Netgate Discussion Forum

Clients can't see anything on LAN

    JMullen
    last edited by Jan 31, 2015, 4:44 AM Jan 31, 2015, 4:38 AM

    Alright, so this has me scratching my head. Just let me know what (else) I need to provide to get some help solving this. I'm thinking it's an issue with the firewall or routing, neither of which I'm super familiar with. Here's a pretty little picture showing the LAN topo and IP addresses :)

    OpenVPN allows a connection just fine. Running nmap locally shows the device connected and with a valid IP (nmap -v -sP 192.168.1.1/24). Nothing out of place on the OVPN logs, either.

    On the VPN connected device, if I try to view any of the networked resources (either PFSense itself, at .1 or any of my services running on the server at .3) nothing happens. 100% packet loss and it times out.  This leads me to believe that the devices can't "see" anything on the LAN due to a config issue somewhere along the line. Here's some screenshots showing the configs. If anything else is needed, please by all means just ask!

    FIREWALL:NAT:OUTBOUND

    FIREWALL:RULES:WAN

    FIREWALL:RULES:LAN

    FIREWALL:RULES:OPENVPN

    OPENVPN:SERVER

    OPENVPN:SERVER:CLICK FOR DETAILS

    OPENVPN:STATUS (Notice it ties me to 192.168.1.2… same address is set to STATIC for the router. Not sure if that's a big deal or not. I can connect to the router at that IP via SSH even with the client still connected to that IP via VPN. That said, it WAS giving out a 192.168.1.6 address to my client but while knocking my clumsy feet around, I believe I botched it.)

    Any ideas? See anything out of place? Need more info? Any help is greatly appreciated!!

      cmb
      last edited by Jan 31, 2015, 4:56 AM

      Your OpenVPN can't be on the same subnet as the LAN with a tun type server. Change it to something that's unused elsewhere in your network.

        JMullen
        last edited by Jan 31, 2015, 5:09 AM Jan 31, 2015, 5:05 AM

        I had read that elsewhere and tried it before, just tried it again but no luck. Here's the current settings after the change.

        EDIT: I know I'm missing something somewhere! It's driving me crazy because it's almost certainly a simple check box or a single digit off somewhere in a setting. :/

          JMullen
          last edited by Jan 31, 2015, 5:51 AM

          FIXED

          I'm not sure what exactly this does but I added it to the OpenVPN Server settings and I'm now able to hit all devices on the LAN from the VPN connection! :) Maybe this will help someone else!

          push "route 192.168.1.0 255.255.255.0"
          push "route 192.168.2.0 255.255.255.0"
          push "redirect-gateway def1"

            seqteq
            last edited by Feb 1, 2015, 4:02 AM Feb 1, 2015, 3:47 AM

            My VPN client can't get a route either. It does if I run the OpenVPN GUI 'As Administrator' on a windows box,
            but my clients will be locked down/non-admin.

            and "Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server."

            I don't want to redirect all traffic, just traffic to one subnet.

            I guessed at a dhcp-option:
            push "dhcp-option 121 192.168.1.0 255.255.255.0 192.168.30.5"

            But I get
            Options error: --dhcp-option: unknown option type '121' or missing parameter

              JMullen
              last edited by Feb 1, 2015, 4:36 AM Feb 1, 2015, 4:33 AM

              @seqteq:

              I guessed at a dhcp-option:
              push "dhcp-option 121 192.168.1.0 255.255.255.0 192.168.30.5"

              But I get
              Options error: --dhcp-option: unknown option type '121' or missing parameter

              Hey man :)

              Not sure if you can use "push" like that to use DNSMasq's DHCP option parameter. Using some Google-fu, it seems that this is the correct syntax:

              dhcp-option=121,x.x.x.x/yy,z.z.z.z
              

              I believe that should work, since "push" (I think) is behaving like it has no idea what the 121 option is in your example there.

              The proper syntax for "push" would be like I used in my quick fix, something like:

              ```
              push "route 192.168.2.0 255.255.255.0"
              ```

              Hope that helps you some. Feel free to get up with me and I'll see if I can help you at all :)
                seqteq
                last edited by Feb 1, 2015, 4:36 AM

                Thanks I'll give that a try in the manana  :)

                  seqteq
                  last edited by Feb 1, 2015, 6:49 PM

                  I tried the DHCP option with that syntax with no luck,

                  I also tried the PUSH route and that didn't work.

                  I get:
                  ERROR: Windows route add command failed [adaptive]: returned error code 1
                  ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=30]

                  I don't get this issue if I run OpenVPN GUI 'As Administrator' but I can't let my clients do that, they could tear up an anvil.

                  I've been looking at OpenVPN since last spring, I haven't revisited it because I was waiting on Hyper-V support in 2.2.

                  When I started I had great luck in my VMware test environment using a TAP or bridge setup. My locked down client got its route statement assigned by DHCP option 121 from a windows DHCP server. I guess the DHCP client service on the windows box runs with sufficient privileges.

                  There has to be a way to push routes to a locked down client in TUN mode. I wonder if you could register the OpenVPN gui as a windows service and have it run as local system???

                  All the searching I do, I find "just run it as administrator" :banghead

                    kejianshi
                    last edited by Feb 1, 2015, 6:59 PM

                    Your network has more NATs than old watermelon in the hot summer sun….

                      phil.davis
                      last edited by Feb 2, 2015, 7:11 AM

                      @JMullen:

                      FIXED

                      I'm not sure what exactly this does but I added it to the OpenVPN Server settings and I'm now able to hit all devices on the LAN from the VPN connection! :) Maybe this will help someone else!

                      push "route 192.168.1.0 255.255.255.0"
                      push "route 192.168.2.0 255.255.255.0"
                      push "redirect-gateway def1"

                      You really should just put:

                      192.168.1.0/24,192.168.2.0/24
                      

                      In the Remote Network/s field of the OpenVPN server settings. Then it does all that push route stuff for you.

                      And I suggest you change your LAN/s to some other private subnet/s that are not so common - your OpenVPN road-warrior users will have trouble when they are at home with their default SOHO device that already has 192.168.1.0/24 LAN.

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
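
An added example (not from any poster in this thread, and not pfSense or OpenVPN code): a small Python audit of OpenVPN server directives that flags the three issues raised above, namely a tun tunnel network overlapping a pushed LAN route, a pushed LAN that collides with common home-router subnets, and `redirect-gateway` turning a split tunnel into a full tunnel. The sample config, the `server` line in it, the `COMMON_SOHO` list and the finding codes are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: tunnel network placed on the LAN
# subnet (assumed `server` line) plus the three push directives from the fix.
SAMPLE_CONF = """
dev tun
server 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1"
"""

# Assumption: subnets treated here as typical home-router defaults.
COMMON_SOHO = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def parse(conf):
    """Return (tunnel network, pushed routes, full-tunnel flag)."""
    tunnel, routes, full_tunnel = None, [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r'server\s+(\S+)\s+(\S+)', line):
            tunnel = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif re.match(r'push\s+"redirect-gateway\b', line):
            full_tunnel = True
    return tunnel, routes, full_tunnel

def audit(conf):
    """Return a list of (code, detail) findings for one server config."""
    tunnel, routes, full_tunnel = parse(conf)
    findings = []
    for route in routes:
        if tunnel and tunnel.overlaps(route):
            findings.append(("TUNNEL_OVERLAP", f"tunnel {tunnel} overlaps pushed route {route}"))
        if any(route.overlaps(s) for s in COMMON_SOHO):
            findings.append(("SOHO_COLLISION", f"{route} is a common home LAN; remote clients may route locally"))
    if full_tunnel:
        findings.append(("FULL_TUNNEL", "redirect-gateway sends all client traffic through the VPN"))
    if not routes and not full_tunnel:
        findings.append(("NO_ROUTES", "no route pushed; clients get no route to the LAN from the server"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(code, detail)
```
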
