Netgate Discussion Forum
    OpenVPN to LAN

    15 Posts 3 Posters 3.0k Views
    cyberbot:

      @phil.davis:

      You should not need to use "push route" statements any more in pfSense 2.1. Put your LAN subnet in Local Network/s in the OpenVPN Server GUI settings. Then the push route stuff will be done automagically for you.
      You probably also want to give the clients a DNS server that is on your LAN so they can lookup names in your local domain - otherwise they will have to type the actual IP addresses of services on the LAN.

      Edit: You can put a comma-separated list of subnets in Local Network/s and Remote Network/s so even if you have multiple local LANs that you want the clients to reach, you can list them all and the client will be told all the routes.

      Can you please explain the steps to do this? I am new to pfSense.
      You mean create rules on the firewall on the VPN NIC?

      phil.davis:

        It should all be stuff in the OpenVPN server GUI. I have attached a screenshot of an OpenVPN "Road Warrior" server I was using for testing.
        IPv4 Local Network/s - this server had the whole of 10.49.0.0/16 and 10.51.0.0/16 reachable behind it, so I listed both of those.
        DNS Default Domain - put your internal domain name here, then the clients will "become part of it".
        DNS Servers - put the IP address of the DNS server on your network. In this case, I put the address of pfSense itself because it was running DNS Forwarder.

        On the OpenVPN firewall rules tab, make sure to have rules that allow traffic to the various subnets/IPs… that you want to be reached in "IPv4 Local Network/s" and to the DNS server you specify.

        [Screenshot attached: OpenVPN-Road-Warrior.png]

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        cyberbot:

          Dear Phil,
          Thank you so much for your continued help. I've tried exactly what you suggested; however, when the client is connected it still provides the tunnel IP and not the LAN IP, so I can't reach the servers behind it over the VPN!
          Any more suggestions?
          I really like the product and want to move from Vyatta to pfSense, and need to have the VPN part working.
          Thank you.

          Thank you so much.

          phil.davis:

            On the client, what routes does it have when the VPN is connected?
            e.g. On Windows, "route print".
            Can you reach the servers by using the server IP address?
            What IP subnet is the client on?
            (It cannot be somewhere that also uses 192.168.1.0/24, because that needs to be routed across the VPN)


            cyberbot:

              @phil.davis:

              On the client, what routes does it have when the VPN is connected?
              e.g. On Windows, "route print".
              Can you reach the servers by using the server IP address?
              What IP subnet is the client on?
              (It cannot be somewhere that also uses 192.168.1.0/24, because that needs to be routed across the VPN)

              Dear Phil,
              Thank you for your continued support.
              When the client is connected to the VPN it receives this routing:

              
              H:\>ipconfig
              
              Windows IP Configuration
              
              Ethernet adapter Local Area Connection 2:
              
                 Connection-specific DNS Suffix  . : pfsense.lan
                 Link-local IPv6 Address . . . . . : fe80::e9c9:759c:f3f2:2f77%16
                 IPv4 Address. . . . . . . . . . . : 192.168.100.6
                 Subnet Mask . . . . . . . . . . . : 255.255.255.252
                 Default Gateway . . . . . . . . . :
              
              Ethernet adapter Local Area Connection:
              
                 Connection-specific DNS Suffix  . :
                 Link-local IPv6 Address . . . . . : fe80::bc7f:5607:b5db:bfa%12
                 IPv4 Address. . . . . . . . . . . : 192.168.178.8
                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                 Default Gateway . . . . . . . . . : 192.168.178.1
              
              Tunnel adapter isatap.pfsense.lan:
              
                 Media State . . . . . . . . . . . : Media disconnected
                 Connection-specific DNS Suffix  . : pfsense.lan
              
              Tunnel adapter Local Area Connection* 9:
              
                 Media State . . . . . . . . . . . : Media disconnected
                 Connection-specific DNS Suffix  . :
              
              Tunnel adapter isatap.{5029CD45-C9E4-4FD6-8BDF-BEE9F45411A7}:
              
                 Media State . . . . . . . . . . . : Media disconnected
                 Connection-specific DNS Suffix  . :
              

              The IP is different from the VPN tunnel IP.
              When I am connected to the VPN I can't reach pfSense or ping through to the IP (ping 192.168.1.1 comes back with a timeout).

              phil.davis:

                Your ipconfig looks fine - 192.168.100.6 is the normal IP given to the first client in this tunnel. You should be able to "ping 192.168.100.1" - the other end of the tunnel.
                Also post the output of "route print" - then we can see if the client has learned the route to your LAN.
                We haven't talked about Firewall Rules either - on the server-end pfSense Firewall Rules, OpenVPN tab you need a rule that allows traffic from the client (tunnel network) to LANnet.


                cyberbot:

                  @phil.davis:

                  Your ipconfig looks fine - 192.168.100.6 is the normal IP given to the first client in this tunnel. You should be able to "ping 192.168.100.1" - the other end of the tunnel.
                  Also post the output of "route print" - then we can see if the client has learned the route to your LAN.
                  We haven't talked about Firewall Rules either - on the server-end pfSense Firewall Rules, OpenVPN tab you need a rule that allows traffic from the client (tunnel network) to LANnet.

                  Dear Phil,
                  The 192.168.100.0/24 is being given just to build the tunnel. I want my client to get an IP from my LAN so I will be able to connect to my LAN network 192.168.6.0/24.
                  Here you have the route print:

                  
                  ===========================================================================
                  Interface List
                   16...00 ff 82 7e 19 be ......TAP-Windows Adapter V9
                   12...00 0c 29 bc 40 c3 ......vmxnet3 Ethernet Adapter
                    1...........................Software Loopback Interface 1
                   13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                   11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
                   14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                  ===========================================================================
                  
                  IPv4 Route Table
                  ===========================================================================
                  Active Routes:
                  Network Destination        Netmask          Gateway       Interface  Metric
                            0.0.0.0          0.0.0.0    192.168.178.1    192.168.178.8    261
                          127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                          127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                    127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                      192.168.100.4  255.255.255.252         On-link     192.168.100.6    286
                      192.168.100.6  255.255.255.255         On-link     192.168.100.6    286
                      192.168.100.7  255.255.255.255         On-link     192.168.100.6    286
                      192.168.178.0    255.255.255.0         On-link     192.168.178.8    261
                      192.168.178.8  255.255.255.255         On-link     192.168.178.8    261
                    192.168.178.255  255.255.255.255         On-link     192.168.178.8    261
                          224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                          224.0.0.0        240.0.0.0         On-link     192.168.178.8    261
                          224.0.0.0        240.0.0.0         On-link     192.168.100.6    286
                    255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                    255.255.255.255  255.255.255.255         On-link     192.168.178.8    261
                    255.255.255.255  255.255.255.255         On-link     192.168.100.6    286
                  ===========================================================================
                  Persistent Routes:
                    Network Address          Netmask  Gateway Address  Metric
                            0.0.0.0          0.0.0.0    192.168.178.1  Default
                  ===========================================================================
                  
                  IPv6 Route Table
                  ===========================================================================
                  Active Routes:
                   If Metric Network Destination      Gateway
                    1    306 ::1/128                  On-link
                   12    261 fe80::/64                On-link
                   16    286 fe80::/64                On-link
                   12    261 fe80::bc7f:5607:b5db:bfa/128
                                                      On-link
                   16    286 fe80::e9c9:759c:f3f2:2f77/128
                                                      On-link
                    1    306 ff00::/8                 On-link
                   12    261 ff00::/8                 On-link
                   16    286 ff00::/8                 On-link
                  ===========================================================================
                   Persistent Routes:
                     None
                   
                   It appears my clients that are connected to the VPN received the virtual IP, not my LAN IP.
                  
                  

                  Wed Jan 22 01:16:15 2014 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\pfSense-udp-1194-VPNUSER2.log: Access is denied.  (errno=5)
                  Wed Jan 22 01:16:15 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
                  Wed Jan 22 01:16:21 2014 Control Channel Authentication: using 'pfSense-udp-1194-VPNUSER2-tls.key' as a OpenVPN static key file
                  Wed Jan 22 01:16:21 2014 UDPv4 link local (bound): [undef]
                  Wed Jan 22 01:16:21 2014 UDPv4 link remote: [AF_INET]XX.XXXX.XX.XX:1194
                  Wed Jan 22 01:16:21 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                  Wed Jan 22 01:16:22 2014 [HassVPN] Peer Connection Initiated with [AF_INET]XX.XXXX.XX.XX:1194
                  Wed Jan 22 01:16:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                  Wed Jan 22 01:16:25 2014 open_tun, tt->ipv6=0
                  Wed Jan 22 01:16:25 2014 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{827E19BE-09E0-42EB-BB12-FBC95F53EDB7}.tap
                  Wed Jan 22 01:16:25 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {827E19BE-09E0-42EB-BB12-FBC95F53EDB7} [DHCP-serv: 10.10.10.5, lease-time: 31536000]

                  phil.davis:

                    Couple of things here:

                    1. Your routing table has:
                        192.168.100.4  255.255.255.252         On-link     192.168.100.6    286
                        192.168.100.6  255.255.255.255         On-link     192.168.100.6    286
                        192.168.100.7  255.255.255.255         On-link     192.168.100.6    286
                    

                    but the client log has the message:

                    Wed Jan 22 01:16:25 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {827E19BE-09E0-42EB-BB12-FBC95F53EDB7} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
                    

                    Why is one saying 192.168.100.* and the other 10.10.10.* ?

                    2. There is no route back to the LAN. How are you making the client conf file? The route should get pushed from the Local Network/s box in the server GUI page. Post the server settings (conf or a shot of the server GUI page).

                    3. If you want the client to get an actual LAN IP address then you have to use "tap" mode on OpenVPN. If you do that then lots of LAN broadcast traffic will flow across the VPN to you. Personally I always use "tun" mode and have routing to my LAN. Then I use DNS names (or IP addresses for real nerds) to access stuff on the LAN. With "tun" you don't get the broadcast traffic, but also you don't get Windows-style browsing for LAN resources (file shares, printers…) - you have to already know the names or IPs of the resources.


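Added example (not code from this thread, from pfSense or from OpenVPN): a small Python checker that does by script what Phil is doing by eye in the post above. It parses the IPv4 table of a Windows "route print" dump, finds the client's own tunnel address, and reports whether a route to the LAN exists via that tunnel interface; it also shows the OpenVPN "push route" lines that an "IPv4 Local Network/s" list translates to. Both route tables are constructed from the output posted earlier in the thread; the 192.168.6.0/24 LAN, the 192.168.100.0/24 tunnel network and the 192.168.100.5 next hop in the "fixed" table are assumptions for the sake of the example.

```python
"""Check a Windows 'route print' dump for the LAN route an OpenVPN server should push.

Added example, not code from the thread, pfSense or OpenVPN. The sample tables
below are constructed from the 'route print' output posted in the thread.
"""
import ipaddress
import re

# Constructed sample 1: the IPv4 table as posted (tunnel up, no route to the LAN).
ROUTE_PRINT_BROKEN = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.178.1    192.168.178.8    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
    192.168.100.4  255.255.255.252         On-link     192.168.100.6    286
    192.168.100.6  255.255.255.255         On-link     192.168.100.6    286
    192.168.100.7  255.255.255.255         On-link     192.168.100.6    286
    192.168.178.0    255.255.255.0         On-link     192.168.178.8    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.178.1  Default
"""

# Constructed sample 2: the same table after the server pushes a route to the
# (assumed) LAN 192.168.6.0/24. The next hop 192.168.100.5 is an assumption: the
# server side of the client's /30 in OpenVPN's net30 topology.
ROUTE_PRINT_FIXED = ROUTE_PRINT_BROKEN.replace(
    "    192.168.178.0    255.255.255.0",
    "      192.168.6.0    255.255.255.0    192.168.100.5    192.168.100.6    286\n"
    "    192.168.178.0    255.255.255.0",
)

# One row of the Active Routes block: destination, netmask, gateway, interface, metric.
ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)


def parse_ipv4_routes(route_print):
    """Return [(network, gateway, interface, metric)] from the IPv4 Active Routes block.

    gateway is the string 'On-link' or an IPv4Address; interface is the IPv4Address
    of the adapter the route leaves through. Persistent and IPv6 sections are skipped.
    """
    routes, active = [], False
    for line in route_print.splitlines():
        if line.startswith("IPv4 Route Table"):
            active = True
        elif line.startswith(("Persistent Routes", "IPv6 Route Table")):
            active = False
        elif active:
            m = ROW.match(line)
            if m:
                dest, mask, gw, iface, metric = m.groups()
                routes.append((
                    ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                    gw if gw == "On-link" else ipaddress.ip_address(gw),
                    ipaddress.ip_address(iface),
                    int(metric),
                ))
    return routes


def tunnel_address(routes, tunnel_net):
    """The client's own tunnel address: the interface of an on-link route inside tunnel_net."""
    for net, gw, iface, _ in routes:
        if gw == "On-link" and iface in tunnel_net and net.subnet_of(tunnel_net):
            return iface
    return None


def lan_route(routes, lan_net, tunnel_net):
    """Most specific route covering lan_net that leaves via the tunnel interface, or None.

    The default route is ignored on purpose: the LAN must be reached by an explicit
    pushed route, otherwise LAN traffic goes out the client's normal gateway.
    """
    tun_ip = tunnel_address(routes, tunnel_net)
    if tun_ip is None:
        return None
    hits = [r for r in routes
            if r[2] == tun_ip and r[0].prefixlen > 0 and lan_net.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def diagnose(route_print, lan_cidr, tunnel_cidr):
    """Return 'no-tunnel', 'no-lan-route' or 'ok' for a pasted 'route print' dump."""
    routes = parse_ipv4_routes(route_print)
    lan_net = ipaddress.ip_network(lan_cidr)
    tunnel_net = ipaddress.ip_network(tunnel_cidr)
    if tunnel_address(routes, tunnel_net) is None:
        return "no-tunnel"
    if lan_route(routes, lan_net, tunnel_net) is None:
        return "no-lan-route"
    return "ok"


def expected_push_routes(local_networks):
    """The OpenVPN 'push route' lines an 'IPv4 Local Network/s' list corresponds to.

    pfSense builds these from that box itself; this only shows the CIDR to
    network/netmask conversion so the client routes can be compared against it.
    """
    lines = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


if __name__ == "__main__":
    print(diagnose(ROUTE_PRINT_BROKEN, "192.168.6.0/24", "192.168.100.0/24"))  # no-lan-route
    print(diagnose(ROUTE_PRINT_FIXED, "192.168.6.0/24", "192.168.100.0/24"))   # ok
    print("\n".join(expected_push_routes(["192.168.6.0/24", "10.49.0.0/16"])))
```

Run it as a script, or call diagnose() on a dump pasted from the client. "no-tunnel" is the mismatch Phil points out above (checking for the 10.10.10.0/24 subnet the client log reports finds no tunnel route in a table that shows 192.168.100.x), "no-lan-route" is the state of the posted table, and "ok" only says the route is present; the firewall rule on the OpenVPN tab is still needed before traffic passes.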
                    cyberbot:

                      @phil.davis:

                      Couple of things here:

                      1. Your routing table has:
                          192.168.100.4  255.255.255.252         On-link     192.168.100.6    286
                          192.168.100.6  255.255.255.255         On-link     192.168.100.6    286
                          192.168.100.7  255.255.255.255         On-link     192.168.100.6    286
                      

                      but the client log has the message:

                      Wed Jan 22 01:16:25 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {827E19BE-09E0-42EB-BB12-FBC95F53EDB7} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
                      

                      Why is one saying 192.168.100.* and the other 10.10.10.* ?

                      2. There is no route back to the LAN. How are you making the client conf file? The route should get pushed from the Local Network/s box in the server GUI page. Post the server settings (conf or a shot of the server GUI page).

                      3. If you want the client to get an actual LAN IP address then you have to use "tap" mode on OpenVPN. If you do that then lots of LAN broadcast traffic will flow across the VPN to you. Personally I always use "tun" mode and have routing to my LAN. Then I use DNS names (or IP addresses for real nerds) to access stuff on the LAN. With "tun" you don't get the broadcast traffic, but also you don't get Windows-style browsing for LAN resources (file shares, printers…) - you have to already know the names or IPs of the resources.

                      Hi Phil, sorry for the confusion.
                      I've changed the VPN IP; that's why you see two different subnets. The 192.168.100.0 is the same as 10.10.10.0; I thought changing the subnet for the VPN tunnel could make a difference.
                      2 - The client config is made with the OpenVPN import utility for the WAN; after that I change the external IP in the config file to my physical IP, because between pfSense and the internet there is my ISP gateway, and the ports are already forwarded: 500, 5400 UDP.
                      3 - I want the client to get the LAN IP address because it's just one user who is going to use the VPN to access the LAN. I believe tun mode is already selected in my VPN configuration.

                      I believe the problem is not the ISP gateway but the configuration on pfSense, because the tunnel comes up and the client receives an IP.

                      Am I supposed to do some routing here?

                      Thank you so much for your help.

                      phil.davis:

                        3 - I want the client to get the LAN IP address because it just one user who is going to use the VPN to access the LAN,  I believe Tun mode is already selected on my VPN configuration

                        For the client to get real LAN IP, you have to use tap mode.

                        But the tun mode should also work - if you want to keep trying to make tun mode work, then post the OpenVPN server settings. Somehow the client is not getting the route - until that is fixed it definitely won't work.


                        cyberbot:

                          @phil.davis:

                          3 - I want the client to get the LAN IP address because it just one user who is going to use the VPN to access the LAN,  I believe Tun mode is already selected on my VPN configuration

                          For the client to get real LAN IP, you have to use tap mode.

                          But the tun mode should also work - if you want to keep trying to make tun mode work, then post the OpenVPN server settings. Somehow the client is not getting the route - until that is fixed it definitely won't work.

                          Dear Phil,
                          Below is the config file of the VPN I used on the client laptop to connect to the office.
                          P.S. I changed the external IP and login name:

                          dev tun
                          persist-tun
                          persist-key
                          cipher AES-128-CBC
                          auth SHA1
                          tls-client
                          client
                          resolv-retry infinite
                          remote XX.XXX.XX.X 1194 udp
                          lport 0
                          verify-x509-name "HassVPN" name
                          auth-user-pass
                          pkcs12 pfSense-udp-1194-jjansen.p12
                          tls-auth pfSense-udp-1194-jjansen-tls.key 1
                          ns-cert-type server
                          comp-lzo
                          

                          Dear Phil,
                          I managed to fix the issue!
                          First I had to create a rule to allow the connection between the LAN and OpenVPN; like this it routed the connection from the virtual tunnel to the LAN.

                          Thank you so much for your help!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.