    OpenVPN Remote Access | pfSense Access | LAN not Connecting

    jeferson.junior last edited by

      Good afternoon,

      Environment:
      pfSense 2.3.4-RELEASE (amd64)
      Installed on VMware ESXi 5.5

      Number of Wan Interfaces = 2

      3 OpenVPN sites

      01 = Affiliate peer to peer port 1190
      02 = Affiliate peer to peer port 1180
      03 = Remote Access  port 1194

      IP LAN = 192.168.0.0/24
      IP pfsense = 192.168.0.254
      IP Tunnel OpenVPN 03 = 192.168.100.0/29
      IP got at the OpenVPN connection  = 192.168.100.2

      ps: I had followed many tutorials, including this: https://forum.pfsense.org/index.php?topic=129834.0

      I have a little issue: I had set up an OpenVPN client connection, I got connected to it, I got an IP from it (192.168.100.2), and I can access the web interface and get a ping response from pfSense (192.168.0.254), but I can't access the local network (192.168.0.0/24).
      It has 2 WAN interfaces, and all the settings are on the first WAN (Firewall Rules, OpenVPN, NAT).

      Must I set a route to it?

      ps: 2 site-to-site OpenVPN tunnels are already working correctly, and I didn't set any route.

      ps²: looking at the firewall logs, it is being accepted; there is nothing being blocked.
      In Firewall rules there is a rule allowing the VPN network to access the local network, with no restriction: IPv4 * * to LAN net.
      Looking at the rules logs:

      Interface  Protocol  Source                   Destination       State              Packets  Bytes
      ovpns3     udp       192.168.100.2:10046  ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
      ovpns3     udp       192.168.100.2:13670  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
      ovpns3     udp       192.168.100.2:29634  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
      ovpns3     udp       192.168.100.2:30177  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B
      ovpns3     udp       192.168.100.2:30640  ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
      ovpns3     udp       192.168.100.2:6678   ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B


      OpenVPN Setting

      
      General Information
      Server mode:    Remote Access (SSL/TLS + User Auth)
      Backend for authentication: Active Directory
      Protocol:   UDP
      Device mode:    TUN
      Interface:  WAN1
      Local Port: 1194
      
      Cryptographic Settings
      TLS authentication: checked
      Peer Certificate Authority: CA_OpenVPN
      Server certificate: Cert_OpenVPN_Server
      DH Parameter length (bits): 2048
      Encryption Algorithm: AES-256-CBC
      Auth digest algorithm: SHA256
      Hardware Crypto:    No
      Certificate Depth: One (Client+Server)
      Strict User-CN Matching: Unchecked
      
      Tunnel Settings
      IPv4 Tunnel Network: 192.168.100.0/29
      IPv6 Tunnel Network: -
      Redirect Gateway: Unchecked
      IPv4 Local network(s): 192.168.0.0/24
      IPv6 Local network(s): -
      Concurrent connections:
      Compression: Enabled, Adaptive
      Type-of-Service: checked
      Inter-client communication: Unchecked
      Duplicate Connection: Unchecked
      Disable IPv6: checked
      
      Client Settings
      Dynamic IP: checked
      Address Pool: checked
      Topology: Subnet -- One IP Address per client in a common Subnet
      
      Advanced Client Settings
      DNS Default Domain: checked
      DNS Default Domain: mydomain
      DNS Server enable: checked
      DNS Server 1: 192.168.0.60
      DNS Server 2: 192.168.0.50
      Block Outside DNS: Unchecked
      Force DNS cache update: Unchecked
      NTP Server enable: Unchecked
      NetBIOS enable: Unchecked
      Enable custom port: Unchecked
      
      Advanced Configuration
      No change
      
      

      I got a Packet Capture

      
      Packet Capture Options
      Interface: OpenVPN_Client
      Promiscuous: Unchecked
      Address Family: any
      Protocol: any
      Host Address: -
      Port: -
      Packet Length: 0
      Count: 100
      Level of detail: Normal
      Reverse DNS Lookup: Unchecked
      
      

      Packets Captured

      I noticed the following in Diagnostics -> Routes:

      Destination       Gateway        Flags  Use  Mtu   Netif   Expire
      192.168.100.0/29  192.168.100.2  UGS    0    1500  ovpns3


      Should I assign an interface to this OpenVPN connection, and create a route?

      ps³: Sorry if the information is too poor; please feel free to ask anything.
      All the IP addresses here are not real, but they represent the real setup.

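The state table above already tells the story: pf created a state and counted one outbound packet for every DNS query, but zero packets ever came back (NO_TRAFFIC:SINGLE, 1 / 0), while the HTTPS session to pfSense itself does get replies. The script below is an added example, not something from the thread; it parses rows in that Diagnostics > States layout and separates "pf passed it but the LAN host never answered" (a missing return route for the tunnel subnet on the LAN side, or hosts filtering foreign subnets) from a problem inside pfSense. The third sample row is constructed to stand in for the working GUI session.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: rows 1-2 copy the poster's format; row 3 is invented to
# represent the working HTTPS session to the pfSense GUI that the poster reports.
STATE_TABLE = """\
ovpns3  udp  192.168.100.2:10046 -> 192.168.0.50:53   NO_TRAFFIC:SINGLE        1 / 0   65 B / 0 B
ovpns3  udp  192.168.100.2:13670 -> 192.168.0.60:53   NO_TRAFFIC:SINGLE        1 / 0   65 B / 0 B
ovpns3  tcp  192.168.100.2:35980 -> 192.168.0.254:443 ESTABLISHED:ESTABLISHED  9 / 8   1843 B / 3155 B
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):\d+\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s+(?P<out>\d+)\s*/\s*(?P<in>\d+)"
)

def parse_states(text):
    """Turn Diagnostics > States rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["out"], row["in"] = int(row["out"]), int(row["in"])
            rows.append(row)
    return rows

def silent_lan_hosts(rows, tunnel_net, local_net):
    """Per LAN destination, count tunnel-sourced flows pf forwarded but never saw answered."""
    tunnel, lan = ipaddress.ip_network(tunnel_net), ipaddress.ip_network(local_net)
    silent = Counter()
    for r in rows:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in tunnel and dst in lan and r["out"] > 0 and r["in"] == 0:
            silent[r["dst"]] += 1
    return dict(silent)

def verdict(rows, tunnel_net, local_net, pfsense_ip):
    """pfSense answering while LAN hosts stay silent means the LAN side cannot route back
    to the tunnel subnet; pf already passed the packets, so a firewall rule is not missing."""
    silent = silent_lan_hosts(rows, tunnel_net, local_net)
    pf_replies = any(r["dst"] == pfsense_ip and r["in"] > 0 for r in rows)
    if silent and pf_replies:
        return "no-return-route"
    if silent:
        return "tunnel-or-firewall"
    return "ok"
```

Feed it the rows of your own state table (the header line is simply skipped) and check which LAN hosts appear in the result; those are the hosts whose default gateway or static routes need to know that 192.168.100.0/29 lives behind 192.168.0.254.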
      darrenh @jeferson.junior last edited by

        @jeferson-junior I have the exact same issue and opened up a new ticket for the same thing.
        ESXi, not VMware 5.5, but very similar.
        Wonder if it is a VMware bug.
        I tried both separate access interfaces as well as a trunk to the same vSwitch with a virtual NIC.
        I can ping the LAN interface in tap or tun mode, but cannot actually get to anything on the LAN.

        From the inside I can browse and ping everything fine, so the switching and routing is working overall, just not through the VPN.
        Any ideas, anyone?

        viragomann @darrenh last edited by

          It's recommended to use the tun mode if there are no special reasons for tap.

          Is pfSense the default gateway on your LAN devices?

          Have you entered your LAN subnet in the "Local Networks" box in the OpenVPN server settings?
          And do you get the route set at the client?

          Do your firewall rules allow the access?

          darrenh @viragomann last edited by

            @viragomann hi,
            I figured it out. It wasn't related to tun or tap mode at all, nor to VMware.

            I found one other person had done it, buried in another forum from 5 years ago.
            You have to set up an outbound NAT rule by changing to hybrid mode, and set up the LAN interface, with the network being your VPN user subnet, and set the destination to either just the local LAN, or in my case I set it to any, and use the firewall interface address as the masquerade.
            That way the traffic from the VPN users gets masq'd as the local LAN and not the 192.168.55.1 it auto-assigned for the tunnel subnet.
            As soon as I did that, I can get to everything fine :)

            viragomann @darrenh last edited by

              @darrenh
              That's a workaround, but not a good solution for either

              • a routing issue, if pfSense isn't the default gateway
                or
              • your destination devices not accepting access from outside their subnet.

              However, if the VPN access is only for you, the workaround will be okay.

              darrenh @viragomann last edited by

                @viragomann
                It's just for me and about 3 other people.
                I think the long-term plan (this is replacing a Cisco VPN) will be to add an IP on the other firewall (or a secondary IP at least), since it is still bridged on that VLAN.
                Then I can just add it to the firewall as a secondary IP, and add that subnet to the same policies and address book entries allowed to get to everything.
                Depending on how many static routes there are elsewhere, however, the masq/NAT option works more easily, at least for now.
