OpenVPN cannot browse lan
-
I configured what I believe to be a correct VPN solution. The client connects fine; however, from my client I cannot ping or browse my LAN. Here is my client config:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca nvc_ca.crt
cert NVC.crt
key NVC.key
comp-lzo
pull
verb 3
Server config:
Remote access SSL/TLS
UDP
tun
wan
1194
Cryptographic Settings_____________
nvc_ca
nvc
1024
BF-CBD(128)
no hardware crypto
One(client+server)
Tunnel Settings_________________
tunnel 10.0.8.0/24
Bridge(none)
local 10.0.0.0/8
Compress tunnel packets using the LZO algorithm.
Client Settings_____________
Provide a virtual adapter IP address to clients (see Tunnel Network)
Any guidance would be greatly appreciated.
Eric
-
You must set the correct firewall rules for your client on the FIREWALL -> OpenVPN tab
Best way: Create one allow any-to-any rule in the firewall.
Your hosts on the LAN behind pfSense must allow traffic (firewall) from the OpenVPN network.
Best way: Disable firewall on the destination host for testing.
Test if you can do RDP if ping does not work.
-
I confirmed my firewall rules;
OpenVPN Interface
Action - pass
disabled - false
interface - openvpn
protocol - any
source - any
destination - any
WAN interface (Static2)
action - pass
disabled - false
interface - Static2
protocol - udp
source - any
destination - any
destination port - 1194
I can ping the pfSense box from the client, but I cannot ping or browse the LAN.
Thanks.
-
And where do you push the route to your LAN? And your tunnel is part of your LAN network. Why in the world would you set your LAN to 10.0.0.0/8?? Or, in your client, tell it the default route is down the tunnel:
redirect-gateway def1
Here is the config from my server, from /var/etc/openvpn/server1.conf:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.13.xx.xx
tls-server
server 10.0.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option NTP 192.168.1.40"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
Only thing that needs to be hidden is my public IP there.
Here is the client:
dev tun
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 24.13.xx.xx 443
#tls-remote pfsense-openvpn
pkcs12 pfsense-TCP-443.p12
tls-auth pfsense-TCP-443-tls.key 1
remote-cert-tls server
comp-lzo
verb 3
Notice in the server config where I push the route.
I can access anything on my LAN without any issues, and I can even resolve hosts by name because I push my local DNS to my clients.
D:\>ping i5-w7.local.lan
Pinging i5-w7.local.lan [192.168.1.100] with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=127ms TTL=127
Reply from 192.168.1.100: bytes=32 time=118ms TTL=127
I use TCP 443 because UDP 1194 is rarely open outbound at a remote location, and if there is internet, 443 is going to be open. I also bounce this access off my HTTP proxy at work, because they don't allow direct internet access.
-
Here's one issue:
Tunnel Settings_________________
tunnel 10.0.8.0/24
Bridge(none)
local 10.0.0.0/8
Compress tunnel packets using the LZO algorithm.
Your tunnel needs to be outside of your LAN.
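As an added illustration (not code from any poster in this thread), here is a small Python check for the two problems the replies point out: a tunnel network that overlaps the LAN, and a LAN that no pushed route covers. The two config fragments are constructed from the settings quoted above, not copied from a real server.

```python
import ipaddress
import shlex

# Constructed fragments in the style of pfSense's /var/etc/openvpn/server1.conf:
# ASKER_CONF mirrors the original poster's GUI settings (tunnel 10.0.8.0/24, no
# pushed route); ANSWERER_CONF mirrors the working config quoted in the reply.
ASKER_CONF = """dev tun
proto udp
server 10.0.8.0 255.255.255.0
"""

ANSWERER_CONF = """dev tun
proto tcp-server
server 10.0.200.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.253"
"""


def parse_server_conf(text):
    """Return (tunnel_network, pushed_routes) from an OpenVPN server config.
    Only 'server' and 'push "route ..."' lines matter; '#' comments are dropped."""
    tunnel, routes = None, []
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            tunnel = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) >= 2:
            words = parts[1].split()  # push takes a single quoted argument
            if words[0] == "route" and len(words) >= 3:
                routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return tunnel, routes


def check_routes(conf_text, lan_networks):
    """List LANs the tunnel overlaps and LANs that no pushed route covers."""
    tunnel, routes = parse_server_conf(conf_text)
    findings = []
    for lan in (ipaddress.ip_network(n) for n in lan_networks):
        if tunnel is not None and tunnel.overlaps(lan):
            findings.append(f"tunnel {tunnel} overlaps LAN {lan}")
        if not any(lan.subnet_of(r) for r in routes):
            findings.append(f"no pushed route covers LAN {lan}")
    return findings


if __name__ == "__main__":
    print(check_routes(ASKER_CONF, ["10.0.0.0/8"]))         # two findings
    print(check_routes(ANSWERER_CONF, ["192.168.1.0/24"]))  # []
```

Run it against your own server1.conf and LAN subnet: an empty list means the tunnel is outside the LAN and a route for the LAN is being pushed to clients.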