Netgate Discussion Forum

    connected but cant access vpn lan after upgrade to 2.4.4 p1

    • A
      ariban99
      last edited by

      So I don't think I am doing it correctly.
      I assigned OPT1 and OPT2 for the OpenVPN.
      So OPT1 is for 192.168.2.0
      and OPT2 is for 192.168.3.0.

      Then enabled them.

      Under Rules, OPENVPN tab,
      I create a new rule:
      interface, WAN
      IPV4
      ANY
      source, I selected OPT1
      destination OPT2

      And I did the reverse for the second OpenVPN but it's still not working.
      What am I doing wrong?

      • chpalmerC
        chpalmer
        last edited by

        Your "Tunnel" networks.. put both sides of the VPN tunnel in the same subnet.

        tunnel 10.0.3.0/30
        When you do this each box will take an address in this subnet.

        [Screenshot: tunnel.jpg]

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • chpalmerC
          chpalmer @chpalmer
          last edited by

          @chpalmer
          On your second VPN tunnel use a different subnet..

          • chpalmerC
            chpalmer
            last edited by

            I never assign my own OpenVPN sessions to an interface on the box. So you might be seeing another issue that I wouldn't see but the information above is correct either way. IP Tunnel network on each side should be in the same subnet.

            Remote network is the network(s) of the box on the other side.

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by Derelict

              @ariban99 said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

              so i dont think i am doing it correctly.
              i assigned OPT1 and OPT2 for the openvpn
              so OPT1 is for 192.168.2.0
              and OPT2 is for 192.168.3.0

              You do not number OpenVPN assigned interfaces. You simply assign them then enable them then bounce that OpenVPN instance. You do not specifically number them in the interface configuration. Might be misunderstanding what you're doing but that's what I read.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • N
                netblues @Derelict
                last edited by

                Just assign interfaces to openvpn tunnels.
                DON'T put IPs there, it will happen automatically by OpenVPN.

                • chpalmerC
                  chpalmer @netblues
                  last edited by

                  @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                  Just assign interfaces to openvpn tunnels.
                  DON'T put ip's there,

                  Just like Derelict said..

                  What does assigning tunnels to interfaces get over just building the tunnel on the router and not assigning them to interfaces? Just curious..

                  • N
                    netblues @chpalmer
                    last edited by

                    @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                    Just assign interfaces to openvpn tunnels.
                    DON'T put ip's there,

                    It creates the interfaces so you can policy route, add rules, monitor traffic, etc...

                    • chpalmerC
                      chpalmer
                      last edited by

                      Thanks!

                      From your list the only thing it seems I don't have is the ability to monitor with the graphs.. you would have to elaborate on the etc..

                      But just curious..

                      • N
                        netblues @chpalmer
                        last edited by

                        @chpalmer https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

                        • chpalmerC
                          chpalmer @netblues
                          last edited by

                          @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:
                          https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

                          Thanks! I've been wondering but never asked.

                          Adds a firewall tab under Firewall > Rules
                          

                          We have this. Maybe past incarnations did not..??

                          Adds reply-to to rules on the VPN interface tab to help with return routing
                          Adds a Gateway entry for the far side of the VPN for policy routing
                          Allows the interface to be selected elsewhere in the GUI and packages
                          Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN
                          

                          Good to know.

                          • N
                            netblues @chpalmer
                            last edited by

                            @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                            Adds a firewall tab under Firewall > Rules
                            

                            We have this. Maybe past incarnations did not..??

                            Now you have one for each tunnel.
                            If you are just using one tunnel, then you can get away without assigning an interface
                            (it will be happening dynamically behind the scenes).
                            In more complex scenarios an assigned interface comes in handy.
                            Say, remote client with no split tunnel accessing specific site using nat which happens at another remote client connected via another openvpn tunnel.
                            One use for that is geolocation bypass.
                            Another is using a vps host in a datacenter as a static ip gateway.

                            • chpalmerC
                              chpalmer
                              last edited by

                              Thanks!

                              On my OpenVPN tab I simply make a rule for each VPN subnet I'm controlling. I have ten different tunnels coming into this location alone besides a roadwarrior setup..

                              I do think the OP could simplify his setup a bit in this fashion.

                              From one of our spur sites..

                              [Screenshot: VPNRules.jpg]

                              I've since tightened up the road warrior rule and thus done away with all the blocking rules.

                              • N
                                netblues @chpalmer
                                last edited by netblues

                                @chpalmer So the question is, in your setup can 172.19.1.0/24 ping 127.30.10.0/24 if you change the block into pass?

                                • chpalmerC
                                  chpalmer @netblues
                                  last edited by chpalmer

                                  @netblues

                                  Yes. Because in my VPN config page I include any network I want the site to be able to access.

                                  [Screenshot: SiteVPNConfig.jpg]

                                  • chpalmerC
                                    chpalmer
                                    last edited by

                                    But say I have a site I want to pass through another..

                                    Site 1 LAN 172.16.1.0/24
                                    VPN to site 2
                                    Remote Networks 192.168.254.0/24,172.19.1.0/24,172.22.22.0/24

                                    Site 2 LAN 192.168.254.0/24
                                    VPNs to sites 2 and 3
                                    VPN1 Remote Networks 172.16.1.0/24

                                    VPN2 Remote Networks 172.19.1.0/24,172.22.22.0/24

                                    Site 3 LAN 1 172.19.1.0/24 LAN 2 172.22.22.0/24
                                    VPN to site 2
                                    Remote Networks 172.16.1.0/24,192.168.254.0/24

                                    • chpalmerC
                                      chpalmer
                                      last edited by

                                      I can have multiple LANs on site 1 but the only one routed to sites 2 and 3 will be what is entered in their respective OpenVPN config pages. And vice versa..

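Added example, not part of any post in this thread: a small Python check of the three-site "Remote Networks" layout described in the two posts above, confirming that a LAN is only usable across the tunnels when both the forward and the return route are listed. The dictionary model, the function names, the extra LAN 10.10.10.0/24, and the assumption that Site 2's VPN1 peers with Site 1 and VPN2 with Site 3 are all constructed for illustration.

```python
import ipaddress

# Constructed model: per site, its LANs and each tunnel's peer + "Remote Networks".
SITES = {
    "site1": {"lans": ["172.16.1.0/24"],
              "tunnels": {"site2": ["192.168.254.0/24", "172.19.1.0/24", "172.22.22.0/24"]}},
    "site2": {"lans": ["192.168.254.0/24"],
              "tunnels": {"site1": ["172.16.1.0/24"],
                          "site3": ["172.19.1.0/24", "172.22.22.0/24"]}},
    "site3": {"lans": ["172.19.1.0/24", "172.22.22.0/24"],
              "tunnels": {"site2": ["172.16.1.0/24", "192.168.254.0/24"]}},
}

def _covers(nets, target):
    """True if `target` falls inside any network in `nets`."""
    t = ipaddress.ip_network(target)
    return any(t.subnet_of(ipaddress.ip_network(n)) for n in nets)

def path(sites, start, dst_net):
    """Follow Remote Networks routes hop by hop; return the site list or None."""
    hops, here = [start], start
    while not _covers(sites[here]["lans"], dst_net):
        nxt = next((peer for peer, nets in sites[here]["tunnels"].items()
                    if _covers(nets, dst_net)), None)
        if nxt is None or nxt in hops:  # no route listed, or a routing loop
            return None
        hops.append(nxt)
        here = nxt
    return hops

def owner(sites, net):
    """Site whose LAN list contains `net`."""
    return next(name for name, s in sites.items() if _covers(s["lans"], net))

def reachable(sites, src_net, dst_net):
    """Traffic only works if both the forward and the return path exist."""
    fwd = path(sites, owner(sites, src_net), dst_net)
    back = path(sites, owner(sites, dst_net), src_net)
    return fwd is not None and back is not None

def with_extra_lan(sites, site, net):
    """Copy of the model with one more LAN on `site` that no peer lists."""
    new = {k: {"lans": list(v["lans"]), "tunnels": v["tunnels"]} for k, v in sites.items()}
    new[site]["lans"].append(net)
    return new
```

With the extra LAN added on site 1, the forward path to site 3 still resolves, but the check fails because neither site 2 nor site 3 lists that network as a Remote Network.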
                                      • A
                                        ariban99
                                        last edited by

                                        Sorry, I was traveling and just got back.
                                        I am completely lost. Mine still doesn't work.
                                        Does anyone have a tutorial I can follow to make it work?
                                        As soon as I assign the OpenVPN to an interface my VPN connections get lost.
                                        Do I then enable the interface?
                                        This last part of adding the rules in OpenVPN, I don't think I am doing it right. Can you outline it step by step? There are not that many options.

                                        • N
                                          netblues
                                          last edited by

                                          It is expected for the vpn connection to stop functioning.
                                          Restart the OpenVPN service to recover from the change.

                                          • J
                                            joegeorge
                                            last edited by

                                            After the upgrade one of my aliases, which used hostnames, stopped working, which broke one of my OpenVPN tunnels. The others which were not using this alias were fine.

                                            @ariban99 is it possible you're experiencing the same issue?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.