Netgate Discussion Forum
TUN OpenVPN Remote Access SSL/TLS in Double NAT scenario

Category: OpenVPN
3 Posts 2 Posters 957 Views
  • abajac (posted Jul 25, 2016, 3:47 PM; last edited Jul 25, 2016, 5:29 PM)

    Hi guys,

    I'm scratching my head on this one, and would greatly appreciate any assistance.

    I'm currently trying to set up an OpenVPN Remote Access Server (SSL/TLS, no user auth). I'm in a double NAT scenario, as I share the internet with the neighbours.

    Actiontec Router:

    WAN: Public IP
    LAN: 192.168.1.0/24

    pfSense Router:

    WAN: 192.168.1.68 (DMZ)
    LAN: 10.171.71.0/24

    OpenVPN Tunnel Network:

    10.171.72.0/24

    Now, I've been able to successfully set up the OpenVPN server, use the client export wizard to download an auto-configured package, and connect the client to the server; get a success message and everything.

    For testing, I can ping my gateway (10.171.71.1) from my OpenVPN client (10.171.72.2). However, I can't ping anything else on my LAN subnet; I get a request timed out.

    When trying to ping my OpenVPN client from my LAN subnet (say, 10.171.71.15 > 10.171.71.2) I get a "Destination Host Unreachable" error.

    This implies to me that although my packets may be reaching the LAN machine, the LAN machine cannot send packets back because it doesn't know how to get there.

    Windows Firewalls have been disabled for testing purposes also, so they should be responding to pings.

    Is this correct? If so, how do I add a route so that my LAN machines know how to get to my VPN subnet? Is the double-nat responsible?

    Kind Regards.

    EDIT: I have made some progress. By adding a static route to the LAN machine itself (in this case, Windows), I am able to point it to the VPN subnet via the appropriate gateway. Is there any way to push this route to my LAN computers without needing to do it manually on each one?

    EDIT2: I think I've figured out the issue. The subnet mask on my LAN machines is incorrect. Setting it correctly seems to result in traffic being routed correctly.

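    Why a wrong subnet mask produces exactly the symptoms above (gateway pingable, VPN client "Destination Host Unreachable"), as an added example that is not part of the thread. The addresses are the ones from the post; the routing tables, the assumed WAN gateway 192.168.1.1 and the "wrong" mask of 255.255.0.0 are constructed for illustration, since the post only says the mask was incorrect.

```python
import ipaddress

# Constructed model of the thread's topology. Only the 10.171.x addresses come from the post.
LAN_SEGMENT = ipaddress.ip_network("10.171.71.0/24")   # what is actually on the LAN wire
LAN_GATEWAY = "10.171.71.1"                             # pfSense LAN address

PFSENSE_TABLE = [
    (ipaddress.ip_network("10.171.71.0/24"), None),        # LAN, directly connected
    (ipaddress.ip_network("10.171.72.0/24"), None),        # OpenVPN tunnel (tun), directly connected
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1"),   # default via the Actiontec (assumed address)
]


def host_table(host_ip, netmask):
    """Routing table a LAN host derives from its own interface address and mask."""
    on_link = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return [(on_link, None), (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY)]


def lookup(table, dest):
    """Longest-prefix match. Returns (next_hop, matched_network); next_hop None means on-link."""
    d = ipaddress.ip_address(dest)
    net, nh = max(((n, h) for n, h in table if d in n), key=lambda m: m[0].prefixlen)
    return nh, net


def trace(host_ip, netmask, dest):
    """Simulate a ping from the LAN host toward dest; returns the hops taken as strings."""
    nh, net = lookup(host_table(host_ip, netmask), dest)
    if nh is None:
        # Host believes dest is on its own segment, so it ARPs for it instead of using the gateway.
        if ipaddress.ip_address(dest) in LAN_SEGMENT:
            return [f"on-link ({net}): ARP answered, delivered directly"]
        # Nothing on the LAN owns a 10.171.72.x address and pfSense does not proxy-ARP for it.
        return [f"on-link ({net}): no ARP reply on LAN -> Destination Host Unreachable"]
    hops = [f"{host_ip} -> {nh}"]
    nh2, net2 = lookup(PFSENSE_TABLE, dest)
    hops.append(f"pfSense delivers on-link via {net2}" if nh2 is None else f"pfSense -> {nh2}")
    return hops


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, "->", trace("10.171.71.15", mask, "10.171.72.2"))
```

    With the too-wide mask the host's own on-link route swallows the whole tunnel subnet, so the packet never reaches pfSense; the gateway itself still answers because it really is on the wire.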
    • mannyjacobs73 (posted Jul 25, 2016, 7:30 PM)

      Did you need to do anything 'peculiar' in the steps / wizard, considering your double-NAT setup?

      I'm having some trouble even connecting to my pfsense behind one NAT. I won't hijack your post with my issue. I'm just curious to know anyway.

      As far as your issue goes, I was going to say there is a check-box that says 'allow access to other machines on the LAN', as I thought it may be that - seems you have sorted your problem though.

      • abajac (posted Jul 25, 2016, 9:04 PM)

        Hi manny,

        No, I didn't need to do anything peculiar for the double-nat. No custom routes or NAT settings required. Literally, the issue was the subnet mask, which took quite a while to figure out, but was an easy-fix.

        Thanks!
