Unable to reach LAN IP after connecting to openvpn



  • Hi,

    My local network is 192.168.1.0/24 and for the same DHCP has been configured. My open vpn tunnel network segment is 192.168.2.0/24 which is also DHCP enabled for vpn users.

    Now the problem is that when users get connected to the VPN they are getting an IP like 192.168.2.x and are not able to even ping the 192.168.1.x series.

    Please help me with how the users from 192.168.2.x will be able to reach the 192.168.1.x network.

    Regards,
    Ayan



  • @ayanbanerjee One more thing I need to add is that only the LAN GW IP, that is 192.168.1.2, is reachable from the VPN, but not other IPs.



  • I'm having a similar issue
    I followed this guy's video
    https://www.youtube.com/watch?v=Q6YbCQEiC3c
    I was able to connect from a Home Depot connection to my home pfsense.. I get the 192.168.1.100 IP and it shows my internet IP but I can't ping, I can't access my local network as my local network is 192.168.0.x, so I can't even remote desktop to, say, server1, so I can't access openvpn like I'm physically on my local network yet it says it's connected.. and I was told you can access your local LAN like you're physically on the network with openvpn when you're away


  • Rebel Alliance Global Moderator

    @comet424 said in Unable to reach LAN IP after connecting to openvpn:

    and I was told you can access your local LAN like you're physically on the network with openvpn when you're away

    You can.. You just have to set up whatever your local network is so it gets handed off to the client. And you're going to run into problems if your home network is the same as the remote network the client is on.

    So say your home network is 192.168.0/24 and you're at Starbucks and they give your client a 192.168.0/24 IP.. Your client is not going to go down the tunnel to get to 192.168.0 because it is physically on that network.

    This is why it's best to not use a common IP scheme at home if you're planning to VPN into it.. 192.168.0 and 192.168.1 are very common default networks, so pick something else for your home network address schemes so you're unlikely to run into a conflict.

    Or set the VPN client to always go down the tunnel with force, but you should always set up your local networks that you will want to get to as well. Example: [screenshot: localnetworks.png]



  • ok I'll try it at a Tim Hortons coffee shop today as I gotta go to the dentist.. I clicked on the Force all client...
    I tried connecting my cell on my current network with the openvpn and same as before I notice I can't ping my network
    disconnect open vpn.. I can ping 192.168.0.15 (freenas server)
    connect to open vpn I can no longer ping 192.168.0.15 or any IP addresses. I have noticed when I have tried other tutorials I lose internet once connected to a vpn, disconnect vpn, internet is back... but I'll try the force one first

    and maybe it's not working right now cuz I'm on my network at home so I'll give it a shot after my dentist appointment this morning

    reason for vpn: I wanna be able to remote desktop my windows servers without needing to set different ports for remote desktop and port forwarding.. and I wasn't able to figure out how to get it to go server1.example.com server2.example.com server3.example.com, be some kinda reverse name thing or something
    and my final goal is to have a freenas at home and a freenas at my sister's house that sync data between them but securely

    and 2nd last goal is to purchase a vpn service so my searching online etc isn't monitored by my service provider.... but first issue was the accessing my network easily... hopefully this is not too confusing, I do have dyslexia so what comes out of my head isn't always written right



  • @comet424 Thanks for your help but I am able to access the pfSense local IP after connecting to the VPN but able to access other IPs which are in the same series.

    Regards,
    Ayan



  • and I forgot to say if I use openvpn on my cell on my current network right now I lose internet, as I was mentioning above.. and that's with the force IP client button checked off you mentioned.. I disconnect from openvpn and internet is back... is that another setting I need or is it just conflicting

    hopefully fixes when I test at the coffee shop



  • ayanbanerjee ah ok.. you're one up on me.. I'm unable to ping my pfsense router 192.168.0.1 or 192.168.0.100.1 for the virtual network.. I followed that guy's video and I'm unable to ping anything or get internet, and I followed his instructions, I watched the video 10 times, still no luck, and I mentioned it on youtube: if you have the same IP address, like the guy said about Starbucks, what happens.. as it's going to happen.. so I'm going to try his Force the client button and I'm going to try after the dentist... if it doesn't work I'm going to try changing my IP address from 192.168.0.x to 192.168.254.x and the virtual IP to 192.168.253.x, say, as odds are no one uses it.. and I'm not sure if I can use 192.169.x.x, over 20 yrs I've been taught and used 192.168.0.x, back in the 90s using Wingate and Sygate trying to share internet over a dialup and network and network cards with dip switches
    problems over the years have gotten better but still problems I've seen, just different ones lol. like this vpn stuff I'm trying to teach myself lol



  • @comet424 As per the video I have changed the VPN IP pool to 172.16.12.x but same thing... still I am unable to ping any of the LAN IPs which belong to the 192.168.1.x series.


  • Rebel Alliance Global Moderator

    Please post up your openvpn config, your client config and what IP is your client on when you connect..

    Not going to watch a 15 min video for something that takes 30 seconds to setup. Clickity Clickity through the wizard, export the client config = done..



  • @johnpoz Hi,

    Please find below the VPN config details

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-disable
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 182.71.195.102 1194 udp
    verify-x509-name "IndepayVPNCertificate" name
    auth-user-pass
    pkcs12 pfSense-UDP4-1194-ayanbanerjee.p12
    tls-auth pfSense-UDP4-1194-ayanbanerjee-tls.key 1
    remote-cert-tls server

    [4 screenshots attached]

    172.16.12.2 is what I get when my VPN is connected.


  • Rebel Alliance Global Moderator

    why are you putting that in custom options? Remove that.

    Is your client getting the option to force all traffic out the tunnel? What is the client's IP, not the VPN tunnel IP it gets? As already mentioned, if your remote client is on the same network as your remote network it's not going to work.

    Let's see your client's routes after you connect and the status of when your client connects... example

    see here is my routes being added to the client per my above post

    Fri Jun 15 09:46:45 2018 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Fri Jun 15 09:46:45 2018 MANAGEMENT: >STATE:1529074005,ADD_ROUTES,,,,,,
    Fri Jun 15 09:46:45 2018 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.1
    Fri Jun 15 09:46:45 2018 Route addition via service succeeded
    Fri Jun 15 09:46:45 2018 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.1
    Fri Jun 15 09:46:45 2018 Route addition via service succeeded
    Fri Jun 15 09:46:45 2018 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.0.8.1
    Fri Jun 15 09:46:45 2018 Route addition via service succeeded
    Fri Jun 15 09:46:45 2018 Initialization Sequence Completed

    [screenshot: routesonclient.png]



  • I just got home from the dentist so it didn't work at the dentist's internet... I can connect using my cell to pfsense.. says I get the 192.168.100.2 address but I lose internet and I can't ping...

    how do I post the config files or do I post just the screen captures?



  • I did config export files only this is what I got
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 174.94.28.5 1194 udp
    verify-x509-name "mikeshouseserver" name
    pkcs12 pfSense-UDP4-1194-mikeshouseclient.p12
    tls-auth pfSense-UDP4-1194-mikeshouseclient-tls.key 1
    remote-cert-tls server



  • [screenshots: pfsense3.jpg, pfsense2.jpg, pfsense1.jpg]



  • [screenshots: pfsense7.jpg, pfsense6.jpg, pfsense5.jpg, pfsense4.jpg]



  • sorry pics seem to have posted out of order... but that's the settings of the server settings.. is there any other screen shots you need?


  • Rebel Alliance Global Moderator

    @comet424 said in Unable to reach LAN IP after connecting to openvpn:

    but I lose internet and I can't ping…

    Can't ping what?? Is what you're trying to ping set to allow you to ping from 192.168.100/24 - for example windows out of the box firewall will not answer ping unless you're on the same network..

    You have to adjust the host firewall. For you to get internet access via this vpn connection, did you set your outbound nat for your tunnel network.. Should have done that for you, but if you had changed to say manual mode on your outbound nat then it wouldn't..

    When you connect to your vpn, can you ping your lan IP of pfsense?



  • @johnpoz Hi, I have already removed the custom option.
    [screenshot attached]
    My client IP is 192.168.5.100


  • Rebel Alliance Global Moderator

    so do a traceroute.. What do you get from that?

    example here is traceroute to IP on my home lan network

    C:\Windows\System32>tracert -d 192.168.9.100

    Tracing route to 192.168.9.100 over a maximum of 30 hops

    1 101 ms 108 ms 103 ms 10.0.8.1
    2 106 ms 101 ms 109 ms 192.168.9.100

    Trace complete.

    C:\Windows\System32>

    It's long because my proxy is all the way in TX, while I am at work in Chicago, so from Chicago to hou, back to Chicago, etc. So yeah some added latency.

    Ping and traceroute to the pfsense lan IP.. For example my pfsense IP on my lan is 192.168.9.253.. You trying to talk to devices on your lan might have host firewalls blocking your remote tunnel IP.



  • @johnpoz Hi, here is the story, I am able to reach the pfSense LAN IP which is 192.168.1.2 but to ping any of the IPs which belong to the 192.168.1.x series.


  • Rebel Alliance Global Moderator

    Well then you're going down the tunnel and as already stated points to host firewall, or the host you're trying to ping using a different gateway other than pfsense.

    You not being able to get to say public IP 8.8.8.8 down the tunnel would point to outbound nat not configured for your tunnel network on pfsense.



  • @johnpoz Hi, we are using only one GW and that is PfSense local ip 192.168.1.2 and also able to ping 8.8.8.8 or 4.4.2.2 when I am in VPN.
    I am really clueless now :(



  • @johnpoz Hi, I got a log below, please help me to understand the same

    Fri Jun 15 22:54:01 2018 Block_DNS: Using existing sublayer
    Fri Jun 15 22:54:01 2018 Block_DNS: Added permit filters for exe_path
    Fri Jun 15 22:54:01 2018 Block_DNS: Added block filters for all interfaces
    Fri Jun 15 22:54:02 2018 Block_DNS: Added permit filters for TAP interface
    Fri Jun 15 22:54:07 2018 Warning: address 192.168.1.2 is not a network address in relation to netmask 255.255.255.0
    Fri Jun 15 22:54:07 2018 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=9]
    Fri Jun 15 22:54:07 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Fri Jun 15 22:54:07 2018 Initialization Sequence Completed



  • [screenshots: nat3.jpg, nat2.jpg, nat1.jpg]
    here is my outbound nat I set

    as for the pinging what I meant was on my cell I have a Ping program, when I'm not on my vpn I can ping say 192.168.0.15 which is my Freenas IP, as soon as I connect to VPN I get the 192.168.100.2 for my cell and I lose all internet.. I can no longer ping 192.168.0.15 (freenas), I can't ping 192.168.0.1 the router or 192.168.100.1 which would be the router in the virtual lan setting, and this happens when I connect open vpn using my home internet or at the coffee shop

    I'm sure it's something simple like a check box I missed that's causing all this right? for the traceroute I'd have to be at the coffee shop with the openvpn to get the results you want correct?



  • the only IP address I can ping while on vpn is 192.168.100.2 which is the cell's IP address for the vpn..

    so I'm confused, I thought it was so simple like the video showed, boom boom boom done now you're perfectly connected... I had to have missed a step somehow, probably some check box I missed



  • [screenshots: rules2.jpg, rules1.jpg]
    here is the Rules pics for the firewall for the openvpn


  • Rebel Alliance Global Moderator

    @ayanbanerjee said in Unable to reach LAN IP after connecting to openvpn:

    Fri Jun 15 22:54:07 2018 Warning: address 192.168.1.2 is not a network address in relation to netmask 255.255.255.0

    That is not a network that is a host!!! network would be 192.168.1.0/24
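
The two checks raised in this thread (a route target must be a network address rather than a host, and the client's physical LAN must not overlap the networks reached through the tunnel) can be scripted before a config is exported. This Python block is an added example, not code from the thread, pfSense or OpenVPN; the function names are hypothetical and the /24 prefix lengths are assumed from the addresses the posters quote.

```python
import ipaddress

def normalize_route(addr, mask):
    """Return (is_network_address, network) for an 'addr mask' route target."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_address(addr) == net.network_address, net

def audit_routes(client_lan, tunnel_net, routes):
    """Check routes against the client's physical LAN and the tunnel network.

    Returns a list of (code, detail) findings; an empty list means no conflict.
    """
    client = ipaddress.ip_network(client_lan)
    tunnel = ipaddress.ip_network(tunnel_net)
    findings = []
    if client.overlaps(tunnel):
        findings.append(("TUNNEL_OVERLAPS_CLIENT_LAN", f"{tunnel} vs {client}"))
    for addr, mask in routes:
        is_net, net = normalize_route(addr, mask)
        if not is_net:
            # Same condition the OpenVPN warning reports: host bits set under the mask.
            findings.append(("HOST_NOT_NETWORK",
                             f"{addr} {mask} -> use {net.network_address} {net.netmask}"))
        if net.overlaps(client):
            # The client is physically on this range, so (as explained in the
            # thread) it will not send these packets down the tunnel.
            findings.append(("ROUTE_OVERLAPS_CLIENT_LAN", f"{net} vs {client}"))
        if net.overlaps(tunnel):
            findings.append(("ROUTE_OVERLAPS_TUNNEL", f"{net} vs {tunnel}"))
    return findings

# Constructed inputs built from addresses quoted in the thread (/24 assumed).
CASES = {
    "host pushed as route": ("192.168.5.0/24", "172.16.12.0/24",
                             [("192.168.1.2", "255.255.255.0")]),
    "same subnet at cafe": ("192.168.0.0/24", "192.168.100.0/24",
                            [("192.168.0.0", "255.255.255.0")]),
    "clean": ("192.168.5.0/24", "172.16.12.0/24",
              [("192.168.1.0", "255.255.255.0")]),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {audit_routes(*args) or 'ok'}")
```
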


  • Rebel Alliance Global Moderator

    You have 2 different people posting different issues. It's becoming a bit hard to follow..

    One guy says he has no problem getting to the internet through the vpn, the other says he can't etc. Just because you're both having issues getting to your lan behind pfsense does not mean they are related to why.

    I would suggest the 2nd guy start your own thread.



  • @comet424 Based on your screenshots, your outbound NAT only allows the specific IPs of 192.168.0.51 and 192.168.0.52 outbound to internet. Any other clients will not be NAT'd so they will not be routable on the internet. You need to add outbound NAT for your VPN subnet. If you are receiving an IP of 192.168.100.2 on your phone then I am guessing your VPN subnet is 192.168.100.0/24. You should create a NAT rule for that network outbound. You will not need to select static port on that entry. As a side note, if you want the VPN to just give you access to things on your local network and don't need or want VPN access, you don't need the NAT entry but you need to make sure the box that says "Force all client generated traffic through the VPN" is unchecked in your VPN server settings.

    Hope that helps.



  • @bloodlogic ah I'm not sure, and I posted a new article as I didn't wanna tick off johnpoz and confuse everyone more. the 192.168.0.50 is for the router nat.. the 51 is to try to get xbox one to work properly through pfsense which didn't work... and I did the check all client generated traffic because I was told to try that for conflicts, when I uncheck it it didn't help. I was told, like I thought, if I use 192.168.0.x as my local network and I connect to a coffee shop that uses 192.168.0.x as their network there would be a conflict.. I tried both ways, check and uncheck, no difference, once I connect to vpn I lose all internet connection and no longer can ping except the virtual IP for the cell



  • @johnpoz Ok but could you please check the line regarding route addition failed


  • Rebel Alliance Global Moderator

    Dude, you cannot add a host address as a route.



  • @johnpoz thanks.. I had made some mistake in the configuration.. but the ping issue is still not solved.



  • @johnpoz Hi, some more inputs from my side,
    after the VPN connection people from the LAN are able to ping my VPN IP, so it looks like it's working one way. By any chance is there anything I need to do on the firewall side?

    Please help.


  • Rebel Alliance Global Moderator

    THE HOST FIREWALL!!! ie the client on the lan side you're trying to ping, its software firewall... Went over this way back in the thread..

    Windows out of the box is not going to let some IP (tunnel network your remote guy got from vpn) ping it..



  • @johnpoz I have disabled all the Windows firewall but no luck


  • Rebel Alliance Global Moderator

    If you can ping your lan IP of pfsense, then you're going down the tunnel.. Then that means you can get to the lan network... So sniff on the lan interface while you ping some lan client from your vpn... Do you see it send the ping towards the client? Do you see a response..

    Here is example from my phone pinging my 192.168.1.100 box..

    [screenshot: pingclientonlan.png]


  • Rebel Alliance Global Moderator

    Did you mess with openvpn firewall rules.. The wizard will create an any any rule.. Did you delete this - not use the wizard? Modify it? [screenshot: vpnrules.png]



  • @johnpoz the rule is there, I have used the wizard.

    Looks like the problem is different, all the clients are getting the same IP after connecting to the VPN :(

