to read up on pfBlockerNG.