Netgate Discussion Forum
OVPN - Connect Success but no connectivity to Private IPs
viragomann:

A specific VPN interface should not be needed for accessing the LAN behind the VPN.

Are the routes set correctly on the client?
Post the routing table, please.

srfnmnk:

Good thinking viragomann, but it seems to be right as far as I can tell.

As you can see from the screenshots, the 10.10.80.0/21 network is going through the tunnel and I can ping the gateway. :/ hmmmm…

The last screenshot is of me trying to ping a machine; it does work when I'm in the network, just not over VPN (i.e. the host is pingable from within).

![Screen Shot 2017-10-31 at 2.54.52 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-31 at 2.54.52 PM.png)
![Screen Shot 2017-10-31 at 2.55.08 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-31 at 2.55.08 PM.png)
![Screen Shot 2017-10-31 at 2.55.19 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-31 at 2.55.19 PM.png)

viragomann:

Is the pfSense the default gateway in 10.10.80.0/21? I'm in doubt.
If it isn't, you have to add routes to the clients for the tunnel subnet or do NAT on pfSense.

You can try a ping to the pfSense LAN address to see if the routes work.

Also, it seems you have added 10.10.80.0/21 to the "Local Networks" in the server settings and then have checked "redirect gateway". That shouldn't matter though, but it sets additional routes.

srfnmnk:

Hey Viragomann,

Thanks again for looking into this.

The PFSense box (10.10.80.186) is the router for the local LAN; the 192.168.0.186 box is the default gateway to the WAN. I attached a screenshot to help clarify.

I can ping and even log into the PFSense box from the VPN but cannot access any assets on the 10.10.80.0/21 network other than the PFSense box.

Yes, I have pushed the route and checked the redirect gateway box. Normally, I just click the box, I believe, but I was desperate so I tried other things.

What route would I add to the clients for the tunnel subnet and/or how would I properly NAT PFSense for the gateway issue?

![Screen Shot 2017-11-01 at 8.27.02 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-01 at 8.27.02 AM.png)

viragomann:

So your LAN devices use pfSense (10.10.80.186) as default gateway? If that's right, no special routes will be needed for the VPN.

Can you also ping 10.10.80.186 over VPN?

Also ensure that the LAN devices respond to requests from the VPN. The Windows firewall blocks access from other subnets by default.

srfnmnk:

Correct, the LAN gateway is 10.10.80.186. Yes, I can ping that box and even log into it over VPN. I have changed the Windows box to allow pings from everywhere, but I also don't have access to SMB shares, web servers, etc. The mystery is… what could be wrong such that I cannot access any LAN devices except the gateway over the VPN? You're saying that everything looks correct as far as you can tell?

One more note. I have the DNS Resolver enabled and the DNS Forwarder disabled... I assume none of that should matter when I'm trying to hit the IP address directly though, right?

Thanks again.

viragomann:

Yes, IP addresses should work anyway.

If you can ping the LAN interface of pfSense and it is the default gateway in the LAN, pings to other devices should also work. But I assume the devices don't respond.

To troubleshoot, take a packet capture on pfSense (Diagnostics > Packet Capture). Set the interface to LAN, the protocol to ICMP (e.g. when pinging) and optionally a host address (the client's VPN IP or the destination's IP); start the capture, try a ping, stop it and look whether you see both ping requests and responses.

srfnmnk:

So, this is somewhat enlightening but extremely curious. I've attached a packet capture from the LAN gateway.

The curious part is that I can access a Linux machine on the LAN (10.10.81.195) both over ping and SSH with no issues; however, nothing will work from the VPN client to one of my main servers (10.10.80.175). As you can see, I tried to ping it and hit several web server ports, and the traffic never got back to the VPN client (10.10.103.2).

In the windows_weirdness capture you can see that from the VPN client I cannot get a response from the Windows machine, but from an internal device logged into via the VPN I can (10.10.81.195 -> 10.10.80.192). So why can I RDP to the Windows machine from anywhere but only ping from internal…? Very strange.

The question seems to be: why can VPN clients hit some assets on the LAN on some ports but not others?

Summary

```text
PREFIX = 10.10.

PING            103.2 -> 81.195    (LINUX LAN MACHINE)  --  SUCCESS
SSH:22          103.2 -> 81.195    (LINUX LAN MACHINE)  --  SUCCESS
SSH:22          103.2 -> 80.186    (PFSense Gateway)    --  SUCCESS
WEB:80          103.2 -> 80.186    (PFSense Gateway)    --  SUCCESS
PING            103.2 -> 80.175    (LINUX Server)       --  FAIL
WEB:8080        103.2 -> 80.175    (LINUX SERVER)       --  FAIL
WEB:8989        103.2 -> 80.175    (LINUX SERVER)       --  FAIL
WEB:80          103.2 -> 80.175    (LINUX SERVER)       --  FAIL
PING            103.2 -> 80.192    (WINDOWS SERVER)     --  FAIL        WEIRD
RDP:3389        103.2 -> 80.192    (WINDOWS SERVER)     --  SUCCESS     WEIRD
```

Attachments: packetcapture.pcap, windows_weirdness.pcap

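A SUCCESS/FAIL matrix like the one in the post above is the most useful evidence to collect before guessing at routing or host-firewall causes, because it separates "the host never answered" from "the host answered with a reset". The following is an added example, not code from the thread, pfSense or OpenVPN: a small Python probe that takes `(label, host, port)` targets, tests ICMP through the system `ping` binary (Linux-style `-c`/`-W` flags assumed) and TCP through a plain connect, and prints the same column layout. `TARGETS` reuses the thread's addresses as constructed sample input; `demo_matrix()` exercises only the TCP path against loopback so the block runs offline.

```python
"""Reachability matrix from a VPN client (added example; not from the thread)."""
import shutil
import socket
import subprocess
from typing import List, Optional, Tuple

Probe = Tuple[str, str, Optional[int]]   # (label, host, port); port None = ICMP

# Constructed sample targets mirroring the thread's summary (prefix 10.10.).
TARGETS: List[Probe] = [
    ("PING",     "10.10.81.195", None),
    ("SSH:22",   "10.10.81.195", 22),
    ("WEB:80",   "10.10.80.186", 80),
    ("PING",     "10.10.80.175", None),
    ("WEB:8080", "10.10.80.175", 8080),
    ("RDP:3389", "10.10.80.192", 3389),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> str:
    """SUCCESS if the TCP handshake completes; REFUSED if the host answered with
    a reset (path works, port closed); FAIL if the connect timed out or the
    path failed, which is what a routing problem or a silent host-firewall
    drop (the two causes discussed in the thread) looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "SUCCESS"
    except ConnectionRefusedError:
        return "REFUSED"
    except OSError:
        return "FAIL"


def icmp_reachable(host: str, timeout_s: int = 2) -> str:
    """One echo request via the system ping (Linux flags: -c count, -W timeout).
    Returns SKIPPED when no ping binary is available."""
    if shutil.which("ping") is None:
        return "SKIPPED"
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return "SUCCESS" if proc.returncode == 0 else "FAIL"


def probe_matrix(probes: List[Probe]) -> List[Tuple[str, str, Optional[int], str]]:
    """Run every probe and collect (label, host, port, status) rows."""
    rows = []
    for label, host, port in probes:
        status = icmp_reachable(host) if port is None else tcp_reachable(host, port)
        rows.append((label, host, port, status))
    return rows


def format_matrix(rows) -> str:
    """Render rows in the same column style as the thread's summary."""
    lines = []
    for label, host, port, status in rows:
        target = host if port is None else f"{host}:{port}"
        lines.append(f"{label:<10} -> {target:<22} -- {status}")
    return "\n".join(lines)


def demo_matrix():
    """Offline self-check: one listening loopback port and one closed one.
    The listener completes the handshake; the closed port answers with a reset."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens on closed_port any more
    try:
        return probe_matrix([
            ("OPEN",   "127.0.0.1", open_port),
            ("CLOSED", "127.0.0.1", closed_port),
        ])
    finally:
        listener.close()


if __name__ == "__main__":
    print(format_matrix(demo_matrix()))
    # From a connected VPN client, against the real LAN:
    # print(format_matrix(probe_matrix(TARGETS)))
```

Run it from the VPN client while the packet capture described earlier is running on the pfSense LAN interface: a FAIL row whose request appears in the capture but gets no reply points at the target host (local firewall or wrong default gateway), while a FAIL row whose request never reaches the LAN points at routing or the tunnel itself.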
viragomann:

I haven't installed Wireshark, hence I can't open the captures.

There are only two possible reasons for that behavior that come to my mind:

• The software firewall on 80.175 blocks the access.

• 80.175 uses another gateway than pfSense.

Both already mentioned.

If 80.175 is a web server and accessible from the internet, the firewall won't be the issue.

srfnmnk:

Ok, so I finally figured it out. OMG. I had created a cert with a typo in it and the verify-x509-name was erroring when I tried to connect to machines that were on the domain. That's why some worked and some didn't, because some were on the domain and some weren't. Once I got that all fixed up, everything else was easy.

Thanks so much for taking the time to look at this with me.

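The resolution above comes down to a name mismatch: `verify-x509-name` makes an OpenVPN client compare the peer certificate's subject (or its CN) against a configured string, and any mismatch, whether the typo is in the certificate or in the directive, fails verification. The following is an added example, not OpenVPN's code and not the poster's configuration: a simplified Python re-implementation of the three matching types OpenVPN accepts (`subject`, the default; `name`; `name-prefix`), plus a helper that pulls the directive out of a client config and evaluates it. `SERVER_SUBJECT`, `GOOD_CONFIG` and `TYPO_CONFIG` are constructed sample inputs, and the subject parser assumes an RFC 2253-style string without escaped commas.

```python
"""Emulate OpenVPN's verify-x509-name matching (added example; simplified)."""
import shlex
from typing import List, Optional, Tuple

# Constructed server certificate subject and client configs (not from the thread).
SERVER_SUBJECT = "C=US, O=Example Lab, CN=vpn.example.com"

GOOD_CONFIG = """\
client
remote vpn.example.com 1194 udp
verify-x509-name vpn.example.com name
"""

TYPO_CONFIG = """\
client
remote vpn.example.com 1194 udp
# one transposed letter: verification fails on every connection attempt
verify-x509-name vpn.exmaple.com name
"""


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split 'C=US, O=Example Lab, CN=host' into ordered (attribute, value) pairs.
    Simplified: no escaped commas and no multi-valued RDNs."""
    pairs = []
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def verify_x509_name(cert_subject: str, expected: str, kind: str = "subject") -> bool:
    """Apply one of OpenVPN's verify-x509-name types:
       subject      the whole DN must match (default when no type is given)
       name         the CN must match exactly
       name-prefix  the CN must start with the configured string"""
    if kind == "subject":
        return parse_subject(cert_subject) == parse_subject(expected)
    cn = next((v for a, v in parse_subject(cert_subject) if a == "CN"), "")
    if kind == "name":
        return cn == expected
    if kind == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name type: {kind!r}")


def check_config(config_text: str, server_subject: str) -> Optional[Tuple[str, str, bool]]:
    """Find the verify-x509-name directive in a client config and evaluate it
    against the server's subject. Returns (expected, type, ok), or None when
    the directive is absent (the client then performs no name check at all)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment syntax
            continue
        tokens = shlex.split(line)             # honours quoted subject strings
        if tokens[0] != "verify-x509-name":
            continue
        expected = tokens[1]
        kind = tokens[2] if len(tokens) > 2 else "subject"
        return expected, kind, verify_x509_name(server_subject, expected, kind)
    return None


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("typo", TYPO_CONFIG)):
        print(label, check_config(cfg, SERVER_SUBJECT))
```

Running the script prints a matching result for the good config and a failing one for the typo, which is the cheap check to do on a client profile before concluding that the problem is routing: the client log for a failed name check names the expected and actual subject, and the two strings can be fed straight into `verify_x509_name` to confirm which side carries the typo.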
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.