LAN to access OpenVPN clients
-
Hello.
At the moment I have pfSense hosting myself an OpenVPN server, Remote Access with SSL/TLS + user Auth. My LAN lives on 10.0.0.1/24, my pfSense machine is 10.0.0.1 and DHCP gets everything in the /24 subnet.
My OpenVPN server is set up as follows:
Server Mode: Remote Access (SSL/TLS + User Auth)
Protocol: UDP
Device Mode: tun
Interface: WAN
Port: 3622
Enable Authorization of TLS packets is CHECKED
Certificate Depth: One (Client + Server)
IPv4 Tunnel network: 10.1.0.0/24
Redirect Gateway: Force all client generated traffic through the tunnel. CHECKED
Concurrent Connections: 1
Compression: Enabled with Adaptive Compression
Interclient communication is CHECKED
Dynamic IP CHECKED
Provide a virtual adapter IP address to clients (see Tunnel Network) CHECKED
Provide a default domain name to clients = mydomain.local
Provide DNS list to clients has:
10.0.0.1
8.8.8.8
8.8.4.4
That's it.
My UserAuth is set up properly on pfSense. When I connect from my Windows laptop to the server I am prompted for username and password and I can connect to the OpenVPN, routing is added to my client correctly and I pick up IP address 10.1.0.6. I can ping and SSH and access all the machines on my LAN just fine.
However, I have a need for my LAN machines to talk with my OpenVPN clients, as I plan on hosting a cloud server or two outside of my network and I would like my network to be able to talk to these machines through the VPN for security (SQL server(s), primarily). It would also be nice for security purposes if I could have my OpenSSH server on these machines listen on this OpenVPN interface for connections instead of the public IP for added security. Therefore, to access the machine at all you would need to be on my VPN.
All the issues I've found are people having problems with OpenVPN -> LAN, but I have the opposite, LAN -> OpenVPN. Do I need to connect my home servers/machines to the VPN as well, or is there a bridge or alternate way I can do what I need to do?
Thanks for your assistance.
BTW - pfSense version is 2.2.4-RELEASE (amd64). Machine has 3 physical Ethernet ports, one used by WAN, one used by LAN to a switch.
-
Do you have a rule in place at the LAN interface to permit access to the VPN subnet? If you still have the default allow-to-any rule there, the traffic will be allowed.
Maybe it's a client firewall issue. If it's a Windows client, access like ping will be disallowed by default.
-
Thanks for your reply. Forgot about Winblows firewall. I just punched a hole in it and it works. I was only using this machine to test the connection before setting it up on my remote machine. Thanks again.
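The "hole" in the Windows client firewall from the last post is better scoped to the networks that should actually reach the client. This is an added example for that, not part of the thread; it assumes the LAN is 10.0.0.0/24 and the tunnel network is 10.1.0.0/24 as described in the server settings, and that SSH on the client listens on TCP/22.

```powershell
# Added example (not from the thread). Scopes the Windows Firewall exception the
# original poster opened so that only the pfSense LAN (assumed 10.0.0.0/24) and
# the OpenVPN tunnel network (10.1.0.0/24 from the server settings) may reach
# this client for ICMP echo and SSH. Run in an elevated PowerShell session.

$AllowedSources = @('10.0.0.0/24', '10.1.0.0/24')

# Allow ping (ICMPv4 echo request, type 8) from the LAN and tunnel networks only.
New-NetFirewallRule -DisplayName 'VPN-LAN: Allow ICMPv4 echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any

# Allow SSH (TCP/22) from the same sources; adjust LocalPort if sshd listens elsewhere.
New-NetFirewallRule -DisplayName 'VPN-LAN: Allow SSH' `
    -Direction Inbound -Protocol TCP -LocalPort 22 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any

# Verify the scope actually applied: RemoteAddress must list both subnets, not 'Any'.
Get-NetFirewallRule -DisplayName 'VPN-LAN: *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

`-Profile Any` is used because Windows usually classifies the OpenVPN TAP adapter as a Public or unidentified network, which is why the default profile blocks inbound ping in the first place.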