OpenVPN on Bridged WAN access LAN?
-
I've got a firewall with a WAN on 1/2 a class "C" range that is bridged with OPT. I've also got a LAN (managed by a different firewall) that I've connected to LAN on this firewall.
WAN <-- bridge --> DMZ
        |
        |---- LAN 192.168.2.12/24
From the LAN network, I can access the firewall to configure it (which was the original reason for the LAN interface). I have a VPN already on the other firewall, but wanted to make this a backup. So I set up OpenVPN on the WAN -- and it connects just fine, but from the VPN I cannot access the LAN. Pushing the route (push "route 192.168.2.0 255.255.255.0") doesn't work...which doesn't surprise me.
So can I route WAN/VPN clients to the LAN? Is this possible? How would I accomplish this?
Thanks!
-Patrick
-
Can you give some more information?
PKI/PSK?
client config
server config
client log when connecting
server log when connecting
did you assign the interface or are you using the autogenerated rules?
-
Sure….
First off, there's no problem connecting to the VPN. It works just fine...I can shell into the firewall over the VPN to the LAN address (192.168.2.12) and from there hop over to other systems on the LAN side.
However I can't go directly from the remote system over the VPN to any other system on the LAN besides the firewall.
I'm using PKI.
TCP protocol, port 1194
address pool 192.168.100.0/24
Local network: 192.168.2.0/24 (this is the LAN I want to access)
push "dhcp-option DNS 192.168.2.70"
push "dhcp-option DNS 192.168.2.10"
push "dhcp-option WINS 192.168.2.10"
Besides the actual keys, that's about it for the server config.
Client config's pretty vanilla...no push options and again, it connects just fine and I can navigate in a limited fashion.
I'm not familiar with the "autogenerated rules"?? I've set up numerous OpenVPN instances on multiple versions of pfSense, though I've never encountered autogenerated rules. Are you referring to the firewall rules?? The firewall is wide open when I test this to rule out FW issues.
I'm thinking this is purely a routing issue and that I either need to do something in the routing configs (though not sure what that could be -- no static routes seem to help) or use a virtual IP or something?
Thanks!
-
You have two routing issues.
- For the LAN, none of those hosts know how to get back to your OpenVPN client network. You need a route on whatever the default gateway on that subnet is.
- For the bridged interface, whatever is the default gateway for those hosts isn't routing the OpenVPN client network back to the right place.
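The return-path problem described above, as an added example that is not part of the thread: a small routing simulator traces the forward packet from a VPN client to a LAN host and then the reply. The addresses 192.168.2.12, 192.168.2.0/24 and 192.168.100.0/24 come from the thread; the LAN default gateway (192.168.2.1), the LAN host (192.168.2.50) and the client tunnel address (192.168.100.6) are constructed for the example.

```python
import ipaddress

# Constructed topology. A next hop is a node name, or "direct" for a connected
# network. "upstream" stands in for the ISP, which knows nothing about RFC1918 space.
NODES = {
    "vpn-client": {"addrs": {"192.168.100.6"},
                   "routes": [("192.168.100.0/24", "backup-fw"), ("192.168.2.0/24", "backup-fw")]},
    "backup-fw":  {"addrs": {"192.168.2.12", "192.168.100.1"},  # the pfSense box running OpenVPN
                   "routes": [("192.168.100.0/24", "direct"), ("192.168.2.0/24", "direct"),
                              ("0.0.0.0/0", "upstream")]},
    "lan-gw":     {"addrs": {"192.168.2.1"},  # constructed: the LAN's default gateway (other firewall)
                   "routes": [("192.168.2.0/24", "direct"), ("0.0.0.0/0", "upstream")]},
    "lan-host":   {"addrs": {"192.168.2.50"},  # constructed: an ordinary LAN host
                   "routes": [("192.168.2.0/24", "direct"), ("0.0.0.0/0", "lan-gw")]},
    "upstream":   {"addrs": set(), "routes": []},
}

def next_hop(node, dst):
    """Longest-prefix match over a node's routing table; None when no route matches."""
    best = None
    for prefix, hop in NODES[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def owner(dst):
    """Node that holds the address dst, or None."""
    return next((n for n, d in NODES.items() if str(dst) in d["addrs"]), None)

def trace(src, dst, max_hops=8):
    """Forward a packet hop by hop from src to dst; return (path, status)."""
    dst = ipaddress.ip_address(dst)
    path, node = [src], src
    for _ in range(max_hops):
        if str(dst) in NODES[node]["addrs"]:
            return path, "delivered"
        hop = next_hop(node, dst)
        if hop == "direct":
            hop = owner(dst)
        if hop is None:
            return path, "no route"       # the reply leaks toward a gateway that drops it
        path.append(hop)
        node = hop
    return path, "loop"

def add_return_route():
    """The fix from the thread: the LAN default gateway learns where the VPN clients live."""
    NODES["lan-gw"]["routes"].insert(0, ("192.168.100.0/24", "backup-fw"))

if __name__ == "__main__":
    print("forward:", trace("vpn-client", "192.168.2.50"))
    print("reply before fix:", trace("lan-host", "192.168.100.6"))
    add_return_route()
    print("reply after fix:", trace("lan-host", "192.168.100.6"))
```

The forward path works because the client was pushed a route to 192.168.2.0/24, but the reply follows the LAN host's default gateway, which sends 192.168.100.0/24 upstream until a static route pointing at 192.168.2.12 is added there.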
-
^ What he said.
If you want a "backup" VPN server that's routed, it would have to assume the role of default gateway. With pfSense you can use CARP for multiple firewalls, but if your other firewall isn't pfSense, you probably can't do that.
If you use bridged VPN, it shouldn't matter because the clients will get an address on your LAN, so no worries about routing.