[SOLVED] Route LAN through OpenVPN client



  • I guess I'm missing something obvious, so here goes:

    I got a CA certificate and a .ovpn from a partner company to connect to their site. When I connect with a OpenVPN windows client, it works, so there's no problem with their side. There's a 172.20.0.0/24 tunnel network and the 192.168.50.0/24 remote network.

    I created an OpenVPN client on PfSense, and it connects fine. When I go to Diagnostics>Ping, I can ping the remote server from the OpenVPN address, but can't ping with localhost or LAN. Traceroot shows it doesn't go to the OpenVPN tunnel network.

    I have put a firewall rule "Everything can go anywhere" in the Firewall>Rules>OpenVPN tab. Then I tried to make an interface and gateway out of the OpenVPN connection and make a rule to route the traffic through there, but no luck. I don't know what's the proper way to route LAN to OpenVPN client. Do I use the gateway?

    Thanks.



  • Yes, you have to assign an interface to the OpenVPN client. So you also get your gateway.

    Then you have to modify the firewall any-to-any rule on LAN interface and select the OpenVPN gateway in the advanced options to direct all traffic over the VPN.



  • Ok, I've done that, but no luck. I made a rule in LAN as follows:

    Pass, IPv4, Protocol:any, Source:any, Destination:192.168.50.0/24(i tried adding the tunnel network, and I've tried "any"), Gateway:COMPANY_VPNV4 - 172.20.0.1

    Also I added a rule "any to any" in Firewall>Rules>COMPANY (the new interface).

    No luck. Ping and traceroute work if sent from OpenVPN interface, but don't work from anywhere else.

    At the same time, I have another OpenVPN server connection with my own office, and routing to that OpenVPN works, without new interfaces or gateways. Is the first OpenVPN server connection disrupting the OpenVPN client connection?



  • I read again your first post, it's not absolutely clear, what you have set up. Better to post the VPN client settings.

    If you enter the remote network 192.168.50.0/24 in the client settings the modification of the any to any rule on LAN shouldn't be necessary. It also okay if the gateway is set to any, cause the remote networks entry sets the route to the vpn gateway when the connection is up.

    Maybe there is missing a route back to your local network on the other side.
    If they don't want set the route, you can solve that by an outbound NAT rule in pfSense. Check if pfSense has set it automatically.
    Otherwise switch the outbound NAT to hybrid mode and add a new route, set the interface to the VPN clients interface you've added before and the source to your LAN subnet, other values should be at their defaults.

    Bear in mind that firewall rules on the interface tabs only affect incoming traffic. So rules on the VPN interface tab are only needed if you want to allow access from the other side of the connection.



  • My OpenVPN client. I tried with net30 and without. But by default, i don't use it.

     <openvpn-client><auth_user>Username</auth_user>
    			<auth_pass>Password</auth_pass>
    			<vpnid>3</vpnid>
    			<protocol>TCP</protocol>
    			<dev_mode>tun</dev_mode>
    			<ipaddr></ipaddr>
    			<interface>wan</interface>
    			 <local_port><server_addr>PUBLIC.IP.ADDRESS</server_addr>
    			<server_port>1194</server_port>
    			<resolve_retry>yes</resolve_retry>
    			 <proxy_addr><proxy_port><proxy_authtype>none</proxy_authtype>
    			 <proxy_user><proxy_passwd><mode>p2p_tls</mode>
    			<topology>net30</topology>
    			 <custom_options><caref>584e8899db3be</caref>
    			 <certref><crypto>AES-256-CBC</crypto>
    			<digest>SHA1</digest>
    			<engine>none</engine>
    			<tunnel_network>172.20.0.0/24</tunnel_network>
    			 <tunnel_networkv6><remote_network>192.168.50.0/24</remote_network>
    			 <remote_networkv6><use_shaper><compression><passtos></passtos>
    
    			<verbosity_level>3</verbosity_level></compression></use_shaper></remote_networkv6></tunnel_networkv6></certref></custom_options></proxy_passwd></proxy_user></proxy_port></proxy_addr></local_port></openvpn-client> 
    
    

    My routes. 192.168.73.0/24 is my LAN, and 192.168.50.15 is what I'm trying to get.

    Maybe there is missing a route back to your local network on the other side.

    If my Windows OpenVPN client works fine, does that mean there is a route back? I'll try and set up a NAT, although I already tried it before..

    Current Outbound NAT:


  • Netgate

    What do they have for remote networks on their end for you?

    If none then you have to assign an interface and outbound NAT on it.

    The firewall rules on the OpenVPN tab (or the assigned interface) govern what connections can be made inbound to you from the other side. If you don't want that you should probably delete/disable those.



  • It works! Thanks guys :D

    I needed to NAT the VPN which seems obvious now. I did NAT before, but I probably had some other setting set wrong at that time.