Netgate Discussion Forum

    OpenVPN: connecting to LAN subnet

Nachtfalke

      Didn't use the wizard for that so I had to manually add these routes in my environment.
      If the route exists and the firewall rule allows the traffic then there is another problem.

      Check the firewall on the destination host on LAN subnet - better disable the firewall for testing.

Do you run the OpenVPN client on a Windows 7 machine? If yes, run it "As administrator". But you probably did that because it added the route.

KM

        Here is a copy of my route table. I'm not sure if this is right or not.

```
IPv4
Destination      Gateway      Netif
default          142.177..    em0
10.0.0.0/24      link#2       em1
10.0.0.1         link#2       lo0
10.0.10.0/24     10.0.10.2    ovpns1
10.0.10.1        link#8       lo0
10.0.10.2        link#8       ovpns1
127.0.0.1        link#4       lo0
142.177../22     link#1       em0
142.177..        link#1       lo0
```

KM

While playing around I found something interesting. As I mentioned, pfSense is running as a VM inside an ESXi host. From the VPN connected computer (10.0.10.6) I can ping 10.0.0.1, which is pfSense, but I can also ping 10.0.0.2, which is the ESXi host, but none of the machines past that. I just thought this was odd.

KM

            Some more interesting things:
            On a hunch I decided to add a route from one of the devices on the 10.0.0.0 subnet to the 10.0.10.0 subnet to see if that would help. Previously a ping from 10.0.10.6 to 10.0.0.5 (for example) resulted in a request timeout and a ping from 10.0.0.9 to 10.0.10.6 resulted in a destination unreachable reply.

            So, on my 10.0.0.9 machine I opened a command prompt with the following command: route ADD 10.0.10.0 MASK 255.255.255.0 10.0.0.1 METRIC 266
            To my surprise this allowed pings to pass both ways. I'll keep you updated, but I'm not really sure why this would make a difference given the routes already present on the machines.

marvosa

              Post server config and post client routing table once connected.

              A screen shot of the firewall rule from openvpn tab would also be helpful.

Nachtfalke

                @KM:
As marvosa said, please post the client routing table. On Windows you can find this with "netstat -rn".

Metu69salemi

or with

```
route print
```

KM

                    This is after a reboot of the machine. The route is gone because I didn't add it as persistent. The default gateway is set as 10.0.0.1 on this machine in the adapter config settings.

```
route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.9    266
         10.0.0.0        255.0.0.0        On-link          10.0.0.9    266
         10.0.0.9  255.255.255.255        On-link          10.0.0.9    266
   10.255.255.255  255.255.255.255        On-link          10.0.0.9    266
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link          10.0.0.9    266
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link          10.0.0.9    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.0.0.1  Default
===========================================================================
```

KM

                      This is after OpenVPN client is connected:

```
IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.9    266
         10.0.0.0        255.0.0.0        On-link          10.0.0.9    266
         10.0.0.0    255.255.255.0        10.0.10.5        10.0.10.6    30
         10.0.0.9  255.255.255.255        On-link          10.0.0.9    266
        10.0.10.1  255.255.255.255        10.0.10.5        10.0.10.6    30
        10.0.10.4  255.255.255.252        On-link        10.0.10.6    286
        10.0.10.6  255.255.255.255        On-link        10.0.10.6    286
        10.0.10.7  255.255.255.255        On-link        10.0.10.6    286
   10.255.255.255  255.255.255.255        On-link          10.0.0.9    266
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link        10.0.10.6    286
        224.0.0.0        240.0.0.0        On-link          10.0.0.9    266
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link        10.0.10.6    286
  255.255.255.255  255.255.255.255        On-link          10.0.0.9    266

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.0.0.1  Default
```

marvosa

                        Please post your tunnel settings.  Are you routed or bridged?

phil.davis

                          This line looks like a problem:

```
10.0.0.0        255.0.0.0        On-link          10.0.0.9    266
```

                          Your 10.0.0.9 interface (on your server, if I understood the descriptions correctly) is thinking that it is sitting on a 10.0.0.0/8 network. So when it replies to any 10.n.n.n addresses, it will think it can reach them directly on its local LAN. It should be in the 10.0.0.0/24 network. Then it will send packets for 10.0.10.0/24 network addresses to the router.

                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
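An added example, not from the thread: it simulates the route selection (longest prefix wins, lower metric breaks ties) that Windows performs on the 10.0.0.9 host, using the relevant rows transcribed from the route tables posted above. It shows why a reply to 10.0.10.6 is treated as on-link with the /8 mask, why KM's more specific `route ADD` overrides that, and why a /24 interface mask sends it to the default gateway instead.

```python
import ipaddress

# Subset of the "route print" rows from the 10.0.0.9 host (constructed from the
# thread). Each entry: (destination network, gateway or "On-link", interface, metric).
ROUTES_BEFORE = [
    ("0.0.0.0/0",   "10.0.0.1", "10.0.0.9", 266),  # default route via pfSense
    ("10.0.0.0/8",  "On-link",  "10.0.0.9", 266),  # the problem line: /8 instead of /24
    ("10.0.0.9/32", "On-link",  "10.0.0.9", 266),
]


def lookup(routes, dst):
    """Return (gateway, interface) chosen for dst: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if ip in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def with_added_route(routes):
    """KM's workaround: route ADD 10.0.10.0 MASK 255.255.255.0 10.0.0.1 METRIC 266."""
    return routes + [("10.0.10.0/24", "10.0.0.1", "10.0.0.9", 266)]


def with_correct_mask(routes):
    """phil.davis's fix: the LAN interface belongs in 10.0.0.0/24, not 10.0.0.0/8."""
    return [
        ("10.0.0.0/24", gw, iface, m) if net == "10.0.0.0/8" else (net, gw, iface, m)
        for net, gw, iface, m in routes
    ]


if __name__ == "__main__":
    vpn_client = "10.0.10.6"
    print("before:      ", lookup(ROUTES_BEFORE, vpn_client))             # On-link: ARP for a host that is not on the LAN
    print("route ADD:   ", lookup(with_added_route(ROUTES_BEFORE), vpn_client))
    print("mask fixed:  ", lookup(with_correct_mask(ROUTES_BEFORE), vpn_client))
    print("LAN neighbour", lookup(with_correct_mask(ROUTES_BEFORE), "10.0.0.5"))
```

With the /8 mask the host never hands the reply to 10.0.0.1, which matches the "destination unreachable" KM saw before adding the route; the same lookup on every LAN host with a wrong mask explains why only pfSense and the ESXi host answered.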

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.