please help with openvpn

striker-pl

have you checked the firewalls on those PC's, they could potentially be blocking the traffic by seeing it as outside your internal network.

Gertjan

@vnkvnk said in please help with openvpn:

What I am missing here?

What about an official, recent video, from the official source ? One came out a couple of weeks ago.
Yours is using a - very - old version of pfSense. That's like explaining Windows 10 with Windows 8 examples.

Here : Youtube => Netgate !!

Check out also all the OpenVPN (server) videos from Youtube => Videos

vnkvnk

@Gertjan Hi
I agree, the video I used is a little older, but everything in the setup is the same, no difference.
Thanks for the link, I will do more studies, but so far I am stack with VPN and I do need it. Unless I will find myself or someone could help me, there is no sense for me to continue. Especially, if there is my error in the setting - I need to find it. If it is a glitch (one, with IP changing I already found) I am not sure I would like to learn it.

Anyway, thank you

vnkvnk

@striker-pl Nothing special in my firewall. The machine with win 7, the one I cannot ping even does not have any antivirus software.

Gertjan

@vnkvnk said in please help with openvpn:

Tunnel network 192.168.3.0/24 - local network 192.168.1.0/24

What about setting :

so not more local networks to set.

@vnkvnk said in please help with openvpn:

BUT, from remote PC can ping 192.168.1.1 and 192.168.1.101, but cannot 1.100 and 1.102
1.100 - Win7, 1.102 and 1.102 are Win10

Time to Diagnostics Packet Capture on the LAN interface for ICMP.
If 1.100 replies : ICMP arrives at LAN. It would be logic to think that if 1.100 arrives, 1.101 and 1.102 will also arrive.

What are your firewall rules here :

The OPENVPN and OpenVPN tabs ?

And, as @vnkvnk : the WIN machines that don't work : their network is set to "public" (non trusted) or "home" (trusted) ?

vnkvnk

Hi All
ok, did a few back and force changes.
Started from scratch. Pfsense just after factory default,
to the pfsense connected 3 computers
192.168.1.100 - win7, work network,
192.168.1.167. win10, private network
192.168.1.169, win7, work network
all 3 computers ping no issue

recorded all configuration, I hope it will work
https://drive.google.com/file/d/1pLlafiVl79J8daTMoDnzTkF9gTphoZJi/view

all firewall rules are here
https://drive.google.com/file/d/1kIvybUFL2JC6_1XJDQpMUg0SIRDhs9Ak/view?usp=sharing

installed client, connected. Can ping 192.168.1.1(pfsense), 1.67(win10) and 1.69(win7), cannot 192.168.1.100(win7)
https://drive.google.com/file/d/14DZrhwZIUR2Z8T18K1HB7U2pFcCtY09n/view?usp=sharing

Any idea?
Thanks

Gertjan

Last video, your Client VPN PC : what is it's local IP address and mask ?

Can you ping 100/167/169 from pfSense ? Use the Console (SSH !) access, option 8 and ping.

test with : Diagnostics > Packet Capture
and select :

and redo the ping test. Packets should be on LAN for the 3 PC's.

Like :

07:03:47.037767 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 49236, seq 0, length 64
07:03:48.038539 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 49236, seq 1, length 64
07:03:49.039552 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 49236, seq 2, length 64
07:03:51.255089 IP 192.168.1.1 > 192.168.1.3: ICMP echo request, id 9528, seq 0, length 64
07:03:51.255577 IP 192.168.1.3 > 192.168.1.1: ICMP echo reply, id 9528, seq 0, length 64
07:03:52.255553 IP 192.168.1.1 > 192.168.1.3: ICMP echo request, id 9528, seq 1, length 64
07:03:52.256001 IP 192.168.1.3 > 192.168.1.1: ICMP echo reply, id 9528, seq 1, length 64
07:03:53.256534 IP 192.168.1.1 > 192.168.1.3: ICMP echo request, id 9528, seq 2, length 64
07:03:53.256927 IP 192.168.1.3 > 192.168.1.1: ICMP echo reply, id 9528, seq 2, length 64
07:03:54.257576 IP 192.168.1.1 > 192.168.1.3: ICMP echo request, id 9528, seq 3, length 64
07:03:54.258099 IP 192.168.1.3 > 192.168.1.1: ICMP echo reply, id 9528, seq 3, length 64

Where PC 192.168.1.2 is shut down - a request, send from pfSEnse, but no replies.
PC 192.168.1.3 is awake,there are requests as there are replies.

vnkvnk

@Gertjan
here are a screens from the client
not connected yet

next, connected

vnkvnk

@vnkvnk
next, connected

pings from client

ping from ssh is fine

packet capture to 1.167 - ping is fine and 1.100 not, packets looks identical to me

yesterday I used another computer as a client. the same issue with ping

Thanks

Gertjan

@vnkvnk said in please help with openvpn:

yesterday I used another computer as a client. the same issue with ping

Same issue : go or no go ?

Because ping to "167" works, we know they are send over the VPN, out of pfSense VPN server into the pfSense LAN.
If "100" doesn't reply, this is because it doesn't receive a ping OR it doesn't want to reply a ping.
"100" is using a cable ( ! ) connection like "167", right ? Nothing but a dumb switch separates "100" and "167" ?
If so, I'm pretty sure "100" is firewalling. Easy to proof : prepare an (free)-OS-on-a-USB-stick. Disconnect the hard drive of the "100" PC (de-activate hard drive in BIOS will do == no risk) - boot from USB stick, have it activate it's DHCP client and use the onboard NIC : it will have an IP, you would be able to ping it.

vnkvnk

@Gertjan I agree, the vpn is connected since 167 is fine.
And I could assume 100 is "blocking" ping. Even more info: 168.168.3.2(client) and 192.168.1.167 can ping and tracert; 3.2 and 1.100 - cannot treacert too, while 1.100 and 1.167 - are absolutely fine. So, 1.100 could communicate with any PC on pfsense side, but not trough pfsense to client.
Also, I did another test - instead of pfsense I tested with old Cisco RV042. set up PPTP firewall, used the same computers for hardware, even IP used the same. On the client pc windows VPN, just user and password. All is as expected, all 3 computers are pinging each other.
PS. on "problematic" computer 1.100, just for curiosity changed manually IP to 1.168 - no magic happens

Gertjan

@vnkvnk said in please help with openvpn:

Even more info

Using the pfSense - GUI access : does "100" reply to ping ?
From "167" : "100" replies to ping ? Or better, can you see and your network resources exposed by "100" on "167" ?

@vnkvnk said in please help with openvpn:

changed manually IP to 1.168

When doing so - chanting the IP, check / set also the gateway IP, idem for the DNS IP, you can find these on the other tabs.. The last two should be the IP of pfSense.