OVPN - Connect Success but no connectivity to Private IPs
-
A specific VPN interface should not be needed for accessing the LAN behind the vpn.
Are the routes set correctly on the client?
Post the routing table, please. -
Good thinking viragomann but it seems to be right as far as I can tell.
As you can see from the screenshots, the 10.10.80.0/21 network is going through the tunnel and I can ping the gateway. :/ hmmmm…
The last screenshot is of me trying to ping a machine; it does work when I'm in the network, just not over VPN. (i.e. the host is pingable from within)
 -
Is the pfSense the default gateway in 10.10.80.0/21? I'm in doubt.
If it isn't you have to add routes to the clients for the tunnel subnet or do NAT on pfSense.You can try a ping to pfSense LAN address to see if the routes work.
Also it seems you have added 10.10.80.0/21 to the "Local Networks" in the server settings and than have checked "redirect gateway". That shouldn't matter though, but sets additional routes.
-
Hey Viragomann,
Thanks again for looking into this.
PFSense box (10.10.80.186) is the router for the local LAN; the 192.168.0.186 box is the default gateway to the WAN. I attached a screenshot to help clarify.
I can ping and even log into the PFSense box from the VPN but cannot access any assets on the 10.10.80.0/21 network other than the PFSense box.
Yes, I have pushed the route and checked the redirect gateway box. Normally, I just click the box I believe but I was desperate so I tried other things.
What route would I add to the clients for the tunnel subnet and/or how would I properly NAT PFSense for the gateway issue?
 -
So you LAN devices use pfSense (10.10.80.186) as default gateway? If that's right, there will no special routes be needed for the VPN.
Can you also ping 10.10.80.186 over VPN?
Also ensure that the LAN device respond to request from VPN. Windows firewall block access from other subnets by default.
-
Correct, LAN gateway is 10.10.80.186. Yes I can ping that box and even log into it over VPN. I have changed the windows box to allow pings from everywhere but I also don't have access to SMB shares, web servers, etc. The mystery is…what could be wrong such that I cannot access any LAN devices except the gateway over the VPN? You're saying that everything looks correct as far as you can tell?
One more note. I have the DNS Resolver enabled and the DNS Forwarded Disabled...I assume none of that should matter when I'm trying to hit the IP Address directly though, right?
Thanks again.
-
Yes IP addresses should work anyway.
If you can ping the LAN interface of pfSense and it is the default gateway in LAN, also pings to other devices should work. But I assume, the devices don't respond.
To troubleshoot take a packet capture on pfSense (Diagnostics > Packet Capture). Set the interface to LAN, e.g. when pinging, the protocol to ICMP, eventually a host address (the clients vpn or the destinations IP), start the capture and try a ping, stop it and look if you see ping requests and responses.
-
So, this is somewhat enlightening but extremely curious. I've attached a packet capture from the LAN gateway.
The curious part is that I can access a linux machine on the LAN (10.10.81.195) both over ping and ssh no issues; however nothing will work from VPN client to one of my main servers (10.10.80.175). As you can see I tried to ping it, and hit several web server ports and the traffic never got back to the VPN client (10.10.103.2).
In the windows_weirdness capture you can see that from the vpn client I cannot get a response from the windows machine but from an internal device logged into via the VPN I can (10.10.81.195 -> 10.10.80.192). So why can I RDP to the windows machine from anywhere but only ping from internal…? very strange
The question seems to be why can VPN clients hit some assets on the LAN on some ports but not others?
Summary
PREFIX = 10.10.
PING 103.2 -> 81.195 (LINUX LAN MACHINE) -- SUCCESS
SSH:22 103.2 -> 81.195 (LINUX LAN MACHINE) -- SUCCESS
SSH:22 103.2 -> 80.186 (PFSense Gateway) -- SUCCESS
WEB:80 103.2 -> 80.186 (PFSense Gateway) -- SUCCESS
PING 103.2 -> 80.175 (LINUX Server) -- FAIL
WEB:8080 103.2 -> 80.175 (LINUX SERVER) -- FAIL
WEB:8989 103.2 -> 80.175 (LINUX SERVER) -- FAIL
WEB:80 103.2 -> 80.175 (LINUX SERVER) -- FAIL
PING 103.2 -> 80.192 (WINDOWS SERVER) -- FAIL WEIRD
RDP:3389 103.2 -> 80.192 (WINDOWS SERVER) -- SUCCESS WEIRD -
I haven't installed wireshark, hence I can't open the captures.
There are only two possible reasons for that behavior coming to my mind:
-
The software firewall on 80.175 blocks the access.
-
80.175 uses another gateway than pfSense.
Both already mentioned.
If 80.175 is a web server and accessible from the internet, the firewall want be the issue.
-
-
Ok, so I finally figured it out. OMG. I had created a cert with a type-o in it and the verify-x509-name was erroring when I tried to connect to machines that were on the domain. That's why some worked and some didn't, because some were on the domain and some weren't. Once I got that all fixed up everything else was easy.
Thanks so much for taking the time to look at this with me.