Netgate Discussion Forum

    OpenVPN Connected / LAN Gateway Reachable / LAN Clients not so much

      cfitz

      I’ve been banging my head on this one for about a week now. Need some help.

      My OpenVPN client connects with no issue. Once connected, I can reach the LAN gateway, but no other devices on the LAN.

      LAN – 10.131.0.0 (pfSense is 10.131.0.1)
      OpenVPN – 10.132.6.0 (pfSense is 10.132.6.1)

      Once connected, I can ping 10.132.6.1, 10.131.0.1, 8.8.8.8. I can not ping 10.131.0.11 which is a server on the network. I have confirmed I can ping that server when connected directly to the LAN.

      I’ve set this up a couple of times with the wizard and tried several things mentioned in other posts. No luck though. Anyone have any ideas?

      Here is some supplementary info:

      Trying this with the Windows client exported from pfSense.

      Server Config:
      vpns1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      multihome
      tls-server
      server 10.132.6.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server1
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user hbkbkbkjbjkc2U= false server1 33900" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ville-VPN' 1"
      lport 33900
      management /var/etc/openvpn/server1.sock unix
      max-clients 10
      push "route 10.131.0.0 255.255.255.0"
      push "dhcp-option DNS 8.8.8.8"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      ncp-ciphers AES-256-GCM:AES-128-GCM
      persist-remote-ip
      float
      topology subnet

      Client Config:
      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote (Our WAN IP) 1194 udp
      verify-x509-name "ville-VPN" name
      auth-user-pass
      pkcs12 pfSense-udp-1194-cf.p12
      tls-auth pfSense-udp-1194-cf-tls.key 1
      remote-cert-tls server

      Route Print:
      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0    192.168.43.1  192.168.43.121    50
            10.131.0.0    255.255.255.0      10.132.6.1      10.132.6.2    35
            10.132.6.0    255.255.255.0        On-link        10.132.6.2    291
            10.132.6.2  255.255.255.255        On-link        10.132.6.2    291
          10.132.6.255  255.255.255.255        On-link        10.132.6.2    291
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
          192.168.43.0    255.255.255.0        On-link    192.168.43.121    306
        192.168.43.121  255.255.255.255        On-link    192.168.43.121    306
        192.168.43.255  255.255.255.255        On-link    192.168.43.121    306
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
              224.0.0.0        240.0.0.0        On-link        10.132.6.2    291
              224.0.0.0        240.0.0.0        On-link    192.168.43.121    306
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
        255.255.255.255  255.255.255.255        On-link        10.132.6.2    291
        255.255.255.255  255.255.255.255        On-link    192.168.43.121    306

        viragomann

        Is the pfSense running the vpn server the default gateway on the LAN device?

        Check if the system firewall of the server itself blocks the access.

          cfitz

          Awesome. I could ping the server from the internal LAN, so I didn't think much about the Windows firewall. After turning that Windows firewall off to test, I could access the server over the VPN just fine. I turned the firewall back on and added a rule allowing incoming traffic from my OpenVPN IP range. We're all good now. Thanks for the help!

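The two checks suggested in the thread (default gateway, host firewall) and the scoped fix, as an added example that is not part of the original posts. It assumes an elevated PowerShell session on the LAN server (10.131.0.11), the tunnel network 10.132.6.0/24 from the server config, and a hypothetical rule name; it allows only ICMPv4 echo from the VPN range, which is narrower than the all-traffic rule described in the last post.

```powershell
# Added example: run elevated on the Windows LAN server (10.131.0.11 in the thread).
$VpnSubnet  = '10.132.6.0/24'   # from the server config: "server 10.132.6.0 255.255.255.0"
$LanGateway = '10.131.0.1'      # pfSense LAN address from the first post
$RuleName   = 'Allow ICMPv4 echo from OpenVPN clients'   # hypothetical display name

# 1. Is pfSense the default gateway? If not, replies to 10.132.6.x leave via another router.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
"Expected next hop: $LanGateway"

# 2. Which firewall profiles are enforcing, and what is the default inbound action?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. List enabled inbound ICMPv4 allow rules with their remote-address scope.
#    A scope such as LocalSubnet matches LAN sources but not the tunnel network,
#    which fits the symptom: ping works from the LAN and fails over the VPN.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -in 'ICMPv4', '1') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
    } | Format-Table -AutoSize

# 4. Add a rule scoped to the VPN range instead of leaving the firewall off.
#    Add further rules per service (e.g. -Protocol TCP -LocalPort <port>) as needed.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $VpnSubnet -Profile Any | Out-Null
}

# 5. Confirm the rule exists and is limited to the tunnel network.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

After step 4, repeat the ping to 10.131.0.11 from the connected OpenVPN client to confirm the result.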
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.