Can't reach Lan host in OpenVPN tab mode

hunteralberto

Hi,

I had configure a OpenVPN in tab mode (Bridge). I follow this manual : https://forum.netgate.com/topic/42698/how-to-openvpn-tap-bridging-with-lan

Everything work fine, the remote client connect well, DHCP is Assigned well, I can ping the Lan and Wan interface, but I can't ping the host in the Lan network.

I add a "permit all" rule in the firewall on the Wan, Lan and OpenVPN interface, but even this don't have connection to the host in the Lan.

The bridged is with the Lan interface.

Any help please.

Gertjan

@hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

I add a "permit all" rule in the firewall on the Wan,

I understand that you are testing, but a "permit all" on WAN is bad, very bad.

As told in the Official pfSEnse Video's, "bridging" is possible, but tricky.

Can you ping your host (what host ? where ?) from pfSense, using the console menu ?

The default LAN rule works just fine - what did you change ?

hunteralberto

@Gertjan said in Can't reach Lan host in OpenVPN tab mode:

but tricky

Hi, thanks for your reply.

I know a permit all is a bad idea, but just wand to make this work.

I install the OpenVPN client in a Windows PC (this PC is the cliend that will connect to the pfsense OpenVPN server. It is outside the pfsense networks), import the ".ovpn" downloaded form the pfsense, and I connect to the pfsense OpenVPN server via the pfsense Wan interface. From the Windows PC I can ping the Wan and Lan interface of the pfsense, but can't reach the hosts on the pfsense Lan side.

Thanks...

Gertjan

Can you ping your host (what host ? where ?) from pfSense, using the console menu ?

Can you open the pfSense GUI using its URL or http://192.168.1.1 ?

ipconfig /all

On your connected PC says what ?

OpenVPN client log ?
Open VPN server log ?

hunteralberto

@Gertjan

Can you open the pfSense GUI using its URL or http://192.168.1.1 ?

You mean if I can open it form the windows client when I connect to the VPN. No, I can't. The Ip is 172.16.1.1. I can Ping it but can't access http. In the local 172.16.1.x I can access http, this the way that i configure the pfsense.

ipconfig /all

C:\Users\Alberto Leonor>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-GJ1C193
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : DC-4A-3E-EF-2C-0D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
Physical Address. . . . . . . . . : 0A-D4-0C-37-0E-79
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

**Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-9B-C6-92-BE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.1.130(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:24 PM
Lease Expires . . . . . . . . . . : Wednesday, April 15, 2020 3:18:23 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 172.16.1.0
NetBIOS over Tcpip. . . . . . . . : Enabled**

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3165
Physical Address. . . . . . . . . : 08-D4-0C-37-0E-79
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:15 PM
Lease Expires . . . . . . . . . . : Wednesday, April 17, 2019 3:03:50 PM
Default Gateway . . . . . . . . . : 172.20.10.1
DHCP Server . . . . . . . . . . . : 172.20.10.1
DNS Servers . . . . . . . . . . . : 172.20.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

C:\Users\Alberto Leonor>

OpenVPN client log
Tue Apr 16 15:18:22 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Tue Apr 16 15:18:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Apr 16 15:18:22 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Tue Apr 16 15:18:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.52.36.250:1194
Tue Apr 16 15:18:22 2019 UDP link local (bound): [AF_INET][undef]:1194
Tue Apr 16 15:18:22 2019 UDP link remote: [AF_INET]179.52.36.250:1194
Tue Apr 16 15:18:23 2019 [OPENVPNSERVER] Peer Connection Initiated with [AF_INET]179.52.36.250:1194
Tue Apr 16 15:18:24 2019 open_tun
Tue Apr 16 15:18:24 2019 TAP-WIN32 device [Ethernet 2] opened: \.\Global{9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}.tap
Tue Apr 16 15:18:24 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.1.130/255.255.255.0 on interface {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D} [DHCP-serv: 172.16.1.0, lease-time: 31536000]
Tue Apr 16 15:18:24 2019 Successful ARP Flush on interface [41] {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}
Tue Apr 16 15:18:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 16 15:18:29 2019 Initialization Sequence Completed

Open VPN server log
Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:25:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:26:01 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:26:01 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:26:02 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:26:02 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:28:04 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:28:04 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:28:05 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:28:05 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:30:07 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:30:08 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:31:09 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:31:09 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:31:10 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:31:10 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:33:00 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client disconnected
Apr 16 15:33:12 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 16 15:33:12 openvpn 86479 MANAGEMENT: CMD 'status 2'
Apr 16 15:33:13 openvpn 86479 MANAGEMENT: CMD 'quit'
Apr 16 15:33:13 openvpn 86479 MANAGEMENT: Client disconnected

Does this help?
Thanks.

hunteralberto

@Gertjan

I found and unassigned interface. It this don't matter?

Attached Image.

Rico

Follow this guide and recheck all your settings: https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html

-Rico

hunteralberto

@Rico
Hi Rico,

The configuration is exactly like the guide you send me.

Hope you could help me,
Thanks,

Gertjan

Question :

@hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

Description . . . . . . . . . . . : TAP-Windows Adapter V9
.....
DHCP Server . . . . . . . . . . . : 172.16.1.0

A DHCP server living on an IP ending with 0 ?? That's new for me.

hunteralberto

@Gertjan

Yes, this is so weird for me too.

I set the DHCP setting in the "Server Bridge DHCP Start/End" in the OpenVPN server setting.

Any idea?

Gertjan

@hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

Any idea?

Yes.
A DHCP server needs a host address. Not a network address, like the one terminating with 0.

But maybe this is just don't care situation because :

@hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

Everything work fine, the remote client connect well, DHCP is Assigned well ....

hunteralberto

@Gertjan

That set. I dont know if firewall is blocking traffic or something like this.

Gertjan

Me neither ;)
But a firewall does what you want - you are the boss ^^
Idea : make your rules verbose and have a look at the firewall logs.