OpenVPN Remote Access | pfSense Access | LAN not Connecting



  • Good afternoon,

    Environment:
    pfSense 2.3.4-RELEASE (amd64)
    Installed on VMware ESXi 5.5

    Number of WAN interfaces = 2

    3 OpenVPN sites

    01 = Affiliate peer to peer port 1190
    02 = Affiliate peer to peer port 1180
    03 = Remote Access  port 1194

    IP LAN = 192.168.0.0/24
    IP pfsense = 192.168.0.254
    IP Tunnel OpenVPN 03 = 192.168.100.0/29
    IP obtained from the OpenVPN connection = 192.168.100.2

    ps: I had followed many tutorials, including this one: https://forum.pfsense.org/index.php?topic=129834.0

    I have a little issue: I had set up an OpenVPN client connection, I got connected to it, I got an IP from it (192.168.100.2), and I can access the web interface and get a ping response from pfSense (192.168.0.254), but I can't access the local network (192.168.0.0/24).
    It has 2 WAN interfaces, and all settings are on the first WAN (Firewall Rules, OpenVPN, NAT).

    Must I set up a route for it?

    ps: 2 site-to-site OpenVPN connections are already working correctly, and I didn't set any route.

    ps²: Looking at the firewall logs, it is being accepted; there is nothing being blocked.
    In Firewall rules there is a rule allowing the VPN network to access the local network, with no restriction: IPv4 * * to LAN net.
    Looking at the rules logs:

    Interface   Protocol   Source                  Destination        State               Packets   Bytes
    ovpns3      udp        192.168.100.2:10046 ->  192.168.0.50:53    NO_TRAFFIC:SINGLE   1 / 0     65 B / 0 B
    ovpns3      udp        192.168.100.2:13670 ->  192.168.0.60:53    NO_TRAFFIC:SINGLE   1 / 0     65 B / 0 B
    ovpns3      udp        192.168.100.2:29634 ->  192.168.0.60:53    NO_TRAFFIC:SINGLE   1 / 0     64 B / 0 B
    ovpns3      udp        192.168.100.2:30177 ->  192.168.0.60:53    NO_TRAFFIC:SINGLE   1 / 0     59 B / 0 B
    ovpns3      udp        192.168.100.2:30640 ->  192.168.0.50:53    NO_TRAFFIC:SINGLE   1 / 0     64 B / 0 B
    ovpns3      udp        192.168.100.2:6678  ->  192.168.0.50:53    NO_TRAFFIC:SINGLE   1 / 0     59 B / 0 B


    OpenVPN Settings

    
    General Information
    Server mode:    Remote Access (SSL/TLS + User Auth)
    Backend for authentication: Active Directory
    Protocol:   UDP
    Device mode:    TUN
    Interface:  WAN1
    Local Port: 1194
    
    Cryptographic Settings
    TLS authentication: checked
    Peer Certificate Authority: CA_OpenVPN
    Server certificate: Cert_OpenVPN_Server
    DH Parameter length (bits): 2048
    Encryption Algorithm: AES-256-CBC
    Auth digest algorithm: SHA256
    Hardware Crypto:    No
    Certificate Depth: One (Client+Server)
    Strict User-CN Matching: Unchecked
    
    Tunnel Settings
    IPv4 Tunnel Network: 192.168.100.0/29
    IPv6 Tunnel Network: -
    Redirect Gateway: Unchecked
    IPv4 Local network(s): 192.168.0.0/24
    IPv6 Local network(s): -
    Concurrent connections:
    Compression: Enabled, Adaptive
    Type-of-Service: checked
    Inter-client communication: Unchecked
    Duplicate Connection: Unchecked
    Disable IPv6: checked
    
    Client Settings
    Dynamic IP: checked
    Address Pool: checked
    Topology: Subnet -- One IP Address per client in a common Subnet
    
    Advanced Client Settings
    DNS Default Domain: checked
    DNS Default Domain: mydomain
    DNS Server enable: checked
    DNS Server 1: 192.168.0.60
    DNS Server 2: 192.168.0.50
    Block Outside DNS: Unchecked
    Force DNS cache update: Unchecked
    NTP Server enable: Unchecked
    NetBIOS enable: Unchecked
    Enable custom port: Unchecked
    
    Advanced Configuration
    No change
    
    

    I took a packet capture:

    
    Packet Capture Options
    Interface: OpenVPN_Client
    Promiscuous: Unchecked
    Address Family: any
    Protocol: any
    Host Address: -
    Port: -
    Packet Length: 0
    Count: 100
    Level of detail: Normal
    Reverse DNS Lookup: Unchecked
    
    

    Packets Captured

    
    10:45:44.004702 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
    10:45:48.654349 IP 192.168.100.2.40236 > 192.168.0.60.53: UDP, length 36
    10:45:48.671845 IP 192.168.100.2.38575 > 192.168.0.60.53: UDP, length 39
    10:45:48.835013 IP 192.168.100.2.1318 > 192.168.0.60.53: UDP, length 33
    10:45:49.009172 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
    10:45:51.245159 IP 192.168.100.2.57456 > 192.168.0.60.53: UDP, length 37
    10:45:53.661205 IP 192.168.100.2.61035 > 192.168.0.50.53: UDP, length 36
    10:45:53.674875 IP 192.168.100.2.37177 > 192.168.0.50.53: UDP, length 39
    10:45:53.841873 IP 192.168.100.2.38436 > 192.168.0.50.53: UDP, length 33
    10:45:54.026358 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
    10:45:56.253528 IP 192.168.100.2.63759 > 192.168.0.50.53: UDP, length 37
    10:45:58.638449 IP 192.168.100.2.48402 > 192.168.0.60.53: UDP, length 38
    10:45:58.682023 IP 192.168.100.2.40236 > 192.168.0.60.53: UDP, length 36
    10:45:58.682116 IP 192.168.100.2.38575 > 192.168.0.60.53: UDP, length 39
    10:45:58.863800 IP 192.168.100.2.1318 > 192.168.0.60.53: UDP, length 33
    10:45:59.015410 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
    10:46:01.249763 IP 192.168.100.2.57456 > 192.168.0.60.53: UDP, length 37
    10:46:03.630210 IP 192.168.100.2.2047 > 192.168.0.50.53: UDP, length 38
    10:46:03.669477 IP 192.168.100.2.61035 > 192.168.0.50.53: UDP, length 36
    10:46:03.681827 IP 192.168.100.2.37177 > 192.168.0.50.53: UDP, length 39
    10:46:03.857357 IP 192.168.100.2.38436 > 192.168.0.50.53: UDP, length 33
    10:46:04.028139 IP 192.168.100.2.57515 > 192.168.0.60.53: UDP, length 37
    10:46:06.256763 IP 192.168.100.2.63759 > 192.168.0.50.53: UDP, length 37
    10:46:08.030200 IP 192.168.100.2.40177 > 192.168.0.60.53: UDP, length 39
    10:46:08.675615 IP 192.168.100.2.48402 > 192.168.0.60.53: UDP, length 38
    10:46:08.684214 IP 192.168.100.2.34894 > 192.168.0.60.53: UDP, length 36
    10:46:08.687934 IP 192.168.100.2.55661 > 192.168.0.60.53: UDP, length 39
    10:46:08.858353 IP 192.168.100.2.34322 > 192.168.0.60.53: UDP, length 33
    10:46:09.025574 IP 192.168.100.2.50621 > 192.168.0.50.53: UDP, length 37
    10:46:11.033067 IP 192.168.100.2.46173 > 192.168.0.60.53: UDP, length 37
    10:46:11.252529 IP 192.168.100.2.53998 > 192.168.0.60.53: UDP, length 37
    10:46:11.252562 IP 192.168.100.2.51758 > 192.168.0.60.53: UDP, length 37
    10:46:11.252596 IP 192.168.100.2.59832 > 192.168.0.60.53: UDP, length 37
    10:46:11.257781 IP 192.168.100.2.44323 > 192.168.0.60.53: UDP, length 37
    10:46:11.292618 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
    10:46:11.549996 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
    10:46:12.292619 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
    10:46:12.546085 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
    10:46:13.037521 IP 192.168.100.2.44615 > 192.168.0.50.53: UDP, length 39
    10:46:13.656319 IP 192.168.100.2.2047 > 192.168.0.50.53: UDP, length 38
    10:46:13.682013 IP 192.168.100.2.49618 > 192.168.0.50.53: UDP, length 36
    10:46:13.692612 IP 192.168.100.2.52150 > 192.168.0.50.53: UDP, length 39
    10:46:13.878476 IP 192.168.100.2.54666 > 192.168.0.50.53: UDP, length 33
    10:46:14.037156 IP 192.168.100.2.57515 > 192.168.0.60.53: UDP, length 37
    10:46:14.314500 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
    10:46:14.543956 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
    10:46:16.048173 IP 192.168.100.2.34398 > 192.168.0.50.53: UDP, length 37
    10:46:16.256673 IP 192.168.100.2.60227 > 192.168.0.50.53: UDP, length 37
    10:46:16.256705 IP 192.168.100.2.42632 > 192.168.0.50.53: UDP, length 37
    10:46:16.256816 IP 192.168.100.2.46519 > 192.168.0.50.53: UDP, length 37
    10:46:16.258064 IP 192.168.100.2.45443 > 192.168.0.50.53: UDP, length 37
    10:46:18.109490 IP 192.168.100.2.40177 > 192.168.0.60.53: UDP, length 39
    10:46:18.304995 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
    10:46:18.324530 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
    10:46:18.553209 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
    10:46:18.644932 IP 192.168.100.2.43017 > 192.168.0.60.53: UDP, length 38
    10:46:18.686796 IP 192.168.100.2.34894 > 192.168.0.60.53: UDP, length 36
    10:46:18.697621 IP 192.168.100.2.55661 > 192.168.0.60.53: UDP, length 39
    10:46:18.863908 IP 192.168.100.2.34322 > 192.168.0.60.53: UDP, length 33
    10:46:19.027853 IP 192.168.100.2.50621 > 192.168.0.50.53: UDP, length 37
    10:46:19.335404 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
    10:46:21.082807 IP 192.168.100.2.46173 > 192.168.0.60.53: UDP, length 37
    10:46:21.267447 IP 192.168.100.2.53998 > 192.168.0.60.53: UDP, length 37
    10:46:21.267480 IP 192.168.100.2.51758 > 192.168.0.60.53: UDP, length 37
    10:46:21.267617 IP 192.168.100.2.59832 > 192.168.0.60.53: UDP, length 37
    10:46:21.267691 IP 192.168.100.2.44323 > 192.168.0.60.53: UDP, length 37
    10:46:21.323851 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
    10:46:23.051414 IP 192.168.100.2.44615 > 192.168.0.50.53: UDP, length 39
    10:46:23.653867 IP 192.168.100.2.55766 > 192.168.0.50.53: UDP, length 38
    10:46:23.701073 IP 192.168.100.2.49618 > 192.168.0.50.53: UDP, length 36
    10:46:23.701729 IP 192.168.100.2.52150 > 192.168.0.50.53: UDP, length 39
    10:46:23.869555 IP 192.168.100.2.54666 > 192.168.0.50.53: UDP, length 33
    10:46:24.043412 IP 192.168.100.2.35269 > 192.168.0.60.53: UDP, length 45
    10:46:24.144075 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.144135 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
    10:46:24.154976 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.155125 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 179
    10:46:24.155159 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
    10:46:24.158416 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 1329
    10:46:24.158438 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 1329
    10:46:24.158445 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 445
    10:46:24.165002 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.165504 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.170297 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.176650 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 126
    10:46:24.176687 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
    10:46:24.177501 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 51
    10:46:24.187966 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:24.188002 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
    10:46:24.188072 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
    10:46:24.190173 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
    10:46:25.345036 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
    10:46:26.044520 IP 192.168.100.2.34398 > 192.168.0.50.53: UDP, length 37
    10:46:26.158599 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 0
    10:46:26.158675 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 0
    10:46:26.167414 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 0
    10:46:26.167541 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 179
    10:46:26.167571 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 0
    10:46:26.170166 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 1329
    10:46:26.170186 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 1329
    
    

    I noticed the following in Diagnostics -> Routes:

    Destination        Gateway        Flags   Use   Mtu    Netif    Expire
    192.168.100.0/29   192.168.100.2  UGS     0     1500   ovpns3


    Should I assign an interface to this OpenVPN connection, and create a route?

    ps³: Sorry if the information is too sparse; please feel free to ask anything.
    The IP addresses here are not real, but they represent the real information.
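The state table and the packet capture above both show the same symptom: every flow from 192.168.100.2 to a LAN host carries packets in one direction only (1 / 0, NO_TRAFFIC:SINGLE), while the flows to pfSense's own 192.168.0.254:443 get answered. The following script, an added example that is not part of the original post or of pfSense, parses those two text formats and separates destinations that replied from those that stayed silent; the sample rows and capture lines are a constructed subset modelled on the post.

```python
"""Find one-way flows in a pfSense state table and packet capture.

Added example for this thread, not code from the original post or from pfSense.
It parses the two text formats shown above (Diagnostics > States rows and the
tcpdump lines from Diagnostics > Packet Capture) and reports which LAN
destinations never answered the VPN client. The sample lines are a constructed
subset modelled on the post.
"""
import re
from collections import defaultdict

VPN_CLIENT = "192.168.100.2"

# Constructed sample in the format of the Diagnostics > States page.
STATES = """\
ovpns3  udp  192.168.100.2:10046 -> 192.168.0.50:53    NO_TRAFFIC:SINGLE        1 / 0    65 B / 0 B
ovpns3  udp  192.168.100.2:13670 -> 192.168.0.60:53    NO_TRAFFIC:SINGLE        1 / 0    65 B / 0 B
ovpns3  tcp  192.168.100.2:35980 -> 192.168.0.254:443  ESTABLISHED:ESTABLISHED  9 / 8    1 KiB / 3 KiB
"""

# Constructed sample in the format of the Diagnostics > Packet Capture output.
CAPTURE = """\
10:46:11.292618 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:12.292619 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:13.037521 IP 192.168.100.2.44615 > 192.168.0.50.53: UDP, length 39
10:46:24.144075 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.144135 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.155125 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 179
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pkts_out>\d+)\s*/\s*(?P<pkts_in>\d+)"
)
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+:"
)


def states_without_replies(text):
    """Return (dst_ip, state) for every state whose inbound packet counter is 0."""
    silent = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m and int(m["pkts_in"]) == 0:
            silent.append((m["dst"].rsplit(":", 1)[0], m["state"]))
    return silent


def packets_per_destination(text, client=VPN_CLIENT):
    """Count packets from the VPN client to each host, and packets sent back."""
    counts = defaultdict(lambda: [0, 0])  # host -> [to_host, from_host]
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        if m["src"] == client:
            counts[m["dst"]][0] += 1
        elif m["dst"] == client:
            counts[m["src"]][1] += 1
    return {host: tuple(v) for host, v in counts.items()}


def one_way_destinations(text, client=VPN_CLIENT):
    """Hosts that received packets from the client but never sent any back."""
    counts = packets_per_destination(text, client)
    return sorted(h for h, (sent, received) in counts.items() if sent and not received)


def verdict(capture_text, firewall_ip="192.168.0.254"):
    """Traffic that pfSense itself answers proves the tunnel and the firewall
    rules pass the packets, so silence from other LAN hosts points at the
    return path (the hosts' route back to the tunnel subnet), not at pfSense."""
    counts = packets_per_destination(capture_text)
    silent = one_way_destinations(capture_text)
    fw_replied = counts.get(firewall_ip, (0, 0))[1] > 0
    if fw_replied and silent:
        return "return-path problem on LAN hosts: " + ", ".join(silent)
    if silent:
        return "no replies at all: check tunnel and firewall rules first"
    return "all destinations replied"


if __name__ == "__main__":
    print(states_without_replies(STATES))
    print(packets_per_destination(CAPTURE))
    print(verdict(CAPTURE))
```

Run it against a full paste of the two pages (or pipe tcpdump output from the pfSense shell into `packets_per_destination`); a list of silent hosts combined with answered flows to the firewall's own address is the signature of a missing return route on the LAN side rather than of a blocked rule.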



  • @jeferson-junior I have the exact same issue and opened up a new ticket for the same thing.
    ESXi, not VMware 5.5, but very similar.
    I wonder if it is a VMware bug.
    I tried both separate access interfaces as well as a trunk to the same vSwitch with a virtual NIC.
    I can ping the LAN interface in TAP or TUN mode, but cannot actually get to anything on the LAN.

    From the inside I can browse and ping everything fine, so the switching and routing is working overall, just not through the VPN.
    Any ideas, anyone?



  • It's recommended to use TUN mode if there are no special reasons for TAP.

    Is pfSense the default gateway on your LAN devices?

    Have you entered your LAN subnet in the "Local Networks" box in the OpenVPN server settings?
    And do you get the route set at the client?

    Do your firewall rules allow the access?



  • @viragomann hi
    I figured it out; it wasn't related to TUN or TAP mode at all, nor to VMware.

    I found one other person who had done it, buried in another forum post from 5 years ago.
    You have to set up an outbound NAT rule by changing to hybrid mode, and set up the LAN interface, with the network being your VPN user subnet, and set the destination to either just the local LAN, or in my case I set it to any, and use the firewall interface as the masquerade address.
    That way the traffic from the VPN users gets masqueraded as the local LAN and not the 192.168.55.1 it auto-assigned for the tunnel subnet.
    As soon as I did that, I can get to everything fine :)



  • @darrenh
    That's a workaround, but not a good solution for either

    • a routing issue, if pfSense isn't the default gateway,
      or
    • your destination devices do not accept access from outside their subnet.

    However, if the VPN access is only for you, the workaround will be okay.
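The two causes named in the reply above, and the reason the outbound NAT workaround papers over both, can be played out with a longest-prefix-match lookup on a LAN host's routing table. The script below is an added example, not code from the thread or from pfSense; the tunnel, LAN and pfSense addresses come from the thread, while the 192.168.0.1 "other gateway" and the three host routing tables are assumptions constructed for the illustration.

```python
"""Model why a LAN host's reply to a VPN client may never come back.

Added example for this thread, not code from the posts or from pfSense. It
plays out the two causes named above (pfSense not being the LAN hosts'
default gateway; a host firewall that only accepts its own subnet) and the
outbound-NAT workaround, using a longest-prefix-match lookup over constructed
host routing tables. The 192.168.0.1 "other gateway" address is assumed; the
other addresses come from the thread.
"""
import ipaddress

PFSENSE_LAN = ipaddress.ip_address("192.168.0.254")
OTHER_GW = ipaddress.ip_address("192.168.0.1")      # assumed: some other router on the LAN
VPN_CLIENT = ipaddress.ip_address("192.168.100.2")
TUNNEL_NET = ipaddress.ip_network("192.168.100.0/29")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed host routing tables: list of (network, gateway or None for on-link).
HOST_DEFAULT_OTHER_GW = [(LAN_NET, None), (DEFAULT, OTHER_GW)]
HOST_DEFAULT_PFSENSE = [(LAN_NET, None), (DEFAULT, PFSENSE_LAN)]
HOST_STATIC_ROUTE = [(LAN_NET, None), (TUNNEL_NET, PFSENSE_LAN), (DEFAULT, OTHER_GW)]


def reply_next_hop(routes, src):
    """Longest-prefix match: where the host hands its reply to `src`."""
    best = None
    for net, gw in routes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    gw = best[1]
    return src if gw is None else gw     # on-link: delivered straight to src


def reply_reaches_tunnel(routes, src_seen):
    """True if the reply is handed to pfSense, which owns the route into the tunnel."""
    return reply_next_hop(routes, src_seen) == PFSENSE_LAN


def outbound_nat_source(src):
    """The hybrid outbound NAT rule from the thread: traffic from the tunnel
    subnet leaving the LAN interface is rewritten to the interface address."""
    return PFSENSE_LAN if src in TUNNEL_NET else src


def host_firewall_allows(src, allowed_nets):
    """A host firewall that only accepts sources from the listed networks."""
    return any(src in net for net in allowed_nets)


def can_reply(routes, allowed_nets, src_seen):
    """Both conditions must hold: the host accepts the packet and can route back."""
    return host_firewall_allows(src_seen, allowed_nets) and reply_reaches_tunnel(routes, src_seen)


if __name__ == "__main__":
    local_only = [LAN_NET]
    for name, routes in [("default via other gw", HOST_DEFAULT_OTHER_GW),
                         ("default via pfSense", HOST_DEFAULT_PFSENSE),
                         ("static route to tunnel", HOST_STATIC_ROUTE)]:
        print(f"{name:24} no NAT: {can_reply(routes, local_only, VPN_CLIENT)}"
              f"  with NAT: {can_reply(routes, local_only, outbound_nat_source(VPN_CLIENT))}")
```

The routing-only checks show the clean fixes: a host whose default gateway is pfSense, or that carries a static route for 192.168.100.0/29 via 192.168.0.254, can answer 192.168.100.2 without any NAT. The host-firewall check shows the second cause separately: with a "local subnet only" policy the reply is refused even when the route is right, unless the tunnel subnet is added to the policy. The NAT rule makes every reply look like LAN-to-LAN traffic, which is why it works everywhere but also why the LAN side loses the real client address in its logs.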



  • @viragomann
    It's just for me and about 3 other people.
    I think the long-term plan (this is replacing a Cisco VPN) will be to add an IP on the other firewall (or a secondary IP at least), since it is still bridged on that VLAN.
    Then I can just add it to the firewall as a secondary IP, and add that subnet to the same policies and address book entries allowed to get to everything.
    Depending on how many static routes there are elsewhere, however, the masq/NAT option works easier, at least for now.

