Netgate Discussion Forum
Access to LAN behind pfSense OpenVPN client from OpenVPN server

OpenVPN
9 Posts 2 Posters 3.4k Views
    Deviant0ne
    Sep 22, 2016, 3:13 PM

    I've been wrestling with this for some time now and I'm hoping to finally get this working. Here is a basic diagram of my network:

     --------------------------------      ---------------------------------
    |Debian VPS                     |      |pfSense router (V2.3.2)        |
    |OpenVPN server (V2.3.12)       | <--> |Acts as OpenVPN client         |
    |WAN only, no LAN (80.1.1.1)    |      |LAN: 10.0.1.1 WAN: 90.1.1.1    |
    |OpenVPN Server IP: 10.30.0.1   |      |OpenVPN client IP: 10.30.0.250 |
     --------------------------------      ---------------------------------
                                                        ^
                                                        |
                                                        V
    
                                            -------------------------------
                                            | LAN (FreeBSD) client        | 
                                            | LAN: 10.0.1.10              |
                                            -------------------------------
    

    I have a Debian virtual private server with no LAN behind it that is currently running the latest version of OpenVPN server. My pfSense router connects to this VPS as a client and I am able to route some of my Internet traffic over this connection using various firewall rules (this is working great). What I would like to be able to do is allow the Debian server access to my LAN over the OpenVPN connection from the pfSense router.

    I currently have the following line in my OpenVPN server.conf to add a route to my local LAN:

    route 10.0.1.0 255.255.255.0
    

    I also have the following line in the CSC file for my pfSense router:

    iroute 10.0.1.0 255.255.255.0
    

    Even with those directives, I am unable to ping anything on the LAN (10.0.1.X) from the Debian server and I am also unable to ping the pfSense router using its OpenVPN address (10.30.0.250). I am however, able to ping the Debian server using the OpenVPN address (10.30.0.1) from the LAN. Under the firewall rules for the OpenVPN interface on my pfSense router, I have a pass all from all but the traffic still will not flow past the router. If necessary, I can provide the full server/client OpenVPN configurations, but I feel like I must be missing something on the pfSense-side. Any help with this would be greatly appreciated!

      johnpoz LAYER 8 Global Moderator
      Sep 22, 2016, 3:24 PM

      If you want traffic to be able to route both ways, a site to site connection would be better suited than a client connection.  When you use a client connection your outbound traffic through the tunnel is being NATed to your tunnel IP you get when you connect to the server.  All your networks behind your client would be hidden by this NAT.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        Deviant0ne
        Sep 22, 2016, 3:29 PM

        @johnpoz:

        If you want traffic to be able to route both ways, a site to site connection would be better suited than a client connection.  When you use a client connection your outbound traffic through the tunnel is being NATed to your tunnel IP you get when you connect to the server.  All your networks behind your client would be hidden by this NAT.

        Thanks for the reply! Is it possible to use a site-to-site connection as an interface in pfSense so that I can route client traffic from the LAN over the OpenVPN connection to the Debian server and then out to the Internet?

          johnpoz LAYER 8 Global Moderator
          Sep 22, 2016, 3:58 PM

          sure why not..  I have a client connection to a vps currently in my setup as well.  I could change that to a site to site if need be to show you how to do it.  But pretty sure site to site is in the wiki docs.

            Deviant0ne
            Sep 22, 2016, 4:44 PM

            @johnpoz:

            sure why not..  I have a client connection to a vps currently in my setup as well.  I could change that to a site to site if need be to show you how to do it.  But pretty sure site to site is in the wiki docs.

            I went back and re-read the how-to and I must be missing something as I don't see how this is different from how I currently have it configured. I am happy to try a site-to-site configuration, I am just not sure what I would need to change.

              johnpoz LAYER 8 Global Moderator
              Sep 22, 2016, 5:02 PM

              what how to are you reading exactly?

                Deviant0ne
                Sep 22, 2016, 5:20 PM

                @johnpoz:

                what how to are you reading exactly?

