VPN newb havin' Trouble with openvpn
-
Hello all,
Tryin to get this vpn up and running.
So after some trouble shooting got it to finally connect (had some certificate issues).
This is a pfsense box as a client connecting to a pfsense box as server. Currently just the one client so we can connect to a remote site, while more may be added later to allow other sites to use other (limited) services.
The connection is fine and the openvpn log is showing no errors. However, I can not connect to or even ping any devices on the remote LAN. Both sides show it as UP. the server local LAN is 192.168.0.0/24. The offsite local LAN 192.168.1.0/24
. The tunnel network is configured as 192.168.100.0/30.The server has an allow all to all IPV4 rule in the openvpn tab, as does the client. What am I missing?
Also, I am a bit uncertain, if I am on the local (server side) LAN will a device on the remote side be contacted via it's local IP aka 192.168.1.5 or is it actually an IP in the tunnel range? I am fairly sure it's NOT the tunnel range.. but please let me know. -
ok I checked around more, I also have a rule on WAN for both server and client that is Allow IPV4 UDP from all to "wan address". It does not connect unless these rules are both enabled.
-
Currently just the one client so we can connect to a remote site, while more may be added later to allow other sites to use other (limited) services.
So you presumably have set up a Remote access server and intend to accomplish a multi site to vpn server later. However, for multiple clients you have to broaden the tunnel subnet. 192.168.100.0/30 allows only one client.
If you have only one client, make a site to site set up, that's less difficult.Also, I am a bit uncertain, if I am on the local (server side) LAN will a device on the remote side be contacted via it's local IP aka 192.168.1.5 or is it actually an IP in the tunnel range?
You access the devices behind the client or the server via its interface address. Only the server and the clients get a virtual IP within the tunnel subnet, so only these nodes can be contacted by the virtual address.
To get this working, there are routes necessary on both sites, one at the client to direct the traffic to the LAN behind the server over the VPN and one at the server to route traffic for the clients LAN over VPN. A precondition is that the server and the client have to be the default upstream gateway in their networks.
The route for the client site can be set either by entering the server sides LAN subnet 192.168.0.0/24 in the "IPv4 Local networks" box in the server config, if the client pulls routes (default), or entering it in the "IPv4 Remote networks" box in the client settings. You may also do both.
For adding the route to clients LAN to the server you have to add a "client specific override" to the VPN server. Here you can enter the clients LAN 192.168.1.0/24 in the "IPv4 Remote networks" field.
You can do this for each client you add later. -
Awesome, thanks that answers a lot of questions, I was farting around with settings for the firewall rules and borked something up, once I get it straightened out, I'll try that. Thank you for your reply. Yes, I am limiting the size of the subnet, but I will try increasing the number of IP's available, initially the scope has strictly been to get one tunnel working, but I fully expect there will be multiple clients in the near future. Part of it is that I have to consider if the single server will be sufficient for all our needs or if a 2nd vpn server instance will be needed.