OVPN - Connect Success but no connectivity to Private IPs



  • Hey guys,

    Looking for a little help here. It seems as though I'm missing a step or something…I want to be able to SMB and hit my web servers over OVPN and I used to be able to but something changed and I can't access them anymore. Used wizard to create the OVPN config and I can connect after exporting client config no problem.

    Thanks so much ahead of time.

    I used to see the VPN interface in the "Interface Statistics" on the dashboard but I don't see the VPN Interface anymore. When I try to configure the OVPN interface, I lose all connectivity to the VPN and in the Firewall Rules page I then wind up with the seemingly auto-generated OpenVPN rules and the new Interface rules even though I tied the new interface to the OVPN interface...Thoughts?

    Lastly, I set up a wireshark on a host on LAN and via the VPN I can see the ping come in but the reply never gets back out of the VPN.

    pfSense 2.4.1

    192.168.0.186 -> WAN Gateway (ATT Router in Bridge Mode)
    10.10.80.186 -> pfSense Box connected directly to WAN Gateway
    10.10.80.0/21 -> LAN Net
    10.10.103.0/24 -> OVPN Net
    Outbound NAT -> Automatic
    VPN -> Push route 10.10.80.0 255.255.248.0

    Firewall Rules
    WAN Interface -> IPV4 * * WAN Address 1194 *




  • A specific VPN interface should not be needed for accessing the LAN behind the VPN.

    Are the routes set correctly on the client?
    Post the routing table, please.



  • Good thinking viragomann but it seems to be right as far as I can tell.

    As you can see from the screenshots, the 10.10.80.0/21 network is going through the tunnel and I can ping the gateway. :/ hmmmm…

    The last screenshot is of me trying to ping a machine; it does work when I'm in the network, just not over VPN. (i.e. the host is pingable from within)




  • Is pfSense the default gateway in 10.10.80.0/21? I'm in doubt.
    If it isn't, you have to add routes to the clients for the tunnel subnet or do NAT on pfSense.

    You can try a ping to the pfSense LAN address to see if the routes work.

    Also it seems you have added 10.10.80.0/21 to the "Local Networks" in the server settings and then checked "redirect gateway". That shouldn't matter, though it sets additional routes.



  • Hey Viragomann,

    Thanks again for looking into this.

    pfSense box (10.10.80.186) is the router for the local LAN; the 192.168.0.186 box is the default gateway to the WAN. I attached a screenshot to help clarify.

    I can ping and even log into the pfSense box from the VPN but cannot access any assets on the 10.10.80.0/21 network other than the pfSense box.

    Yes, I have pushed the route and checked the redirect gateway box. Normally, I just click the box I believe but I was desperate so I tried other things.

    What route would I add to the clients for the tunnel subnet and/or how would I properly NAT pfSense for the gateway issue?




  • So your LAN devices use pfSense (10.10.80.186) as default gateway? If that's right, no special routes will be needed for the VPN.

    Can you also ping 10.10.80.186 over VPN?

    Also ensure that the LAN devices respond to requests from the VPN. Windows Firewall blocks access from other subnets by default.



  • Correct, LAN gateway is 10.10.80.186. Yes, I can ping that box and even log into it over VPN. I have changed the Windows box to allow pings from everywhere but I also don't have access to SMB shares, web servers, etc. The mystery is…what could be wrong such that I cannot access any LAN devices except the gateway over the VPN? You're saying that everything looks correct as far as you can tell?

    One more note. I have the DNS Resolver enabled and the DNS Forwarder disabled...I assume none of that should matter when I'm trying to hit the IP address directly though, right?

    Thanks again.



  • Yes, IP addresses should work anyway.

    If you can ping the LAN interface of pfSense and it is the default gateway in LAN, pings to other devices should also work. But I assume the devices don't respond.

    To troubleshoot, take a packet capture on pfSense (Diagnostics > Packet Capture). Set the interface to LAN, the protocol to ICMP when pinging, optionally a host address (the client's VPN IP or the destination's IP), start the capture and try a ping, stop it and look if you see ping requests and responses.
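    The capture check described above, as an added example that is not code from this thread: it reads a text export in tcpdump's default format (the constructed sample below mirrors the thread's addresses) and lists flows where a request crossed the LAN interface but no reply came back, which points at the destination host (host firewall, or a different default gateway) rather than at the tunnel.

```python
import re

# Constructed sample in tcpdump -n style; addresses follow the thread's layout.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 10.10.103.2 > 10.10.81.195: ICMP echo request, id 1, seq 1, length 64
10:01:02.000300 IP 10.10.81.195 > 10.10.103.2: ICMP echo reply, id 1, seq 1, length 64
10:01:03.000001 IP 10.10.103.2 > 10.10.80.175: ICMP echo request, id 1, seq 2, length 64
10:01:04.000001 IP 10.10.103.2 > 10.10.80.175: ICMP echo request, id 1, seq 3, length 64
10:01:05.000001 IP 10.10.103.2.51000 > 10.10.80.175.8080: Flags [S], seq 1, win 64240, length 0
10:01:06.000001 IP 10.10.103.2.51001 > 10.10.80.192.3389: Flags [S], seq 1, win 64240, length 0
10:01:06.000400 IP 10.10.80.192.3389 > 10.10.103.2.51001: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(S\.?)\]")


def find_one_way_flows(capture_text):
    """Return {"icmp": [(src, dst)], "tcp": [(src, dst, dport)]} for flows
    whose request was seen on the LAN side without a matching reply."""
    icmp_req, icmp_rep, tcp_syn, tcp_synack = [], set(), [], set()
    for line in capture_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind = m.groups()
            (icmp_req.append if kind == "request" else icmp_rep.add)((src, dst))
            continue
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            key = (src, int(sport), dst, int(dport))
            (tcp_syn.append if flags == "S" else tcp_synack.add)(key)  # "S." = SYN-ACK
    unanswered = {"icmp": [], "tcp": []}
    for src, dst in icmp_req:  # a reply travels the reverse direction
        if (dst, src) not in icmp_rep and (src, dst) not in unanswered["icmp"]:
            unanswered["icmp"].append((src, dst))
    for src, sport, dst, dport in tcp_syn:  # SYN-ACK swaps both address/port pairs
        if (dst, dport, src, sport) not in tcp_synack and (src, dst, dport) not in unanswered["tcp"]:
            unanswered["tcp"].append((src, dst, dport))
    return unanswered


def report(flows):
    """Render the findings in the PASS/FAIL style of the thread's summary table."""
    lines = [f"PING      {s} -> {d}  -- FAIL (request seen, no reply)" for s, d in flows["icmp"]]
    lines += [f"TCP:{p:<5} {s} -> {d}  -- FAIL (SYN seen, no SYN-ACK)" for s, d, p in flows["tcp"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_one_way_flows(SAMPLE_CAPTURE))))
```

    On a real export from Diagnostics > Packet Capture, a flow that appears here means the LAN host saw the request; a flow missing entirely means the packet never left the tunnel side, which is the routing case viragomann asked about first.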



  • So, this is somewhat enlightening but extremely curious. I've attached a packet capture from the LAN gateway.

    The curious part is that I can access a Linux machine on the LAN (10.10.81.195) both over ping and SSH with no issues; however, nothing will work from the VPN client to one of my main servers (10.10.80.175). As you can see, I tried to ping it and hit several web server ports, and the traffic never got back to the VPN client (10.10.103.2).

    In the windows_weirdness capture you can see that from the VPN client I cannot get a response from the Windows machine, but from an internal device logged into via the VPN I can (10.10.81.195 -> 10.10.80.192). So why can I RDP to the Windows machine from anywhere but only ping from internal…? Very strange.

    The question seems to be why can VPN clients hit some assets on the LAN on some ports but not others?

    Summary

    PREFIX = 10.10.

    PING            103.2 -> 81.195    (LINUX LAN MACHINE) --  SUCCESS
    SSH:22          103.2 -> 81.195    (LINUX LAN MACHINE) --  SUCCESS
    SSH:22          103.2 -> 80.186    (pfSense Gateway)   --  SUCCESS
    WEB:80          103.2 -> 80.186    (pfSense Gateway)   --  SUCCESS
    PING            103.2 -> 80.175    (LINUX Server)      --  FAIL
    WEB:8080        103.2 -> 80.175    (LINUX SERVER)      --  FAIL
    WEB:8989        103.2 -> 80.175    (LINUX SERVER)      --  FAIL
    WEB:80          103.2 -> 80.175    (LINUX SERVER)      --  FAIL
    PING            103.2 -> 80.192    (WINDOWS SERVER)    --  FAIL        WEIRD
    RDP:3389        103.2 -> 80.192    (WINDOWS SERVER)    --  SUCCESS    WEIRD

    packetcapture.pcap
    windows_weirdness.pcap



  • I haven't installed Wireshark, hence I can't open the captures.

    There are only two possible reasons for that behavior coming to my mind:

    • The software firewall on 80.175 blocks the access.

    • 80.175 uses another gateway than pfSense.

    Both already mentioned.

    If 80.175 is a web server and accessible from the internet, the firewall won't be the issue.



  • OK, so I finally figured it out. OMG. I had created a cert with a typo in it and the verify-x509-name was erroring when I tried to connect to machines that were on the domain. That's why some worked and some didn't, because some were on the domain and some weren't. Once I got that all fixed up, everything else was easy.

    Thanks so much for taking the time to look at this with me.

