Can connect to VPN but can't access network


  • I want to set up pfSense with OpenVPN so that I can connect to my home network when I am away.

    I went through the steps at https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server and I can connect to the VPN but I can't access my local network (as in, SSH into my servers or reach web portals that are set up).

    I followed the directions to a T, skipping over the optional parts that I am unsure if I need at the moment, changing IPv4 Local network(s) from 192.168.1.0 to my subnet (192.168.0.0), and I had to edit my .ovpn file to change the line remote 192.168.0.171 1194 udp from my local IP to my network's public IP. Also I am using my ISP's modem/router/AP, so I had to add in a port forward rule there to get it to work (as expected).

    What am I missing here?

    I am still new to pfSense so I am not really sure how to best show you my setup, but if you need to look at any configs just let me know what you need to see, or I can screenshot if that makes more sense.

  • LAYER 8 Global Moderator

    Confused, sounds like you're using the same network on pfsense wan as lan.

    So your pfsense wan is 192.168.0.171, but then this sounds like your lan is also 192.168.0?

    "changing  IPv4 Local network(s) from 192.168.1.0 to my subnet (192.168.0.0"

    What is your pfsense wan network IP/mask?
    What is your pfsense lan network 192.168.?/?

    What did you use for your tunnel network, I use 10.0.8/24 for example
    What is the network your remote user is on, for example when at work I am on 10.56.40/24
    What did you set up for your local networks in the openvpn setup..  I have a few of my local segments that I want to be able to get to when I am remote and vpn'd in, etc.  See attached

    Also keep in mind, are you running any software firewalls on these boxes you're trying to get to?  That quite often can block access from other than the local network, ie the tunnel network your remote vpn client got from pfsense.



  • Sorry if I miss something here, I'm on mobile. I had also made another change that I forgot to mention and is probably important.

    I am only using pfSense as a VPN, not a router or firewall and it's running in a VM. Eventually I will use it for everything but I need to get a wireless AP first. I was trying to set this up before but my problem was that WAN would take 192.168.0.* and the lab address would be 192.168.1.1. So I would be able to access the login from machines directly on the same subnet as pfSense but not from my wireless devices. This is a problem because then I can't access my server from my wireless devices. So I made a post about it elsewhere and was told for my purposes to just set one interface, so that's what I've done. Just one interface, WAN set to 192.168.0.175.

    Was this the incorrect thing to do? If I said .171 earlier that was a sleepy typo, my wan is 182.168.0.175.

    So that's what I changed and it also should answer your first couple of questions.

    My tunnel network is whatever is the default or recommended in the page I linked.

    The network I try to access from will always be changing. I travel lots and spend lots of time in hotels but I still want to be able to access and manage my servers. I'm at home for the time being so I don't have a separate network to test from so I am testing using my phone. Its local address is 100.9 0.13.38 and public looks to be ipv6, which maybe could be a problem? I hadn't set up ipv6 on pfSense, but I can connect so I'm not sure.

    I don't believe I have any firewalls set on my machines, unless they are autoconfigured by the containers. I'll need to double-check when I'm at home from work.

  • LAYER 8 Global Moderator

    So a bit confused still.. So you're using pfsense as just an openvpn server on what it counts as its WAN that is on rfc1918 space, ie this 192.168.0.175..  And you want to get to devices on 192.168.0/24

    So you have this

    internet - publicIP wan ispdevice lan 192.168.0.? -- your network 192.168.0/24 devices --- 192.168.0.175 wan pfsense

    So here is a problem for sure, maybe not all of them but for sure this is going to be an issue.

    So you want to go to say 192.168.0.100, some computer on your network..  What is its gateway? I would assume your isp device, 192.168.0.1 let's call it.

    So without pfsense natting your tunnel IP, let's call it 10.0.8.100 for conversation purposes.  I have never looked into or tried setting up pfsense as an openvpn server only on 1 interface..  So not sure how you have that setup??  But I am assuming you're not natting??  So you run into this problem with your vpn client that now has a 10.0.8.100 address..  So he wants to go to 192.168.0.100, so his traffic goes down the tunnel and pfsense sends him the traffic with a source of 10.0.8.100??  Now your box on your network says hey I need to answer this guy at 10.0.8.100 and sends that traffic to your gateway..  Where does your ispdevice send traffic destined for 10.0.8.100?

    Even if you put in a route statement that says send it to pfsense 192.168.0.175 you have an asymmetrical routing problem..  And not going to work at all or well, that is for sure. If pfsense nats the vpn clients to the 192.168.0/24 network you might be fine but very convoluted setup.

    I run pfsense on vm, have been doing it for years - works great...  But I would not suggest you use pfsense just for a vpn server behind some other nat.  Why can you not replace your ispdevice with pfsense and use pfsense as your edge router/firewall?  Can you not just leverage your ispdevice wifi as your AP??  To use any wifi router as just an AP, disable its dhcp server, give its lan an IP on your network and connect it to your network with one of its lan ports.

    So you end up with this then

    internet - publicIP wan pfsense lan 192.168.0.1 -- your network devices - 192.168.0.2 AP (old wifi router)

    Now you will have no issues with vpn remote in..  Other than possible conflicts with the common 192.168.0/24 network.. I use 192.168.9/24 as my local lan since that would be way less likely to see on any other network I might be on, starbucks, work, friends house, etc. etc..

    Running a vpn server on the inside of a network is going to be a pain with configuration and overcoming asymmetrical routing issues.  It is always much simpler to just run your vpn server at the edge of the network. When it's your actual gateway for the devices behind it, like what pfsense is normally set up like, then it is a much more straightforward setup and easy to maintain, troubleshoot and set up.
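As an added illustration of the asymmetric-routing problem the moderator describes above (this is not code from the thread or from pfSense), the small Python model below traces where a LAN server's reply to the VPN client ends up in three cases: no NAT, no NAT but a static route for the tunnel network on the ISP device, and outbound NAT on pfSense. The addresses are the thread's own, 10.0.8.100 being the moderator's placeholder for the client.

```python
import ipaddress as ipa

# Constructed model of the thread's topology: pfSense is only a VPN server on the LAN
# (192.168.0.175), the ISP device (192.168.0.1) is every LAN host's default gateway,
# 192.168.0.100 is a LAN server and 10.0.8.100 is the moderator's placeholder client address.
ADDRS = {"vpnclient": "10.0.8.100", "pfsense": "192.168.0.175",
         "server": "192.168.0.100", "ispdevice": "192.168.0.1"}
OWNER = {ipa.ip_address(a): n for n, a in ADDRS.items()}
LAN, TUN, ANY = (ipa.ip_network(n) for n in ("192.168.0.0/24", "10.0.8.0/24", "0.0.0.0/0"))

def tables(gateway_route=False):
    """Routing tables as (prefix, next hop) lists, first match wins; "direct" = on-link."""
    isp = [(LAN, "direct"), (ANY, "internet")]      # ISP device has no idea where 10.0.8/24 is
    if gateway_route:                               # unless a static route is added on it
        isp.insert(0, (TUN, "pfsense"))
    return {"vpnclient": [(ANY, "pfsense")],        # client sends everything down the tunnel
            "pfsense": [(TUN, "vpnclient"), (LAN, "direct"), (ANY, "ispdevice")],
            "server": [(LAN, "direct"), (ANY, "ispdevice")],
            "ispdevice": isp}

def trace(src, dst_ip, rt):
    """Follow next hops from src toward dst_ip until delivery, the internet, or a drop."""
    dst, node, path = ipa.ip_address(dst_ip), src, [src]
    while True:
        hop = next((h for net, h in rt[node] if dst in net), "drop")
        if hop == "direct":                         # on-link delivery needs a host owning dst
            hop = OWNER.get(dst, "drop")
        path.append(hop)
        if hop in ("internet", "drop") or ADDRS[hop] == dst_ip:
            return path
        node = hop

def vpn_flow(nat=False, gateway_route=False):
    """Forward path client->server plus the server's reply path.  With outbound NAT pfSense
    rewrites the client's source to 192.168.0.175, then un-NATs the reply back into the tunnel."""
    rt = tables(gateway_route)
    fwd = trace("vpnclient", ADDRS["server"], rt)
    rep = trace("server", ADDRS["pfsense"] if nat else ADDRS["vpnclient"], rt)
    if nat:
        rep += trace("pfsense", ADDRS["vpnclient"], rt)[1:]
    return fwd, rep

def symmetric(fwd, rep):
    """True when the reply retraces the forward path, i.e. no asymmetric routing."""
    return fwd == rep[::-1]

if __name__ == "__main__":
    for label, kw in (("no NAT", {}), ("route on ISP device", {"gateway_route": True}), ("NAT", {"nat": True})):
        fwd, rep = vpn_flow(**kw)
        print(f"{label:20s} forward={fwd} reply={rep} symmetric={symmetric(fwd, rep)}")
```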


  • Hm okay. Yes, your assumptions there are right.

    I see the problem you're explaining, I am new to networking and was thinking this should work but maybe not.

    I don't think my modem can run as just an AP, it's either everything (modem, router, ap) or just a modem. I'll look into that though because that could save me some money down the line.

    Outside of the AP, the reason I don't use pfSense for everything is that it's running on a Dell 2950 which is a big power hungry beast so I don't run it all the time, just when I'm actively using it. Eventually down the line I will upgrade to an R710 or something similar and leave it on 24/7 but that's a ways down the line.

    I have never used pfSense before and wanted to become familiar with it, as well as this seemed like a simple thing to do, but it may be better to set up a VPN server on my RPI

  • LAYER 8 Global Moderator

    Any wifi router can be just an AP.. As I said.. Give its lan an IP for your network.  Turn OFF its dhcp server, connect it to your network via one of its LAN ports - NOT its wan/internet port.. There you go, AP only!!  And you can use its other switch ports to be on your network as well.

    This can be done with any wifi router - any!!

    While this can be a cost saver in a pinch, and if all you want is very basic wifi then sure this method works.  But if you're going to have more than your run of the mill home user's network then I would suggest you get a true AP with vlan support.  The stuff from unifi is very home budget friendly with loads of features.  Air time fairness, band steering, DFS channels, etc. etc.. They have controller software that can run on anything, windows/linux/osx, if you want some added bells and whistles like captive portal, reporting on connected users and their bandwidth usage, etc. etc.

    Their new AC lite model is only $89, their pro model is $149, have seen it for $130, which does 3x3 - all of them are POE for easy proper mounting for coverage, etc.

    If what you're looking to do is take your home network to the next level - which I would assume is what you're looking to do with your interest in pfsense - then yes I would suggest a real AP vs using an old wifi router.  But if what you want to do is get it up and running then sure you could leverage your old wifi router now and get an AP at a later date as you get fancier and fancier with your network.

    I have been running pfsense for years.  I started with 2 segments, I currently have 7 with 4 of those being wifi vlans on different ssids.  While I want to reduce the number of SSIDs down to 2 I would still have 4 or even more vlans on wifi.  I just wish consumer devices like roku, nest, harmony supported wpa enterprise vs only psk so it would be easier to use dynamic assigned vlans and then could prob get away with just 1 ssid.  And then dynamically assign you to your vlan based upon your auth..


  • Well, problem is solved. Well, at least I think it is.

    I had NAT disabled on pfSense because I had thought that I was supposed to if I wasn't using it as a router. Turning it on allows me to connect to the VPN and access my servers from my phone.

    I can't access through my laptop while I am on the network to test, but I don't know if that is expected behaviour or not. I will need to get onto another network to test.

    edit: Ran over to somebody else's house to test, yeah - everything works now.


  • If an ISP modem is in bridge mode but normally has a network of 192.168.0.0/24, and the main network for pfSense is 192.168.0.0/24, will that cause problems? I can connect to VPN and get internet access and access a few machines on the network when connected remotely but I can't access all machines and services on the LAN. For example there is a web application running on the LAN but I can't even ping it when connected via OpenVPN.