can't reach my access points on my lan side using openVPN

Asamat

Can you attach screenshots of

OpenVPN server config
Firewall Rules for OpenVPN
route table from OpenVPN client when it has OpenVPN up

tripplex95

0_1541318488851_Screenshot_2018-11-04 Anonymous Anonymous dev - VPN OpenVPN Servers Edit.png 0_1541318546703_Screenshot_2018-11-04 Anonymous Anonymous dev - Firewall Rules OpenVPN.png

Asamat

I see no traffic on OpenVPN tunnel. Can you try to use Packet Capture (Diagnostics/Packet Capture) to check if there are any incoming packets in tunnel?

Interface: OpenVPN
promiscuous mode enabled
start
Capture traffic for a while (2-3 minutes) then Stop and check.

Asamat

@tripplex95 said in can't reach my access points on my lan side using openVPN:

I am able to reach the firewall by its lan ip when openVPN enabled.

Sorry, I only now saw this comment - if you can reach LAN IP but can't reach any host behind LAN - you need to check route table on hosts behind LAN.
And if you try Packet Capture on LAN I think you will see output packets from your Remote host but no replies from hosts on LAN (and it's definitely problem with route table on these hosts)

chpalmer

You can reach the LAN address of the firewall from one of the OpenVPN clients?

Can you show your OpenVPN firewall rules? Set to LAN net and not LAN address right?

tripplex95

It's there apart of the screen shot. Look above the cmd route output.

tripplex95

@asamat this so an issue. so I have to set a static routes in the access points to be able to access them via openvpn?

Asamat

If your access points don't have pfSense as default GW - yes, you need to add static route like
Destination: 10.0.8.0/24
GW: <pfSense IP>

tripplex95

@asamat yes they are configured and have pfsense as there default gateway.

biggsy

It may be because the APs don't want to talk to anything outside their own network - e.g., traffic coming from the VPN tunnel. I've seen this a few times.

You would need outbound NAT to overcome that.

Have a look at this thread and jimp's recommendation.

Gertjan

@biggsy said in can't reach my access points on my lan side using openVPN:

It may be because the APs don't want to talk to anything outside their own network - e.g., traffic coming from the VPN tunnel. I've seen this a few times.

This can be tested easily. tested.
Change your WAN2 for a LAN2 interface.
You'll be having a LAN with 192.168.1.1/24 - on this LAN you have your AP (right ?!).
Make LAN2 (OPT1) like 192.168.2.1/24 - put a pass all firewall rule on it, activate a DHCP server on it, connect to it.

Now, can you access your AP on LAN coming from your PC hooked on LAN2 ?
You should be able to do so. (I do soo all the time, accessing devices on other LAN segments).
If not => go check you AP.