Netgate Discussion Forum
    Cannot ping some devices across openvpn

    Jesto

      Hello,

      I have a strange issue with OpenVPN.
      I can ping and access some devices fine, but cannot access some others.

      My setup is simple:
      10.94.10.0/24 my LAN net
      10.254.94.0/24 my OpenVPN net

      10.94.10.254/24 is my pfSense address on LAN.
      10.94.10.10/24 is a Netgear NAS (its gateway is 10.94.10.254)
      10.94.10.201/24 is a random printer (its gateway is 10.94.10.254)

      If I try to ping as follows from pfsense/diagnostic/ping:
      ping 10.94.10.10 from LAN : OK
      ping 10.94.10.201 from LAN : OK
      ping 10.94.10.10 from OpenVPN : KO
      ping 10.94.10.201 from OpenVPN : OK

      I have exactly the same symptoms with diagnostic/test ports.
      test port 80 10.94.10.10 from LAN : OK
      test port 80 10.94.10.201 from LAN : OK
      test port 80 10.94.10.10 from OpenVPN : KO
      test port 80 10.94.10.201 from OpenVPN : OK

      Also, I cannot NAT anything to 10.94.10.10.

      I'm away from this device at the moment (and can't access it), but I'm pretty sure jumbo frames are enabled on this device. I don't know about MTU. Could that be the reason?
      If so, is there any way to sort it out without touching the NAS settings?

      Thanks a lot for your help.

      marvosa

        Post your openvpn config (server1.conf).

        Jesto

          Thank you Marvosa. Here it is.

          dev ovpns1
          verb 1
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto tcp-server
          cipher AES-256-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          client-connect /usr/local/sbin/openvpn.attributes.sh
          client-disconnect /usr/local/sbin/openvpn.attributes.sh
          local 192.168.10.254
          tls-server
          server 10.254.94.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc
          client-cert-not-required
          username-as-common-name
          auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'EK-CERT-VPN' 1 "
          lport 443
          management /var/etc/openvpn/server1.sock unix
          max-clients 5
          push "route 10.94.10.0 255.255.255.0"
          push "dhcp-option DOMAIN ek.local"
          push "dhcp-option DNS 10.94.10.254"
          push "register-dns"
          push "dhcp-option NTP 10.94.10.254"
          duplicate-cn
          ca /var/etc/openvpn/server1.ca 
          cert /var/etc/openvpn/server1.cert 
          key /var/etc/openvpn/server1.key 
          dh /etc/dh-parameters.2048
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          persist-remote-ip
          float
          johnpoz (Global Moderator)

            You sure your NAS doesn't have a firewall blocking access from anything not on its own network? This is very common!

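The original post's test matrix (LAN source reaches the NAS, OpenVPN source does not) and the host-firewall hypothesis raised in the reply above can be separated with a packet capture on the pfSense LAN interface while the Diagnostics > Ping test runs with the OpenVPN source: if the echo request never shows up on the LAN side, pfSense is dropping or misrouting it; if it shows up but no reply follows, the host itself is ignoring the off-subnet source. The script below is an added example, not part of the thread or of pfSense; it parses `tcpdump -n` output and applies exactly that reasoning. The capture text is constructed, the interface name `em0` and the server's tunnel address `10.254.94.1` (first host in the `10.254.94.0/24` tunnel net) are assumptions, and the IP addresses are the ones from the post.

```python
import re
from typing import Dict, List

# Constructed sample capture (not from the thread). Imagined output of
#   tcpdump -ni em0 -l 'icmp and host 10.94.10.10'
# on the pfSense LAN interface (interface name assumed) while 10.94.10.10 is
# pinged once from the LAN address 10.94.10.254 and three times from the
# OpenVPN server's tunnel address, assumed to be 10.254.94.1.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.94.10.254 > 10.94.10.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000450 IP 10.94.10.10 > 10.94.10.254: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 10.254.94.1 > 10.94.10.10: ICMP echo request, id 2, seq 1, length 64
12:00:02.500000 ARP, Request who-has 10.94.10.10 tell 10.94.10.254, length 28
12:00:03.000001 IP 10.254.94.1 > 10.94.10.10: ICMP echo request, id 2, seq 2, length 64
12:00:04.000001 IP 10.254.94.1 > 10.94.10.10: ICMP echo request, id 2, seq 3, length 64
"""

# One tcpdump -n line for an ICMP echo request or reply.
ICMP_ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

EXPLANATION = {
    "NOT_ON_WIRE": "echo requests never appeared on the LAN segment: the packet is "
                   "dropped or misrouted inside pfSense (check the OpenVPN-tab firewall "
                   "rules and that the tunnel net is allowed to reach the target)",
    "NO_REPLY_FROM_HOST": "echo requests reached the LAN segment but the host never "
                          "answered: a host-side firewall that only accepts its own "
                          "subnet, or a host that cannot route back to an off-subnet source",
    "PARTIAL_REPLY": "some replies are missing: packet loss or a duplicate-address/ARP "
                     "problem on the LAN",
    "OK": "request and reply both seen on the LAN side; if the client still fails, look "
          "at the client's routing table or at NAT between client and server",
}


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Keep only ICMP echo request/reply lines; ARP and other noise is skipped."""
    records = []
    for line in text.splitlines():
        m = ICMP_ECHO_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify(records: List[Dict[str, str]], probe_src: str, target: str) -> str:
    """Verdict for one probe source: did its requests hit the wire, and did the target answer?"""
    requests = sum(1 for r in records
                   if r["kind"] == "request" and r["src"] == probe_src and r["dst"] == target)
    replies = sum(1 for r in records
                  if r["kind"] == "reply" and r["src"] == target and r["dst"] == probe_src)
    if requests == 0:
        return "NOT_ON_WIRE"
    if replies == 0:
        return "NO_REPLY_FROM_HOST"
    if replies < requests:
        return "PARTIAL_REPLY"
    return "OK"


def triage(capture: str, target: str, lan_src: str, tunnel_src: str) -> Dict[str, str]:
    """Compare a LAN-sourced and a tunnel-sourced probe against the same target."""
    records = parse_capture(capture)
    lan = classify(records, lan_src, target)
    tunnel = classify(records, tunnel_src, target)
    result = {"lan": lan, "tunnel": tunnel}
    if lan == "OK" and tunnel == "NO_REPLY_FROM_HOST":
        # The pattern from the thread: the host answers its own subnet only.
        result["diagnosis"] = ("host answers its own subnet but ignores the tunnel source: "
                               + EXPLANATION[tunnel])
    else:
        result["diagnosis"] = EXPLANATION[tunnel]
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE, "10.94.10.10", "10.94.10.254", "10.254.94.1").items():
        print(f"{key}: {value}")
```

To use it against a real capture, run the `tcpdump` command from the comment on the pfSense shell (substituting the real LAN interface name), repeat the Diagnostics > Ping test once with the LAN source and once with the OpenVPN source, and paste the output in place of `SAMPLE_CAPTURE`. One caveat relevant to the jumbo-frame question in the original post: a default ping is an 84-byte IP packet, far below any MTU, so an MTU or jumbo-frame mismatch would not stop a plain ping; it shows up as small pings succeeding while large transfers stall.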
            Jesto

              The NAS is quite old and does not appear to have such a rule (at least in the web interface). I'll try to have a look at it more closely (and see if I can access it via PuTTY or something), but I doubt it. It would be strange for a NAS to be sold with such a rule built in.

              marvosa

                The config looks OK. So, there are a couple of things:

                • Make sure there's a route to 10.94.10.0/24 in your client's routing table upon connection.  If not, verify that you're running the OpenVPN client as admin.

                • It looks like you're double NAT'ing. If you have access to the modem or edge device, the easiest fix is to put your modem into bridge mode, so pfSense gets a public IP and everything will start working. Otherwise, you may need to add a route to the edge device that points the OpenVPN tunnel network towards pfSense.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.