OpenVPN - No Lan Connectivity
-
Hey everyone:
I have attached I think every relevant picture I can in my attachments here ;D . I have included my network layout, ipconfig, and log files. If you need anything else let me know. Here is what is going on. All that I want to do is to be able to see the web interface after connecting to the VPN. As you can see from the pictures, pfSense sees my connection and it is registered in the system. For whatever reason I still cannot ping. I am running the newest stable version of pfSense. Does anyone have any recommendations? If any more information is needed please let me know and I will get it up ASAP! I am thinking possibly an issue with the fact that I am missing a default gateway, but I am not sure.
Thank You
![Connected to VPN.PNG](/public/imported_attachments/1/Connected to VPN.PNG)
![Ping results.PNG](/public/imported_attachments/1/Ping results.PNG)
[VPN Config.txt](/public/imported_attachments/1/VPN Config.txt)
-
Excellent diagram! Now just a few questions…
> All that I want to do is to be able to see the web interface after connecting to the VPN.
Ok, the Web interface of what? Your pfSense router, an internal server, a media player?
You have a ping attempt from (I'm presuming from your snapshots) 192.168.1.220 (some unknown device) to 192.168.1.6 (your pfSense router) which fails.
If this 192.168.1.220 device is external to your diagram and connected via OpenVPN to the pfSense network ("Schurrnet") then the ping won't ever work.
Your external network is the same as your internal network, i.e. 192.168.1.0/24. This is a basic design conflict that is easiest remedied by changing the subnet of either the internal or external network (or both; don't use 192.168.1.0/24 if at all possible). If you then change your OpenVPN server on pfSense to match the new subnet(s) you've got a good chance of making this work.
If I've misinterpreted your setup, explain a little more and I'm sure we can get you going…
-
Sorry about that, let me clarify a little bit. All that I want to do is be able to access the dashboard of my pfSense box. By telling me to change the subnet of my external network, do you mean that I need to reconfigure my IP tunnel from 192.168.1.0/24 to something like 192.168.15.0/24? I am confused, however: if I change this then when I connect via VPN, my IP address would be something like 192.168.15.6. Won't I need to be on the same subnet to communicate?
When I sent the ping 192.168.1.220 was my laptop connected to the VPN. The VPN gave my laptop that IP address.
Thanks for the advice I will make sure to take a look at it.
-
Ok, I see the 192.168.1.220 address on the first OpenVPN tunnel screen.
Can you post a screen shot of your OpenVPN server of pfSense?
Unless you're creating a TAP/Bridged OpenVPN setup (not typical), then you've probably used something in the 192.168.1.x range for your OpenVPN tunnel.
The short answer is don't do that! It will cause all kinds of grief. Simply change the OpenVPN tunnel address to something completely unused, like 10.20.30.0/24.
The tunnel addresses are only used by OpenVPN to create your encrypted tunnel; you don't need (or want) them to be part of your LAN.
Remember to include your LAN subnet in the "IPv4 Local Network/s" box of the OpenVPN server (if they are not already there). The other major gotcha is often the need for a firewall rule under "Firewall->Rules->OpenVPN" allowing all traffic over the tunnel.
And while I remember, watch out for Windows based devices not responding because their firewalls don't like external LAN addresses outside their usual range.
That little problem has made more than one OpenVPN setup look like it was broken when it was in reality working just fine…
-
Well first off I do have a TAP/Bridged OpenVPN ;D
Should I change my setup? If so is there an "ideal" (loosely used) setup that I should be following? I know (or at least think) that a TAP VPN does not require a tunnel network.
I know that I have the firewall set up correctly but I know that I forgot to include my LAN subnet so I will be fixing that now!
As for the screenshot I am not sure what you are looking for but I would assume that it is my settings so I have them attached here with the updated local networks.
By the way thank you so much for your help!
-
> Well first off I do have a TAP/Bridged OpenVPN ;D
Well of course you do!
Honestly, I have never gotten a TAP setup working but that's mostly because I gave up years back when it was still a fairly hit and miss prospect.
Earlier (much) versions of pfSense weren't as nice about setting up the OpenVPN servers and clients under TAP (at least in my experience).
The net effect was that I exclusively used TUN setups and they have worked very well for me with a wide variety of different devices.
I know one example where they provide a better solution is in links with Android phones. Many (all?) Android phones will not allow a TAP interface to be created, but TUN works fine.
What you have currently is a small step away from working with TUN.
It may be an equally small step via TAP, but you'll have to hunt on the forums (or someone may jump in).
-
Well you have me convinced then. What should I edit to get this switched around? It seems that if I will have better compatibility with TUN then I should probably switch over!
-
On the OpenVPN server settings page:
Change "Device Mode" to TUN
Change "DH parameters length" to 2048 bit (may not be necessary, just me being anal)
Add "IPv4 Tunnel network" - 10.20.30.0/24 (only used for OpenVPN tunnels, can be anything that doesn't conflict with your networks)
Add "IPv4 Local Network/s" - 192.168.1.0/24 (this is the network(s) in your internal LAN that will be available to the OpenVPN connected device).
Restart your OpenVPN server.
Re-export the client package for your remote PC and reinstall it.
Connect the remote device and test.
All is well, life is good (hopefully)…
-
I wish I had better news to report but it still isn't working. I configured the settings and got it back up and running, which is good. I got my client connected, which is also good! I attached several screenshots that may be relevant. First off there is the status of OpenVPN showing my client is connected, next are the various logs (Firewall and OpenVPN), and lastly my firewall rule for the WAN. However here is the progress:
If you look at the firewall log, pretty damn close to when I joined the VPN I noticed on the LAN interface that it is blocking packets. That led me to check my firewall rules. OpenVPN configured the WAN rule but I do not have one on LAN. However, the port that OpenVPN uses is not the port that is usually used. Any advice? I think that all I need to do is add a rule for OpenVPN as a LAN exception but not quite sure on the port.
![VPN Connection.PNG](/public/imported_attachments/1/VPN Connection.PNG)
-
The OpenVPN status screen is an excellent sign; your VPN settings are right.
The single WAN rule is correct as shown.
I didn't see any sign of a firewall rule on the OpenVPN interface.
You need an "allow all" rule on that interface to make sure any traffic across OpenVPN is not blocked.
The LAN rules aren't needed, but you might also consider removing the previous "bridge0" interface.
I believe the firewall blocking you're seeing is from traffic re-directs through that interface.
Unless you have an urgent need for it, that interface is only going to muddy the install.
The simplest test I usually do is try and ping the pfSense server's LAN address from the client.
If the OpenVPN tunnel is up and an OpenVPN allow all rule is in place, that invariably works.
Next, try to connect to other internal LAN devices via ping and/or Web login, ftp, what-have-you.
You're close - trust me ;)
-
After another night of jacking with it, it is frustrating me. However I think I am closer. Do I need to push a default gateway? Usually on these networks it's 192.168.1.1/24; mine, however, is 192.168.1.6/24. The client gets connected to the VPN but the traffic doesn't go anywhere. I would imagine this is because it doesn't know where to go. Is there a command I need to push this?
-
No pushing of gateways is required, that gets handled automatically when the client connects to the OpenVPN server.
You can watch the process in action.
Go to the OpenVPN client icon, right-click->Edit Config, then add the line "verb 5" to the end of the config file and save it.
Reconnect the client to the OpenVPN server and "View Log" on the client after it connects.
You'll have a whole bunch of excess verbiage, but near the end you'll see some lines like: "C:\Windows\system32\route.exe ADD 192.168.x.x MASK 255.255.255.0 10.x.x.x"
These lines execute the Windows ROUTE command to tell your client how to send traffic to the OpenVPN server's network.
What subnets are you now using for:
- pfSense LAN?
- OpenVPN tunnel?
- Remote PC's LAN?
These three items must all be unique networks as we said earlier.
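The two checks the thread keeps coming back to, that the pfSense LAN, the OpenVPN tunnel and the remote PC's LAN must not overlap, and that the routes the server pushes (visible as the `route.exe ADD` lines in a `verb 5` client log) must not collide with the client's own LAN, can be done mechanically. The following Python script is an added example and is not from the thread or from pfSense; the subnets are the ones discussed above, while the sample client log and the tunnel gateway address 10.20.30.5 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of the tail of an OpenVPN client log at "verb 5"
# (not a real capture); only the route.exe lines are parsed.
SAMPLE_CLIENT_LOG = r"""
... (TLS handshake and option lines omitted) ...
C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.20.30.5
C:\Windows\system32\route.exe ADD 10.20.30.0 MASK 255.255.255.0 10.20.30.5
Initialization Sequence Completed
"""

# Matches the Windows ROUTE command the client runs for each pushed route.
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def parse_pushed_routes(log_text):
    """Return [(network, gateway), ...] for every route.exe ADD line in the log."""
    routes = []
    for match in ROUTE_RE.finditer(log_text):
        net, mask, gateway = match.groups()
        # ipaddress accepts "address/netmask" directly.
        routes.append((ipaddress.ip_network(f"{net}/{mask}"),
                       ipaddress.ip_address(gateway)))
    return routes


def find_conflicts(networks):
    """networks: {name: CIDR}. Return the (name_a, name_b) pairs whose
    subnets overlap; an empty list means the networks are all unique."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    names = sorted(parsed)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                conflicts.append((a, b))
    return conflicts


def pushed_routes_hitting_client_lan(log_text, client_lan):
    """Return pushed routes (as strings) that overlap the client's own LAN.
    A non-empty result means the client will send LAN traffic into the tunnel
    (or vice versa), which is the symptom described in the thread."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [str(net) for net, _gw in parse_pushed_routes(log_text)
            if net.overlaps(lan)]


if __name__ == "__main__":
    # The original, broken layout: everything on 192.168.1.0/24.
    broken = {"pfSense LAN": "192.168.1.0/24",
              "OpenVPN tunnel": "192.168.1.0/24",
              "remote LAN": "192.168.1.0/24"}
    # The layout recommended in the thread (remote LAN value is constructed).
    fixed = {"pfSense LAN": "192.168.1.0/24",
             "OpenVPN tunnel": "10.20.30.0/24",
             "remote LAN": "192.168.0.0/24"}
    print("broken layout conflicts:", find_conflicts(broken))
    print("fixed layout conflicts:", find_conflicts(fixed))
    for net, gw in parse_pushed_routes(SAMPLE_CLIENT_LOG):
        print(f"pushed route {net} via {gw}")
    print("routes colliding with a 192.168.1.0/24 client LAN:",
          pushed_routes_hitting_client_lan(SAMPLE_CLIENT_LOG, "192.168.1.0/24"))
```

Run it as-is to see the broken layout report three overlapping pairs and the fixed layout report none; to check a real setup, paste the `route.exe` lines from your own client log into `SAMPLE_CLIENT_LOG` and pass the remote PC's LAN to `pushed_routes_hitting_client_lan`.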