VPN Connection works but no network resource access



  • Can anyone point me to a guide on accessing network resources over VPN?

    I have been able to set up OpenVPN fine and can connect from my laptop to my PFSense box. What I can't do though is access any networked shares on my home network.

    My PFSense is 192.168.1.1/24 and my OpenVPN tunnel network is 192.168.2.0/24.

    I have configured the Firewall rule for OpenVPN to pass traffic on the OpenVPN connection.

    Can anyone provide either a link to a post about accessing resources or some advice?

    I have utilised corporate-provided VPNs before, however I have never set up my own.

    regards



  • Basically there are a few points that have to be given for the connection to function:

    • pfSense has to be the default gateway in the home LAN. Otherwise you have to set routes at the LAN hosts or do NAT at pfSense.

    • The traffic has to be permitted by firewall rules. As you said above, that's given.

    • The client has to have a route to the LAN over the VPN. This is set by entering your LAN network in the "Local Network(s)" box in the server config, or by checking "Redirect gateway" if you want to direct all traffic over the VPN. But ensure that the route is set correctly at the client. Check this with the route or route print command.
      If you're in doubt post the clients routing table and interface settings here.

    • The LAN subnet must not overlap the clients local network or the VPN tunnel.
      Your LAN is 192.168.1.0/24 and your VPN tunnel 192.168.2.0/24; these subnets are the default on 85 percent of routers. It would be better to change both. You can also use subnets of 10.0.0.0/8 or 172.16.0.0/12.



  • I don't know what you mean at point three sorry.

    When I look at the OpenVPN server setup on PFSense my IPv4 Local Network is set as 192.168.1.1/24 and the tunnel network 192.168.2.0/24.

    My DNS server is set to 192.168.1.1, same for the NTP server.

    Also I don't see the relevance of point four. Is there a problem utilising the IPs that I am using? How does 10.0.0.0.8/16 work better than 192.168.1.0/24? Surely OpenVPN works on 192.168.1.1/24 just as well as 10.0.0.8/16.

    When I check OpenVPN from the Status drop down I see my remote connection on virtual address 192.168.2.2. The routing table shows the target network is 192.168.2.2

    What do I need to setup so that my remote device can access network resources on the VPN server side network?



  • Is there a problem utilising the IPs that I am using? How does 10.0.0.0.8/16 work better than 192.168.1.0/24?

    As far as the RFC1918 range you use for the tunnel, there is no difference to OpenVPN.
    What you've described can be made to work.
    Best practices suggest NOT using the 192.168.x.x ranges as they are so often associated with various LAN networks the risk of a design conflict is increased with their use.

    As far as selecting ranges for LAN usage, again 192.168.0.x and 192.168.1.x appear in WAY too many default setups.
    The chances of running into a potential conflict with some outside network connecting to yours is again increased.

    You can of course do what you want, it's your network.
    We're just voicing issues that keep appearing over and over in the forum yet can be avoided pretty easily.

    Just my $.02



  • That's ok. Never set up my own VPN before so was not sure if there was some technical reason.

    I can see my connection in Status/OpenVPN, virtual address is 192.168.2.2

    When I do an IPCONFIG I can see the TAP Adapter has an address of 192.168.2.2 and a subnet of 255.255.255.0 and the default gateway is blank.

    When I check my IP address via Google it shows my real IP and not the VPN IP.

    Is my problem connecting with network drives on my network server side or client side?

    EDIT: I am unable to ping 192.168.1.1 when my client is connected to the server.

    Not sure how to read the route print output.



  • Couple of possibilities….

    What's the LAN subnet of remote device (without VPN connected)?  If it's the same as your home LAN (192.168.1.0/24? ) you're going to have issues.

    Is your laptop a Windows computer?  Win machines are famous for blocking network connections for VPNs because they're "unknown" subnets to the Windows firewall.
    Try turning off the Win Firewall for testing purposes.

    If you can post a screenshot of the route print after you've connected it might tell part of the story.



  • I just went through this and posted how I got it to work (not for shares, but other LAN resources).  I posted my settings in this thread.  Maybe it could help you?



  • @divsys:

    Couple of possibilities….

    What's the LAN subnet of remote device (without VPN connected)?  If it's the same as your home LAN (192.168.1.0/24? ) you're going to have issues.

    Is your laptop a Windows computer?  Win machines are famous for blocking network connections for VPNs because they're "unknown" subnets to the Windows firewall.
    Try turning off the Win Firewall for testing purposes.

    If you can post a screenshot of the route print after you've connected it might tell part of the story.

    Yes it is the same subnet.

    Here is the route table:

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.43.1    192.168.43.39    25
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.2.0    255.255.255.0        On-link      192.168.2.2    276
          192.168.2.2  255.255.255.255        On-link      192.168.2.2    276
        192.168.2.255  255.255.255.255        On-link      192.168.2.2    276
        192.168.43.0    255.255.255.0        On-link    192.168.43.39    281
        192.168.43.39  255.255.255.255        On-link    192.168.43.39    281
      192.168.43.255  255.255.255.255        On-link    192.168.43.39    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.43.39    281
            224.0.0.0        240.0.0.0        On-link      192.168.2.2    276
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.43.39    281
      255.255.255.255  255.255.255.255        On-link      192.168.2.2    276



  • From that route print it looks like you have a VPN connection established, but no routing info is being added to the PC at all.

    Your Remote (Laptop) Subnet 192.168.43.0/24 is NOT the same as your Home (pfSense) subnet - 192.168.1.0/24.  That's a good thing.

    The two places to look for issues now would be:

    The client install of the remote device.  Did you run the OpenVPN install as an Administrator?  Did you set the OpenVPN GUI to run as Administrator?
    Up the verbosity of the client logs (edit the client config and add "verb 3" to the end) and reconnect. Check the logs of the client, you should see a "Route add…" command.
    If that command shows an error, then you probably need to get your admin rights working.

    If that command is not there, then something is wrong with the way you setup the OpenVPN server on pfSense.
    Post a screen shot of the full OpenVPN server screen.
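    The reasoning in the last few posts (point three and point four of the first reply, and the reading of the route print above) can be checked mechanically. The following script is an added example and is not code from the thread or from pfSense/OpenVPN: it parses the IPv4 section of a Windows route print, looks for a route to the home LAN that leaves via the tunnel adapter, and flags overlapping subnets. The posted route table is embedded as constructed sample input; the extra line in PUSHED_LAN_ROUTE is what the client table is assumed to contain once the server pushes the LAN route (assuming the server's tunnel address is 192.168.2.1).

```python
import ipaddress
import re

# Constructed sample input: the IPv4 route table the original poster pasted
# (Windows `route print`), embedded so the check runs offline.
POSTED_ROUTE_PRINT = """\
IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0    192.168.43.1    192.168.43.39    25
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
      192.168.2.0    255.255.255.0        On-link      192.168.2.2    276
      192.168.2.2  255.255.255.255        On-link      192.168.2.2    276
     192.168.43.0    255.255.255.0        On-link    192.168.43.39    281
    192.168.43.39  255.255.255.255        On-link    192.168.43.39    281
"""

# Assumed (constructed) line that a working client table should contain:
# the route OpenVPN adds when the server pushes the home LAN. The gateway
# 192.168.2.1 is an assumption (server side of the tunnel network).
PUSHED_LAN_ROUTE = (
    "      192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.2    276\n"
)

# destination  netmask  gateway(IP or On-link)  interface  metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return (network, gateway, interface_addr, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:  # headers, blank lines, IPv6 section
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, ipaddress.ip_address(iface), int(metric)))
    return routes


def route_for(routes, target):
    """Longest-prefix match, as the OS does: most specific route covering target."""
    target = ipaddress.ip_address(target)
    best = None
    for entry in routes:
        net = entry[0]
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def diagnose(route_text, home_lan, tunnel, client_lan):
    """Check the client's table against the conditions discussed in the thread."""
    home_lan = ipaddress.ip_network(home_lan)
    tunnel = ipaddress.ip_network(tunnel)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []

    # Point four: overlapping subnets make the client's routing ambiguous.
    for a, b, what in ((home_lan, client_lan, "home LAN / client LAN"),
                       (home_lan, tunnel, "home LAN / tunnel"),
                       (tunnel, client_lan, "tunnel / client LAN")):
        if a.overlaps(b):
            findings.append(f"overlap: {what} ({a} vs {b})")

    # Point three: a host on the home LAN must be reached through the tunnel
    # adapter, not through the default route of the local (hotspot) network.
    routes = parse_route_print(route_text)
    probe = home_lan.network_address + 1          # e.g. 192.168.1.1, the pfSense LAN address
    hit = route_for(routes, probe)
    lan_via_tunnel = (
        hit is not None
        and hit[0].prefixlen > 0                  # not just the default route
        and hit[2] in tunnel                      # leaves via the TAP/TUN address
    )
    if not lan_via_tunnel:
        via = f"{hit[0]} on interface {hit[2]}" if hit else "nothing (no matching route)"
        findings.append(f"no route to {home_lan} via tunnel; {probe} would use {via}")
    return {"lan_via_tunnel": lan_via_tunnel, "findings": findings}


if __name__ == "__main__":
    args = ("192.168.1.0/24", "192.168.2.0/24", "192.168.43.0/24")
    print("as posted:", diagnose(POSTED_ROUTE_PRINT, *args))
    print("with pushed route:", diagnose(POSTED_ROUTE_PRINT + PUSHED_LAN_ROUTE, *args))
```

    On the table as posted the script reports exactly what the reply above says: no overlap between 192.168.43.0/24 and 192.168.1.0/24, but 192.168.1.1 falls through to the default route on the hotspot interface, so the tunnel is up while the LAN is unreachable. Appending the pushed LAN route clears both findings; that route line is the "Route add" the client log should show after the server's "Local Network(s)" setting is honoured and the client has the rights to add routes.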



  • I have started getting an error now. When I look in Status/OpenVPN I see the following:

    Common Name   Real Address                       Virtual Address             Connected Since Bytes Sent Bytes Received
    [error]         Unable to contact daemon       Service not running?           0                     0 B                     0 B

    Stopped

    I tried deleting the server, certificates..everything and resetting it up but keep getting the same message.



  • If you've been playing with the OpenVPN server setup, it's possible to get OpenVPN in a "confused" state where a previous instance is still running and a "restart" of the OpenVPN server process - doesn't.  You can find the OpenVPN(s) PID manually and kill it(them) or just do a full reboot of the box and see if everything comes back to life properly.

    OpenVPN is an excellent tool for what it does, and it has a vast array of options to accommodate many scenarios.
    One of its "quirks" under pfSense (IMHO) is the way it tries to keep itself alive come hell or high water.
    When you're testing and changing settings on the fly, this can lead to the issues you're seeing.

    Once you've got your production settings figured out, it tends to be very stable.
    It can be a little daunting the first time you have to deal with making sure your changes are actually implemented, but well worth the effort.

    Keep at it, try to be methodical, and let us know how it goes.



  • A reboot didn't work, still kept getting the same problem.

    I deleted all the config. The server, firewall rules, users and all certificates (CAs and Certificates), rebooted started PFSense and then started again. I get the same error message.

    I am doing this all through the webGUI. Do I need to remove the USB drive with PFSense on it and delete config files or something?

    Update: I have just noted that even though I delete everything after I restart PFSense everything is back. It's like my deletions are not being saved.



  • @darrenyorston:

    I have started getting an error now. When I look in Status/OpenVPN I see the following:

    Common Name   Real Address                       Virtual Address             Connected Since Bytes Sent Bytes Received
    [error]         Unable to contact daemon       Service not running?           0                     0 B                     0 B

    Stopped

    I tried deleting the server, certificates..everything and resetting it up but keep getting the same message.

    I got the same state, but the server was running and accepted connections.

    I could solve this by switching the servers listening interface to another one. However, it was set to the WAN CARP VIP at first and I switched to an internal one and forwarded OpenVPN connections. Now the daemon works and shows the correct state.



  • Anyone have any advice on my problem? At this stage even after deleting all VPN related settings, rebooting and then re-configuring I end up with the same error. My next option is to reinstall PFSense on a new USB. Though I feel that if this is an option to address the problem there is something significantly wrong.