can't reach my access points on my lan side using openVPN



  • I am using openvpn enable inter client communication and also used advance config to push static routes and it didin't work still wasn't able to connect to access points. In addition I enabled pushed all generated traffic through the tunnel, which also didn't work.
    Lan ip 192.168.1.1/24
    openVPN tunnel network: 192.168.100.0/24; I have changed this ip multiple times to different classes from A right to C and it still didn't work.
    Pfsense version 2.4.4 64bit

    ---What works--
    I am able to reach the firewall by its lan ip when openVPN enabled.


  • Global Moderator

    Can you attach screenshots of

    • OpenVPN server config
    • Firewall Rules for OpenVPN
    • route table from OpenVPN client when it has OpenVPN up


  • 0_1541318488851_Screenshot_2018-11-04 Anonymous Anonymous dev - VPN OpenVPN Servers Edit.png 0_1541318546703_Screenshot_2018-11-04 Anonymous Anonymous dev - Firewall Rules OpenVPN.png 0_1541319399920_routes.png


  • Global Moderator

    I see no traffic on OpenVPN tunnel. Can you try to use Packet Capture (Diagnostics/Packet Capture) to check if there are any incoming packets in tunnel?

    • Interface: OpenVPN
    • promiscuous mode enabled
    • start
      Capture traffic for a while (2-3 minutes) then Stop and check.

  • Global Moderator

    @tripplex95 said in can't reach my access points on my lan side using openVPN:

    I am able to reach the firewall by its lan ip when openVPN enabled.

    Sorry, I only now saw this comment - if you can reach LAN IP but can't reach any host behind LAN - you need to check route table on hosts behind LAN.
    And if you try Packet Capture on LAN I think you will see output packets from your Remote host but no replies from hosts on LAN (and it's definitely problem with route table on these hosts)



  • You can reach the LAN address of the firewall from one of the OpenVPN clients?

    Can you show your OpenVPN firewall rules? Set to LAN net and not LAN address right?



  • It's there apart of the screen shot. Look above the cmd route output.



  • @asamat this so an issue. so I have to set a static routes in the access points to be able to access them via openvpn?


  • Global Moderator

    If your access points don't have pfSense as default GW - yes, you need to add static route like
    Destination: 10.0.8.0/24
    GW: <pfSense IP>



  • @asamat yes they are configured and have pfsense as there default gateway.



  • It may be because the APs don't want to talk to anything outside their own network - e.g., traffic coming from the VPN tunnel. I've seen this a few times.

    You would need outbound NAT to overcome that.

    Have a look at this thread and jimp's recommendation.



  • @biggsy said in can't reach my access points on my lan side using openVPN:

    It may be because the APs don't want to talk to anything outside their own network - e.g., traffic coming from the VPN tunnel. I've seen this a few times.

    This can be tested easily. tested.
    Change your WAN2 for a LAN2 interface.
    You'll be having a LAN with 192.168.1.1/24 - on this LAN you have your AP (right ?!).
    Make LAN2 (OPT1) like 192.168.2.1/24 - put a pass all firewall rule on it, activate a DHCP server on it, connect to it.

    Now, can you access your AP on LAN coming from your PC hooked on LAN2 ?
    You should be able to do so. (I do soo all the time, accessing devices on other LAN segments).
    If not => go check you AP.