OpenVPN Remote Access configured, but clients can't access LAN resources??
So I have OpenVPN configured (and working for the most part). When I connect to the VPN, I am on the 10.10.0.0/24 network, I get assigned an IP, I can route through the internet, and all is as expected there. However, I am unable to access any resources that live on my LAN, represented by a 10.10.10.0/24 address.
My firewall rules (during all this testing) are pretty relaxed. On the WAN side I have two rules:
Allow WAN to udp/1194 (for vpn connections)
Block anything else
LAN side, just 1 rule:
Default allow (allow any to any)
VPN interface, also just 1 rule:
Default allow (allow any to any)
So I really don't think my firewall rules are the issue here. It's like the VPN connection doesn't know how to route between 10.10.0.0/24 and 10.10.10.0/24.
In my OpenVPN Server profile, I have IPv4 Tunnel Network set to 10.10.0.0/24, and IPv4 Local network(s) set to 10.10.10.0/24, which if I understand correctly, is all I really need to do. It's also my understanding that connected routes are auto-created, but it just feels like my VPN traffic is being forced through the WAN gateway, and never has a chance to route to 10.10.10.0/24.
Here is an Imgur album with screenshots of my config:
What am I missing here? I've spent too much time trying to figure this out and I'm not getting anywhere. Help would be greatly appreciated!
Can you post a network map and your server1.conf?
So let me preface with that I am running pfSense virtualized, under Proxmox. I also have 2 pfSense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary, so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose). The physical hardware running these pfSense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo).
So let me try to explain my network setup.
MY LAN, 172.16.1.0/24
COLO WAN (VLAN on my real LAN), 172.16.2.0/24
COLO internal LAN, 10.10.10.0/24
COLO internal VPN, 10.10.0.0/24
pfSense WAN IP - 172.16.2.26 (CARP VIP to 172.16.1.28)
pfSense LAN IP - 10.10.10.251 (CARP VIP to 10.10.10.254)
I have a CentOS instance at 10.10.10.250, on my colo internal LAN. From this box, 10.10.10.250, I can access the internet…so that means that pfSense is routing traffic out 172.16.2.26, through my real firewall, out to my real WAN. On my real firewall, I am NAT'ing UDP/1194 to my pfsense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense.
WAN <--> pfSense WAN/172.16.2.26 <--> pfSense LAN/10.10.10.251 <---> LAN/10.10.10.0/24
[2.3.2-RELEASE][email@example.com.<redacted>]/var/etc/openvpn: cat server1.conf
dev ovpns1
verb 8
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 4
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DOMAIN <redacted>"
push "dhcp-option DNS 10.10.10.254"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet
Does all that make sense?
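As an added example (written here, not pfSense's code and not part of the thread), the script below lints the routing-relevant directives of a server1.conf like the one posted above: it parses the file the way OpenVPN tokenises it (double-quoted push/verify arguments stay intact), extracts the tunnel network from `server`, the pushed `route` and `dhcp-option DNS` entries, `local` and `topology`, and reports anything that would stop a client from reaching a given LAN: a tunnel subnet overlapping the LAN, a LAN with no pushed route covering it, a pushed DNS server outside every routed network, a `local` address inside a routed network, or a missing `topology subnet`. The embedded `SERVER_CONF` is a constructed subset of the posted config, and the names `parse_conf`, `routing_summary` and `lint` are this example's own. On the posted directives it reports nothing, which matches the poster's reading that the server side looks right; note that it only checks what the server pushes, not whether the client actually installed the route or whether LAN hosts route replies back through pfSense.

```python
"""Added example (not pfSense's or the poster's code): lint an OpenVPN server
config for tunnel/LAN routing consistency using only the standard library."""
import ipaddress
import shlex

# Constructed subset of the posted server1.conf (routing-relevant lines only).
SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
lport 1194
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DOMAIN <redacted>"
push "dhcp-option DNS 10.10.10.254"
client-to-client
topology subnet
"""


def parse_conf(text):
    """Return (directive, args) pairs; blank lines and '#' comments are skipped.
    shlex keeps a double-quoted push/verify argument as one token, as OpenVPN does."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def _net(addr, mask):
    # OpenVPN writes dotted netmasks; ipaddress accepts "addr/mask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def routing_summary(entries):
    """Extract tunnel network, 'local' address, pushed routes, pushed DNS servers
    and a few option flags from parsed directives."""
    summary = {"tunnel": None, "local": None, "routes": [], "dns": [], "flags": set()}
    for directive, args in entries:
        if directive == "server" and len(args) >= 2:
            summary["tunnel"] = _net(args[0], args[1])
        elif directive == "local" and args:
            summary["local"] = ipaddress.ip_address(args[0])
        elif directive == "push" and args:
            inner = args[0].split()  # e.g. ['route', '10.10.10.0', '255.255.255.0']
            if inner[0] == "route" and len(inner) >= 3:
                summary["routes"].append(_net(inner[1], inner[2]))
            elif inner[0] == "dhcp-option" and len(inner) >= 3 and inner[1] == "DNS":
                summary["dns"].append(ipaddress.ip_address(inner[2]))
        elif directive == "topology" and args:
            summary["flags"].add("topology " + args[0])
        elif directive == "client-to-client":
            summary["flags"].add("client-to-client")
    return summary


def lint(entries, local_networks):
    """Return human-readable findings for the given LAN subnets (CIDR strings);
    an empty list means the server-side routing directives are consistent."""
    s = routing_summary(entries)
    if s["tunnel"] is None:
        return ["no 'server' directive: tunnel network unknown"]
    findings = []
    reachable = [s["tunnel"]] + s["routes"]  # networks a client can reach via the tunnel
    for lan in (ipaddress.ip_network(n) for n in local_networks):
        if lan.overlaps(s["tunnel"]):
            findings.append(f"tunnel {s['tunnel']} overlaps LAN {lan}")
        if not any(lan.subnet_of(r) for r in s["routes"]):
            findings.append(f"no pushed route covers LAN {lan}")
    for dns in s["dns"]:
        if not any(dns in net for net in reachable):
            findings.append(f"pushed DNS {dns} is not inside the tunnel or any pushed route")
    if s["local"] is not None and any(s["local"] in net for net in reachable):
        findings.append(f"'local' address {s['local']} lies inside a routed network")
    if "topology subnet" not in s["flags"]:
        findings.append("'topology subnet' not set; default net30 hands each client a /30")
    return findings


if __name__ == "__main__":
    entries = parse_conf(SERVER_CONF)
    print(routing_summary(entries))
    print(lint(entries, ["10.10.10.0/24"]) or "no findings")
```

Run it against your own server1.conf by reading the file into `parse_conf` and passing the LAN subnets listed under "IPv4 Local network(s)" to `lint`; a clean result narrows the search to the client's installed routes and the LAN hosts' default gateway rather than the server config.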