Netgate Discussion Forum

    [Solved] DHCP clients on LAN do not see OpenVPN network

    • F
      Falselock
      last edited by

      Have remote OpenVPN server. It is up and running.

      Have pfsense as main gateway for local network. There is DHCP service on pfsense LAN interface.
      Also set up OpenVPN client on my pfsense and do connect to remote OpenVPN server. It is working, no errors in log. Even can ping remote OpenVPN network from pfsense console.

      BUT!

      My DHCP clients on LAN interface do not see OpenVPN network. That is strange, because I expect pfsense will route traffic automatically after successful connection.
      I am 100% sure the problem is on the pfsense side, because I had the same scheme on a non-pfsense router and everything works as expected.

      What should I tune on pfsense to be able to access the remote VPN network from LAN DHCP clients?

      1 Reply Last reply Reply Quote 0
      • M
        marvosa
        last edited by

        Are you seeing blocks in the logs? Would need to see the config on both sides to offer any targeted help. Post the server1.conf from the server and the client1.conf from the client.

        1 Reply Last reply Reply Quote 0
        • F
          Falselock
          last edited by

          @marvosa:

          Are you seeing blocks in the logs? Would need to see the config on both sides to offer any targeted help. Post the server1.conf from the server and the client1.conf from the client.

          No blocks.

          Client side

          
          ```
          dev ovpnc1
          verb 3
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp4
          cipher AES-256-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          multihome
          engine cryptodev
          tls-client
          client
          nobind
          management /var/etc/openvpn/client1.sock unix
          remote 285.325.45.142 53294
          ifconfig 10.8.0.2 10.8.0.1
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          ncp-ciphers AES-256-GCM:AES-128-GCM
          resolv-retry infinite
          topology subnet
          auth-nocache
          remote-cert-tls server
          ```
          
          

          Server side

          
          ```
          dev ovpns2
          verb 1
          dev-type tun
          dev-node /dev/tun2
          writepid /var/run/openvpn_server2.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          multihome
          engine cryptodev
          tls-server
          server 10.8.0.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc/server2
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.kz' 1"
          lport 53294
          management /var/etc/openvpn/server2.sock unix
          push "route 192.168.10.0 255.255.255.0"
          ca /var/etc/openvpn/server2.ca
          cert /var/etc/openvpn/server2.cert
          key /var/etc/openvpn/server2.key
          dh /etc/dh-parameters.1024
          crl-verify /var/etc/openvpn/server2.crl-verify
          tls-auth /var/etc/openvpn/server2.tls-auth 0
          ncp-ciphers AES-256-GCM:AES-128-GCM
          persist-remote-ip
          float
          topology subnet
          route 192.168.1.0 255.255.255.0 # Office
          ```
          
          
          1 Reply Last reply Reply Quote 0
          • M
            marvosa
            last edited by

            What is the LAN subnet on both sides?

            1 Reply Last reply Reply Quote 0
            • F
              Falselock
              last edited by

              @marvosa:

              What is the LAN subnet on both sides?

              Thanks. Fixed by defining "Client Specific Overrides" and

              ```
              iroute 192.168.1.0 255.255.255.0;
              ```

              1 Reply Last reply Reply Quote 0
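
Why the `iroute` line resolves the thread, as an added example that is not part of the original posts: in `server` mode a `route` line only sends the subnet into the tunnel interface, and OpenVPN still needs an `iroute` in a client's override to know which connected client owns it. The checker below flags `route` subnets with no matching `iroute`; the server excerpt is constructed from the config posted above, and the common name `office-client` is a hypothetical placeholder.

```python
import ipaddress

def directives(text):
    """Yield each config directive as a token list, skipping comments."""
    for raw in text.splitlines():
        # '#' starts a comment; the iroute line in the post ends with ';'.
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line and not line.startswith(";"):
            yield line.replace('"', " ").split()

def network(tokens):
    """Build a network from '<directive> <network> [netmask]'."""
    mask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
    return ipaddress.ip_network(f"{tokens[1]}/{mask}", strict=False)

def routes_without_iroute(server_conf, ccd_files):
    """List server-side 'route' subnets that no client override claims."""
    conf = list(directives(server_conf))
    # Only multi-client (server) mode does internal per-client routing.
    if not any(t[0] == "server" or t[:2] == ["mode", "server"] for t in conf):
        return []
    routes = [network(t) for t in conf if t[0] == "route" and len(t) > 1]
    iroutes = [network(t)
               for text in ccd_files.values()
               for t in directives(text)
               if t[0] == "iroute" and len(t) > 1]
    # A route is covered when some client's iroute contains it.
    return [str(r) for r in routes
            if not any(r.subnet_of(i) for i in iroutes)]

# Constructed excerpt of the server config posted in the thread.
SERVER_CONF = """\
dev ovpns2
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
push "route 192.168.10.0 255.255.255.0"
route 192.168.1.0 255.255.255.0 # Office
"""

# Override contents keyed by client common name (hypothetical name).
CCD_FIXED = {"office-client": "iroute 192.168.1.0 255.255.255.0;"}

if __name__ == "__main__":
    print("before fix:", routes_without_iroute(SERVER_CONF, {}))
    print("after fix: ", routes_without_iroute(SERVER_CONF, CCD_FIXED))
```
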
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.