Running OpenVPN on LAN interface.
-
Hello, I've recently moved my pfSense appliance from sitting between my LAN and ISP to just sitting on my LAN and being an OpenVPN server. OpenVPN was working while I had the WAN interface enabled.
WAN interface is disabled.
pfSense firewalling is disabled (I think).
Appliance LAN IP is 192.168.100.5, OpenVPN is listening on the LAN IP on 1194/udp.
ISP router (192.168.100.1) is forwarding 1194/udp to the LAN IP.
OpenVPN client subnet is 192.168.101.0/24.
When I connect from a client, the connection succeeds and I can ping 192.168.100.5, but any other device on the LAN segment is unreachable. Attached are the screenshots of my setup, route tables etc.
Could someone point me in the direction of what else I can look at?
Thanks in advance!
-
That won't be a pfSense issue.
When you access your LAN devices from a VPN client, the devices will send responses to their default gateway, but pfSense isn't the default GW any more.
Now you either have to add a static route for VPN tunnel subnet to all your devices you want to access over VPN pointing to pfSense or you do NAT at pfSense for this traffic.
-
viragomann thanks for your reply! I ran the following on the device I'm trying to remote into (192.168.100.121):
route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5
The routing table on that device now looks like:
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.121 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.100.0 255.255.255.0 On-link 192.168.100.121 281
192.168.100.121 255.255.255.255 On-link 192.168.100.121 281
192.168.100.255 255.255.255.255 On-link 192.168.100.121 281
192.168.101.0 255.255.255.0 192.168.100.5 192.168.100.121 26
192.168.157.0 255.255.255.0 On-link 192.168.157.1 291
192.168.157.1 255.255.255.255 On-link 192.168.157.1 291
192.168.157.255 255.255.255.255 On-link 192.168.157.1 291
192.168.237.0 255.255.255.0 On-link 192.168.237.1 291
192.168.237.1 255.255.255.255 On-link 192.168.237.1 291
192.168.237.255 255.255.255.255 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 192.168.157.1 291
224.0.0.0 240.0.0.0 On-link 192.168.100.121 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.237.1 291
255.255.255.255 255.255.255.255 On-link 192.168.157.1 291
255.255.255.255 255.255.255.255 On-link 192.168.100.121 281
However I still can't ping or RDP into that device from an OpenVPN client. Is there anything else I'm missing?
Thanks!
-
If it has worked before, when pfSense was the default gateway, it should also work now with this route set on the destination device.
However, remember that this route is not persistent.
Maybe there are other reasons for the issue now, like the Windows firewall?
-
OK, I think it's working now with that particular client. Disabled the Windows firewall - started working. Re-enabled the firewall - continues to work. Shrug.
viragomann - how would I go about solving this via NAT? The issue with adding a persistent route is that on some devices I don't have access to the OS to add a static route (for example, a NAS).
Thanks!
-
You have to add an outbound NAT rule. Firewall > NAT > Outbound.
If outbound NAT is set to automatic rule generation, select Hybrid first and hit the Save button below.
Then add a new rule:
Interface: LAN
Source: Network 192.168.101.0/24 (the VPN tunnel network)
Dest.: any
Translation: Interface address
You may enter a description, then save it and apply changes.
This rule translates the source addresses of VPN traffic to the LAN address, so responses are sent back to pfSense without the need for a special route.
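To make the two answers above concrete (the reply path without and with a static route on the LAN host, and why outbound NAT removes the need for that route), here is an added Python example that is not from the thread or from pfSense. It runs a longest-prefix-match lookup over the relevant rows of the "route print" output posted earlier; the VPN client address 192.168.101.6 is a constructed value.

```python
import ipaddress

# Rows copied from the LAN host's (192.168.100.121) route table in the thread,
# reduced to the ones that can match a reply to the VPN tunnel subnet.
# Each entry: (destination, netmask, gateway, metric); "On-link" = directly attached.
ROUTES_BEFORE = [
    ("0.0.0.0", "0.0.0.0", "192.168.100.1", 25),          # default -> ISP router
    ("192.168.100.0", "255.255.255.0", "On-link", 281),    # the LAN segment itself
]
# The route added with: route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5
STATIC_ROUTE = ("192.168.101.0", "255.255.255.0", "192.168.100.5", 26)

PFSENSE_LAN_IP = "192.168.100.5"
VPN_CLIENT_IP = "192.168.101.6"  # constructed example client in 192.168.101.0/24


def next_hop(routes, dst):
    """Longest-prefix match, lowest metric wins a tie. Returns the gateway the
    packet is handed to, or 'On-link' when the destination is on the segment."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if dst in network:
            key = (network.prefixlen, -metric)  # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, gw)
    return best[1] if best else None


def reply_next_hop(routes, client_ip, nat_to=None):
    """Where the LAN host sends its reply. With the outbound NAT rule on pfSense
    the host never sees the tunnel address: the source is pfSense's LAN IP."""
    seen_source = nat_to if nat_to else client_ip
    return next_hop(routes, seen_source)


if __name__ == "__main__":
    # No static route: reply goes to the ISP router, which knows nothing about
    # 192.168.101.0/24, so the VPN client never gets an answer.
    print("no route :", reply_next_hop(ROUTES_BEFORE, VPN_CLIENT_IP))
    # Static route: reply goes to pfSense, which owns the tunnel.
    print("route    :", reply_next_hop(ROUTES_BEFORE + [STATIC_ROUTE], VPN_CLIENT_IP))
    # Outbound NAT: reply is addressed to pfSense's LAN IP, directly on-link.
    print("NAT      :", reply_next_hop(ROUTES_BEFORE, VPN_CLIENT_IP, nat_to=PFSENSE_LAN_IP))
```

The NAT case is why devices such as a NAS need no route of their own, at the cost that they log every VPN client as 192.168.100.5.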
-
OK, I added the rules as you suggested (screenshots attached), but I still can't ping anything that I didn't add a static route on... Is there anything additional I need to do?
Thanks!
-
Above you've written that firewalling is disabled.
If you've set the option "Disable Firewall" in System > Advanced > Firewall & NAT, NAT is disabled as well, and no firewall or NAT rule will work.
-
You're right. I even got a warning when I was adding a NAT rule saying that filtering is disabled. Doh! I initially disabled the firewall because I couldn't get into 192.168.100.5:1194/udp from outside at all.
I've re-enabled it and added a LAN: any > LAN address:1194 tcp/udp rule. Seems like I can ping other clients now, thanks!
I also use pfSense for DHCP and DNS. DNS works for LAN clients, but for some reason OpenVPN clients can't query 192.168.100.5:53. I've tried adding a couple of rules I thought I was missing on the LAN and VPN interfaces, but they didn't work.
Is there a rule I need to add to fix this?
Thanks!
-
With the any-to-any rule on the OpenVPN interface shown above, access to the DNS should work.
DNS access needs at least access to port 53 with TCP/UDP.
Remember that you will have to request host names with their FQDN (host.domain) from remote.
-
Yup, I've been using FQDNs within nslookup tests (see attached screenshots). Could it be something within my DNS forwarder settings? Should I be listening on ALL interfaces within it, or just pick LAN?
Thanks!
-
You may also select multiple interfaces by holding the CTRL key, but the OpenVPN interface has to be selected, even though the client is accessing the LAN IP.
-
Yup - I think that fixed it. I switched from "All" to multi-selected. All seems to be working now!
Huge thanks for your help, truly appreciated!