Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to access LAN machines over OpenVPN

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 5 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      divsys
      last edited by

      What do your firewall rules under pfsense look like?

      In particular, do you have a rule to allow traffic under the OVPN tab?

      If you can, post your LAN, and OVPN rules.

      -jfp

      1 Reply Last reply Reply Quote 0
      • P Offline
        phearbot
        last edited by

        Here are the firewall rules.  I had it add the one for openvpn from the wizard.

        Firewall.PNG
        Firewall.PNG_thumb
        OpenVPN.PNG
        OpenVPN.PNG_thumb

        1 Reply Last reply Reply Quote 0
        • P Offline
          phearbot
          last edited by

          Also, here are the OpenVPN settings I am using.  I tried with and without the option to "Allow communication between clients connected to this server" and it didn't seem to make a difference.  Also, I tried connecting my LAN machine to the  VPN, and even when both were on VPN they couldn't see each other.

          vpn1.PNG
          vpn1.PNG_thumb
          vpn2.PNG
          vpn2.PNG_thumb

          1 Reply Last reply Reply Quote 0
          • D Offline
            divsys
            last edited by

            The first oddity I noticed is that you are using port 443 for you OpenVPN server on pfSense.  Normally this would default to 1194 although you can change it to another port if you wish.  Using 443 is likely to cause some confusion for your PC as this is the standard HTTPS port.

            "Allow communication between clients connected to this server" is for devices on the Outside of your network (two laptops in a coffee shop connecting to your home LAN able to see each other). It doesn't sound like you need this, as your gaming machine is at home on the local LAN and your remote machine comes in through OpenVPN.

            In another thread, I did post a little primer for setting up a RoadWarrior VPN, which I think you are close to in your setup: https://forum.pfsense.org/index.php?topic=76763.msg418769#msg418769 It might help out a little.

            -jfp

            1 Reply Last reply Reply Quote 0
            • P Offline
              phearbot
              last edited by

              Thanks! I'll be home soon and I'll give a look through that.  The reason I'm using 443 is because where I work I am behind a firewall that only allows 80 and 443 out.

              1 Reply Last reply Reply Quote 0
              • P Offline
                phearbot
                last edited by

                So I looked through that and that's configured pretty much the same way the video showed, and the way I have it set up.  Does anyone have a non-pfsense suggestion even?  I've been using pfsense for 2 years and this is the only problem I've never been able to get past.  Having spent the last 4 days on it I'm losing my mind lol.

                1 Reply Last reply Reply Quote 0
                • B Offline
                  biggsy
                  last edited by

                  under Advanced did you push a route to your LAN?  Like:

                  My mistake - long day.  You don't need that.  I have something like it to get to my DMZ from the tunnel.

                  [s]push "route 192.168.1.0 255.255.255.0"[/s]
                  

                  Are are you on the same subnet at work as you are on your LAN at home?

                  Try to avoid using common subnets like 192.168.2.0 for your tunnel network.  Use something obscure like 172.23.24.0/24

                  1 Reply Last reply Reply Quote 0
                  • V Offline
                    viragomann
                    last edited by

                    I have made research that the "redirect gateway" function doesn't work as expected.
                    So I recommend to uncheck this function and enter your local network beneath at "IPv4 Local Network/s". Routes to network entered here are pushed to clients.

                    1 Reply Last reply Reply Quote 0
                    • P Offline
                      phearbot
                      last edited by

                      viragomann, I really appreciate the suggestion.  I thought for sure this would be it because that's something that wasn't done in the video. Unfortunately, I unchecked it and am getting the same behavior, except my traffic still comes out of my IP.

                      Also, I don't know pretty much anything about routes, but I did a route print and in there was the following line:

                      192.168.1.0  255.255.255.0  192.168.2.5  192.168.2.6  30

                      While I don't understand the last 3 columns, it seems to me that the first two would indicate the route exists, right?  The IP I'm trying to ping is currently 192.168.1.103, so I don't see why it wouldn't work.  Am I barking up the wrong tree?

                      Update: Also, doing a tracert, hop 1 goes to 192.168.2.1, and then it stops there.  It doesn't go any further.

                      1 Reply Last reply Reply Quote 0
                      • V Offline
                        viragomann
                        last edited by

                        The route looks correctly. What the columns show, can be seen in headline of the IPv4 Routing table: destination, mask, gateway, interface, metric

                        Metric is the priority for this route. That means if there are more than one route entries for the same destination the system take the one with the lower metric value.
                        So to you have a further route for the network 192.168.1.0  255.255.255.0 or another one which includes this network?

                        I have no idea where the host IP 192.168.2.1 in tracert comes from. If everything is configured correctly your system shouldn't know this IP.

                        It's not easy to give help with such less informations. We should know all networks configured on any interface of your system and the whole output of route print.

                        As biggsy mentioned it is recommended to assign a rarely used subnet to the VPN tunnel and to your home network to avoid conflicts.

                        1 Reply Last reply Reply Quote 0
                        • M Offline
                          marvosa
                          last edited by

                          Post your server1.conf.

                          What network is the client on?

                          Also, we can troubleshoot the tunnel, but all the work may be moot because looking at your endgame… you may have setup the wrong solution.  If you want your clients on the same network as your lan you need to go bridged instead of routed.  Using a routed and forcing the clients down the tunnel (Redirect Gateway) just forces all traffic down the tunnel it won't put your clients on the same subnet as your lan.

                          If what you're trying to accomplish (Steam In-Home Streaming) relies on broadcasts or the VPN client to be on the same subnet as your lan, a routed solution is not going to work.

                          1 Reply Last reply Reply Quote 0
                          • P Offline
                            phearbot
                            last edited by

                            Marvosa, you're right I very well may be using the wrong solution.  If there is a better way to go about it I am completely open to it, and in fact if there's a way to have anything that connects to my VPN just be directly on the same subnet that's what I want but haven't found a way to do so yet.  Thanks again, and here is the server1.conf. (I removed my public IP, but everything else is untouched.)

                            Edit:  After looking into what you said, I'm pretty sure I do just want it bridged.  I don't want them to be segregated in any way.  I'm tinkering with it trying to set the "Device Mode" to "tap" without much luck yet.

                            dev ovpns1
                            dev-type tun
                            tun-ipv6
                            dev-node /dev/tun1
                            writepid /var/run/openvpn_server1.pid
                            #user nobody
                            #group nobody
                            script-security 3
                            daemon
                            keepalive 10 60
                            ping-timer-rem
                            persist-tun
                            persist-key
                            proto udp
                            cipher AES-128-CBC
                            up /usr/local/sbin/ovpn-linkup
                            down /usr/local/sbin/ovpn-linkdown
                            client-connect /usr/local/sbin/openvpn.attributes.sh
                            client-disconnect /usr/local/sbin/openvpn.attributes.sh
                            local <my public="" ip="" is="" here="">tls-server
                            server 192.168.2.0 255.255.255.0
                            client-config-dir /var/etc/openvpn-csc
                            username-as-common-name
                            auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                            tls-verify /var/etc/openvpn/server1.tls-verify.php
                            lport 443
                            management /var/etc/openvpn/server1.sock unix
                            max-clients 10
                            push "route 192.168.1.0 255.255.255.0"
                            ca /var/etc/openvpn/server1.ca
                            cert /var/etc/openvpn/server1.cert
                            key /var/etc/openvpn/server1.key
                            dh /etc/dh-parameters.1024
                            tls-auth /var/etc/openvpn/server1.tls-auth 0
                            comp-lzo</my>

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.