Netgate Discussion Forum

    Remote client cannot access internal network

    viragomann @warnerthuis

      @warnerthuis
      Did you try with different clients?

      Is pfSense the default gateway?

      What is the internal network?
      Show the clients routing table when it's connected.

      marvosa @warnerthuis

        @warnerthuis
        Post your server1.conf (/var/etc/openvpn)

      warnerthuis @viragomann

          @viragomann Yes, tried with different clients.
          I even removed the OpenVPN service entry from the server and with the
          Wizard created a completely new one. I use 2.5 on the client.
          Yes, it is the default gateway although it is not running DHCP.
          Internal network is 192.168.0.0/21
          If a client is connected there is no internet connection anymore.
          That is restored the moment the connection is broken.
          route print on the client gives this:

          Interface List
          19...00 ff f1 98 69 09 ......TAP-Windows Adapter V9
          14...........................Wintun Userspace Tunnel
          8...d0 27 88 19 99 03 ......Realtek PCIe GbE Family Controller #2
          1...........................Software Loopback Interface 1

          IPv4 Route Table

          Active Routes:
          Network Destination Netmask Gateway Interface Metric
          0.0.0.0 0.0.0.0 192.168.1.1 192.168.3.105 25
          10.76.99.0 255.255.255.0 172.31.24.1 172.31.24.2 259
          127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
          127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
          127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
          172.31.24.0 255.255.255.224 On-link 172.31.24.2 259
          172.31.24.2 255.255.255.255 On-link 172.31.24.2 259
          172.31.24.31 255.255.255.255 On-link 172.31.24.2 259
          192.168.0.0 255.255.248.0 On-link 192.168.3.105 281
          192.168.0.0 255.255.248.0 172.31.24.1 172.31.24.2 259
          192.168.3.105 255.255.255.255 On-link 192.168.3.105 281
          192.168.7.255 255.255.255.255 On-link 192.168.3.105 281
          224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
          224.0.0.0 240.0.0.0 On-link 192.168.3.105 281
          224.0.0.0 240.0.0.0 On-link 172.31.24.2 259
          255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
          255.255.255.255 255.255.255.255 On-link 192.168.3.105 281
          255.255.255.255 255.255.255.255 On-link 172.31.24.2 259

          Persistent Routes:
          None

          IPv6 Route Table

          Active Routes:
          If Metric Network Destination Gateway
          1 331 ::1/128 On-link
          8 281 fe80::/64 On-link
          19 259 fe80::/64 On-link
          19 259 fe80::c8c1:b4eb:ac3d:11b9/128 On-link
          8 281 fe80::f582:d662:f994:5e88/128 On-link
          1 331 ff00::/8 On-link
          8 281 ff00::/8 On-link
          19 259 ff00::/8 On-link

          Persistent Routes:
          None

          warnerthuis @marvosa

            @marvosa server1.conf:
            dev ovpns1
            dev-type tun
            dev-node /dev/tun1
            writepid /var/run/openvpn_server1.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto udp4
            cipher AES-256-CBC
            auth SHA256
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            client-connect /usr/local/sbin/openvpn.attributes.sh
            client-disconnect /usr/local/sbin/openvpn.attributes.sh
            local 92.65.253.75
            tls-server
            server 172.31.24.0 255.255.255.224
            client-config-dir /var/etc/openvpn-csc/server1
            username-as-common-name
            plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
            tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'WerkWentSC' 1"
            lport 1194
            management /var/etc/openvpn/server1.sock unix
            max-clients 3
            push "route 192.168.0.0 255.255.248.0"
            push "route 10.76.99.0 255.255.255.0"
            push "dhcp-option DOMAIN werkwent.org"
            push "dhcp-option DNS 192.168.0.101"
            push "dhcp-option DNS 192.168.0.100"
            push "dhcp-option DNS 8.8.8.8"
            push "dhcp-option DNS 8.8.4.4"
            client-to-client
            ca /var/etc/openvpn/server1.ca
            cert /var/etc/openvpn/server1.cert
            key /var/etc/openvpn/server1.key
            dh /etc/dh-parameters.2048
            tls-auth /var/etc/openvpn/server1.tls-auth 0
            persist-remote-ip
            float
            topology subnet

          viragomann @warnerthuis

              @warnerthuis said in Remote client cannot access internal network:

              192.168.0.0/21

              Your client and server side networks are overlapping. You have 192.168.0.0/21 at both sites.
              So the client is not able to route this network over the VPN.

          warnerthuis

                Sorry, I used the wrong setup.
                First I have to mention that I deleted the whole setup on the pfSense and created a new one with the wizard.
                Now I started a machine without network.
                Connected it to my phone with USB tethering.
                I can ping 8.8.8.8 (of course) but not our server 192.168.0.101.
                And the icon on the pc changes from connected to no internet available.
                On the pc the route print gives the following:

                ===========================================================================
                Interface List
                8...d0 27 88 19 99 03 ......Realtek PCIe GbE Family Controller #2
                14...........................Wintun Userspace Tunnel
                31...5e 70 3b bc 8c 70 ......Remote NDIS Compatible Device
                19...00 ff f1 98 69 09 ......TAP-Windows Adapter V9
                1...........................Software Loopback Interface 1

                IPv4 Route Table

                Active Routes:
                Network Destination Netmask Gateway Interface Metric
                0.0.0.0 0.0.0.0 192.168.42.129 192.168.42.114 25
                127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
                127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
                127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
                192.168.42.0 255.255.255.0 On-link 192.168.42.114 281
                192.168.42.114 255.255.255.255 On-link 192.168.42.114 281
                192.168.42.255 255.255.255.255 On-link 192.168.42.114 281
                224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
                224.0.0.0 240.0.0.0 On-link 192.168.42.114 281
                255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
                255.255.255.255 255.255.255.255 On-link 192.168.42.114 281

                Persistent Routes:
                None

                IPv6 Route Table

                Active Routes:
                If Metric Network Destination Gateway
                1 331 ::1/128 On-link
                31 281 fe80::/64 On-link
                31 281 fe80::c442:303d:398e:ac72/128 On-link
                1 331 ff00::/8 On-link
                31 281 ff00::/8 On-link

                Persistent Routes:
                None
                (why does it make the font so large? I cut and paste this from Notepad)
                I still have the feeling that there is a rule missing that allows access to the 192.168.0.0 network, but all the rules are there in the "Firewall" tab OpenVPN and are the same as in the pfSense firewall at my home that does work.
                But it is strange that from that PC I can log in to the firewall at address 192.168.1.1.

          viragomann @warnerthuis

                  @warnerthuis
                  Now you're missing the route to the remote network. Did you change the server config?

          warnerthuis @viragomann

                    @viragomann
                    I only changed the external address.
                    Maybe I should look in the routing setup....

          viragomann @warnerthuis

                      The server pushes the routes as the config shows:

                      push "route 192.168.0.0 255.255.248.0"
                      push "route 10.76.99.0 255.255.255.0"

                      But nothing of this is in the client routing table. Was the client really connected to the server when you printed the routing table?

                      If the routes are not set on the client check its OpenVPN log. It should give hints to the problem.

          warnerthuis @viragomann
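As an added illustration (not code from this thread, from pfSense or from OpenVPN): the two checks viragomann applies in this post and in the earlier overlap diagnosis, "is each pushed route actually installed on the client via the tunnel?" and "does it collide with a subnet the client already has on-link?", run over abridged copies of the two route tables and the server1.conf posted above. The sample inputs are constructed from the thread and keep only the rows that matter.

```python
import ipaddress
import re

# Constructed samples, abridged from the two "route print" outputs and the
# server1.conf posted in this thread (only the rows that matter are kept).
CLIENT_AT_OFFICE = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.3.105 25
10.76.99.0 255.255.255.0 172.31.24.1 172.31.24.2 259
172.31.24.0 255.255.255.224 On-link 172.31.24.2 259
192.168.0.0 255.255.248.0 On-link 192.168.3.105 281
192.168.0.0 255.255.248.0 172.31.24.1 172.31.24.2 259
"""
CLIENT_ON_TETHER = """\
0.0.0.0 0.0.0.0 192.168.42.129 192.168.42.114 25
192.168.42.0 255.255.255.0 On-link 192.168.42.114 281
"""
SERVER_CONF = """\
server 172.31.24.0 255.255.255.224
push "route 192.168.0.0 255.255.248.0"
push "route 10.76.99.0 255.255.255.0"
"""
# Windows route table row: destination netmask gateway interface metric
ROUTE_ROW = re.compile(r"^(\d\S*)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+)$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_route_print(text):
    """IPv4 'route print' rows -> [(network, gateway or None if on-link)]."""
    rows = []
    for m in filter(None, map(ROUTE_ROW.match, (l.strip() for l in text.splitlines()))):
        gw = None if m.group(3).lower() == "on-link" else ipaddress.ip_address(m.group(3))
        rows.append((net(m.group(1), m.group(2)), gw))
    return rows

def check_client_routes(route_text, conf_text):
    """Per pushed route: 'overlap' (collides with a local on-link subnet), 'missing' (not via tunnel), 'ok'."""
    rows = parse_route_print(route_text)
    tunnel = net(*re.search(r"^server\s+(\S+)\s+(\S+)", conf_text, re.M).groups())
    pushed = [net(a, m) for a, m in re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf_text, re.M)]
    # Directly connected local subnets: on-link, real prefixes, not loopback/multicast/tunnel.
    local = [n for n, gw in rows if gw is None and n.prefixlen < 32
             and not (n.is_loopback or n.is_multicast or n.subnet_of(tunnel))]
    verdict = {}
    for p in pushed:
        via_vpn = any(n == p and gw is not None and gw in tunnel for n, gw in rows)
        if any(l.overlaps(p) for l in local):
            verdict[str(p)] = "overlap"   # the client cannot route this over the VPN
        else:
            verdict[str(p)] = "ok" if via_vpn else "missing"
    return verdict
```

The first table yields "overlap" for 192.168.0.0/21 (the same /21 is on-link locally and pushed over the tunnel) and "ok" for 10.76.99.0/24; the tethered table yields "missing" for both, which is the state this post describes.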

                        @viragomann
                        I have to wait till Monday, as I cannot access the machine right now.
                        Something to do with a changed password ;-)

          warnerthuis @warnerthuis

                          I found the problem. There was a floating rule that disabled access to the internal network. We never used floating rules, but we did have virtual networks that the rules were for, and these networks were removed with the move to the new location. After disabling these rules my test works (a simple web server with a default page and a NAT rule to access it from outside).

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.