Netgate Discussion Forum

    Cannot access devices on LAN from VPN client

    OpenVPN
    22 Posts 6 Posters 5.9k Views
    reilos:

      Any other ideas anyone?

      marvosa:

        It's already been said, but your tunnel network is the same as the LAN on the remote end and the LAN on your end is the same as the wireless subnet on the remote end.  That is not going to work reliably.  In a routed solution, all of the subnets on both ends have to be unique.

        • First order of business, make sure everything you want to connect to is using pfSense as the default gateway.

        • Second, change the subnets on whichever side is easiest to change.  Also, I would stay away from 192.168.1.1/24 on either side… it's too common and will break your routing at some point.

        So, provided you have the firewall rules in place to allow the traffic, once your subnets are unique and you modify the server-side OpenVPN config accordingly, I don't see anything that would prevent traffic from getting to its destination at that point.

        1 Reply Last reply Reply Quote 0
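The point marvosa makes (every subnet on both ends of a routed VPN must be unique, and common ranges invite collisions) can be checked mechanically before touching the OpenVPN config. The script below is an added example, not code from this thread or from pfSense/OpenVPN: the four network labels and the "renumbered" values are constructed, and the two flagged prefixes are simply the ones the posters warn against.

```python
"""Uniqueness check for the subnets of a routed OpenVPN setup.

Added example, not code from the thread or from pfSense/OpenVPN. The
BROKEN plan is constructed to reproduce the collision marvosa describes
(tunnel network == remote LAN, local LAN == remote wireless); RENUMBERED
is an arbitrary plan with nothing in common.
"""
from ipaddress import ip_network
from itertools import combinations

# Prefixes the posters tell the OP to stay away from: too common, so a
# road-warrior client will eventually sit inside one of them.
FLAGGED = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]

# Constructed topology matching the collision described in the thread.
BROKEN = {
    "tunnel network":  "10.0.1.0/24",
    "local LAN":       "192.168.1.1/24",   # host bits set, as typed in the post
    "remote LAN":      "10.0.1.0/24",
    "remote wireless": "192.168.1.0/24",
}

# Constructed renumbering with nothing in common (values are arbitrary).
RENUMBERED = {
    "tunnel network":  "172.29.57.0/24",
    "local LAN":       "172.22.140.0/24",
    "remote LAN":      "172.23.77.0/24",
    "remote wireless": "172.24.91.0/24",
}


def parse(networks: dict) -> dict:
    """Accept 'a.b.c.d/len' even when host bits are set (strict=False)."""
    return {label: ip_network(cidr, strict=False) for label, cidr in networks.items()}


def find_overlaps(networks: dict) -> list:
    """Pairs of labels whose prefixes overlap; a routed VPN needs none."""
    nets = parse(networks)
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def find_flagged(networks: dict) -> list:
    """Labels whose prefix falls inside one of the flagged ranges."""
    nets = parse(networks)
    return [label for label, net in nets.items()
            if any(net.overlaps(f) for f in FLAGGED)]


def report(networks: dict) -> list:
    """Human-readable findings; an empty list means the plan is routable."""
    findings = [f"{a} overlaps {b}: packets for one will be delivered to the other"
                for a, b in find_overlaps(networks)]
    findings += [f"{label} is inside a commonly used range; expect collisions "
                 f"with client-side networks" for label in find_flagged(networks)]
    return findings


if __name__ == "__main__":
    for name, plan in (("as posted", BROKEN), ("renumbered", RENUMBERED)):
        print(f"== {name}")
        for line in report(plan) or ["no overlaps, all subnets unique"]:
            print("  " + line)
```

Run it against your own plan by replacing the dictionary values; `strict=False` lets you paste addresses the way people type them in forum posts (gateway address plus prefix length) rather than requiring the network address.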
          divsys:

          Agreeing with everything suggested so far (especially - get off of 192.168.1.x ).
          One other potential issue - check the devices you're attempting to access don't have firewall(s)/filtering enabled that prevents access from the OpenVPN tunnel (10.0.1.0/24).

          Happens very often with the Windoze builtin firewall, but I've seen similar issues with managed switches and other servers.

          Worth a look

          -jfp

            reilos:

            @marvosa:

             First order of business, make sure everything you want to connect to is using pfSense as the default gateway.

            Check

            @marvosa:

            Second, change the subnets on whichever side is easiest to change.

            Check
            (tried from ip 100.96.xxx.xxx)

            Can still only access the pfsense GUI, nothing else  :-[

              Derelict (Netgate):

              Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

              Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

              Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                reilos:

                @Derelict:

                Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.

                Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.

                Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.

                 I've posted all screenshots and config files; as far as I can see, everything mentioned above is in there. Everything in there is correct, right? Or not? I have no other firewall or gateway in place, and I CAN connect to 192.168.1.1 which is the pfSense box. So I would think I should be able to reach the other devices in that subnet too. I also see nothing blocking in the firewall logs.
                I just can't wrap my head around this somehow…

                  Derelict (Netgate):

                  If it was all there it would be working. Look again, hop by hop.

                  AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.

                    reilos:

                    @Derelict:

                    If it was all there it would be working. Look again, hop by hop.

                    Apparently I'm overlooking something, you see something I don't. That's why I came here  ;)

                    @Derelict:

                    AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.

                    I have no firewall on my phone, no firewall on the NAS, switch, APs, RPIs, etc., etc. Can't connect to any of them  :o

                      Derelict (Netgate):

                      You said up there (quoted below) you could get to your NAS, so which is it?

                      You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

                      I also suspect that:

                       to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs management interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

                      Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

                      This is not extremely difficult but there is some complexity to get everything working.

                        reilos:

                        @Derelict:

                        You said up there (quoted below) you could get to your NAS, so which is it?

                        Yeah, that seemed to work just once  :(

                        @Derelict:

                        You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.

                         I've tested it from a totally different subnet, 100.96.xxx.xxx so how can that be the issue here?
                         I will change that, and all the devices configured in my network when I'm sure everything else works, since I have to reconfigure a lot then (shares on all client devices, static IPs for quite some devices, virtual appliances, etc.)

                        @Derelict:

                        I also suspect that:

                         to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs management interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)

                        Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.

                         Good point there. My Access Points indeed don't have a default gateway configured. Heck, I found out it's not even possible to do so on them ???
                         Somehow I left the default gateway field in the switch empty facepalm
                         However, the NAS was configured correctly, but I still couldn't access that.

                         Now, what I did find out was this: Even though you set the "IPv4 Local Network/s" field correctly, the route to that network is not (always) pushed to the client. In the client export tab (if you have installed the package), you have to add an entry for the route in the "Additional configuration options" field. My suggestion would be to make it default, if the route is configured in the OpenVPN server.

                         I did add this manually in the client settings of the laptop earlier, but I was connected via the phone's "Personal Wifi Hotspot", which turned out to be in the 192.1.1.0/24 subnet (despite Android documentation telling it's in the 192.168.43.xxx range). When I tested with my phone only earlier (on network 100.96.xxx.xxx), I hadn't updated the config file to push the route yet.

                         Now that I updated all of the above, I can access at least my pfSense box, NAS and Switch management, so from my phone everything seems to work fine now  ;D

                         Now I can change my whole network's subnet… The joy...

                          johnpoz (Global Moderator):
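Derelict's rule a few posts up (every hop that leaves pfSense needs a route, every hop that enters it needs a firewall rule, so walk the path hop by hop) and the two faults reilos found above (the LAN route not present in the client config, and LAN devices with no default gateway) can be written down as a small model and exercised. The script below is an added example, not code from this thread or from pfSense/OpenVPN; the routing tables, rules and hosts are constructed, and only 192.168.1.0/24, 192.168.1.1 and 10.0.1.0/24 are taken from the thread.

```python
"""Hop-by-hop model of a road-warrior OpenVPN path through pfSense.

Added example, not code from the thread or from pfSense/OpenVPN. Every
address, table and host name below is constructed; only 192.168.1.0/24,
192.168.1.1 and 10.0.1.0/24 come from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Host:
    ip: IPv4Address
    gateway: Optional[IPv4Address]               # None: no default gateway configured
    blocked: list = field(default_factory=list)  # host firewall: dropped source nets


@dataclass
class Topology:
    pfsense_lan_ip: IPv4Address
    tunnel_net: IPv4Network
    pf_routes: list      # pfSense routing table: (prefix, interface), longest prefix wins
    ovpn_rules: list     # OpenVPN-tab rules: (action, src, dst), first match wins
    iroutes: list        # networks behind clients that the server has an iroute for
    client_routes: list  # what the client ends up with: pushed + additional options
    hosts: dict          # name -> Host


def lookup(routes: list, dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) pairs."""
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def permitted(rules: list, src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching rule decides; pfSense denies what no rule passes."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action == "pass"
    return False


def trace(topo: Topology, client_ip: str, host_name: str) -> Optional[tuple]:
    """Walk client -> pfSense -> host -> pfSense -> client.

    Returns (hop, explanation) for the first missing piece, or None when
    every hop has the route or rule it needs.
    """
    src = ip_address(client_ip)
    host = topo.hosts[host_name]
    dst = host.ip
    # Hop 1, client: the packet only enters the tunnel if a route says so.
    if lookup(topo.client_routes, dst) != "tun":
        return ("client", f"no route to {dst} via the tunnel; the LAN route was not pushed")
    # Hop 2, into pfSense: traffic arriving on the OpenVPN interface needs a pass rule.
    if not permitted(topo.ovpn_rules, src, dst):
        return ("pfsense-in", f"no OpenVPN-tab rule passes {src} -> {dst}")
    # Hop 3, out of pfSense: a route toward the host's network.
    if lookup(topo.pf_routes, dst) != "lan":
        return ("pfsense-route", f"no route to {dst} via LAN")
    # Hop 4, the host: its own firewall, then a reply path. The tunnel source is
    # off-subnet, so without pfSense as default gateway the reply never leaves.
    if any(src in net for net in host.blocked):
        return (host_name, f"local firewall drops traffic from {src}")
    if host.gateway is None:
        return (host_name, f"no default gateway; reply to {src} is dropped")
    if host.gateway != topo.pfsense_lan_ip:
        return (host_name, f"default gateway {host.gateway} is not pfSense")
    # Hop 5, back out of pfSense: the reply matches the existing state, but still
    # needs a route into OpenVPN, plus an iroute when the source sits on a network
    # behind a client rather than in the tunnel network itself.
    if lookup(topo.pf_routes, src) != "ovpn":
        return ("pfsense-return", f"no route back to {src} via OpenVPN")
    if src not in topo.tunnel_net and not any(src in n for n in topo.iroutes):
        return ("openvpn-iroute", f"no iroute covers {src}; server cannot pick a tunnel")
    return None


def sample(client_has_lan_route: bool = True, switch_has_gateway: bool = True) -> Topology:
    """Constructed topology in the shape of the thread's network."""
    lan, tun = ip_network("192.168.1.0/24"), ip_network("10.0.1.0/24")
    pf_lan_ip = ip_address("192.168.1.1")
    client_routes = [(ip_network("0.0.0.0/0"), "default")]
    if client_has_lan_route:
        client_routes.append((lan, "tun"))  # the pushed / additional-options route
    return Topology(
        pfsense_lan_ip=pf_lan_ip, tunnel_net=tun,
        pf_routes=[(lan, "lan"), (tun, "ovpn"), (ip_network("0.0.0.0/0"), "wan")],
        ovpn_rules=[("pass", tun, ip_network("0.0.0.0/0"))],
        iroutes=[], client_routes=client_routes,
        hosts={"nas": Host(ip_address("192.168.1.20"), pf_lan_ip),
               "switch": Host(ip_address("192.168.1.2"),
                              pf_lan_ip if switch_has_gateway else None)},
    )


if __name__ == "__main__":
    print(trace(sample(client_has_lan_route=False), "10.0.1.6", "nas"))
    print(trace(sample(switch_has_gateway=False), "10.0.1.6", "switch"))
    print(trace(sample(), "10.0.1.6", "switch"))
```

The first two calls reproduce the thread's symptoms (traffic never enters the tunnel; the switch receives the packet but has nowhere to send the reply), the third passes. Filling in the tables from your own pfSense routing table, OpenVPN-tab rules and client config gives you the hop-by-hop walk Derelict describes, with the first missing piece named.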

                          "i found out it's not even possible to do so on them"

                          Well those are not actual true AP then, you got some soho wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 25.07 | Lab VMs 2.8, 25.07

                            reilos:

                            @johnpoz:

                            Well those are not actual true AP then, you got some soho wifi router as your AP??  If you can run 3rd party like dd-wrt on them you can set a gateway.

                             3 different brands, and I can set just about everything but the gateway on two of them….
                             Even my old Apple Airport has that option  >:(

                             I know there's an unofficial dd-wrt build for one of them, but not for the other one. I'm not too keen on the unofficial builds.

                             For now, I'll just stick to the current situation. I can access my NAS and its shares, the main switch management and the devices and VMs I need. If I need to do maintenance on the access points I'll just have to come home once in a while  :P

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.