Running OpenVPN on LAN interface.

JamesVA

@viragomann:

That won't be a pfSense issue.

When you access your LAN devices from a VPN client, the devices will send responses to their default gateway, but pfSense isn't the default GW any more.

Now you either have to add a static route for VPN tunnel subnet to all your devices you want to access over VPN pointing to pfSense or you do NAT at pfSense for this traffic.

viragomann thanks for your reply!  I ran the following on the device i'm trying to remote into (192.168.100.121):

route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5

The routing table on that devices now looks like:

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.121    25
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
    192.168.100.0    255.255.255.0        On-link  192.168.100.121    281
  192.168.100.121  255.255.255.255        On-link  192.168.100.121    281
  192.168.100.255  255.255.255.255        On-link  192.168.100.121    281
    192.168.101.0    255.255.255.0    192.168.100.5  192.168.100.121    26
    192.168.157.0    255.255.255.0        On-link    192.168.157.1    291
    192.168.157.1  255.255.255.255        On-link    192.168.157.1    291
  192.168.157.255  255.255.255.255        On-link    192.168.157.1    291
    192.168.237.0    255.255.255.0        On-link    192.168.237.1    291
    192.168.237.1  255.255.255.255        On-link    192.168.237.1    291
  192.168.237.255  255.255.255.255        On-link    192.168.237.1    291
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
        224.0.0.0        240.0.0.0        On-link    192.168.237.1    291
        224.0.0.0        240.0.0.0        On-link    192.168.157.1    291
        224.0.0.0        240.0.0.0        On-link  192.168.100.121    281
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
  255.255.255.255  255.255.255.255        On-link    192.168.237.1    291
  255.255.255.255  255.255.255.255        On-link    192.168.157.1    291
  255.255.255.255  255.255.255.255        On-link  192.168.100.121    281

However I still can't ping or RDP into that devices from an openVPN client.  Is there anything else I'm missing?

Thanks!

viragomann

If it has worked before as pfSense was the default gateway it should also work now with this route set on the destination device.

However, remember that his route is not persistent.

Maybe there are other reasons for that issue now like Windows firewall?

JamesVA

OK, i think it's working now with that particular client.  Disabled windows firewall - started working.  Re-enabled wf - continues to work.  shrug.

viragomann - how would I go about solving this via  NAT?  The issue with adding a persistent route is that on some devices i don't have access to the OS to add a static route. (for example NAS).

Thanks!

viragomann

You have to add an outbound NAT rule. Firewall > NAT > Outbound.

If the outbound NAT is set to do automatic rule generation, select hyprid at first and hit the save button below.

Then add a new rule:
inteface: LAN
Source: Network 192.168.101.0/24 (the VPN tunnel network)
Dest.: any
Translation: Interface address
You may enter a description, then save it and apply changes.

This rule translates source addresses from VPN traffic to the LAN address, so responses are sent back to pfSense without the need of a special route.

JamesVA

OK, I added the rules as you suggested (screenshots attached), but still can't ping anything that I didn't add a static route on…. Is there anything additional i need to do?

Thanks!

viragomann

Above you've written, firewalling is disabled.
If you've set the option "Disable Firewall" in System > Advanced > Firewall & NAT, there is also NAT disabled and not any firewall or NAT rule would work.

JamesVA

You're right.  I even got a warning when i was adding a NAT rule saying that filtering is disabled. doh!  I initially disabled fw because i couldn't get into 192.168.100.5:1194/udp from outside at all.

I've re-enabled it and added a LAN:any > LAN address:1194tcp/udp.  Seems like I can ping other clients now, thanks!

I also use pfsense for DHCP and DNS.  DNS works for LAN clients, but for some reason openVPN clients can't query 192.168.100.5:53.  I've tried adding a couple of rules I thought that I was missing on LAN and VPN interfaces, but they didn't work.

Is there a rule I need to add to fix this?

Thanks!

viragomann

With the any to any rule on OpenVPN interface shown above the access to the DNS should work.
The DNS access need at least access to port 53 with TCP/UDP.

Remember that you will have to request host names with their FQDN (host.domain) from remote.

JamesVA

Yup, i've been using FQDNs within nslookup tests (see attached screenshots).  Could it be something within my DNS forwarder settings?  Should i be listening on ALL interfaces within it, or just pick LAN?

Thanks!

viragomann

You may also select multiple interfaces by holding the CTRL key, but the OpenVPN interface has to be selected, though the client is accessing the LAN IP.

JamesVA

Yup - i think that fixed it.  I switched from "All" to multi selected.  All seems to be working now!

Huge thanks for your help, truly appreciated!