Netgate Discussion Forum

    Unable to ping from OpenVPN endpoint to LAN network

    27 Posts 4 Posters 5.3k Views
solignis

      Normally I am pretty good at setting this stuff. Mind you I am a little rusty. But this one has me stumped.

      My LAN can ping the OpenVPN interface on the router. But I cannot ping any VPN hosts. Also the VPN host while still connected cannot ping anything except itself. It can't even ping the router VPN endpoint.


Derelict (Netgate)

        You might not be able to ping the VPN tunnel interfaces.  That is normal.

        Instead of giving gobbledygook like this:

        My LAN can ping the OpenVPN interface on the router. But I cannot ping any VPN hosts. Also the VPN host while still connected cannot ping anything except itself. It can't even ping the router VPN endpoint.

        Give us something we can work with.  Specific IP addresses, interface addresses, interfaces, etc.

        I have NO IDEA what you are talking about when you say "VPN endpoint."

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


solignis

          Ok I have made a huge leap in troubleshooting progress. I am now able to ping from my VPN client which is my laptop (10.1.0.2) to my desktop (10.0.0.101) on my LAN. Sadly my way of accomplishing this was to erase my OpenVPN server and client configurations and reload them. After re-configuring the OpenVPN server I noticed that it refused to start the service. I took a look at the log file and found it was stating it could create the interface it needed to host the server (ovpns1).

Part of the previous issue looks like OpenVPN was not able to get access to the Windows routing table to add the VPN route. I ran the client in admin mode and it was able to add the route.

As it stands right now my laptop (10.1.0.2) is able to ping anything on the 10.0.0.0/24 subnet. The issue now is nothing on 10.0.0.0/24 can ping my laptop over the VPN.

          I have checked the firewall logs and I am no longer seeing any issues with the firewall actively blocking my ping attempts.

          When I do a traceroute from my desktop the trace makes it to the gateway (10.0.0.1, pfSense) but stops after that.

          C:\Users\Ian>tracert 10.1.0.2
          
          Tracing route to 10.1.0.2 over a maximum of 30 hops
          
            1    <1 ms    <1 ms    <1 ms  gateway.solignis.com [10.0.0.1]
            2     *        *        *     Request timed out.
            3     *        *        *     Request timed out.
            4     *        *        *     Request timed out.
            5     *        *        *     Request timed out.
          
          

Here is the ping test from my desktop (10.0.0.101):

          C:\Users\Ian>ping 10.1.0.2 -t
          
          Pinging 10.1.0.2 with 32 bytes of data:
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          
          

Here is the traceroute from my laptop when connected to the VPN:

          C:\WINDOWS\system32>tracert 10.0.0.101
          
          Tracing route to SPACECRATE [10.0.0.101]
          over a maximum of 30 hops:
          
            1    99 ms    57 ms    52 ms  10.1.0.1
            2    54 ms    53 ms    63 ms  SPACECRATE [10.0.0.101]
          
          Trace complete.
          
          

Here is the ping test from my laptop when connected to the VPN:

          C:\WINDOWS\system32>ping 10.0.0.101
          
          Pinging 10.0.0.101 with 32 bytes of data:
          Reply from 10.0.0.101: bytes=32 time=65ms TTL=127
          Reply from 10.0.0.101: bytes=32 time=68ms TTL=127
          Reply from 10.0.0.101: bytes=32 time=51ms TTL=127
          Reply from 10.0.0.101: bytes=32 time=50ms TTL=127
          
          Ping statistics for 10.0.0.101:
              Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
              Minimum = 50ms, Maximum = 68ms, Average = 58ms
          
          

          I have attached my current firewall rules.

[Attached screenshots: WAN.png, LAN.png, VPN.png (firewall rules for each interface)]


Derelict (Netgate)

            Check the firewall on your laptop.

            In most cases, the assets on the main, server LAN will not have to make connections to the client.



doktornotor

              Disable the goddamn Windows "firewall" before testing.


MisterIX

                Hello ianc1215, I'm also stuck with the OpenVPN connected but unable to ping any hosts or gateways. You wrote:

                I found out what I was going wrong with the firewall. There was no explicit allow all so if it did not match it blocked it.

Could you specify more closely for which interface you created this rule? I checked my routing on the host already and it should work.

                Kind regards, MisterIX.


solignis

                  @doktornotor:

                  Disable the goddamn Windows "firewall" before testing.

                  Sigh…. I disabled the Windows firewall and it worked. I have never had trouble with it in the past I wonder why now.

                  Anyhow thanks everyone for the help.


doktornotor

                    Because the crappy thing blocks ping from anything but the subnet it's currently on by default… Source of immense waste of time.


solignis
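The default behaviour doktornotor describes can be handled without switching the Windows firewall off. The following is an added example, not something posted in this thread or shipped by Netgate or OpenVPN. It assumes the addressing from the thread (LAN 10.0.0.0/24 behind pfSense, tunnel 10.1.0.0/24 with the client at 10.1.0.2), that the tunnel is routed rather than NATed so LAN hosts arrive with their 10.0.0.x source address, and that it runs in an elevated PowerShell session on the client. The rule name is an arbitrary choice. It checks the pushed route (the OP's first problem), shows which profile Windows gave the tunnel adapter and how the built-in echo rules are scoped, then adds one narrowly scoped ICMPv4 echo rule instead of disabling the firewall.

```powershell
# Added example (not from the thread): diagnose and fix the Windows-side
# causes of "VPN client cannot be pinged from the LAN" with the firewall on.
# Run in an elevated PowerShell session on the OpenVPN client.
# Assumptions taken from the thread, not verified here:
#   LAN behind pfSense  = 10.0.0.0/24
#   OpenVPN tunnel      = 10.1.0.0/24, this client is 10.1.0.2
#   Tunnel is routed, not NATed, so LAN hosts show up as 10.0.0.x sources.
$LanNet   = '10.0.0.0/24'
$TunnelIp = '10.1.0.2'
$RuleName = 'OpenVPN: allow ICMPv4 echo from LAN'   # assumed name, any is fine

# 1. The route OpenVPN has to install. If it is missing, the client could not
#    edit the routing table (the "not running as admin" problem in the thread).
$route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $LanNet -ErrorAction SilentlyContinue
if (-not $route) {
    Write-Warning "No route for $LanNet. Run the OpenVPN client elevated and reconnect."
} else {
    $route | Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
}

# 2. Find the tunnel adapter by its address and show the firewall profile
#    Windows assigned it. A TAP/Wintun adapter usually lands in 'Public',
#    where the built-in inbound echo rules are disabled altogether.
$tunAddr  = Get-NetIPAddress -AddressFamily IPv4 -IPAddress $TunnelIp -ErrorAction Stop
$tunAlias = $tunAddr.InterfaceAlias
Get-NetConnectionProfile -InterfaceIndex $tunAddr.InterfaceIndex |
    Format-Table Name, InterfaceAlias, NetworkCategory -AutoSize

# 3. Why ping from the LAN fails with the firewall on: the built-in echo rules
#    are scoped to RemoteAddress = LocalSubnet, and 10.0.0.x is not on the
#    tunnel's subnet, so the request never matches an allow rule.
Get-NetFirewallRule -DisplayName '*Echo Request - ICMPv4-In*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 4. Fix: one inbound rule allowing ICMPv4 echo request (type 8) only from
#    the LAN, only on the tunnel adapter, in every profile. Everything else
#    the firewall blocks today stays blocked.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $LanNet `
        -InterfaceAlias $tunAlias `
        -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName |
    Format-Table DisplayName, Enabled, Profile, Direction, Action -AutoSize
```

Step 3 is the evidence for doktornotor's point: the stock echo rules only accept requests from the adapter's own subnet, which a 10.0.0.x host behind pfSense never is. The added rule is deliberately tighter than "turn it off": it only opens echo request, only from the LAN prefix, only on the tunnel adapter. `Remove-NetFirewallRule -DisplayName $RuleName` undoes it.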

                      @MisterIX:

                      Hello ianc1215, I'm also stuck with the OpenVPN connected but unable to ping any hosts or gateways. You wrote:

                      I found out what I was going wrong with the firewall. There was no explicit allow all so if it did not match it blocked it.

Could you specify more closely for which interface you created this rule? I checked my routing on the host already and it should work.

                      Kind regards, MisterIX.

I needed to make allow-all rules on both the OpenVPN and LAN interfaces. The way that the firewall works is to block all traffic that does not match. Well, once you run out of rules, any traffic gets kicked to the curb. However, once you have had all of your traffic go through the block rules you set up, generally there is a rule at the end that allows all traffic that made it that far to go on through. I was missing that; once I added it the firewall was no longer getting in the way.


Derelict (Netgate)

                        Except that's not how it works.

                        In general, once traffic is allowed into an interface it is allowed out without specific rules on the outbound interface.

                        This is the case unless you have specified floating rules on an interface with a direction of any or out.


solignis

I was referring to new connections, not existing connections. Yes, if a connection is allowed in then generally it's allowed out unless a rule prevents it. The way I have always understood it is that new connections work on a first-match basis; if it does not match then it does not go through. The reason you have the allow any at the end of a firewall statement is to allow anything that did not get blocked prior. I have very little experience with pf but I imagine most firewalls share common logic.


MisterIX

Thank you very much for your answers. I have to open a new post though, as my Windows firewall is turned off (details in new post), the VPN connection seems stable, the allow-all rule is set under OpenVPN, but I cannot ping or otherwise reach a client in my target network.

                            Best regards, Mister IX.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.