Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Remote client cannot access internal network

    Scheduled Pinned Locked Moved OpenVPN
    12 Posts 3 Posters 1.5k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W Offline
      warnerthuis
      last edited by

      I have a pfSense 2.4.5-p1 and if I connect I can only access the pfSense machine, not any machine on the network. If I look at the client (W10, ipconfig/all) I don't see a default gateway, but on a working connection I don't see that either.
      The strange thing is that it has worked. We moved to another location (and a different IPadddress, which has been adjusted in both server and client) and since then it does not work anymore. I see the firewallrule that allows all traffic in the OpenVPN tab. Only IPv4 as we don't have IPv6.
      If I am connected I can login to the pfSense machine and access the webpage so it looks as there is either no route or no rule.
      I'm confused.

      V M 2 Replies Last reply Reply Quote 0
      • V Offline
        viragomann @warnerthuis
        last edited by

        @warnerthuis
        Did you try with different clients?

        Is pfSense the default gateway?

        What is the internal network?
        Show the clients routing table when it's connected.

        W 1 Reply Last reply Reply Quote 0
        • M Offline
          marvosa @warnerthuis
          last edited by

          @warnerthuis
          Post your server1.conf (/var/etc/openvpn)

          W 1 Reply Last reply Reply Quote 0
          • W Offline
            warnerthuis @viragomann
            last edited by

            @viragomann Yes, tried with different clients.
            I even removed the OpenVPN service entry from the server and with the
            Wizard created a completely new one. I use 2.5 on the client.
            Yes, it is the default gateway although it it not running DHCP.
            Internal network is 192.168.0.0/21
            If a client is connected there is no internetconnection anymore.
            That is restored the moment the connection is broken.
            route print on the client gives this:

            Interface List
            19...00 ff f1 98 69 09 ......TAP-Windows Adapter V9
            14...........................Wintun Userspace Tunnel
            8...d0 27 88 19 99 03 ......Realtek PCIe GbE Family Controller #2
            1...........................Software Loopback Interface 1

            IPv4 Route Table

            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 192.168.1.1 192.168.3.105 25
            10.76.99.0 255.255.255.0 172.31.24.1 172.31.24.2 259
            127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
            127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
            127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
            172.31.24.0 255.255.255.224 On-link 172.31.24.2 259
            172.31.24.2 255.255.255.255 On-link 172.31.24.2 259
            172.31.24.31 255.255.255.255 On-link 172.31.24.2 259
            192.168.0.0 255.255.248.0 On-link 192.168.3.105 281
            192.168.0.0 255.255.248.0 172.31.24.1 172.31.24.2 259
            192.168.3.105 255.255.255.255 On-link 192.168.3.105 281
            192.168.7.255 255.255.255.255 On-link 192.168.3.105 281
            224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
            224.0.0.0 240.0.0.0 On-link 192.168.3.105 281
            224.0.0.0 240.0.0.0 On-link 172.31.24.2 259
            255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
            255.255.255.255 255.255.255.255 On-link 192.168.3.105 281
            255.255.255.255 255.255.255.255 On-link 172.31.24.2 259

            Persistent Routes:
            None

            IPv6 Route Table

            Active Routes:
            If Metric Network Destination Gateway
            1 331 ::1/128 On-link
            8 281 fe80::/64 On-link
            19 259 fe80::/64 On-link
            19 259 fe80::c8c1:b4eb:ac3d:11b9/128
            On-link
            8 281 fe80::f582:d662:f994:5e88/128
            On-link
            1 331 ff00::/8 On-link
            8 281 ff00::/8 On-link
            19 259 ff00::/8 On-link

            Persistent Routes:
            None

            V 1 Reply Last reply Reply Quote 0
            • W Offline
              warnerthuis @marvosa
              last edited by

              @marvosa server1.conf:
              dev ovpns1
              dev-type tun
              dev-node /dev/tun1
              writepid /var/run/openvpn_server1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp4
              cipher AES-256-CBC
              auth SHA256
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              client-connect /usr/local/sbin/openvpn.attributes.sh
              client-disconnect /usr/local/sbin/openvpn.attributes.sh
              local 92.65.253.75
              tls-server
              server 172.31.24.0 255.255.255.224
              client-config-dir /var/etc/openvpn-csc/server1
              username-as-common-name
              plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'WerkWentSC' 1"
              lport 1194
              management /var/etc/openvpn/server1.sock unix
              max-clients 3
              push "route 192.168.0.0 255.255.248.0"
              push "route 10.76.99.0 255.255.255.0"
              push "dhcp-option DOMAIN werkwent.org"
              push "dhcp-option DNS 192.168.0.101"
              push "dhcp-option DNS 192.168.0.100"
              push "dhcp-option DNS 8.8.8.8"
              push "dhcp-option DNS 8.8.4.4"
              client-to-client
              ca /var/etc/openvpn/server1.ca
              cert /var/etc/openvpn/server1.cert
              key /var/etc/openvpn/server1.key
              dh /etc/dh-parameters.2048
              tls-auth /var/etc/openvpn/server1.tls-auth 0
              persist-remote-ip
              float
              topology subnet

