[SOLVED] OpenVPN roadwarrior - cannot access home LAN computers



  • I've searched the forum and could not find anything similar/or could not understand how other users have solved this problem.

    Internet < - > pfsense (gateway, 192.168.1.1) < - > internal LAN (subnet 192.168.1.2 to 254)

    (yes, i know i shouldn't be using these defaults….... lets keep this simple for now)

    • I used the OpenVPN wizard to create the server
    • gateway redirect works, google "what is my ip" reflects that my IP has changed while i'm outside of the network
    • I can only access 192.168.1.1, but not 192.168.1.2, or 192.168.1.3 and so-on.

    The goal is to access the internal home network outside as if i was sitting at home. Thats the purpose of VPN, isn't it?  ;D ;D ;D ;D ;D







    ![openvpn settings.jpg](/public/imported_attachments/1/openvpn settings.jpg)
    ![openvpn settings.jpg_thumb](/public/imported_attachments/1/openvpn settings.jpg_thumb)



  • So pfSense is the default gateway in your LAN?
    Maybe your computers firewalls block the access. Windows firewalls for instance block access from other networks like the VPN tunnel is. Try turn off the firewall for testing.



  • @viragomann:

    So pfSense is the default gateway in your LAN?
    Maybe your computers firewalls block the access. Windows firewalls for instance block access from other networks like the VPN tunnel is. Try turn off the firewall for testing.

    pfsense is the default gateway.

    I have a NAS right at 192.168.1.2 that has a "free-for-all" access on the network, no firewall, no password, no nothing. cannot be ping'd

    Quick test:
    Note the phone is on LTE and the OpenVPN Connect icon on the top left.

    ![2017-05-13 21.57.38.png](/public/imported_attachments/1/2017-05-13 21.57.38.png)
    ![2017-05-13 21.57.38.png_thumb](/public/imported_attachments/1/2017-05-13 21.57.38.png_thumb)
    ![2017-05-13 21.58.12.png](/public/imported_attachments/1/2017-05-13 21.58.12.png)
    ![2017-05-13 21.58.12.png_thumb](/public/imported_attachments/1/2017-05-13 21.58.12.png_thumb)



  • To troubleshoot, go to Diagnostic > Packet Capture and take a capture of the ping onthe LAN interface and post the result, please.



  • @viragomann:

    To troubleshoot, go to Diagnostic > Packet Capture and take a capture of the ping onthe LAN interface and post the result, please.

    as requested.

    192.168.1.130 - win7 PC
    192.168.1.131 - win7 PC

    192.168.1.2 is the "free-for-all" NAS…..... its TP-Link Archer C8 in gigaswitch mode with a USB drive attached to it....... no routing, no wifi, no nothing.

    All devices on the home network can access the NAS by \192.168.1.2 on their respective programs, no login, no password

    i'll add on a topology here as well for the heck of it....







    ![2017-05-14 22.20.11_resize.jpg_thumb](/public/imported_attachments/1/2017-05-14 22.20.11_resize.jpg_thumb)
    ![2017-05-14 22.20.11_resize.jpg](/public/imported_attachments/1/2017-05-14 22.20.11_resize.jpg)



  • I requested for the packet capture result on LAN interface for a ping from your smart phone to the NAS like above.



  • sorry, I misread.




  • Okay, here you see only request to 192.168.1.2, but no responses from there.

    That basically may have one of the two already mentioned reasons. Either pfSense isn't the default gateway on the destination device the device blocks the access.

    Are you running the TP-Link in bridge mode?



  • @viragomann:

    Okay, here you see only request to 192.168.1.2, but no responses from there.

    That basically may have one of the two already mentioned reasons. Either pfSense isn't the default gateway on the destination device the device blocks the access.

    Are you running the TP-Link in bridge mode?

    Refer to my ugly hand written topology…. pfsense is the default gateway.

    TP Link is purely a switch now. everything is disabled. no DHCP, no NAT, no firewall, no wifi.



  • ekoo,

    Have a look at this thread.

    It could be that the TP-link is rejecting management from the OpenVPN subnet.



  • @biggsy:

    ekoo,

    Have a look at this thread.

    It could be that the TP-link is rejecting management from the OpenVPN subnet.

    Hi biggsy,

    its not just the TP-link. everything is not accessible.

    Did i setup the openVPN remote access wrong? (thru the wizard)

    if the intercommunication between 2 subnet is my problem, why is it that the phone (on 10.0.8.3) can access 192.168.1.1? and not 1.2 when its on the same subnet?

    Correct me if i'm wrong: the point of a road warrior is that:

    1. I can be sitting at a hotel room 500miles away from home with my laptop,
    2. click on OpenVPN, and connect to pfsense at home,
    3. click on "Network" icon in Windows and see all my shared drives as if i'm sitting on my desktop at home.

    yes? no?



  • Sorry, I misunderstood - reading that you couldn't access 192.168.1.2.

    However, you can access 192.168.1.1 because it is on the firewall (the LAN interface IP) but you have to get past there to access 192.168.1.2

    It could be that the TP-link is not replying because you are accessing from 10.0.8.x (see your PING).

    Are you using the WAN port of the TP-link to connect to the LAN port of your pfSense?



  • You can try SNAT to resolve this.

    Go to Firewall > NAT > Outbound. If the rule generation mode is set to Automatic, set it to Hybrid and save it.
    Add a new rule:
    interface: LAN
    source: <the vpn="" tunnel="" subnet="">Let the other options add their defaults, enter a description and save the rule.</the>



  • @biggsy:

    Sorry, I misunderstood - reading that you couldn't access 192.168.1.2.

    However, you can access 192.168.1.1 because it is on the firewall (the LAN interface IP) but you have to get past there to access 192.168.1.2

    It could be that the TP-link is not replying because you are accessing from 10.0.8.x (see your PING).

    Are you using the WAN port of the TP-link to connect to the LAN port of your pfSense?

    No, its not on the WAN port. its all connected on the LAN ports.

    @viragomann:

    You can try SNAT to resolve this.

    Go to Firewall > NAT > Outbound. If the rule generation mode is set to Automatic, set it to Hybrid and save it.
    Add a new rule:
    interface: LAN
    source: <the vpn="" tunnel="" subnet="">Let the other options add their defaults, enter a description and save the rule.</the>

    This worked. Now I don't have to pay for Plex. =)
    Thank you everyone for your help.



  • Good to hear that.

    Thanks for letting us know.



  • Thanks - sorted my problem 2



  • Thanks - solved my problem as well. I would have thought this was a pretty common configuration.  An easier to find guide for newbies would be helpful.


Log in to reply