OpenVPN tap can connect to all LAN except the firewall itself
-
I’ve mostly followed this guide to setup a tap-based OpenVPN server on pfSense 2.3.2, and my client can connect okay, gets an IP address on the LAN, and can connect to all devices on the LAN, as well as ping pfSense, but it cannot connect to other services on the pfSense box (e.g. SSH, HTTPS, DNS). There are no entries in the firewall log indicating that anything was blocked, and adding any/any rules to the LAN, TAP, BRIDGE interfaces has no effect. Nothing particularly interesting looking in any other logs, either.
What could I be missing that would cause this scenario?
-
I have both tap and tun servers. I used tap until I found out tun could do most of the same things if configured properly. My tap guide was similar to the one you linked to. If you can get to the LAN (for example in File Explorer \\my_file_server) then you should be able to get to the router. Try 192.168.1.1 from a browser window.
I have two tun servers. One is for private browsing only over public wifi. It uses an auto-logon file for convenience. The 2nd uses 2 passwords and a different user id. In both cases, the certs must match the user id. The user id is not obvious because I renamed files in the config directory. The idea for the 2nd one is that the LAN should be harder to get to just in case.
Tap is more full-service, but tun does the job and is easier to set up.
The LAN-oriented tun server config is the same except for a couple of settings on the main server page. I used the wizard because it provides all the detail work automatically.
Edit: the tap guide I used. It worked.
https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/
For tun:
Uncheck redirect gateway
Enter the local network into the box
Recheck redirect gateway (this allows you to access the LAN and route through the home network)
Check enable NetBIOS over TCP/IP
For node type I have p - I'm not quite sure what it does, but things worked better with this setting.
I also added DNS servers and checked force DNS cache update
Accessing LAN resources differs a little too. With tap it's \\my_file_server in File Explorer. With tun it's \\192.168.1.156 for example. At least for me.
One big difference is that tap will not work with Android without the Google Play app which allows it. The cost is about $10. It works great.
Remote Desktop over the local LAN works perfectly with both tap and tun.