Netgate Discussion Forum

    Connection from OpenVPN Client LAN to OpenVPN server

      jiunnyik

      Hi,

      How can I configure the pfSense OpenVPN client so that the client's LAN can reach the OpenVPN server without any extra config on the server side?

      As far as I know, we need to configure the server side with iroute and push route for the client.

      But I have tested an Asus RT-AC55UHP; its OpenVPN client's LAN can reach the server without "iroute" and "route" on the server side.

      Can pfSense do the same?

      Thanks.

        viragomann

        If the pfSense running the OpenVPN server is the default gateway, there is no need to add routes.
        Just put a firewall rule on the OpenVPN tab to permit access to LAN clients.

          jiunnyik

          pfSense is running as OpenVPN client and gateway at home.

          Is there any way to configure pfSense so that its LAN client can access the OpenVPN server directly?

          The OpenVPN server is running on CentOS at a data center.

          Thank you.

            viragomann

            In the client configuration, at IPv4 or IPv6 Remote Network, enter the networks on the server side you want to reach.
            So if the tunnel is up, pfSense will add routes to these networks.

              jiunnyik

              It doesn't work.

              My CentOS OpenVPN server has 10.11.12.1.

              My pfSense OpenVPN client has 10.11.12.6 and LAN 192.168.18.0/24.

              I tried to put 10.11.12.0/24 into IPv4 Remote Network, but my LAN client is unable to reach / ping 10.11.12.1.

                viragomann

                I'll try to replicate.

                Your OpenVPN tunnel is 10.11.12.0/24.
                The server has 10.11.12.1.
                And you just want to reach the server? For that there's no need to add routes if the OpenVPN client (pfSense) is the default gateway. It's in the same subnet.
                Try a ping from pfSense to the server.

                  jiunnyik

                  pfSense can ping the server and vice versa.

                    viragomann

                    So if the pfSense box (OpenVPN client) is the default gateway for the host behind it, the ping should also work from there.

                    If not, make a packet capture at pfSense (Diagnostics menu) on the OpenVPN interface and filter for ICMP to see what's going on there.

                      jiunnyik

                      
                      05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
                      05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
                      05:45:23.768987 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 3, length 64
                      05:45:24.769018 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 4, length 64
                      05:45:25.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 5, length 64
                      05:45:26.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 6, length 64
                      05:45:27.768991 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 7, length 64
                      05:45:28.769023 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 8, length 64
                      05:45:29.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 9, length 64
                      05:45:30.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 10, length 64
                      05:45:31.768995 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 11, length 64
                      05:45:32.769028 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 12, length 64
                      05:45:33.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 13, length 64
                      05:45:34.768978 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 14, length 64
                      05:45:35.768999 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 15, length 64
                      05:45:36.769031 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 16, length 64
                      05:45:37.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 17, length 64
                      05:45:38.769096 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 18, length 64
                      05:45:39.769002 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 19, length 64
                      05:45:40.769035 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 20, length 64
                      05:45:41.769068 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 21, length 64
                      
                      

                      This is the test result

                        viragomann

                        Only ICMP requests are seen, no responses.
                        The common way to fix this is to add a route for the client's LAN to the server. I think you know, but don't want this.

                        If you want to solve it from the client side, you have to add an outbound NAT rule on the client's OpenVPN interface, translating the source address to the client's address. This is not recommended, because this way, on the server side you only see requests coming from the client's address instead of the real LAN hosts' addresses.

                        To do so, go to Firewall > NAT > Outbound. If your outbound NAT does automatic rule generation, select Hybrid or Manual and hit Save first.
                        Then add a new rule by clicking +:
                        Interface: OpenVPN
                        Protocol: any
                        Source: the client's LAN network or any
                        Destination: any
                        Translation: Interface address

                        If you have more than one VPN client or also a server running, you have to assign an interface to the VPN client first and use this in the NAT rule above, if you haven't already!

                        1 Reply Last reply Reply Quote 0
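Added example, not part of the original posts: a small Python check that reads a capture in the format posted above, finds echo requests that never got a reply, and flags sources outside the tunnel subnet, then models what the server sees once the outbound NAT rule is in place. The sample capture is constructed (the first two lines follow the thread's capture; the pfSense ping and the second LAN host 192.168.18.9 are invented), and the function names are hypothetical.

```python
import ipaddress
import re

# Matches tcpdump ICMP echo lines in the format shown in the thread's capture.
LINE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

# Constructed sample: the first two lines follow the thread's capture; the last
# two are an invented ping from pfSense's own tunnel address with its reply.
CAPTURE = """\
05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
05:46:01.100000 IP 10.11.12.6 > 10.11.12.1: ICMP echo request, id 9001, seq 1, length 64
05:46:01.120000 IP 10.11.12.1 > 10.11.12.6: ICMP echo reply, id 9001, seq 1, length 64
"""

def unanswered_sources(capture):
    """Return the set of source IPs whose echo requests never got a reply."""
    pending = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            pending.add((src, dst, ident, seq))
        else:  # a reply travels from the request's dst back to its src
            pending.discard((dst, src, ident, seq))
    return {src for src, _, _, _ in pending}

def needs_return_path(capture, tunnel_net):
    """Unanswered sources outside the tunnel subnet: the server cannot route
    replies to them without a server-side route/iroute or client-side NAT."""
    net = ipaddress.ip_network(tunnel_net)
    return sorted(s for s in unanswered_sources(capture)
                  if ipaddress.ip_address(s) not in net)

def seen_by_server(sources, lan_net, client_tunnel_ip):
    """Model the outbound NAT rule: LAN sources are rewritten to the client's
    tunnel address, so the server can reply but cannot tell hosts apart."""
    lan = ipaddress.ip_network(lan_net)
    return {s: (client_tunnel_ip if ipaddress.ip_address(s) in lan else s)
            for s in sources}

if __name__ == "__main__":
    print(needs_return_path(CAPTURE, "10.11.12.0/24"))
    print(seen_by_server(["192.168.18.4", "192.168.18.9"],
                         "192.168.18.0/24", "10.11.12.6"))
```

With the NAT rule, every LAN host maps to 10.11.12.6, so server-side logs and firewall rules can no longer distinguish individual hosts; a server-side route plus iroute keeps the real source addresses visible.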
                          jiunnyik

                          It works. Thanks.

                          What are the settings for the VPN client interface when I am running both server and client on the same pfSense?

                          Thanks.

                            viragomann

                            As mentioned, you have to assign an interface in Interfaces > (assign) to each OpenVPN instance.
                            At "Available network ports" select ovpnc1 for the client and click +, open the new interface, check Enabled, give it an appropriate name and save it.
                            Do the same for the OpenVPN server using the ovpns1 network port.

                            In outbound NAT, use the new interfaces instead of OpenVPN.
                            For the server, you might not need an outbound NAT rule.

                              jiunnyik

                              This works perfectly, just as I want.

                              Thank you viragomann

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.