OpenVPN connects, can't get to lan network
-
The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.
But two other wrong things I've found in your config:
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
-
Your VPN tunnel network has a public IP range. You should change this to a private range.
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
What do you mean, I seem to be made of bricks today. So, what I have set is a problem? Or it's okay?
Your VPN tunnel network has a public IP range. You should change this to a private range.
My tunnel is 172.50.48.0/24, isn't that private?
What would you suggest other than that? Something that won't bork other settings. Thanks for your help thus far!
-
My tunnel is 172.50.48.0/24, isn't that private?
No, obviously…
NetRange: 172.32.0.0 - 172.63.255.255
CIDR: 172.32.0.0/11
NetName: TMO9
NetHandle: NET-172-32-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS21928
Organization: T-Mobile USA, Inc. (TMOBI)
RegDate: 2012-09-18
Updated: 2012-09-18
Ref: http://whois.arin.net/rest/net/NET-172-32-0-0-1
-
Ah!
Okay. Easy change.
172.24.48.0/24 it is.
-
Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.
What do you mean, I seem to be made of bricks today. So, what I have set is a problem? Or it's okay?
For CARP the interface addresses of master and slave have to be in the same subnet and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.
Your LAN interface (of master, I assume) is set to 10.1.1.15/32. That's just a single host! You should change the mask to /24 in the interface settings.
-
Ah yeah, I had it to that, and then started trying some other stuff around.
I've changed it back. (Thanks for that sanity check that I was right the first time!) Now my VPN connects, but from the test machine DNS fails to resolve.
I tried providing DNS server list to clients from the client settings in the server config (8.8.8.8, 8.8.4.4) But it still fails.
I then tried to have them route to my DHCP server at 10.10.0.2 and that also fails. Client logs had this to say:
Wed Dec 09 16:56:32 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 172.24.48.0/172.24.48.2/255.255.255.0 [SUCCEEDED]
Wed Dec 09 16:56:32 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.24.48.2/255.255.255.0 on interface {8E8DE95B-B134-4001-A110-B08D646A4D45} [DHCP-serv: 172.24.48.254, lease-time: 31536000]
Wed Dec 09 16:56:32 2015 Successful ARP Flush on interface [47] {8E8DE95B-B134-4001-A110-B08D646A4D45}
Wed Dec 09 16:56:32 2015 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Wed Dec 09 16:56:37 2015 Initialization Sequence Completed
Thoughts?
-
You know, there are well-known test tools for DNS. "It fails" is a useless description.
-
I guess your client's default gateway is within 10.0.0.0/8, which you route over the VPN.
If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.
-
You know, there are well-known test tools for DNS. "It fails" is a useless description.
Thanks.
@viragomann: I guess your client's default gateway is within 10.0.0.0/8, which you route over the VPN.
If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.
I checked redirect gateway, and I can get to the internet on the test machine, but it still won't let me on the LAN.
What would you suggest for a good route to apply? The end goal is just to get them to be able to access the LAN.
-
If you can reach Internet over the VPN you should also be able to access the LAN subnet at server side, as long as firewall rules do not prohibit this.
For routing the LAN net, you only need to push 10.1.1.0/24 to the client (if /24 is your LAN mask).
The pfSense box running the vpn server is the default gateway in its network? If it isn't, you need appropriate routes for the vpn tunnel or do NAT.
Maybe the LAN host you want to access does not permit access from a different subnet, as the Windows firewall does by default.
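The three address-range mistakes discussed in this thread (a tunnel network outside RFC 1918, a /32 LAN mask that leaves no room for the CARP peer, and a pushed route such as 10.0.0.0/8 that swallows the client's own network) can all be caught before touching the pfSense GUI. The following is an added example, not code from the forum or from pfSense; the peer address 10.1.1.16 and the client-side LAN 10.20.30.0/24 are constructed, the other values are the ones quoted in the thread.

```python
"""Sanity checks for the OpenVPN tunnel, pushed routes and CARP subnet
discussed in this thread. Added example; not the poster's or pfSense's code."""
import ipaddress

# RFC 1918 private blocks. 172.50.x.x is outside 172.16.0.0/12, which is
# why the original tunnel net was a public (T-Mobile) range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(block) for block in RFC1918)


def carp_peers_share_subnet(local_iface, peer_addr):
    """CARP requires master and slave interface addresses in one subnet.
    local_iface carries the mask as configured, e.g. '10.1.1.15/32'."""
    iface = ipaddress.ip_interface(local_iface)
    return ipaddress.ip_address(peer_addr) in iface.network


def check_openvpn(tunnel, local_networks, client_lan):
    """Return a list of problems with tunnel net, pushed routes and the
    client's own (constructed, assumed) LAN."""
    problems = []
    tun = ipaddress.ip_network(tunnel, strict=False)
    if not is_rfc1918(tunnel):
        problems.append("tunnel %s is not a private (RFC 1918) range" % tun)
    client = ipaddress.ip_network(client_lan, strict=False)
    for n in local_networks:
        ln = ipaddress.ip_network(n, strict=False)
        if tun.overlaps(ln):
            problems.append("tunnel %s overlaps pushed network %s" % (tun, ln))
        # A pushed route that also covers the client's own LAN hijacks the
        # client's local traffic and default gateway (the 10.0.0.0/8 case).
        if client.overlaps(ln):
            problems.append("pushed route %s covers client LAN %s" % (ln, client))
    return problems


if __name__ == "__main__":
    # Original settings from the thread versus the corrected ones.
    print(check_openvpn("172.50.48.0/24", ["10.0.0.0/8"], "10.20.30.0/24"))
    print(check_openvpn("172.24.48.0/24", ["10.1.1.0/24"], "10.20.30.0/24"))
    print(carp_peers_share_subnet("10.1.1.15/32", "10.1.1.16"))  # /32: no peer
    print(carp_peers_share_subnet("10.1.1.15/24", "10.1.1.16"))  # /24: ok
```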
-
So I got this working finally.
Turns out, for my DNS servers, I needed to put my DHCP server there.
This allowed the DNS to get resolved.
Thanks for your help folks.