OpenVPN Remote Access configured, but clients can't access LAN resources??



  • So I have OpenVPN configured (and working for the most part). When I connect to the VPN, I am on the 10.10.0.0/24 network, I get assigned an IP, I can route through the internet, and all is as expected there. However, I am unable to access any resources that live on my LAN, represented by a 10.10.10.0/24 address.

    My firewall rules (during all this testing) are pretty relaxed. On the WAN side I have 2 rules:
    Allow WAN to udp/1194 (for vpn connections)
    Block anything else

    LAN side, just 1 rule:
    Default allow (allow any to any)

    VPN interface, also just 1 rule:
    Default allow (allow any to any)

    So I really don't think my firewall rules are the issue here. It's like the VPN connection doesn't know how to route between 10.10.0.0/24 and 10.10.10.0/24.
    In my OpenVPN Server profile, I have IPv4 Tunnel Network set to 10.10.0.0/24 and IPv4 Local network(s) set to 10.10.10.0/24, which, if I understand correctly, is all I really need to do. It's also my understanding that connected routes are auto-created, but it just feels like my VPN traffic is being forced through the WAN gateway and never has a chance to route to 10.10.10.0/24.

    Here is an Imgur album with screenshots of my config:
    http://imgur.com/a/Tvhpy

    What am I missing here? I've spent too much time trying to figure this out and I'm not getting anywhere. Help would be greatly appreciated!



  • Can you post a network map and your server1.conf?



  • Hi marvosa.

    So let me preface with that I am running pfSense virtualized, under Proxmox. I also have 2 pfSense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary, so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose). The physical hardware running these pfSense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo).

    So let me try to explain my network setup.

    MY LAN, 172.16.1.0/24
    COLO WAN (VLAN on my real LAN), 172.16.2.0/24
    COLO internal LAN, 10.10.10.0/24
    COLO internal VPN, 10.10.0.0/24

    pfSense WAN IP - 172.16.2.26 (CARP VIP to 172.16.1.28)
    pfSense LAN IP - 10.10.10.251 (CARP VIP to 10.10.10.254)

    I have a CentOS instance at 10.10.10.250, on my colo internal LAN. From this box, 10.10.10.250, I can access the internet, so that means that pfSense is routing traffic out 172.16.2.26, through my real firewall, out to my real WAN. On my real firewall, I am NAT'ing UDP/1194 to my pfSense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense.

    So..

    WAN <--> pfSense WAN/172.16.2.26 <--> pfSense LAN/10.10.10.251 <---> LAN/10.10.10.0/24
                                                |
                                                --> VPN/10.10.0.0/24

    
    [2.3.2-RELEASE][admin@fw01.colo01.<redacted>]/var/etc/openvpn: cat server1.conf
    dev ovpns1
    verb 8
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 172.16.2.26
    tls-server
    server 10.10.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 4
    push "route 10.10.10.0 255.255.255.0"
    push "dhcp-option DOMAIN <redacted>"
    push "dhcp-option DNS 10.10.10.254"
    client-to-client
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    topology subnet
    

    Does all that make sense?
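    The two things this thread keeps coming back to are the tunnel network (the `server` line) and what the server tells clients about the LAN (the `push "route ..."` line). The following checker is an added example, not code from the original posts or from pfSense: it parses a server config in the format quoted above, pulls out the tunnel network, pushed routes and topology, and reports whether each LAN network is covered by a pushed route and does not overlap the tunnel. The embedded `SAMPLE_CONF` is a constructed excerpt of the routing-relevant lines from the server1.conf posted in the thread; `check_lan_reachability` and the other function names are this example's own.

```python
import ipaddress
import shlex

# Constructed sample: the routing-relevant lines of the server1.conf quoted in the thread.
SAMPLE_CONF = """\
dev ovpns1
dev-type tun
proto udp
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
lport 1194
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.254"
client-to-client
topology subnet
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]) tuples, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps the quoted 'route ...' argument as one token
        entries.append((parts[0], parts[1:]))
    return entries


def routing_summary(entries):
    """Extract the tunnel network, the routes pushed to clients, and the topology."""
    tunnel = None
    pushed_routes = []
    topology = "net30"  # OpenVPN's default when no 'topology' directive is present
    for directive, args in entries:
        if directive == "server" and len(args) >= 2:
            # ipaddress accepts a dotted netmask after the slash for IPv4
            tunnel = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif directive == "push" and args and args[0].split()[0] == "route":
            _, net, mask = args[0].split()[:3]
            pushed_routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        elif directive == "topology" and args:
            topology = args[0]
    return {"tunnel": tunnel, "pushed_routes": pushed_routes, "topology": topology}


def check_lan_reachability(summary, lan_networks):
    """Return a list of findings for each LAN network clients are expected to reach.

    An empty list means the server side looks consistent: the LAN does not
    collide with the tunnel network and a pushed route covers it.  It says
    nothing about the return path (whether LAN hosts route the tunnel network
    back to the OpenVPN server), which has to be checked on the LAN side.
    """
    findings = []
    tunnel = summary["tunnel"]
    if tunnel is None:
        return ["no 'server' directive: tunnel network unknown"]
    for lan in lan_networks:
        lan = ipaddress.ip_network(lan, strict=False)
        if lan.overlaps(tunnel):
            findings.append(f"LAN {lan} overlaps tunnel network {tunnel}")
        if not any(lan.subnet_of(route) for route in summary["pushed_routes"]):
            findings.append(f"no pushed route covers LAN {lan}")
    return findings


def run_sample():
    """Run the checks against the constructed sample for the LAN named in the thread."""
    summary = routing_summary(parse_openvpn_conf(SAMPLE_CONF))
    return summary, check_lan_reachability(summary, ["10.10.10.0/24"])


if __name__ == "__main__":
    summary, findings = run_sample()
    print("tunnel:", summary["tunnel"], "topology:", summary["topology"])
    print("pushed routes:", [str(r) for r in summary["pushed_routes"]])
    print("findings:", findings or "none")
```

For the posted config and LAN 10.10.10.0/24 the checker returns no findings: the tunnel network and the pushed route agree with what the first post describes. That narrows the problem to things the config cannot show, such as the firewall and NAT state on the box and the route that LAN hosts use to send replies to 10.10.0.0/24.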

