OpenVPN Remote Access | pfSense Access | LAN not Connecting
-
Good afternoon,
Environment:
pfSense 2.3.4-RELEASE (amd64)
Installed on VMware ESXi 5.5
Number of WAN interfaces = 2
3 OpenVPN sites:
01 = Affiliate peer to peer, port 1190
02 = Affiliate peer to peer, port 1180
03 = Remote Access, port 1194
IP LAN = 192.168.0.0/24
IP pfSense = 192.168.0.254
IP Tunnel OpenVPN 03 = 192.168.100.0/29
IP got at the OpenVPN connection = 192.168.100.2
PS: I had followed many tutorials, including this one: https://forum.pfsense.org/index.php?topic=129834.0
I have a little issue: I had set up an OpenVPN client connection, I got connected to it, I got an IP from it (192.168.100.2), and I can access the web interface and get a ping response from pfSense (192.168.0.254), but I can't access the local network (192.168.0.0/24).
It has 2 WAN interfaces, and all settings are on the first WAN (Firewall Rules, OpenVPN, NAT). Must I set up a route to it?
PS: 2 site-to-site OpenVPN connections are already working correctly, and I didn't set any route.
PS²: looking at the firewall logs, it is being accepted, there is nothing being blocked.
In Firewall rules there is a rule allowing the VPN network to access the local network, no restriction: IPv4 * * to LAN net
Looking at the rules logs:
Interface  Protocol  Source                  Destination       State              Packets  Bytes
ovpns3     udp       192.168.100.2:10046 ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
ovpns3     udp       192.168.100.2:13670 ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
ovpns3     udp       192.168.100.2:29634 ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
ovpns3     udp       192.168.100.2:30177 ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B
ovpns3     udp       192.168.100.2:30640 ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
ovpns3     udp       192.168.100.2:6678 ->   192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B
OpenVPN Settings
General Information
Server mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: Active Directory
Protocol: UDP
Device mode: TUN
Interface: WAN1
Local Port: 1194
Cryptographic Settings
TLS authentication: checked
Peer Certificate Authority: CA_OpenVPN
Server certificate: Cert_OpenVPN_Server
DH Parameter length (bits): 2048
Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA256
Hardware Crypto: No
Certificate Depth: One (Client+Server)
Strict User-CN Matching: Unchecked
Tunnel Settings
IPv4 Tunnel Network: 192.168.100.0/29
IPv6 Tunnel Network: -
Redirect Gateway: Unchecked
IPv4 Local network(s): 192.168.0.0/24
IPv6 Local network(s): -
Concurrent connections:
Compression: Enabled, Adaptive
Type-of-Service: checked
Inter-client communication: Unchecked
Duplicate Connection: Unchecked
Disable IPv6: checked
Client Settings
Dynamic IP: checked
Address Pool: checked
Topology: Subnet -- One IP Address per client in a common Subnet
Advanced Client Settings
DNS Default Domain: checked
DNS Default Domain: mydomain
DNS Server enable: checked
DNS Server 1: 192.168.0.60
DNS Server 2: 192.168.0.50
Block Outside DNS: Unchecked
Force DNS cache update: Unchecked
NTP Server enable: Unchecked
NetBIOS enable: Unchecked
Enable custom port: Unchecked
Advanced Configuration: No change
I got a packet capture.
Packet Capture Options
Interface: OpenVPN_Client
Promiscuous: Unchecked
Address Family: any
Protocol: any
Host Address: -
Port: -
Packet Length: 0
Count: 100
Level of detail: Normal
Reverse DNS Lookup: Unchecked
I noticed the following in Diagnostics -> Routes:
Destination       Gateway        Flags  Use  Mtu   Netif   Expire
192.168.100.0/29  192.168.100.2  UGS    0    1500  ovpns3
Should I assign an interface to this OpenVPN connection, and create a route?
PS³: Sorry if the information is too poor, please feel free to ask anything.
All the IP addresses here are not real, but they represent real information.
-
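The state table and capture above share one pattern: packets leave the tunnel toward LAN hosts and nothing ever comes back, while the HTTPS session to pfSense itself is two-way. The script below is an added example, not code from the thread or from pfSense: it parses tcpdump-style capture lines and lists the flows with zero return packets, so the one-way symptom can be spotted from a saved capture instead of by eye. The sample lines are constructed to match the shape of the thread's output; the tunnel network is assumed to be 192.168.100.0/29 as in the post.

```python
import ipaddress
import re
from collections import defaultdict

# One tcpdump-style line as printed by pfSense Diagnostics > Packet Capture, e.g.
# "10:45:44.004702 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>udp|tcp)",
    re.IGNORECASE,
)

# Constructed sample in the same shape as the thread's capture: DNS and HTTP
# toward LAN hosts get no answer, while the HTTPS session to pfSense itself does.
SAMPLE_CAPTURE = """\
10:45:44.004702 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
10:45:49.009172 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
10:46:11.292618 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:12.292619 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:24.144075 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.144135 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
"""

def parse_capture(text):
    """Yield (src, sport, dst, dport, proto) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower()

def flow_counts(text, tunnel_net):
    """Map (client, server, server_port, proto) -> (packets sent, replies seen).
    A packet sourced from the tunnel network is 'sent'; one destined to it is a reply."""
    net = ipaddress.ip_network(tunnel_net)
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto in parse_capture(text):
        if ipaddress.ip_address(src) in net:
            counts[(src, dst, dport, proto)][0] += 1
        elif ipaddress.ip_address(dst) in net:
            counts[(dst, src, sport, proto)][1] += 1
    return {k: tuple(v) for k, v in counts.items()}

def one_way_flows(text, tunnel_net):
    """Flows the client sent into but never got a packet back from: the signature of a
    missing return route or a LAN host that drops off-subnet sources."""
    return {k: v for k, v in flow_counts(text, tunnel_net).items() if v[1] == 0}

if __name__ == "__main__":
    for (client, server, port, proto), (sent, back) in one_way_flows(SAMPLE_CAPTURE, "192.168.100.0/29").items():
        print(f"no reply: {client} -> {server}:{port}/{proto} ({sent} sent, {back} back)")
```

Feed it the text of a real capture (pfSense lets you download the .cap, or copy the on-screen lines) with your own tunnel network; a flow to pfSense's own LAN address showing two-way traffic next to one-way flows to everything else points at the LAN side, not the tunnel.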
@jeferson-junior I have the exact same issue and opened up a new ticket for the same thing.
ESXi, not VMware 5.5, but very similar.
Wonder if it is a VMware bug.
I tried both separate access interfaces as well as a trunk to the same vSwitch with a virtual NIC.
I can ping the LAN interface in tap or tun mode, but cannot actually get to anything on the LAN. From the inside I can browse and ping everything fine, so the switching and routing is working overall, just not through the VPN.
any ideas anyone? -
It's recommended to use the tun mode if there are no special reasons for tap.
Is pfSense the default gateway on your LAN devices?
Have you entered your LAN subnet in the "Local Networks" box in the OpenVPN server settings?
And do you get the route set at the client?
Do your firewall rules allow the access?
-
@viragomann hi
I figured it out, it wasn't related to tun or tap mode at all, nor the VMware. I found one other person had done it, buried in another forum from 5 years ago.
You have to set up a NAT outbound rule by changing to hybrid mode, and set up the LAN interface, the network being your VPN user subnet, and set the destination to either just the local LAN, or in my case I set it to any, and use the FW interface as the masquerade.
That way the traffic from the VPN users gets masq'd as the local LAN and not the 192.168.55.1 it auto-assigned for the tunnel subnet.
As soon as I did that, I can get to everything fine :) -
@darrenh
That's a workaround, but not a good solution for either
- a routing issue, if pfSense isn't the default gateway
or
- your destination devices do not accept access from outside their subnet.
However, if the VPN access is only for you, the workaround will be okay.
-
@viragomann
It's just for me and about 3 other people.
I think the long-term plan (this is replacing a Cisco VPN) will be to add an IP on the other firewall (or a secondary IP at least), since it is still bridged on that VLAN.
Then I can just add it to the firewall as a secondary IP, and add that subnet to the same policies and address book entries allowed to get to everything.
Depending on how many static routes there are elsewhere, however, the masq/NAT option works more easily, at least for now.