OpenVPN Remote Access configured, but clients can't access LAN resources??

  • So I have OpenVPN configured (and working for the most part). When I connect to the VPN, I am on the network, I get assigned an IP, I can route through the internet, and all is as expected there. However, I am unable to access any resources that live on my LAN, represented by a address.

    My firewall rules (during all this testing) are pretty relaxed. On the WAN side I have 2 rules:
    Allow WAN to udp/1194 (for vpn connections)
    Block anything else

    LAN side, just 1 rule:
    Default allow (allow any to any)

    VPN interface, also just 1 rule:
    Default allow (allow any to any)

    So I really don't think my firewall rules are the issue here. It's like the VPN connection doesn't know how to route between and
    In my OpenVPN Server profile, I have IPv4 Tunnel Network set to, and IPv4 Local network(s) set to, which if I understand correctly, is all I really need to do. It's also my understanding that connected routes are auto-created, but it just feels like my VPN traffic is being forced through the WAN gateway, and never has a chance to route to

    Here is an Imgur album with screenshots of my config:

    What am I missing here? I've spent too much time trying to figure this out and I'm not getting anywhere. Help would be greatly appreciated!

  • Can you post a network map and your server1.conf?

  • Hi marvosa.

    So let me preface with that I am running pfSense virtualized, under Proxmox.  I also have 2 pfSense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose).  The physical hardware running these pfSense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo).

    So let me try to explain my network setup.

    MY LAN,
    COLO WAN (VLAN on my real LAN),
    COLO internal LAN,
    COLO internal VPN,

    pfSense WAN IP - (CARP VIP to
    pfSense LAN IP - (CARP VIP to

    I have a CentOS instance at, on my colo internal LAN.  From this box, I can access the internet…so that means that pfSense is routing traffic out, through my real firewall, out to my real WAN.  On my real firewall, I am NAT'ing UDP/1194 to my pfSense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense.


    WAN <--> pfSense WAN/ <--> pfSense LAN/ <---> LAN/
                                 |
                                 --> VPN/

    [2.3.2-RELEASE][admin@fw01.colo01.<redacted>]/var/etc/openvpn: cat server1.conf
    dev ovpns1
    verb 8
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/
    client-disconnect /usr/local/sbin/
    client-config-dir /var/etc/openvpn-csc/server1
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 4
    push "route"
    push "dhcp-option DOMAIN <redacted>"
    push "dhcp-option DNS"
    ca /var/etc/openvpn/ 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    topology subnet

    Does all that make sense?
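As an added illustration (not part of the thread, and not pfSense's own tooling), here is a small Python checker for the two routing conditions a remote-access tunnel like the one above depends on: the server must push a route that covers the LAN so clients send LAN traffic into the tunnel, and the LAN hosts must have a path back to the tunnel network through the box that terminates the VPN, otherwise replies go to a different default gateway and never return. The sample server config, subnets and addresses are constructed for the example because the posted server1.conf has its addresses stripped; `audit`, `parse_conf`, `tunnel_network` and `pushed_routes` are names chosen here, not OpenVPN or pfSense APIs.

```python
import ipaddress
import shlex

# Constructed sample config in the same directive style as the posted
# server1.conf. These networks are placeholders, not the poster's.
SAMPLE_CONF = """\
dev ovpns1
dev-type tun
proto udp
#user nobody
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
push "dhcp-option DNS 192.168.50.1"
"""


def parse_conf(text):
    """Return the config as a list of (directive, args) pairs, comments dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted push "..." arguments
        directives.append((parts[0], parts[1:]))
    return directives


def tunnel_network(directives):
    """The client pool from the 'server <net> <mask>' directive, or None."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def pushed_routes(directives):
    """Networks the server hands to clients via push "route <net> <mask>"."""
    routes = []
    for name, args in directives:
        if name != "push" or not args:
            continue
        fields = args[0].split()
        if len(fields) >= 3 and fields[0] == "route":
            routes.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False))
    return routes


def audit(text, lan_cidr, lan_hosts_gateway, vpn_box_lan_ip):
    """Check both directions of the path between VPN clients and one LAN.

    lan_hosts_gateway is the default gateway the LAN hosts actually use;
    vpn_box_lan_ip is the LAN address of the box terminating the tunnel.
    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    directives = parse_conf(text)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    tun = tunnel_network(directives)
    gw = ipaddress.ip_address(lan_hosts_gateway)
    vpn_box = ipaddress.ip_address(vpn_box_lan_ip)

    # Client side: without a covering route, clients send LAN traffic to
    # their own default gateway instead of into the tunnel.
    if not any(lan.subnet_of(r) for r in pushed_routes(directives)):
        findings.append(f"no pushed route covers {lan}")

    # An overlapping pool makes clients treat LAN addresses as on-link.
    if tun is not None and tun.overlaps(lan):
        findings.append(f"tunnel network {tun} overlaps LAN {lan}")

    # Return path: if LAN hosts default to some other router, that router
    # needs a static route for the tunnel pool pointing at the VPN box.
    if gw != vpn_box:
        findings.append(
            f"LAN hosts default via {gw}, not {vpn_box}; "
            f"add a route for {tun or 'the tunnel network'} via {vpn_box} on {gw}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "192.168.50.0/24", "192.168.50.254", "192.168.50.1"):
        print("finding:", finding)
```

Run it against a real server config by passing the file contents instead of `SAMPLE_CONF`; the return-path check is the one that matters most in a setup like the one described, where the VPN box is not the only router on the LAN.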