Netgate Discussion Forum

connected but cant access vpn lan after upgrade to 2.4.4 p1

Category: OpenVPN
35 Posts 6 Posters 3.1k Views
  • C
    chpalmer @netblues
    last edited by Dec 12, 2018, 8:18 AM

    @netblues said in connected but cant access vpn lan after upgrade to 2.4.4 p1:
    https://www.netgate.com/docs/pfsense/book/openvpn/assigning-openvpn-interfaces.html

    Thanks! I've been wondering but never asked.

    Adds a firewall tab under Firewall > Rules
    

    We have this. Maybe past incarnations did not..??

    Adds reply-to to rules on the VPN interface tab to help with return routing
    Adds a Gateway entry for the far side of the VPN for policy routing
    Allows the interface to be selected elsewhere in the GUI and packages
    Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN
    

    Good to know.

    Triggering snowflakes one by one..
    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

    • N
      netblues @chpalmer
      last edited by Dec 12, 2018, 8:27 AM

      @chpalmer said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

      Adds a firewall tab under Firewall > Rules
      

      We have this. Maybe past incarnations did not..??

      Now you have one for each tunnel.
      If you are just using one tunnel, then you can get away without assigning an interface
      (it will be happening dynamically behind the scenes).
      In more complex scenarios an assigned interface comes handy.
      Say, remote client with no split tunnel accessing specific site using nat which happens at another remote client connected via another openvpn tunnel.
      One use for that is geolocation bypass.
      Another is using a vps host in a datacenter as a static ip gateway.

      • C
        chpalmer
        last edited by Dec 12, 2018, 4:19 PM

        Thanks!

        On my OpenVPN tab I simply make a rule for each VPN subnet I'm controlling. I have ten different tunnels coming into this location alone besides a roadwarrior setup..

        I do think the OP could simplify his setup a bit in this fashion.

        from one of our spur sites.. [image: 0_1544631267960_VPNRules.jpg]

        I've since tightened up the road warrior rule and thus done away with all the blocking rules.


        • N
          netblues @chpalmer
          last edited by netblues Dec 12, 2018, 7:55 PM

          @chpalmer So the question is, in your setup can 172.19.1.0/24 ping 127.30.10.0/24 if you change the block into pass?

          • C
            chpalmer @netblues
            last edited by chpalmer Dec 12, 2018, 8:22 PM

            @netblues

            Yes. Because in my VPN config page I include any network I want the site to be able to access.

            [image: 0_1544646132898_SiteVPNConfig.jpg]


            • C
              chpalmer
              last edited by Dec 12, 2018, 8:31 PM

              But say I have a site I want to pass though another..

              Site 1 LAN 172.16.1.0/24
              VPN to site 2
              Remote Networks 192.168.254.0/24,172.19.1.0/24,172.22.22.0/24

              Site 2 LAN 192.168.254.0/24
              VPNs to sites 2 and 3
              VPN1 Remote Networks 172.16.1.0/24

              VPN2 Remote Networks 172.19.1.0/24,172.22.22.0/24

              Site 3 LAN 1 172.19.1.0/24 LAN 2 172.22.22.0/24
              VPN to site 2
              Remote Networks 172.16.1.0/24,192.168.254.0/24


              • C
                chpalmer
                last edited by Dec 12, 2018, 8:34 PM

                I can have multiple LANs on site 1 but the only one routed to sites 2 and 3 will be what is entered in their respective OpenVPN config pages. And vice versa..


                • A
                  ariban99
                  last edited by Dec 14, 2018, 2:03 PM

                  sorry i was traveling and just got back.
                  i am completely lost. mine still doesn't work.
                  does anyone have a tutorial i can follow to make it work?
                  as soon as i assign the openvpn to an interface my vpn connections get lost.
                  do i then enable the interface?
                  this last part of adding the rules in openvpn, i don't think i am doing it right. can you outline it step by step? there are not that many options

                  • N
                    netblues
                    last edited by Dec 14, 2018, 2:19 PM

                    It is expected for the vpn connection to stop functioning.
                    Restart the openvpn service to recover from the change.

                    • J
                      joegeorge
                      last edited by Dec 14, 2018, 2:56 PM

                      After the upgrade one of my aliases which used hostnames stopped working, which broke one of my OpenVPN tunnels. The others which were not using this alias were fine.

                      @ariban99 is it possible you're experiencing the same issue?

                      • G
                        Gertjan @joegeorge
                        last edited by Dec 14, 2018, 3:07 PM

                        @joegeorge said in connected but cant access vpn lan after upgrade to 2.4.4 p1:

                        After the upgrade one of my aliases which used hostnames stopped working, which broke one of my OpenVPN tunnels. The others which were not using this alias were fine

                        The alias is used by a firewall rule.
                        That firewall rule is used on the VPN interface tab.
                        The VPN becomes non-reachable for this 'alias' (== IP).
                        So this is more an "alias isn't updated" problem, nothing to do with OpenVPN.
                        Right ? Yes ? No ? Missing info ?

                        Check why the alias isn't resolved (should refresh every 300 sec). See logs if it didn't - won't do - can't - whatever.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • J
                          joegeorge
                          last edited by Dec 14, 2018, 3:12 PM

                          @Gertjan Correct, I may have misunderstood @ariban99's issue when I read it first. Sounded like their connection came up but there was a "routing"/firewall issue.

                          You're right, I should check my logs. Thanks.

                          • A
                            ariban99
                            last edited by Dec 14, 2018, 5:40 PM

                            no i have a static ip so i am not using aliases.
                            i just think i am doing it wrong.
                            no one confirms if i am doing it right or wrong. can someone help. here is my exact setup and what i am doing

                            openvpn server 192.168.1.0/24
                            openvpn client 1 192.168.2.0/24 (tunnel 10.0.1.0/30)
                            openvpn client 2 192.168.3.0/24 (tunnel 10.0.3.0/30)
                            client 1 and 2 reach the server with NO issues

                            but client 1 talking to 2 or 2 talking to 1, does NOT work. i can only reach from 1 or 2 to the main openvpn server

                            so i was told to assign the 2 openvpn on the main server to an interface. then i enabled those 2 interfaces
                            as soon as i do this.
                            client 1 and client 2 lost their connection to the server

                            then i was told to go to firewall rules, openvpn tab, create a new rule as follows:
                            action: pass
                            interface: openvpn
                            address: ipv4
                            protocol: any
                            source: the assigned interface from client 1 openvpn
                            destination: the assigned interface from client 2 openvpn
                            i wrote a description and saved.
                            but this does NOT do anything. i am still without connection to the main server openvpn from both clients. not sure what i am doing wrong!
                            please advise

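A constructed model of the routing logic behind chpalmer's site 1/2/3 layout earlier in the thread and ariban99's server-and-two-clients setup just above: a pfSense box only knows its own LANs plus whatever is listed as Remote Networks on each tunnel, and a LAN pair can only talk when a route exists in both directions. This is added example code, not pfSense's or any poster's; it assumes site 2's VPN1 peers with site 1 and VPN2 with site 3, and guesses that ariban99's clients list only the server LAN as their Remote Network.

```python
from ipaddress import ip_network

# Constructed from chpalmer's three-site layout (site 2 is the hub). Assumption:
# site 2's VPN1 peers with site 1 and its VPN2 with site 3.
HUB_SPOKE = {
    "site1": {"lans": ["172.16.1.0/24"],
              "tunnels": {"site2": ["192.168.254.0/24", "172.19.1.0/24", "172.22.22.0/24"]}},
    "site2": {"lans": ["192.168.254.0/24"],
              "tunnels": {"site1": ["172.16.1.0/24"], "site3": ["172.19.1.0/24", "172.22.22.0/24"]}},
    "site3": {"lans": ["172.19.1.0/24", "172.22.22.0/24"],
              "tunnels": {"site2": ["172.16.1.0/24", "192.168.254.0/24"]}},
}

# Constructed guess at ariban99's setup: each client lists only the server LAN as
# its Remote Network, so neither spoke has a route to the other.
SERVER_ONLY = {
    "server": {"lans": ["192.168.1.0/24"],
               "tunnels": {"client1": ["192.168.2.0/24"], "client2": ["192.168.3.0/24"]}},
    "client1": {"lans": ["192.168.2.0/24"], "tunnels": {"server": ["192.168.1.0/24"]}},
    "client2": {"lans": ["192.168.3.0/24"], "tunnels": {"server": ["192.168.1.0/24"]}},
}

def next_hop(topo, site, dst):
    """Longest-prefix match over the site's own LANs ('local') and each tunnel's Remote Networks."""
    dst = ip_network(dst)
    cands = [(ip_network(n), "local") for n in topo[site]["lans"]]
    cands += [(ip_network(n), peer) for peer, nets in topo[site]["tunnels"].items() for n in nets]
    hits = [(n.prefixlen, via) for n, via in cands if dst.subnet_of(n)]
    return max(hits)[1] if hits else None  # None means the packet is dropped here

def path(topo, site, dst):
    """Sites traversed until dst is local at the current hop; None on a missing route or a loop."""
    hops = [site]
    while (nh := next_hop(topo, site, dst)) != "local":
        if nh is None or nh in hops:
            return None
        hops.append(nh)
        site = nh
    return hops

def reachable(topo, src_net, dst_net):
    """A LAN pair works only with a route out AND a route back, or replies are dropped."""
    owner = lambda net: next(s for s, c in topo.items() if net in c["lans"])
    return path(topo, owner(src_net), dst_net) is not None and path(topo, owner(dst_net), src_net) is not None

def broken_pairs(topo):
    """(src, dst) LAN pairs that cannot talk; each one names a Remote Networks entry to add."""
    lans = [l for c in topo.values() for l in c["lans"]]
    return [(a, b) for a in lans for b in lans if a != b and not reachable(topo, a, b)]
```

Running `broken_pairs(SERVER_ONLY)` reports exactly the client-1/client-2 pair ariban99 describes, while the hub-and-spoke layout reports nothing; adding the other client's LAN to each client's Remote Networks clears the list.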