              V 1 Reply Last reply Reply Quote 0
              • V Offline
                viragomann @warnerthuis
                last edited by

                @warnerthuis said in Remote client cannot access internal network:

                192.168.0.0/21

                Your client and server side networks are overlapping. You have 192.168.0.0/21 at both sites.
                So the client is not able to route this network over the VPN.

                1 Reply Last reply Reply Quote 0
                • W Offline
                  warnerthuis
                  last edited by warnerthuis

                  Sorry, I used the wrong setup.
                  First I have to mention that I deleted the whole setup on the pfSense and created a new one with the wizard.
                  Now I started a machine without network.
                  Connected it to my phone with USB tethering.
                  I can ping 8.8.8.8 (of course) but not our server 192.168.0.101.
                  And the icon on the pc changes from connected to no internet available.
                  On the pc the route print gives the following:

                  ===========================================================================
                  Interface List
                  8...d0 27 88 19 99 03 ......Realtek PCIe GbE Family Controller #2
                  14...........................Wintun Userspace Tunnel
                  31...5e 70 3b bc 8c 70 ......Remote NDIS Compatible Device
                  19...00 ff f1 98 69 09 ......TAP-Windows Adapter V9
                  1...........................Software Loopback Interface 1

                  IPv4 Route Table

                  Active Routes:
                  Network Destination Netmask Gateway Interface Metric
                  0.0.0.0 0.0.0.0 192.168.42.129 192.168.42.114 25
                  127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
                  127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
                  127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
                  192.168.42.0 255.255.255.0 On-link 192.168.42.114 281
                  192.168.42.114 255.255.255.255 On-link 192.168.42.114 281
                  192.168.42.255 255.255.255.255 On-link 192.168.42.114 281
                  224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
                  224.0.0.0 240.0.0.0 On-link 192.168.42.114 281
                  255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
                  255.255.255.255 255.255.255.255 On-link 192.168.42.114 281

                  Persistent Routes:
                  None

                  IPv6 Route Table

                  Active Routes:
                  If Metric Network Destination Gateway
                  1 331 ::1/128 On-link
                  31 281 fe80::/64 On-link
                  31 281 fe80::c442:303d:398e:ac72/128
                  On-link
                  1 331 ff00::/8 On-link
                  31 281 ff00::/8 On-link

                  Persistent Routes:
                  None
                  (why does it make the font so large? I cut and paste this from Notepad)
                  I still have the feeling that there is a rule missing that allows access to the 192.168.0.0 network, but all the rules are there in "Firewall"tab OpenVPN and are the same as in the pfSense firewall at my home that does work.
                  But it is strange that I can from that pc login in the firewall at address 192.168.1.1.

                  V 1 Reply Last reply Reply Quote 0
                  • V Offline
                    viragomann @warnerthuis
                    last edited by

                    @warnerthuis
                    Now you're missing the route to the remote network. Did you change the server config?

                    W 1 Reply Last reply Reply Quote 0
                    • W Offline
                      warnerthuis @viragomann
                      last edited by

                      @viragomann
                      I only changed the external address.
                      Maybe I should look in the routing setup....

                      1 Reply Last reply Reply Quote 0
                      • V Offline
                        viragomann @warnerthuis
                        last edited by

                        The server pushes the routes as the config shows:

                        push "route 192.168.0.0 255.255.248.0"
                        push "route 10.76.99.0 255.255.255.0"

                        But nothing of this is in the client routing table. Was the client really connected to the server, when you print the routing table?

                        If the routes are not set on the client check its OpenVPN log. It should give hints to the problem.

                        W 1 Reply Last reply Reply Quote 0
                        • W Offline
                          warnerthuis @viragomann
                          last edited by

                          @viragomann
                          I have to wait till monday, as I cannot access the machine right now.
                          Something to do with a changed password ;-)

                          W 1 Reply Last reply Reply Quote 0
                          • W Offline
                            warnerthuis @warnerthuis
                            last edited by warnerthuis

                            I found the problem. There was a floating rule that disabled access to the internal network. We never used floating rules, but we did have virtual networks where the rules were for and these networks were removed with the move to the new location. After disabling these rules my test works (a simple webserver with a default page and a NAT-rule to access it from outside)

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.