Netgate Discussion Forum

OpenVPN Server No LAN Access
    guyp2k

      Well, after days of reading and no success, I thought I would post for some assistance, please. I have OpenVPN server and PIA OpenVPN working and connecting fine. The issue is on the OpenVPN Server side: if I authenticate to the OpenVPN Server, the client connects fine and I can ping the pfSense LAN/GW interface of 192.168.1.1, but no other hosts on the internal LAN (192.168.1.0/20). The OpenVPN Server assigns a network of 192.168.200.0/24 just fine, but without a GW. I have checked all the hosts and made sure the firewall was disabled. As I mentioned before, I can connect to PIA just fine as well from the internal LAN without issue; it's just when connecting remotely via OpenVPN server that I can’t touch anything on the internal LAN/192.168.1.0/24, just the pfSense box/192.168.1.1.

      Here is the topology:

      Local LAN 192.168.1.0/24
      OpenVPN Server 192.168.200.0/24
      PIAVPN 10.10.10.0/24

      Interfaces and firewall NAT rules (attached images: Interfaces.JPG, NAT.JPG)

      dsp3

        Do you have a firewall rule on your openvpn server tab that allows traffic from your openvpn server network to your LAN?

        guyp2k

          Below is what I have, and it does not address the issue… (attached image: FW.JPG)

          viragomann

            Consider that that firewall rule doesn't allow pings. Ping uses the ICMP protocol, while you've allowed only TCP and UDP.

            Is the route to the remote LAN set on the client? Check the client's routing table.

            guyp2k

              Below is the routing table from the client:

              ===========================================================================
              Interface List
              15...a4 34 d9 3f 7c f4 ......Microsoft Wi-Fi Direct Virtual Adapter
              16...00 ff ec 41 31 f6 ......TAP-Windows Adapter V9
                4...a4 34 d9 3f 7c f3 ......Intel(R) Dual Band Wireless-AC 8260
                2...a4 34 d9 3f 7c f7 ......Bluetooth Device (Personal Area Network)
                1...........................Software Loopback Interface 1
                9...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter

              IPv4 Route Table

              Active Routes:
              Network Destination        Netmask          Gateway      Interface  Metric
                        0.0.0.0          0.0.0.0    192.168.43.1  192.168.43.114    50
                      127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
                      127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
                127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                    192.168.1.0    255.255.255.0      192.168.1.1    192.168.200.2    36
                    192.168.1.0    255.255.255.0    192.168.200.1    192.168.200.2    35
                  192.168.43.0    255.255.255.0        On-link    192.168.43.114    306
                192.168.43.114  255.255.255.255        On-link    192.168.43.114    306
                192.168.43.255  255.255.255.255        On-link    192.168.43.114    306
                  192.168.200.0    255.255.255.0        On-link    192.168.200.2    291
                  192.168.200.2  255.255.255.255        On-link    192.168.200.2    291
                192.168.200.255  255.255.255.255        On-link    192.168.200.2    291
                      224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
                      224.0.0.0        240.0.0.0        On-link    192.168.43.114    306
                      224.0.0.0        240.0.0.0        On-link    192.168.200.2    291
                255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                255.255.255.255  255.255.255.255        On-link    192.168.43.114    306
                255.255.255.255  255.255.255.255        On-link    192.168.200.2    291

              Persistent Routes:
                None

              IPv6 Route Table

              Active Routes:
              If Metric Network Destination      Gateway
                1    331 ::1/128                  On-link
                4    306 fe80::/64                On-link
              16    291 fe80::/64                On-link
              16    291 fe80::d38:4e49:ea36:ab4e/128
                                                  On-link
                4    306 fe80::4164:372a:c03a:2c76/128
                                                  On-link
                1    331 ff00::/8                On-link
                4    306 ff00::/8                On-link
              16    291 ff00::/8                On-link

              Persistent Routes:
                None

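As an added example that is not part of the thread: a small Python check over a constructed excerpt of the IPv4 table from the route print output above. It picks the lowest-metric route to the remote LAN and flags any route to it whose gateway does not sit in an On-link network of the client, which is the kind of thing to look for when verifying the client-side route the earlier reply asks about. The function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the IPv4 table from the "route print" output above (not live data).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0    192.168.43.1  192.168.43.114    50
      192.168.1.0    255.255.255.0      192.168.1.1    192.168.200.2    36
      192.168.1.0    255.255.255.0    192.168.200.1    192.168.200.2    35
     192.168.43.0    255.255.255.0        On-link    192.168.43.114    306
    192.168.200.0    255.255.255.0        On-link    192.168.200.2    291
"""

# One data row: destination, netmask, gateway (or "On-link"), interface address, metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface, metric); gateway is None for On-link."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines do not end in a numeric metric
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "On-link" else ipaddress.ip_address(gw)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def check_remote_lan_route(text, remote_lan):
    """Return (best, unreachable): the lowest-metric route to remote_lan, and the routes
    to it whose gateway does not lie in any directly connected (On-link) network."""
    routes = parse_routes(text)
    remote = ipaddress.ip_network(remote_lan)
    onlink = [net for net, gw, _, _ in routes if gw is None and net.prefixlen < 32]
    candidates = [r for r in routes if r[0] == remote]
    unreachable = [r for r in candidates
                   if r[1] is not None and not any(r[1] in net for net in onlink)]
    best = min(candidates, key=lambda r: r[3], default=None)
    return best, unreachable


if __name__ == "__main__":
    best, bad = check_remote_lan_route(ROUTE_PRINT, "192.168.1.0/24")
    print("best route to LAN:", best)
    for route in bad:
        print("gateway not directly reachable:", route)
```

On the table above this reports the metric-35 route via 192.168.200.1 as the one in use and flags the duplicate via 192.168.1.1, whose gateway is not on any network the client is directly connected to.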
              viragomann

                Since you can access hosts in the internet via PIA from LAN devices, I assume the pfSense running the VPN server and client is the default gateway in the LAN/192.168.1.0/24. So the routing at this site should be working.

                How do you try to access the LAN device?
                Maybe the LAN device itself blocks the access. Do you have a webserver there or something like that, which is accessible from outside for testing? If not, try to deactivate the system firewall on the destination host.

                guyp2k

                  How do you try to access the LAN device?
                      I use my laptop and connect to the internet via Verizon, then authenticate with the OpenVPN client to the OpenVPN server/pfSense. I then try and access internal hosts, such as my NAS (192.168.1.22), Plex, and RDP without success. I can however drop to a console and ping the OpenVPN Server and connect to the web interface of pfSense.

                  All firewalls are disabled on the internal LAN hosts; like I said, I have been working on this for days :(

                  viragomann

                    For troubleshooting use packet capture from the pfSense Diagnostic menu.

                    Select the LAN interface and try to access a LAN device from the VPN client. To get a better result, also set a protocol and port (e.g. RDP). That way you can see if packets go out the LAN interface and if you get responses from the destination device.

                    guyp2k

                      Should OpenVPN Server assign a GW? When I look at the interfaces on the client, the correct IP is assigned, usually 192.168.200.2, but no GW.

                      viragomann

                        No, as long as you don't want to route any traffic over it (including access to internet addresses), there is no gateway needed.

                        For accessing the remote LAN the route is set on the client; that's all that is needed for that.

                        guyp2k

                          Narrowed down the issue to PFBlockerNG: if I disable that service, I can access the internal LAN via OpenVPN Server… Will need to read up on PFBlockerNG.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.