Netgate Discussion Forum
    OpenVPN Remote Access configured, but clients can't access LAN resources??

    tycoonbob wrote:

      So I have OpenVPN configured (and working for the most part). When I connect to the VPN, I am on the 10.10.0.0/24 network, I get assigned an IP, I can route through the internet, and all is as expected there. However, I am unable to access any resources that live on my LAN, represented by a 10.10.10.0/24 address.

      My firewall rules (during all this testing) are pretty relaxed. On the WAN side I have 2 rules:
      Allow WAN to udp/1194 (for vpn connections)
      Block anything else

      LAN side, just 1 rule:
      Default allow (allow any to any)

      VPN interface, also just 1 rule:
      Default allow (allow any to any)

      So I really don't think my firewall rules are the issue here. It's like the VPN connection doesn't know how to route between 10.10.0.0/24 and 10.10.10.0/24.
      In my OpenVPN Server profile, I have IPv4 Tunnel Network set to 10.10.0.0/24, and IPv4 Local network(s) set to 10.10.10.0/24, which if I understand correctly, is all I really need to do. It's also my understanding that connected routes are auto-created, but it just feels like my VPN traffic is being forced through the WAN gateway, and never has a chance to route to 10.10.10.0/24.

      Here is an Imgur album with screenshots of my config:
      http://imgur.com/a/Tvhpy

      What am I missing here? I've spent too much time trying to figure this out and I'm not getting anywhere. Help would be greatly appreciated!

      marvosa wrote:

        Can you post a network map and your server1.conf?

        tycoonbob wrote:

          Hi marvosa.

          So let me preface with that I am running pfSense virtualized, under Proxmox. I also have 2 pfSense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary, so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose). The physical hardware running these pfSense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo).

          So let me try to explain my network setup.

          MY LAN, 172.16.1.0/24
          COLO WAN (VLAN on my real LAN), 172.16.2.0/24
          COLO internal LAN, 10.10.10.0/24
          COLO internal VPN, 10.10.0.0/24

          pfSense WAN IP - 172.16.2.26 (CARP VIP to 172.16.1.28)
          pfSense LAN IP - 10.10.10.251 (CARP VIP to 10.10.10.254)

          I have a CentOS instance at 10.10.10.250, on my colo internal LAN.  From this box, 10.10.10.250, I can access the internet…so that means that pfSense is routing traffic out 172.16.2.26, through my real firewall, out to my real WAN.  On my real firewall, I am NAT'ing UDP/1194 to my pfsense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense.

          So...

          WAN <--> pfSense WAN/172.16.2.26 <--> pfSense LAN/10.10.10.251 <---> LAN/10.10.10.0/24
                                                          |
                                                          --> VPN/10.10.0.0/24

          [2.3.2-RELEASE][admin@fw01.colo01.<redacted>]/var/etc/openvpn: cat server1.conf
          dev ovpns1
          verb 8
          dev-type tun
          tun-ipv6
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          auth SHA512
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          client-connect /usr/local/sbin/openvpn.attributes.sh
          client-disconnect /usr/local/sbin/openvpn.attributes.sh
          local 172.16.2.26
          tls-server
          server 10.10.0.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc/server1
          username-as-common-name
          auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          max-clients 4
          push "route 10.10.10.0 255.255.255.0"
          push "dhcp-option DOMAIN <redacted>"
          push "dhcp-option DNS 10.10.10.254"
          client-to-client
          ca /var/etc/openvpn/server1.ca 
          cert /var/etc/openvpn/server1.cert 
          key /var/etc/openvpn/server1.key 
          dh /etc/dh-parameters.4096
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          persist-remote-ip
          float
          topology subnet


          Does all that make sense?

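As an added example (not part of the original thread and not pfSense's own code), here is a small Python checker for the directives that decide whether remote-access clients can reach a LAN behind the tunnel: the `server` tunnel network, any `push "route ..."` lines and the `topology` setting. The embedded config is a constructed sample modelled on the server1.conf posted above, and `check_config`, `parse_directives` and the `lan_networks` argument are this example's own names, not OpenVPN or pfSense APIs.

```python
"""Sanity-check the routing-relevant directives of an OpenVPN server config.

Added example, not from the forum post or from pfSense. It parses the
directives a remote-access server needs for clients to reach a LAN behind
the tunnel and reports anything missing or inconsistent.
"""
import ipaddress
import shlex

# Constructed sample modelled on the config posted in the thread (not the
# poster's file verbatim); comment lines and unrelated directives are kept
# so the parser has to skip them.
SAMPLE_CONF = """\
dev ovpns1
dev-type tun
#user nobody
proto udp
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.254"
client-to-client
topology subnet
"""


def parse_directives(text):
    """Return a list of (name, [args]) tuples, skipping comments and blank lines."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps 'route 10.10.10.0 255.255.255.0' as one arg
        directives.append((parts[0], parts[1:]))
    return directives


def tunnel_network(directives):
    """The network handed out to clients by the 'server <net> <mask>' directive."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def pushed_routes(directives):
    """Networks the server tells clients to route into the tunnel."""
    routes = []
    for name, args in directives:
        if name == "push" and args:
            inner = shlex.split(args[0])
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return routes


def check_config(text, lan_networks):
    """Return a list of findings; an empty list means the routing directives look right.

    lan_networks: the LAN subnets (as strings) that clients are expected to reach.
    """
    directives = parse_directives(text)
    tun = tunnel_network(directives)
    routes = pushed_routes(directives)
    names = {name for name, _ in directives}
    findings = []
    if tun is None:
        findings.append("no 'server' directive: tunnel network undefined")
    for lan in (ipaddress.ip_network(n) for n in lan_networks):
        # A tunnel network that overlaps the LAN makes the pushed route ambiguous.
        if tun is not None and tun.overlaps(lan):
            findings.append(f"tunnel network {tun} overlaps LAN {lan}")
        # Without a pushed route the client keeps sending LAN traffic to its own gateway.
        if not any(lan == r or lan.subnet_of(r) for r in routes):
            findings.append(f"no pushed route covers LAN {lan}")
    if "topology" not in names:
        # OpenVPN 2.3 defaults to net30 when 'topology' is absent; pfSense sets 'subnet'.
        findings.append("no 'topology' directive (server defaults to net30)")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF, ["10.10.10.0/24"]) or ["no routing findings"]:
        print(finding)
```

Run against the sample above with the LAN given as 10.10.10.0/24 the checker returns no findings, which matches the posted server1.conf: it already carries `server 10.10.0.0 255.255.255.0`, `push "route 10.10.10.0 255.255.255.0"` and `topology subnet`. When a config passes this check, the directives are not the problem, and the remaining places to look are the rules on the OpenVPN interface and whether hosts on the LAN send replies for the tunnel network back through the pfSense LAN address rather than some other gateway.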