OpenVPN Connected / LAN Gateway Reachable / LAN Clients not so much



  • I’ve been banging my head on this one for about a week now. Need some help.

    My OpenVPN client connects with no issue. Once connected, I can reach the LAN gateway, but no other devices on the LAN.

    LAN – 10.131.0.0 (pfSense is 10.131.0.1)
    OpenVPN – 10.132.6.0 (pfSense is 10.132.6.1)

    Once connected, I can ping 10.132.6.1, 10.131.0.1, 8.8.8.8. I cannot ping 10.131.0.11, which is a server on the network. I have confirmed I can ping that server when connected directly to the LAN.

    I’ve set this up a couple of times with the wizard and tried several things mentioned in other posts. No luck though. Anyone have any ideas?

    Here is some supplementary info:

    Trying this with the Windows client exported from pfSense.

    Server Config:
    vpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    multihome
    tls-server
    server 10.132.6.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user hbkbkbkjbjkc2U= false server1 33900" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ville-VPN' 1"
    lport 33900
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 10.131.0.0 255.255.255.0"
    push "dhcp-option DNS 8.8.8.8"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    persist-remote-ip
    float
    topology subnet

    Client Config:
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote (Our WAN IP) 1194 udp
    verify-x509-name "ville-VPN" name
    auth-user-pass
    pkcs12 pfSense-udp-1194-cf.p12
    tls-auth pfSense-udp-1194-cf-tls.key 1
    remote-cert-tls server

    Route Print:
    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.43.1  192.168.43.121    50
          10.131.0.0    255.255.255.0      10.132.6.1      10.132.6.2    35
          10.132.6.0    255.255.255.0        On-link        10.132.6.2    291
          10.132.6.2  255.255.255.255        On-link        10.132.6.2    291
        10.132.6.255  255.255.255.255        On-link        10.132.6.2    291
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
        192.168.43.0    255.255.255.0        On-link    192.168.43.121    306
      192.168.43.121  255.255.255.255        On-link    192.168.43.121    306
      192.168.43.255  255.255.255.255        On-link    192.168.43.121    306
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
            224.0.0.0        240.0.0.0        On-link        10.132.6.2    291
            224.0.0.0        240.0.0.0        On-link    192.168.43.121    306
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
      255.255.255.255  255.255.255.255        On-link        10.132.6.2    291
      255.255.255.255  255.255.255.255        On-link    192.168.43.121    306



  • Is the pfSense running the VPN server the default gateway on the LAN device?

    Check if the system firewall of the server itself blocks the access.



  • Awesome. I could ping the server from the internal LAN, so I didn't think much about the Windows firewall. After turning that Windows firewall off to test, I could access the server over the VPN just fine. I turned the firewall back on and added a rule allowing incoming traffic from my OpenVPN IP range. We're all good now. Thanks for the help!
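The fix described in the last reply, as an added example (not the poster's own commands): inbound Windows Firewall rules on the LAN server that are scoped to the OpenVPN tunnel subnet, instead of disabling the firewall or allowing any remote address. The 10.132.6.0/24 range comes from the thread; the rule names, the TCP port list and the profile selection are assumptions.

```powershell
# Added example (not the poster's own commands): scoped Windows Firewall rules on the
# LAN server (10.131.0.11 in the thread) that admit only the OpenVPN tunnel subnet.
# Assumptions: 10.132.6.0/24 is the OpenVPN subnet (from the thread); the TCP port list
# is a placeholder for whatever services VPN users actually need; the server's NIC is on
# the Domain or Private profile (use -Profile Any if it is not).
# Run in an elevated PowerShell session on the server.

$VpnSubnet    = '10.132.6.0/24'
$ServicePorts = @(3389, 445)   # assumption: replace with the services VPN users need

# Allow ICMPv4 echo requests (ping, the test used in the thread) from VPN clients only.
New-NetFirewallRule -DisplayName 'OpenVPN clients - ICMP echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private

# Allow the listed TCP services from VPN clients only, not from any remote address.
New-NetFirewallRule -DisplayName 'OpenVPN clients - TCP services' `
    -Direction Inbound -Protocol TCP -LocalPort $ServicePorts `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private

# Verify the scope actually applied: RemoteAddress must show the VPN subnet, not 'Any'.
Get-NetFirewallRule -DisplayName 'OpenVPN clients - *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
        }
    } | Format-Table -AutoSize
```

Keeping RemoteAddress limited to the tunnel range means hosts outside 10.132.6.0/24 still get the server's default inbound behaviour, so the rule opens nothing to the LAN or the internet that was not open before.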