Netgate Discussion Forum

    Solved: Cannot access beyond router via OpenVPN

    Category: OpenVPN
    Tags: routing, firewall, openvpn, openvpn routing, log
    9 Posts 2 Posters 1.6k Views
    • ddbnj

      I set up openvpn yesterday and although I can connect to it remotely, I can only access the router itself. Nothing beyond it.

      I have firewall rules on the openvpn interface to allow all to all.
      There are no blocking rules, every interface for testing has allow all to all.

      Looking at filter.log, I do not have any activity from 10.8.0.2 (the client-assigned address).

      I've been at this for a day now and haven't gotten anywhere. Tried reinstalling and recreating multiple times.

      LAN 172.20.0.0/24
      IOTLAN: 172.20.100.0/24
      IOTWIFI: 172.20.200.0/24

      router 172.20.0.1

      Openvpn clients 10.8.0.0/24

      I've attached my server and client configs:

      [2.4.4-RELEASE][admin@protectli.pfdomain]/var/etc/openvpn: cat server2.conf

      dev ovpns2
      verb 1
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp4-server
      cipher AES-256-CBC
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 69.112.137.17
      engine rdrand
      tls-server
      server 10.8.0.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server2
      username-as-common-name
      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server2 443
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfSense+Openvpn+server' 1"
      lport 443
      management /var/etc/openvpn/server2.sock unix
      push "route 172.20.0.0 255.255.255.0"
      push "route 172.20.100.0 255.255.255.0"
      push "route 172.20.200.0 255.255.255.0"
      push "dhcp-option DNS 172.20.0.1"
      ca /var/etc/openvpn/server2.ca
      cert /var/etc/openvpn/server2.cert
      key /var/etc/openvpn/server2.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      ncp-ciphers AES-128-GCM
      persist-remote-ip
      float
      topology subnet
      

      Client1 config:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      ncp-ciphers AES-128-GCM
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      (privateaddress) 443 tcp-client
      verify-x509-name "pfSense Openvpn server" name
      auth-user-pass
      remote-cert-tls server
      
      <ca>
      -----BEGIN CERTIFICATE-----
      (removed)
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      (removed)
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      (removed)
      -----END PRIVATE KEY-----
      </key>
      key-direction 1
      <tls-auth>
      #
      # 2048 bit OpenVPN static key
      #
      -----BEGIN OpenVPN Static key V1-----
      -----END OpenVPN Static key V1-----
      </tls-auth>
      

      Thank you for any assistance.

      • ddbnj @ddbnj

        @ddbnj

        This is the route table from the client machine when connected via openvpn from outside LAN.

        IPv4 Route Table
        ===========================================================================
        Active Routes:
        Network Destination        Netmask          Gateway       Interface  Metric
                  0.0.0.0          0.0.0.0    192.168.43.42    192.168.43.81     50
                 10.8.0.0    255.255.255.0         On-link          10.8.0.2    291
                 10.8.0.2  255.255.255.255         On-link          10.8.0.2    291
               10.8.0.255  255.255.255.255         On-link          10.8.0.2    291
                127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
                127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
          127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
               172.20.0.0    255.255.255.0         10.8.0.1         10.8.0.2    291
             172.20.100.0    255.255.255.0         10.8.0.1         10.8.0.2    291
             172.20.200.0    255.255.255.0         10.8.0.1         10.8.0.2    291
             192.168.43.0    255.255.255.0         On-link     192.168.43.81    306
            192.168.43.81  255.255.255.255         On-link     192.168.43.81    306
           192.168.43.255  255.255.255.255         On-link     192.168.43.81    306
                224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
                224.0.0.0        240.0.0.0         On-link     192.168.43.81    306
                224.0.0.0        240.0.0.0         On-link          10.8.0.2    291
          255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
          255.255.255.255  255.255.255.255         On-link     192.168.43.81    306
          255.255.255.255  255.255.255.255         On-link          10.8.0.2    291
        ===========================================================================
        Persistent Routes:
          None
        
        • johnpoz (LAYER 8 Global Moderator)

          So your routes to your networks are there.. But do they point back to pfsense? Do they have any firewalls running on them that would not allow traffic from your 10.0.8 vpn tunnel network IPs?

          Can you ping the pfsense IPs on your 172.20.0, 172.20.100 and 172.20.200 networks? If so, then the tunnel is working and you're routing down the tunnel.

          Simple test: sniff on your 172.20.0 interface, then ping something on this network that you should be able to get to, say 172.20.0.X. Do you see pfsense send on the traffic? If so, then it's a client-related problem: firewall, not using pfsense as its default gateway, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • ddbnj @johnpoz

            @johnpoz

            Thank you for replying.

            172.20.0.3: ping 172.20.0.17
            worked (172.20.0.17 firewall allowing pings)

            The rules for 172.20.0.17:

            To                         Action      From
            --                         ------      ----
            OpenSSH                    ALLOW       Anywhere
            443/tcp                    ALLOW       Anywhere
            224.0.0.0/4                DENY        Anywhere
            5355/udp                   DENY        Anywhere
            8443/tcp                   ALLOW       Anywhere
            10001/udp                  ALLOW       Anywhere
            3478                       ALLOW       172.20.0.0/24
            8080 on bond0              ALLOW       Anywhere
            OpenSSH (v6)               ALLOW       Anywhere (v6)
            443/tcp (v6)               ALLOW       Anywhere (v6)
            5355/udp (v6)              DENY        Anywhere (v6)
            8443/tcp (v6)              ALLOW       Anywhere (v6)
            10001/udp (v6)             ALLOW       Anywhere (v6)
            8080 (v6) on bond0         ALLOW       Anywhere (v6)
            

            There are no IP specific rules except for Unifi.

            From remote client:
            10.8.0.2: ping 172.20.0.1
            (works)
            10.8.0.2: ping 172.20.100.1
            (works)
            10.8.0.2: ping 172.20.0.17
            (times out)

            I'm running klog -f /var/log/filter.log on 172.20.0.1 and see no activity from 10.8.0.1.

            (screenshot: rules-openvpn.JPG)

            (screenshot: rules-lan.JPG)

            Thanks for helping me.

            Devan

            • johnpoz (LAYER 8 Global Moderator)

              @ddbnj said in Cannot access beyond router via OpenVPN:

              10.8.0.2: ping 172.20.0.17
              (times out)

              And where do those rules allow icmp (ping)?

              I see you allow ssh and etc... But no ICMP on that .17 firewall that I see.

              So again, to PROVE it to yourself... Sniff on pfsense when you ping .17. Do you see it sending the pings? Then it's NOT pfsense!!


              • ddbnj @johnpoz

                @johnpoz

                Sorry this is frustrating. Me too.

                I turned off the firewall on 172.20.0.17.

                pi:~ $ sudo iptables -S
                -P INPUT ACCEPT
                -P FORWARD ACCEPT
                -P OUTPUT ACCEPT
                pi:~ $
                

                I still can ping 172.20.0.17 from anywhere on 172.20.0.0/24.

                Here is the packet capture from the VPN interface. It's for all ICMP data on this interface. All ping requests were made remotely while connected to openvpn.

                14:46:00.102158 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 63, length 40
                14:46:00.102168 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 63, length 40
                14:46:01.120550 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 64, length 40
                14:46:01.120555 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 64, length 40
                14:46:02.135848 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 65, length 40
                14:46:02.135853 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 65, length 40
                14:46:03.148124 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 66, length 40
                14:46:03.148129 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 66, length 40
                14:46:06.790785 IP 10.8.0.2 > 172.20.0.1: ICMP echo request, id 1, seq 67, length 40
                14:46:06.790795 IP 172.20.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 67, length 40
                14:46:07.770961 IP 10.8.0.2 > 172.20.0.1: ICMP echo request, id 1, seq 68, length 40
                14:46:07.770966 IP 172.20.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 68, length 40
                14:46:08.800442 IP 10.8.0.2 > 172.20.0.1: ICMP echo request, id 1, seq 69, length 40
                14:46:08.800446 IP 172.20.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 69, length 40
                14:46:09.816666 IP 10.8.0.2 > 172.20.0.1: ICMP echo request, id 1, seq 70, length 40
                14:46:09.816670 IP 172.20.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 70, length 40
                14:46:15.991837 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 71, length 40
                14:46:20.820495 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 72, length 40
                14:46:25.919175 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 73, length 40
                

                As you can see, I can reach and communicate with the router but not beyond it. I cannot ping or SSH to anything behind it.

                • johnpoz (LAYER 8 Global Moderator)

                  I didn't say sniff on the vpn interface... Sniff on the 172.20.0.1 interface of pfsense... But you can see right here that pfsense is seeing the traffic!!

                  14:46:15.991837 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 71, length 40
                  14:46:20.820495 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 72, length 40
                  14:46:25.919175 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 73, length 40
                  

                  Validate that traffic is actually leaving the 172.20.0.1 interface of pfsense towards your .17 box... To prove to yourself it's NOT pfsense...

                  If pfsense puts the traffic on the wire towards .17 and there is no answer, it's either a firewall on the device, the device not using pfsense as its gateway, or something in between the device and pfsense.. This is not rocket science by any means.

                  I can pretty much promise you it's your device!!!


                  • ddbnj @johnpoz

                    @johnpoz

                    Thank you.

                    As requested, from the LAN interface. I chose the VPN interface so one can see what a normal ICMP reply would resemble.

                    15:10:02.886130 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 90, length 40
                    15:10:07.853518 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 91, length 40
                    15:10:12.822370 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 92, length 40
                    15:10:17.803202 IP 10.8.0.2 > 172.20.0.17: ICMP echo request, id 1, seq 93, length 40
                    

                    I agree with you that it is my device. And also the other devices behind my router.

                    I don't know how to fix them to accept connections from outside the LAN with the firewall completely off.

                    All of my devices on the LAN obtain their IP addresses via DHCP.

                    ifconfig:

                    bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
                            inet 172.20.0.17  netmask 255.255.255.0  broadcast 172.20.0.255
                            inet6 fe80::f413:4fff:fefc:dfb6  prefixlen 64  scopeid 0x20<link>
                            ether f6:13:4f:fc:df:b6  txqueuelen 1000  (Ethernet)
                            RX packets 127203  bytes 47050038 (44.8 MiB)
                            RX errors 0  dropped 4  overruns 0  frame 0
                            TX packets 48932  bytes 6892625 (6.5 MiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                    
                    eth0: flags=6147<UP,BROADCAST,SLAVE,MULTICAST>  mtu 1500
                            ether f6:13:4f:fc:df:b6  txqueuelen 1000  (Ethernet)
                            RX packets 0  bytes 0 (0.0 B)
                            RX errors 0  dropped 0  overruns 0  frame 0
                            TX packets 0  bytes 0 (0.0 B)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                    
                    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                            inet 127.0.0.1  netmask 255.0.0.0
                            inet6 ::1  prefixlen 128  scopeid 0x10<host>
                            loop  txqueuelen 1000  (Local Loopback)
                            RX packets 344781  bytes 118577339 (113.0 MiB)
                            RX errors 0  dropped 0  overruns 0  frame 0
                            TX packets 344781  bytes 118577339 (113.0 MiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                    
                    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
                            inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
                            inet6 fe80::b675:4544:9388:1cab  prefixlen 64  scopeid 0x20<link>
                            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
                            RX packets 0  bytes 0 (0.0 B)
                            RX errors 0  dropped 0  overruns 0  frame 0
                            TX packets 125  bytes 7096 (6.9 KiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                    
                    wlan0: flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST>  mtu 1500
                            ether f6:13:4f:fc:df:b6  txqueuelen 1000  (Ethernet)
                            RX packets 127203  bytes 47050038 (44.8 MiB)
                            RX errors 0  dropped 0  overruns 0  frame 0
                            TX packets 48932  bytes 6892625 (6.5 MiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                    

                    I do not see a gateway specified.

                    Examining the route:

                    Kernel IP routing table
                    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                    default         protectli.pfdom 0.0.0.0         UG    1024   0        0 bond0
                    10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
                    172.20.0.0      0.0.0.0         255.255.255.0   U     0      0        0 bond0
                    protectli.pfdom 0.0.0.0         255.255.255.255 UH    1024   0        0 bond0
                    
                    

                    Bingo! I had an old VPN configuration using the same route. Once I turned off openvpn on that machine it worked.

                    Thank you for helping me work through this!

                    -Devan

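                    The stale tun0 route explains the captures above: with its own 10.8.0.0/24 route, the Pi sends its echo replies for 10.8.0.2 out a dead tunnel instead of back via pfSense, so the request is seen on the LAN wire but never answered. As an added example (not code from this thread or from pfSense), this Python script implements the kernel's longest-prefix-match selection over a route table constructed from the Pi's `route -n` output, with the hostname gateway written as the router address 172.20.0.1 given earlier in the thread, and flags any local route that overlaps the VPN client subnet.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # "0.0.0.0" in `route -n` means directly connected (on-link)
    metric: int
    iface: str

# Constructed sample: the Pi's kernel table from the thread, as `route -n`
# prints it, with the hostname gateway written as the router's 172.20.0.1.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.20.0.1      0.0.0.0         UG    1024   0        0 bond0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.20.0.0      0.0.0.0         255.255.255.0   U     0      0        0 bond0
172.20.0.1      0.0.0.0         255.255.255.255 UH    1024   0        0 bond0
"""

def parse_route_n(text: str) -> list[Route]:
    """Parse `route -n` output, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, int(metric), iface))
    return routes

def lookup(routes: list[Route], dst: str) -> Route:
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

def tunnel_route_conflicts(routes: list[Route], vpn_subnet: str, gateway_iface: str) -> list[Route]:
    """Routes that steer the remote VPN subnet away from the router-facing
    interface; a LAN host behind pfSense should reach 10.8.0.0/24 only via
    its default gateway, so any hit here is a stale local tunnel."""
    vpn = ipaddress.IPv4Network(vpn_subnet)
    return [r for r in routes if r.iface != gateway_iface and r.network.overlaps(vpn)]

def reply_path(text: str, client_ip: str) -> tuple[str, str]:
    """(gateway, iface) the host would use for its echo reply to the VPN client."""
    r = lookup(parse_route_n(text), client_ip)
    return r.gateway, r.iface

if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N_OUTPUT)
    print("echo reply to 10.8.0.2 leaves via", reply_path(ROUTE_N_OUTPUT, "10.8.0.2"))
    for r in tunnel_route_conflicts(routes, "10.8.0.0/24", "bond0"):
        print("stale tunnel route:", r.network, "on", r.iface)
```

Removing the tun0 entry (what stopping the old OpenVPN client did) makes the lookup for 10.8.0.2 fall through to the default route via 172.20.0.1 on bond0, which is the path the pings in the LAN-side capture needed.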
                    • johnpoz (LAYER 8 Global Moderator)

                      @ddbnj said in Cannot access beyond router via OpenVPN:

                      10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

                      Yeah that would dick it up ;)

                      Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe

                      The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey, pfsense is doing what it's supposed to be doing... Have to look elsewhere..


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.