Netgate Discussion Forum

    Connection from OpenVPN Client LAN to OpenVPN server

    13 Posts 2 Posters 1.8k Views
      viragomann

      In the client configuration, at IPv4 or IPv6 Remote Network, enter the networks on the server side that you want to reach.
      So if the tunnel is up, pfSense will add routes to these networks.

        jiunnyik

        It doesn't work

        My CentOS OpenVPN server has 10.11.12.1

        My pfSense OpenVPN client has 10.11.12.6 and LAN 192.168.18.0/24

        I tried to put 10.11.12.0/24 into IPv4 Remote Network, but my LAN client is unable to reach / ping 10.11.12.1

          viragomann

          I'll try to replicate.

          Your OpenVPN tunnel is 10.11.12.0/24.
          The server has 10.11.12.1.
          And you just want to reach the server? For that there's no need to add routes if the OpenVPN client (pfSense) is the default gateway. It's in the same subnet.
          Try a ping from pfSense to the server.

            jiunnyik

            pfSense can ping the server and vice versa

              viragomann

              So if the pfSense box (OpenVPN client) is the default gateway for the host behind, the ping should also work from there.

              If not, make a packet capture at pfSense (Diagnostic menu) on the OpenVPN interface and filter for ICMP to see what's going on there.

                jiunnyik

                
                05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
                05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
                05:45:23.768987 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 3, length 64
                05:45:24.769018 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 4, length 64
                05:45:25.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 5, length 64
                05:45:26.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 6, length 64
                05:45:27.768991 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 7, length 64
                05:45:28.769023 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 8, length 64
                05:45:29.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 9, length 64
                05:45:30.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 10, length 64
                05:45:31.768995 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 11, length 64
                05:45:32.769028 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 12, length 64
                05:45:33.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 13, length 64
                05:45:34.768978 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 14, length 64
                05:45:35.768999 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 15, length 64
                05:45:36.769031 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 16, length 64
                05:45:37.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 17, length 64
                05:45:38.769096 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 18, length 64
                05:45:39.769002 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 19, length 64
                05:45:40.769035 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 20, length 64
                05:45:41.769068 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 21, length 64
                
                

                This is the test result

                  viragomann

                  Only ICMP requests are seen, no responses.
                  The common way to fix this is to add a route for the client's LAN to the server. I think you know, but don't want this.

                  If you want to solve it from the client side, you have to add an outbound NAT rule to the client's OpenVPN interface, translating the source address to the client's address. This is not recommended, because this way you just see requests at the server side coming from the client's address instead of the real LAN host's address.

                  To do so, go to Firewall > NAT > Outbound. If your outbound NAT does automatic rule generation, select Hybrid or Manual and hit Save first.
                  Then add a new rule by +:
                  Interface: OpenVPN
                  Protocol: any
                  Source: the client's LAN network or any
                  Destination: any
                  Translation: Interface address

                  If you have more than one VPN client or also a server running, you have to assign an interface to the VPN client first and use this in the NAT rule above, if you haven't already!

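An added example, not part of the original posts: a short Python script that automates the reading of the capture discussed above. It pairs ICMP echo requests with replies and flags requesters whose address lies outside the tunnel subnet 10.11.12.0/24, which the server can only answer if it has a return route or the client NATs to its tunnel address. The function name is hypothetical, and the last two sample lines are constructed to show the post-NAT case.

```python
import ipaddress
import re

# Matches tcpdump text output for ICMP echo traffic, e.g.
# 05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def analyze_capture(text, tunnel_net):
    """Return {(requester, target): {...}} for echo requests that got no reply."""
    tunnel = ipaddress.ip_network(tunnel_net)
    pending = set()  # (requester, target, id, seq) still waiting for a reply
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending.add((m["src"], m["dst"]) + ident)
        else:
            # A reply travels target -> requester, so swap the addresses.
            pending.discard((m["dst"], m["src"]) + ident)
    findings = {}
    for src, dst, _id, _seq in pending:
        entry = findings.setdefault((src, dst), {"unanswered": 0})
        entry["unanswered"] += 1
        # A requester outside the tunnel subnet needs a return route on the
        # server, or outbound NAT on the client, before replies can come back.
        entry["src_in_tunnel"] = ipaddress.ip_address(src) in tunnel
    return findings

# First two lines are from the capture in the thread; the last two are
# constructed to show the same ping after the outbound NAT rule is in place.
SAMPLE = """\
05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
06:10:01.000100 IP 10.11.12.6 > 10.11.12.1: ICMP echo request, id 2401, seq 1, length 64
06:10:01.020300 IP 10.11.12.1 > 10.11.12.6: ICMP echo reply, id 2401, seq 1, length 64
"""

if __name__ == "__main__":
    for (src, dst), info in analyze_capture(SAMPLE, "10.11.12.0/24").items():
        where = "inside" if info["src_in_tunnel"] else "outside"
        print(f"{src} -> {dst}: {info['unanswered']} unanswered, source {where} tunnel subnet")
```
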
                    jiunnyik

                    It works. Thanks

                    What are the settings for the VPN client interface when I am running both server and client on the same pfSense?

                    Thanks.

                      viragomann

                      As mentioned, you have to assign an interface in Interfaces > (assign) to each OpenVPN instance.
                      At "Available network ports" select ovpnc1 for the client and click +, open the new interface, check Enabled, give it an appropriate name and save it.
                      Do the same for the OpenVPN server using the ovpns1 network port.

                      In outbound NAT use the new interfaces instead of OpenVPN.
                      For server, you might not need an outbound NAT rule.

                        jiunnyik

                        This works perfectly, just as I want.

                        Thank you viragomann