                This is the original document I was reading: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

                And though I am not using PIA, this was the basic steps I followed originally to configure access to my VPN: https://forum.pfsense.org/index.php?topic=76015.0

                  johnpoz LAYER 8 Global Moderator
                  Sep 22, 2016, 7:40 PM

                  Your 1st link is site to site, but that is not what you set up is it??  Sure sounds like you just set up a client connection to your server running on your vps and not an actual site to site.

                    Deviant0ne
                    Sep 23, 2016, 2:49 PM (last edited Sep 24, 2016, 2:09 AM)

                    After carefully reading the site-to-site example, I decided that the best thing to do would be to re-vamp my server configuration and see if I can establish a site-to-site connection. I am going to try this at some point today, I'll report back with issues.

                    Edit 1: I believe I have created a site-to-site VPN between my pfSense router and my Debian VPS; the VPN tunnel will connect, but I am still unable to ping the LAN behind the pfSense router from the Debian VPS. When I reviewed the pfSense logs, I located the following error message:

                    ```
                    ERROR: FreeBSD route add command failed: external program exited with error status: 1
                    ```

                    Here is the server configuration:

                    ```
                    # Server listening port and protocol
                    local 80.1.1.1
                    port 10000
                    proto udp
                    dev tun

                    # Set the OpenVPN subnet
                    mode server
                    tls-server
                    topology subnet

                    server 10.30.0.0 255.255.255.0
                    ifconfig 10.30.0.1 10.30.0.2
                    route 10.0.1.0 255.255.255.0
                    client-to-client

                    # Misc. IP and security settings
                    script-security 3
                    persist-key
                    persist-tun

                    # Server certificates
                    ca ca.crt
                    cert server.crt
                    key server.key
                    dh dh1024.pem

                    # Encryption and compression settings
                    cipher BF-CBC
                    comp-lzo adaptive

                    # Used for setting static IP addresses on connected clients
                    client-config-dir /etc/openvpn/static_clients

                    # OpenVPN server logging settings
                    keepalive 10 120
                    status openvpn-tunnel-status.log
                    verb 3
                    ```

                    And here is the pfSense client configuration:

                    ```
                    dev ovpnc3
                    verb 1
                    dev-type tun
                    dev-node /dev/tun3
                    writepid /var/run/openvpn_client3.pid
                    #user nobody
                    #group nobody
                    script-security 3
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    proto udp
                    cipher BF-CBC
                    auth SHA1
                    up /usr/local/sbin/ovpn-linkup
                    down /usr/local/sbin/ovpn-linkdown
                    local 90.1.1.1
                    tls-client
                    client
                    lport 0
                    management /var/etc/openvpn/client3.sock unix
                    remote 80.1.1.1 10000
                    ifconfig 10.30.0.2 10.30.0.1
                    route 10.0.1.0 255.255.255.0
                    ca /var/etc/openvpn/client3.ca
                    cert /var/etc/openvpn/client3.cert
                    key /var/etc/openvpn/client3.key
                    comp-lzo adaptive
                    resolv-retry infinite
                    topology subnet
                    ```

                    Edit 2: I removed the `route 10.0.1.0 255.255.255.0` command from the pfSense client configuration and re-enabled the `iroute 10.0.1.0 255.255.255.0` command on the server in the client-specific overrides section. I reconnected the pfSense router to the Debian server after restarting the OpenVPN service and then connected to the Debian OpenVPN server from another machine. From the other machine, I was able to ping devices on my LAN [10.0.1.X] through the tunnel, but I am still unable to ping the LAN devices from the Debian server itself. Maybe I am missing an iptables rule…?

                    Edit 3: I finally found that the issue has something to do with when the iptables command is passed. I found that if I remove the iptables command

                    ```
                    iptables -t nat -A POSTROUTING -s 10.30.0.0/24 -o venet0 -j SNAT --to-source 80.1.1.1
                    ```

                    after the pfSense client is connected and then re-issue the same command, I am able to ping the LAN behind the pfSense router without issue.