Cannot access devices on LAN from VPN client

reilos

Any other ideas anyone?

marvosa

It's already been said, but your tunnel network is the same as the LAN on the remote end and the LAN on your end is the same as the wireless subnet on the remote end.  That is not going to work reliably.  In a routed solution, all of the subnets on both ends have to be unique.

• First order of business, make sure everything you want to connect to is using PFsense as the default gateway.

• Second, change the subnets on whichever side is easiest to change.  Also, I would stay away from 192.168.1.1/24 on either side… it's too common and will break your routing at some point

So, provided you have the firewalll rules in place to allow the traffic, once your subnets are unique and you modify the server-side openvpn config accordingly, I don't see anything would prevent traffic from getting to it's destination at that point.

divsys

Agreeing with everything suggested so far (especially - get off of 192.168.1.x ).
One other potential issue - check the devices you're attempting to access don't have firewall(s)/filtering enabled that prevents access from the OpenVPN tunnel (10.0.1.0/24).

Happens very often with the Windoze builtin firewall, but I've seen similar issues with managed switches and other servers.

Worth a look

reilos

@marvosa:

First order of business, make sure everything you want to connect to is using PFsense as the default gateway.

Check

@marvosa:

Second, change the subnets on whichever side is easiest to change.

Check
(tried from ip 100.96.xxx.xxx)

Can still only access the pfsense GUI, nothing else  :-[

Derelict

Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

reilos

@Derelict:

Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

I've posted all screenshots and config files, as far as I can see, everything mentioned above is in there. Everything in there is correct, right? Or not? I have no other firewall or gateway in place, and I CAN connect to 192.168.1.1 which is the pfsense box. So I would think I should be able to reach the other devices in that subnet too. I also see nothing blocking in the firewall logs.
I just can't wrap my head around this somehow…

Derelict

If it was all there it would be working. Look again, hop by hop.

AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.

reilos

@Derelict:

If it was all there it would be working. Look again, hop by hop.

Apparently I'm overlooking something, you see something I don't. That's why I came here  ;)

@Derelict:

AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.

I have no firewall on my phone, no firewall on the NAS, switch, APs, RPIs, etc., etc. Can't connect to any of them  :o

Derelict

You said up there (quoted below) you could get to your NAS, so which is it?

You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

I also suspect that:

to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs mamagement interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

This is not extremely difficult but there is some complexity to get everything working.

reilos

@Derelict:

You said up there (quoted below) you could get to your NAS, so which is it?

Yeah, that seemed to work just once  :(

@Derelict:

You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

I've tested it from a totally different subnet, 100.96.xxx.xxx so how can that be the issue here?
I will change that, and all the devices configured in my network when i'm sure everything else works, since i have to reconfigure a lot then (shares on all client devices, static IPs for quite some devices, virtual appliances, etc.)

@Derelict:

I also suspect that:

to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs mamagement interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

Good point there. My Access Points indeed don't have a default gateway configered. Heck, i found out it's not even possible to do so on them ???
Somehow i left the default gateway field in the switch empty facepalm
However, the NAS was configured correctly, but i still couldn't access that.

Now, what I did found out was this: Even though you set the "IPv4 Local Network/s" field correctly, the route to that network is not (always) pushed to the client. In the client export tab (if you have installed the package), you have to ad an entry for the route in the "Additional configuration options" field. My suggestion would be to make it default, if the route is configured in the OpenVPN server.

I did add this maually in the client settings of the laptop earlier, but i was connected via the phone's "Personal Wifi Hotspot", which turned out to be in the 192.1.1.0/24 subnet (despite android documentation telling its in the 192.168.43.xxx range). When i tested with my phone only earlier (on network 100.96.xxx.xxx), i hadn't updated the config file to push the route yet.

Now that i updated all of the above, i can access at least my pfSense box, NAS and Switch management, so from my phone everything seems to work fine now  ;D

Now i can change my whole network's subnet… The joy...

johnpoz

"i found out it's not even possible to do so on them"

Well those are not actual true AP then, you got some soho wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

reilos

@johnpoz:

Well those are not actual true AP then, you got some soho wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

3 different brands, and I can set just about everything but the gateway on two of them….
Even my old Apple Airport has that option  >:(

I know there's an unofficial dd-wrt build for one of them, but not for the other one. I'm not too keen on the unofficial builds.

For now, i'll just stick to the current situation. I can access my NAS and it's shares, the main switch management and the devices and VMs i need. If i need to do maintenance on the access points i'll just have to come home once in a while  :P