OpenVPN made me crazy! Routing problem?
-
Hello everyone! I configured OpenVPN following this guide: https://www.ceos3c.com/2017/04/10/configure-openvpn-for-pfsense-2-3-step-by-step/
Everything's good, the clients can connect without any problem, but I see ONLY pfSense in my remote network, not the other PCs, printers, etc.
Could it be a routing problem? Firewall and NAT seem OK. I attach here the OpenVPN routing table. Some info:
Tunnel: 192.168.10.0/24
Remote network: 192.168.0.0/24
DNS: 192.168.0.200 (pfSense IP)
Port: 1194
Thanks!
-
That may be caused by a couple of reasons:
- The OpenVPN server isn't the default gateway for the device you try to access.
- The device blocks the access itself. Windows firewalls for instance do this by default.
- The client doesn't set the routes.
- pfSense blocks the access because your rules aren't set correctly.
Since you don't offer configuration details, it's hard to say what's the reason for your problem.
-
-
It works!! Thanks!! Probably the stupid Windows firewall blocked me :-
I have a doubt: the VPN now works great, but I can reach the remote device using the remote IP. I'll try to explain:
My tunnel is, for example, 10.0.0.0/24
Remote net is 192.168.0.0/24
After connecting to OpenVPN, I can reach my NAS with this local IP, 192.168.0.100. Is that correct? Or should I have a tunnel IP like 10.0.0.100?
Thanks a lot
-
No, by default the client adds routes for the remote network after connecting. So it goes this way, you access the devices with their real local IP.
-
OK, great! One last question: what if I have the local net and remote net with the same IP class, and a device with the same IP in local and remote? For example:
local net: 192.168.0.0/24
local printer: 192.168.0.30
vpn tunnel: 10.0.0.0/24
remote net: 192.168.0.0/24
remote nas: 192.168.0.30
In this case, the printer and the NAS have the same IP! Is it a problem? Where do I go? To the NAS or to the printer? Thanks very, very much.
-
It's late, so if I'm posting in error, forgive me.
However, when VPNs are involved, it's best to make sure that the networks involved are different.
It's also best if both are moved to private but not common numbers…
Like 192.168.32.0/24 for the local network.
Then
192.168.33.0/24 for the remote network.
And move the VPN networks in pfSense to something sane but also unique and uncommon like 10.12.14.0/24
You really don't want your networks getting confused about where to send your packets.
You never know what you might want to connect to this in the future, so why not make it idiot proof?
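
The address-plan check discussed in the last two posts, as an added example that is not part of any post in the thread: it flags subnets that overlap and hosts whose address is valid on more than one side of the VPN. The function names and plan dictionaries are hypothetical; the addresses are the ones quoted in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed from the addresses quoted in the thread's last question.
THREAD_PLAN = {
    "local": "192.168.0.0/24",
    "tunnel": "10.0.0.0/24",
    "remote": "192.168.0.0/24",
}
# The renumbered plan suggested in the last reply.
RENUMBERED_PLAN = {
    "local": "192.168.32.0/24",
    "tunnel": "10.12.14.0/24",
    "remote": "192.168.33.0/24",
}
HOSTS = {"printer": "192.168.0.30", "nas": "192.168.0.30"}


def _parse(plan):
    # strict=True rejects entries such as 192.168.0.1/24 (host bits set).
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose subnets share addresses.

    Uses overlaps(), so a /24 nested inside a /16 is caught as well as
    two identical /24s.
    """
    nets = _parse(plan)
    return sorted((a, b) for a, b in combinations(nets, 2)
                  if nets[a].overlaps(nets[b]))


def ambiguous_hosts(plan, hosts):
    """Map each host label to the networks containing its address,
    keeping only hosts that match more than one network."""
    nets = _parse(plan)
    result = {}
    for label, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        matches = [name for name, net in nets.items() if ip in net]
        if len(matches) > 1:
            result[label] = matches
    return result


if __name__ == "__main__":
    for title, plan in (("thread", THREAD_PLAN), ("renumbered", RENUMBERED_PLAN)):
        print(title, "overlaps:", find_overlaps(plan) or "none")
        print(title, "ambiguous hosts:", ambiguous_hosts(plan, HOSTS) or "none")
```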