Netgate Discussion Forum

Cannot access devices on LAN from VPN client

OpenVPN
22 Posts 6 Posters 5.9k Views
marvosa:

From what I can tell, your server1.conf is incomplete and missing the directives that will give you access to your LAN.  Did you intentionally truncate your config?  If not, that would be why nothing's working.
reilos:

@marvosa:

From what I can tell, your server1.conf is incomplete and missing the directives that will give you access to your LAN.  Did you intentionally truncate your config?  If not, that would be why nothing's working.

Ah yes, correct. Copy-paste error I think. I've updated the original post, thanks.
reilos:

@viragomann:

That's okay. Since you haven't set the VPN as default route, there should not be a default gateway for the TAP device.

But the problem I can see, now that you've posted your whole client network settings, is that your LAN behind the VPN server uses the same network address range as the wireless LAN your client resides in. That won't work. You should change one of these networks to another IP range.

Isn't the wireless LAN's IP assigned when I connect to the VPN? I connected via my 4G phone connection, which is of course not in a private network, and I also tried from the office, which is also in another network range. So I'm not sure what you are suggesting actually  ???
reilos:

Any other ideas anyone?
marvosa:

It's already been said, but your tunnel network is the same as the LAN on the remote end and the LAN on your end is the same as the wireless subnet on the remote end.  That is not going to work reliably.  In a routed solution, all of the subnets on both ends have to be unique.

• First order of business, make sure everything you want to connect to is using PFsense as the default gateway.

• Second, change the subnets on whichever side is easiest to change.  Also, I would stay away from 192.168.1.1/24 on either side… it's too common and will break your routing at some point.

So, provided you have the firewall rules in place to allow the traffic, once your subnets are unique and you modify the server-side OpenVPN config accordingly, I don't see anything that would prevent traffic from getting to its destination at that point.
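The uniqueness requirement marvosa describes can be checked before anything is reconfigured. The following is an added example and not code from the thread, from pfSense or from OpenVPN: the subnets involved are listed under hypothetical labels (the "as posted" addresses mirror the thread, the renumbered layout is constructed) and every pair is tested for overlap with Python's ipaddress module. The short list of factory-default ranges to avoid is an assumption drawn from marvosa's advice, not a documented pfSense rule.

```python
import ipaddress
from itertools import combinations

# Constructed layout mirroring the thread: the VPN client's local LAN, the
# tunnel network and the server-side LANs.  Labels are hypothetical.
NETWORKS = {
    "client LAN (phone hotspot)": "192.168.1.0/24",
    "tunnel network": "10.0.1.0/24",
    "server LAN": "192.168.1.0/24",
    "server wireless": "10.0.1.0/24",
}

# A renumbered layout (constructed) in which every subnet is distinct.
RENUMBERED = {
    "client LAN (phone hotspot)": "192.168.43.0/24",
    "tunnel network": "10.8.0.0/24",
    "server LAN": "192.168.50.0/24",
    "server wireless": "192.168.60.0/24",
}

# Assumption based on the advice in the thread: factory-default ranges that a
# roaming client is very likely to sit in, so they are poor choices for the
# server-side LAN.
COMMON_DEFAULTS = {ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")}


def parse(networks):
    """Turn {label: "a.b.c.d/len"} into {label: IPv4Network}.  strict=True
    rejects host addresses such as 192.168.1.1/24, so typos surface early."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in networks.items()}


def find_overlaps(networks):
    """Return every pair of labels whose ranges overlap.  In a routed VPN all
    subnets on both ends must be unique: if the client's local LAN uses the
    same prefix as the remote LAN, the client kernel already has a directly
    connected route for it and traffic never enters the tunnel."""
    parsed = parse(networks)
    return [(a, b) for (a, pa), (b, pb) in combinations(parsed.items(), 2) if pa.overlaps(pb)]


def common_default_ranges(networks):
    """Labels whose subnet is one of the factory-default ranges above."""
    return sorted(name for name, net in parse(networks).items() if net in COMMON_DEFAULTS)


def is_routable_layout(networks):
    """True when no two subnets overlap, i.e. the layout meets the uniqueness
    requirement for a routed OpenVPN setup."""
    return not find_overlaps(networks)


if __name__ == "__main__":
    for label, layout in (("as posted", NETWORKS), ("renumbered", RENUMBERED)):
        print(f"{label}: overlaps={find_overlaps(layout)} "
              f"common defaults={common_default_ranges(layout)}")
```

Run as-is it reports the two collisions from the thread (client LAN against server LAN, tunnel against server wireless) and flags both 192.168.1.0/24 entries; the renumbered layout passes cleanly.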
divsys:

Agreeing with everything suggested so far (especially - get off of 192.168.1.x ).
One other potential issue - check the devices you're attempting to access don't have firewall(s)/filtering enabled that prevents access from the OpenVPN tunnel (10.0.1.0/24).

Happens very often with the Windoze builtin firewall, but I've seen similar issues with managed switches and other servers.

Worth a look.

-jfp
reilos:

@marvosa:

First order of business, make sure everything you want to connect to is using PFsense as the default gateway.

Check

@marvosa:

Second, change the subnets on whichever side is easiest to change.

Check
(tried from ip 100.96.xxx.xxx)

Can still only access the pfsense GUI, nothing else  :-[
Derelict (LAYER 8, Netgate):

Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN, traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
reilos:

@Derelict:

Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN, traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

I've posted all screenshots and config files; as far as I can see, everything mentioned above is in there. Everything in there is correct, right? Or not? I have no other firewall or gateway in place, and I CAN connect to 192.168.1.1 which is the pfsense box. So I would think I should be able to reach the other devices in that subnet too. I also see nothing blocking in the firewall logs.
I just can't wrap my head around this somehow…
Derelict (LAYER 8, Netgate):

If it was all there it would be working. Look again, hop by hop.

AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.
reilos:

@Derelict:

If it was all there it would be working. Look again, hop by hop.

Apparently I'm overlooking something; you see something I don't. That's why I came here  ;)

@Derelict:

AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.

I have no firewall on my phone, no firewall on the NAS, switch, APs, RPIs, etc., etc. Can't connect to any of them  :o
Derelict (LAYER 8, Netgate):

You said up there (quoted below) you could get to your NAS, so which is it?

You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

I also suspect that:

to the client config, I got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs management interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

This is not extremely difficult, but there is some complexity to get everything working.
reilos:

@Derelict:

You said up there (quoted below) you could get to your NAS, so which is it?

Yeah, that seemed to work just once  :(

@Derelict:

You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

I've tested it from a totally different subnet, 100.96.xxx.xxx, so how can that be the issue here?
I will change that, and all the devices configured in my network, when I'm sure everything else works, since I have to reconfigure a lot then (shares on all client devices, static IPs for quite some devices, virtual appliances, etc.)

@Derelict:

I also suspect that:

to the client config, I got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs management interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

Good point there. My Access Points indeed don't have a default gateway configured. Heck, I found out it's not even possible to do so on them ???
Somehow I left the default gateway field in the switch empty facepalm
However, the NAS was configured correctly, but I still couldn't access that.

Now, what I did find out was this: even though you set the "IPv4 Local Network/s" field correctly, the route to that network is not (always) pushed to the client. In the client export tab (if you have installed the package), you have to add an entry for the route in the "Additional configuration options" field. My suggestion would be to make it default, if the route is configured in the OpenVPN server.

I did add this manually in the client settings of the laptop earlier, but I was connected via the phone's "Personal Wifi Hotspot", which turned out to be in the 192.1.1.0/24 subnet (despite Android documentation telling it's in the 192.168.43.xxx range). When I tested with my phone only earlier (on network 100.96.xxx.xxx), I hadn't updated the config file to push the route yet.

Now that I updated all of the above, I can access at least my pfSense box, NAS and switch management, so from my phone everything seems to work fine now  ;D

Now I can change my whole network's subnet… The joy...
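Derelict's hop-by-hop method and the missing-route finding reilos reports above can be reproduced on the client side. The following is an added example, not code from the thread, from pfSense or from OpenVPN: it holds a constructed routing table in the style of `ip route` output, once without and once with a route for the server LAN, and runs the longest-prefix lookup the client kernel performs to show which interface a server-side host would actually leave through. The helpers also format the `push "route ..."` directive a server emits and the equivalent `route` line for a client config. All addresses (192.168.43.0/24 as the hotspot, 10.0.1.0/24 as the tunnel with 10.0.1.5 and 10.0.1.6 as its endpoints, 192.168.50.0/24 as a renumbered server LAN) are constructed.

```python
import ipaddress

# Constructed client-side routing table while the VPN is up but NO route for
# the server LAN has been received: only the tunnel network itself is on tun0.
ROUTES_WITHOUT_PUSH = """\
default via 192.168.43.1 dev wlan0
10.0.1.0/24 dev tun0 proto kernel scope link src 10.0.1.6
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.12
"""

# The same table after a route for the (hypothetical, renumbered) server LAN
# 192.168.50.0/24 has been added, via the server's tunnel address 10.0.1.5.
ROUTES_WITH_PUSH = ROUTES_WITHOUT_PUSH + "192.168.50.0/24 via 10.0.1.5 dev tun0\n"


def parse_routes(text):
    """Parse `ip route`-style lines into (network, gateway, device) tuples.
    'default' is the 0.0.0.0/0 route; fields we do not need are ignored."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes


def lookup(text, destination):
    """Longest-prefix match: the (network, gateway, device) the client kernel
    would pick for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in parse_routes(text) if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def egress_device(text, destination):
    """First hop of the hop-by-hop check: which interface the packet leaves on.
    For a server-side host the answer must be the tunnel device."""
    route = lookup(text, destination)
    return route[2] if route else None


def push_route_directive(cidr):
    """Server-side directive that hands this LAN's route to connecting clients."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f'push "route {net.network_address} {net.netmask}"'


def client_route_directive(cidr):
    """Equivalent line for the client config (what reilos added by hand under
    'Additional configuration options')."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"route {net.network_address} {net.netmask}"


if __name__ == "__main__":
    host = "192.168.50.20"
    print("without route:", egress_device(ROUTES_WITHOUT_PUSH, host))  # wlan0
    print("with route:   ", egress_device(ROUTES_WITH_PUSH, host))     # tun0
    print(push_route_directive("192.168.50.0/24"))
    print(client_route_directive("192.168.50.0/24"))
```

Without the route, a packet for the server LAN falls through to the default route and leaves via the hotspot, which is exactly the symptom of "I can reach pfSense's tunnel address but nothing behind it"; with the route present it is steered into tun0, and the next hops to check are pfSense's own firewall rules on the OpenVPN tab and the destination host's default gateway.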
johnpoz (LAYER 8, Global Moderator):

"i found out it's not even possible to do so on them"

Well, those are not actual true APs then; you got some SOHO wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07
reilos:

@johnpoz:

Well, those are not actual true APs then; you got some SOHO wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

3 different brands, and I can set just about everything but the gateway on two of them….
Even my old Apple Airport has that option  >:(

I know there's an unofficial dd-wrt build for one of them, but not for the other one. I'm not too keen on the unofficial builds.

For now, I'll just stick to the current situation. I can access my NAS and its shares, the main switch management and the devices and VMs I need. If I need to do maintenance on the access points I'll just have to come home once in a while  :P

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.