How to access local IPs
-
I have set up OpenVPN as per https://www.youtube.com/watch?v=VdAHVSTl1ys
I can connect to the VPN and browse but I can't access any IPs on the internal network.
How do I set things up so that I can be routed from my VPN 192.168.5.0 to my normal internal IP range 192.168.10.1?
-
The OpenVPN server is handled as an additional interface in pfSense. So you have to go to Firewall > Rules > OpenVPN in GUI and add appropriate rules to allow access you want.
-
The firewall is fully open... it looks like a routing issue to me.
-
Post your server1.conf.
-
Maybe have a look at "Firewall" -> "NAT" -> "outbound" tab, if there is an autocreated rule for the openVPN server?
-
No NAT rules
Server1.conf
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.1.10
tls-server
server 192.168.5.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
-
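Added example, not code from pfSense, OpenVPN or anyone in the thread: a small Python check of the things the replies above inspect by hand in server1.conf. It parses the routing-relevant directives, confirms that the tunnel subnet does not overlap the LAN or the upstream subnet, and confirms that the LAN is reachable from clients either via a pushed route or via redirect-gateway. The LAN (192.168.10.0/24) and upstream (192.168.1.0/24, the subnet of the `local` address) networks are assumptions taken from the poster's description; the 1024-bit DH check is a side note on the posted file, not part of the routing question.

```python
"""Check an OpenVPN server config for the routing issues discussed in the thread.

Added example, not pfSense's or OpenVPN's own code.  POSTED_CONF holds the
routing-relevant directives copied from the server1.conf posted above; LAN and
UPSTREAM are assumptions taken from the poster's description.
"""
import ipaddress
import shlex

# Routing-relevant lines copied from the posted server1.conf (DNS and cert
# directives omitted; they do not affect the checks below).
POSTED_CONF = """
dev ovpns1
dev-type tun
#user nobody
proto udp
cipher AES-128-CBC
local 192.168.1.10
tls-server
server 192.168.5.0 255.255.255.0
lport 1194
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "redirect-gateway def1"
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
float
"""

LAN = ipaddress.ip_network("192.168.10.0/24")      # assumed: the poster's internal range
UPSTREAM = ipaddress.ip_network("192.168.1.0/24")  # assumed: subnet of the 'local' address


def parse_conf(text):
    """Return (directive, args) pairs; '#' comments and blank lines are dropped and
    a quoted argument such as push "route ..." stays one argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def pushed_routes(entries):
    """Networks the server pushes to clients via push "route <net> <mask>"."""
    routes = []
    for directive, args in entries:
        if directive == "push" and args:
            words = args[0].split()
            if words[0] == "route" and len(words) >= 3:
                routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return routes


def lint(text, lan=LAN, upstream=UPSTREAM):
    """Return the parsed facts plus a list of findings (empty list = routing looks sane)."""
    entries = parse_conf(text)
    last = {d: args for d, args in entries}  # singleton directives: last one wins
    findings = []

    tunnel = None
    if "server" in last and len(last["server"]) >= 2:
        tunnel = ipaddress.ip_network(f"{last['server'][0]}/{last['server'][1]}", strict=False)
        for name, other in (("LAN", lan), ("upstream", upstream)):
            if tunnel.overlaps(other):
                findings.append(f"tunnel {tunnel} overlaps {name} {other}; clients cannot route to it")
    else:
        findings.append("no 'server <net> <mask>' directive: not a routed tun server")

    routes = pushed_routes(entries)
    redirect = any(d == "push" and a and a[0].startswith("redirect-gateway") for d, a in entries)
    lan_routed = any(lan.subnet_of(r) for r in routes)
    if not lan_routed and not redirect:
        findings.append(f"no pushed route covers {lan} and no redirect-gateway; "
                        "clients will send LAN traffic out their own default route")

    dh = (last.get("dh") or [""])[0]
    if "1024" in dh:  # filename heuristic: the posted path carries the bit length
        findings.append(f"dh {dh}: 1024-bit DH is below the 2048-bit minimum")

    return {"tunnel": tunnel, "routes": routes, "redirect_gateway": redirect,
            "lan_routed": lan_routed, "findings": findings}


if __name__ == "__main__":
    for finding in lint(POSTED_CONF)["findings"] or ["no routing findings"]:
        print(finding)
```

Run against the posted config this reports only the DH size; the tunnel 192.168.5.0/24 is disjoint from both other subnets and 192.168.10.0/24 is both pushed as a route and covered by redirect-gateway def1, so the server-side routing is consistent. That narrows the fault to the things the later replies ask about: outbound NAT, the host firewalls on the internal machines, and whether the client process had the rights to install the pushed routes.
-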
In your Outbound Nat rule list, has it selected "Automatic" at the top, or manual?
-
Automatic….
-
A couple things:
1. You are double NATing. Have you checked the settings on the edge device?
1a. Personally, I'd move away from double NATing, it's just one more link in the chain that you need to troubleshoot. Or at least get off the 192.168.1.x subnet, it's just going to cause issues down the road.
2. It appears you do not have a "Peer Certificate Authority" configured. You will want to add that.
3. Add an any/any rule to the openvpn tab. This appears to be done.
4. Turn off the software firewall on your internal resources while testing, so we can rule that piece out. At this point, do pings still fail? How does a traceroute look?
5. What subnet is the client on when testing?
-
Oh, wait, I just thought of something... Just to check, when you are running your VPN client are you running it as Administrator? This kind of sounds like the actual routes are being set on the client PC. If you are running it as an admin, would you mind posting a traceroute output going from the client to a machine on the other side of your VPN?