Another "can't access my LAN" situation.
-
What do your Firewall rules look like on the OpenVPN tab?
-
The OpenVPN Tab under Firewall –> Rules was created at the end of the OpenVPN wizard, so is reporting an allow any rule.
-
What do the firewalls on the HOSTs your trying to ping look like.. This is such a common issue!! Out of the box windows for example is not going to answer ping from different network. What firewall profile are you in, private public? Same goes for linux running local firewall.
edit: Would show you a picture of the windows default icmp rule - but seems attachments not working
here I will link to it
When pinging other type devices like camera's do they even have a gateway setup.. Can not ping something from a remote segment if doesn't know the gateway to get off its segment.
-
I found the solution! ;D
Here is my new server.conf. I simply added
route 192.168.20.0 255.255.255.0in the Advanced configuration box of the OpenVPN configuration.
Then I enabled in System: Advanced: Firewall and NAT
NAT Reflection mode for port forwards –> Enable pure NAT
and (in System: Advanced: Firewall and NAT too)
Enable automatic outbound NAT for Reflection –> Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.
dev ovpns1
dev-type tunable
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local [WAN ADDRESS HERE]
tls-server
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet
route 192.168.20.0 255.255.255.0 -
Glad to hear you're up and running :)
Interesting note about needing to set NAT reflection, that's not something I would normally have suggested with OpenVPN. The "route 192.168.20.0 255.255.255.0" option also doesn't look like a typical req't.
My experience has been that the OpenVPN "Road Warrior" type installs are pretty easy. Normally the biggest issues are with getting the certificates setup correctly.
How did you install the client on the iPad? I usually install the OpenVPN client export package to make sure things get setup on the clients properly.
Anyway, I'm not one to argue with success!
-
I followed this excellent tutorial
http://www.derman.com/blogs/OpenVPN-Server-Setup
-
You clearly do not need to route your tunnel network.. So that is not fixing your issue of no ping..
You do not need nat reflection - so while you think you fixed something with those setting.. They have nothing to do with what your original issue was - its more likely the restart of the openvpn service fixed the problem vs those settings. They have nothing to do with using vpn – they are not in your guide you linked too that is for sure ;)
I don't have them setup and I access and ping resources via a vpn connection pretty much every single day.
Just Saying ;)
-
I've just disabled
route 192.168.20.0 255.255.255.0
restarted the VPN and… it doesn't work anymore. Put it back in and... it works.
-
Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.
I wonder what that would do?
-
Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.
I wonder what that would do?
Sorry, would you mind to elaborate? Thanks! :)
