Netgate Discussion Forum

OpenVPN in existing environment: could only ping clients but not reach other ports, firewall completely opened.

OpenVPN
    3 Posts 3 Posters 488 Views

execcr:

Hello, I've installed pfSense 2.4.4 as a VM in my environment, with only a WAN port with a static IP.
Then I've configured an OpenVPN server to let some clients (they are CentOS machines I need to supervise) send data to me. I need that machine to be an OpenVPN server only; I have a default gateway (a Zyxel UTM).

So the basic information is:

My network: 192.168.50.0/24
OpenVPN client network: 172.16.0.0/24
pfSense VM WAN address: 192.168.50.200
Static route on GW to pfSense VM: 172.16.0.0/24 via 192.168.50.200

For debugging purposes I have enabled all traffic on WAN (and disabled "block bogon networks" and "block private networks") and on the OpenVPN firewall interface.
NAT is set to automatic mode.

A NAT rule on the Zyxel allows the server to be reached from the outside.

      The problem:
From my VPN clients I can ping all my network addresses (192.168.50.0/24). But I need to connect to my clients via SSH or HTTP and this doesn't work. I can only ping them. If I try to connect to some exposed services (e.g. HTTP or SSH) I cannot connect. It times out.

I cannot understand why this happens.

In theory this should work. The logical route should be this:
-> I would like to ping 172.16.0.5, for example.

my PC [192.168.50.15] --> my GW [192.168.50.1] --> pfSense VM [192.168.50.200] --> OpenVPN interface [172.16.0.1] --> tun VPN --> client [172.16.0.5] --> OpenVPN interface [172.16.0.1] --> pfSense VM [192.168.50.200] --> my PC [192.168.50.15]
then backwards: client [172.16.0.5] --> OpenVPN interface [172.16.0.1] --> pfSense VM [192.168.50.200] --> my PC [192.168.50.15]

      OpenVPN configuration: Tun / Client Access
      IPv4 Local network: 192.168.50.0/24

Any idea? Maybe I should trunk the GW<->pfSense VM link onto another network to better manage routing? I've always masqueraded the traffic, but this time I cannot (I need to reach the VPN clients and not vice versa).

      Thank you


viragomann:

You're on the right track. As you described the route, you can see that packets from the local network to the VPN client take a different route than packets in the other direction. So you get asymmetric routing.

The best way to resolve it is to put the pfSense VM into a VLAN and set a static route for the tunnel network on the gateway.

If masquerading is not an option, the only other solution is to add a static route on all the local devices you want to reach from the VPN clients.


johnpoz (LAYER 8 Global Moderator):
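To make the asymmetry described in the reply above concrete, here is an added example (written for this page, not code from the thread or from pfSense) that gives every hop a small longest-prefix-match routing table and traces the forward and return path between the LAN PC (192.168.50.15) and the VPN client (172.16.0.5). The addresses come from the original post; the routing tables of the Zyxel gateway and of the client, and the 192.168.60.0/24 VLAN used for the first fix, are assumptions made for the illustration.

```python
"""Trace forward and return paths through the thread's topology to show
asymmetric routing, then show both fixes from the reply: pfSense on its own
VLAN, or a static route for the tunnel network on every LAN host.
Added example; the gateway/client tables and the VLAN addresses are assumed."""
from ipaddress import ip_address, ip_network

# Addresses given in the post. pfSense owns its WAN address and the tunnel address.
HOST_ADDRS = {
    "pc": ["192.168.50.15"],
    "gw": ["192.168.50.1"],
    "pfsense": ["192.168.50.200", "172.16.0.1"],
    "client": ["172.16.0.5"],
}

# Routing tables as (destination, next hop); next hop None = directly connected.
# The pfSense WAN sits in the flat LAN, next to the PC and the gateway.
FLAT_LAN = {
    "pc":      [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")],
    "gw":      [("192.168.50.0/24", None), ("172.16.0.0/24", "192.168.50.200")],
    "pfsense": [("192.168.50.0/24", None), ("172.16.0.0/24", None)],
    "client":  [("172.16.0.0/24", None), ("192.168.50.0/24", "172.16.0.1")],
}

# Fix 1 (assumed addressing): pfSense WAN moved to VLAN 192.168.60.0/24,
# gateway is 192.168.60.1 there, pfSense defaults to the gateway for everything.
VLAN_ADDRS = {**HOST_ADDRS,
              "gw": ["192.168.50.1", "192.168.60.1"],
              "pfsense": ["192.168.60.200", "172.16.0.1"]}
VLAN_TABLES = {
    "pc":      [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")],
    "gw":      [("192.168.50.0/24", None), ("192.168.60.0/24", None),
                ("172.16.0.0/24", "192.168.60.200")],
    "pfsense": [("192.168.60.0/24", None), ("172.16.0.0/24", None),
                ("0.0.0.0/0", "192.168.60.1")],
    "client":  [("172.16.0.0/24", None), ("192.168.50.0/24", "172.16.0.1")],
}


def next_hop(table, dst):
    """Longest-prefix match; returns the address the packet is handed to next."""
    dst = ip_address(dst)
    best = None
    for net, via in table:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(dst) if best[1] is None else best[1]


def trace(tables, addrs, src, dst):
    """Walk hop by hop from host `src` towards address `dst`; returns host names."""
    owner = {a: host for host, alist in addrs.items() for a in alist}
    path, host = [src], src
    while dst not in addrs[host]:
        host = owner[next_hop(tables[host], dst)]
        if host in path:
            raise RuntimeError("routing loop: " + " -> ".join(path + [host]))
        path.append(host)
    return path


def symmetric(tables, addrs, a, b):
    """(is_symmetric, forward path, return path) for traffic between hosts a and b."""
    fwd = trace(tables, addrs, a, addrs[b][0])
    back = trace(tables, addrs, b, addrs[a][0])
    return fwd == back[::-1], fwd, back


def with_host_route(tables):
    """Fix 2: a static route for the tunnel network on the LAN host itself."""
    fixed = {h: list(t) for h, t in tables.items()}
    fixed["pc"].insert(0, ("172.16.0.0/24", "192.168.50.200"))
    return fixed


if __name__ == "__main__":
    for label, tables, addrs in (("flat LAN (as posted)", FLAT_LAN, HOST_ADDRS),
                                 ("pfSense in own VLAN", VLAN_TABLES, VLAN_ADDRS),
                                 ("host route on PC", with_host_route(FLAT_LAN), HOST_ADDRS)):
        ok, fwd, back = symmetric(tables, addrs, "pc", "client")
        print(f"{label}: symmetric={ok}")
        print("  forward:", " -> ".join(fwd))
        print("  return: ", " -> ".join(back))
```

In the posted layout the SYN goes PC -> gateway -> pfSense -> client, but the SYN-ACK comes back pfSense -> PC without touching the gateway, so neither stateful box sees both halves of the TCP handshake; ICMP echo tolerates this, a TCP connection does not. Either fix makes the return path the exact reverse of the forward path.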

@execcr said in "OpenVPN in existing environment: could only ping clients but not reach other ports, firewall completely opened.":

"a Zyxel UTM"

Why do you not just run your VPN server there, or just replace it with pfSense? Running a VPN server that is inside your network is always going to be an asymmetrical mess...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.