Can't reach Lan host in OpenVPN tab mode



  • Hi,

    I have configured OpenVPN in tap mode (bridge). I followed this manual: https://forum.netgate.com/topic/42698/how-to-openvpn-tap-bridging-with-lan

    Everything works fine, the remote client connects well, DHCP is assigned well, I can ping the LAN and WAN interfaces, but I can't ping the host in the LAN network.

    I added a "permit all" rule in the firewall on the WAN, LAN and OpenVPN interfaces, but even with this I don't have a connection to the host in the LAN.

    The bridge is with the LAN interface.

    Any help please.



  • @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

    I added a "permit all" rule in the firewall on the WAN,

    I understand that you are testing, but a "permit all" on WAN is bad, very bad.

    As told in the official pfSense videos, "bridging" is possible, but tricky.

    Can you ping your host (what host? where?) from pfSense, using the console menu?

    The default LAN rule works just fine - what did you change?



  • @Gertjan said in Can't reach Lan host in OpenVPN tab mode:

    but tricky

    Hi, thanks for your reply.

    I know a permit all is a bad idea, but I just want to make this work.

    I installed the OpenVPN client on a Windows PC (this PC is the client that will connect to the pfSense OpenVPN server. It is outside the pfSense networks), imported the ".ovpn" downloaded from pfSense, and I connect to the pfSense OpenVPN server via the pfSense WAN interface. From the Windows PC I can ping the WAN and LAN interfaces of the pfSense, but can't reach the hosts on the pfSense LAN side.

    Thanks...



  • Can you ping your host (what host? where?) from pfSense, using the console menu?

    Can you open the pfSense GUI using its URL or http://192.168.1.1?

    ipconfig /all

    On your connected PC says what?

    OpenVPN client log?
    OpenVPN server log?



  • @Gertjan

    Can you open the pfSense GUI using its URL or http://192.168.1.1?

    You mean if I can open it from the Windows client when I connect to the VPN. No, I can't. The IP is 172.16.1.1. I can ping it but can't access HTTP. In the local 172.16.1.x I can access HTTP; this is the way that I configured the pfSense.

    ipconfig /all

    C:\Users\Alberto Leonor>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : DESKTOP-GJ1C193
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Ethernet:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
    Physical Address. . . . . . . . . : DC-4A-3E-EF-2C-0D
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Local Area Connection* 2:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
    Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7A
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Local Area Connection* 3:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
    Physical Address. . . . . . . . . : 0A-D4-0C-37-0E-79
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    **Ethernet adapter Ethernet 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : TAP-Windows Adapter V9
    Physical Address. . . . . . . . . : 00-FF-9B-C6-92-BE
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 172.16.1.130(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:24 PM
    Lease Expires . . . . . . . . . . : Wednesday, April 15, 2020 3:18:23 PM
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . : 172.16.1.0
    NetBIOS over Tcpip. . . . . . . . : Enabled**

    Wireless LAN adapter Wi-Fi:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3165
    Physical Address. . . . . . . . . : 08-D4-0C-37-0E-79
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.240
    Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:15 PM
    Lease Expires . . . . . . . . . . : Wednesday, April 17, 2019 3:03:50 PM
    Default Gateway . . . . . . . . . : 172.20.10.1
    DHCP Server . . . . . . . . . . . : 172.20.10.1
    DNS Servers . . . . . . . . . . . : 172.20.10.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Bluetooth Network Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
    Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7D
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    C:\Users\Alberto Leonor>

    OpenVPN client log
    Tue Apr 16 15:18:22 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
    Tue Apr 16 15:18:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Apr 16 15:18:22 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
    Tue Apr 16 15:18:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.52.36.250:1194
    Tue Apr 16 15:18:22 2019 UDP link local (bound): [AF_INET][undef]:1194
    Tue Apr 16 15:18:22 2019 UDP link remote: [AF_INET]179.52.36.250:1194
    Tue Apr 16 15:18:23 2019 [OPENVPNSERVER] Peer Connection Initiated with [AF_INET]179.52.36.250:1194
    Tue Apr 16 15:18:24 2019 open_tun
    Tue Apr 16 15:18:24 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}.tap
    Tue Apr 16 15:18:24 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.1.130/255.255.255.0 on interface {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D} [DHCP-serv: 172.16.1.0, lease-time: 31536000]
    Tue Apr 16 15:18:24 2019 Successful ARP Flush on interface [41] {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}
    Tue Apr 16 15:18:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Apr 16 15:18:29 2019 Initialization Sequence Completed

    OpenVPN server log
    Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:25:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:26:01 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:26:01 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:26:02 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:26:02 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:28:04 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:28:04 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:28:05 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:28:05 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:30:07 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:30:08 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:31:09 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:31:09 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:31:10 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:31:10 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:33:00 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client disconnected
    Apr 16 15:33:12 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Apr 16 15:33:12 openvpn 86479 MANAGEMENT: CMD 'status 2'
    Apr 16 15:33:13 openvpn 86479 MANAGEMENT: CMD 'quit'
    Apr 16 15:33:13 openvpn 86479 MANAGEMENT: Client disconnected

    Does this help?
    Thanks.



  • @Gertjan

    I found an unassigned interface. Doesn't this matter?

    Attached Image.

    Capture.JPG



  • @Rico
    Hi Rico,

    The configuration is exactly like the guide you sent me.

    Hope you could help me,
    Thanks.



  • Question:

    @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

    Description . . . . . . . . . . . : TAP-Windows Adapter V9
    .....
    DHCP Server . . . . . . . . . . . : 172.16.1.0

    A DHCP server living on an IP ending with 0?? That's new for me.



  • @Gertjan

    Yes, this is so weird for me too.

    I set the DHCP settings in the "Server Bridge DHCP Start/End" fields in the OpenVPN server settings.

    Any idea?



  • @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

    Any idea?

    Yes.
    A DHCP server needs a host address. Not a network address, like the one terminating with 0.

    But maybe this is just a don't-care situation because:

    @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

    Everything works fine, the remote client connects well, DHCP is assigned well ....



  • @Gertjan

    That set. I don't know if the firewall is blocking traffic or something like this.



  • Me neither ;)
    But a firewall does what you want - you are the boss ^^
    Idea: make your rules verbose and have a look at the firewall logs.

