Netgate Discussion Forum

    Can't reach Lan host in OpenVPN tab mode

      hunteralberto

      Hi,

      I have configured OpenVPN in tap mode (bridge). I followed this manual: https://forum.netgate.com/topic/42698/how-to-openvpn-tap-bridging-with-lan

      Everything works fine: the remote client connects well, DHCP is assigned well, and I can ping the LAN and WAN interfaces, but I can't ping the host in the LAN network.

      I added a "permit all" rule in the firewall on the WAN, LAN and OpenVPN interfaces, but even with this I don't have a connection to the host in the LAN.

      The bridge is with the LAN interface.

      Any help please.

        Gertjan @hunteralberto

        @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

        I added a "permit all" rule in the firewall on the WAN,

        I understand that you are testing, but a "permit all" on WAN is bad, very bad.

        As told in the official pfSense videos, "bridging" is possible, but tricky.

        Can you ping your host (what host ? where ?) from pfSense, using the console menu ?

        The default LAN rule works just fine - what did you change ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          hunteralberto @Gertjan

          @Gertjan said in Can't reach Lan host in OpenVPN tab mode:

          but tricky

          Hi, thanks for your reply.

          I know a permit all is a bad idea, but I just want to make this work.

          I installed the OpenVPN client on a Windows PC (this PC is the client that will connect to the pfSense OpenVPN server. It is outside the pfSense networks), imported the ".ovpn" downloaded from the pfSense, and I connect to the pfSense OpenVPN server via the pfSense WAN interface. From the Windows PC I can ping the WAN and LAN interfaces of the pfSense, but can't reach the hosts on the pfSense LAN side.

          Thanks...

            Gertjan

            Can you ping your host (what host ? where ?) from pfSense, using the console menu ?

            Can you open the pfSense GUI using its URL or http://192.168.1.1 ?

            ipconfig /all
            

            On your connected PC says what ?

            OpenVPN client log ?
            Open VPN server log ?

              hunteralberto @Gertjan

              @Gertjan

              Can you open the pfSense GUI using its URL or http://192.168.1.1 ?

              You mean if I can open it from the Windows client when I connect to the VPN? No, I can't. The IP is 172.16.1.1. I can ping it but can't access HTTP. In the local 172.16.1.x I can access HTTP; this is the way that I configured the pfSense.

              ipconfig /all

              C:\Users\Alberto Leonor>ipconfig /all

              Windows IP Configuration

              Host Name . . . . . . . . . . . . : DESKTOP-GJ1C193
              Primary Dns Suffix . . . . . . . :
              Node Type . . . . . . . . . . . . : Hybrid
              IP Routing Enabled. . . . . . . . : No
              WINS Proxy Enabled. . . . . . . . : No

              Ethernet adapter Ethernet:

              Media State . . . . . . . . . . . : Media disconnected
              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
              Physical Address. . . . . . . . . : DC-4A-3E-EF-2C-0D
              DHCP Enabled. . . . . . . . . . . : No
              Autoconfiguration Enabled . . . . : Yes

              Wireless LAN adapter Local Area Connection* 2:

              Media State . . . . . . . . . . . : Media disconnected
              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
              Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7A
              DHCP Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes

              Wireless LAN adapter Local Area Connection* 3:

              Media State . . . . . . . . . . . : Media disconnected
              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
              Physical Address. . . . . . . . . : 0A-D4-0C-37-0E-79
              DHCP Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes

              Ethernet adapter Ethernet 2:

              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : TAP-Windows Adapter V9
              Physical Address. . . . . . . . . : 00-FF-9B-C6-92-BE
              DHCP Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes
              IPv4 Address. . . . . . . . . . . : 172.16.1.130(Preferred)
              Subnet Mask . . . . . . . . . . . : 255.255.255.0
              Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:24 PM
              Lease Expires . . . . . . . . . . : Wednesday, April 15, 2020 3:18:23 PM
              Default Gateway . . . . . . . . . :
              DHCP Server . . . . . . . . . . . : 172.16.1.0
              NetBIOS over Tcpip. . . . . . . . : Enabled

              Wireless LAN adapter Wi-Fi:

              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3165
              Physical Address. . . . . . . . . : 08-D4-0C-37-0E-79
              DHCP Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes
              IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred)
              Subnet Mask . . . . . . . . . . . : 255.255.255.240
              Lease Obtained. . . . . . . . . . : Tuesday, April 16, 2019 3:18:15 PM
              Lease Expires . . . . . . . . . . : Wednesday, April 17, 2019 3:03:50 PM
              Default Gateway . . . . . . . . . : 172.20.10.1
              DHCP Server . . . . . . . . . . . : 172.20.10.1
              DNS Servers . . . . . . . . . . . : 172.20.10.1
              NetBIOS over Tcpip. . . . . . . . : Enabled

              Ethernet adapter Bluetooth Network Connection:

              Media State . . . . . . . . . . . : Media disconnected
              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
              Physical Address. . . . . . . . . : 08-D4-0C-37-0E-7D
              DHCP Enabled. . . . . . . . . . . : Yes
              Autoconfiguration Enabled . . . . : Yes

              C:\Users\Alberto Leonor>

              OpenVPN client log
              Tue Apr 16 15:18:22 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
              Tue Apr 16 15:18:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
              Tue Apr 16 15:18:22 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
              Tue Apr 16 15:18:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.52.36.250:1194
              Tue Apr 16 15:18:22 2019 UDP link local (bound): [AF_INET][undef]:1194
              Tue Apr 16 15:18:22 2019 UDP link remote: [AF_INET]179.52.36.250:1194
              Tue Apr 16 15:18:23 2019 [OPENVPNSERVER] Peer Connection Initiated with [AF_INET]179.52.36.250:1194
              Tue Apr 16 15:18:24 2019 open_tun
              Tue Apr 16 15:18:24 2019 TAP-WIN32 device [Ethernet 2] opened: \.\Global{9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}.tap
              Tue Apr 16 15:18:24 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.1.130/255.255.255.0 on interface {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D} [DHCP-serv: 172.16.1.0, lease-time: 31536000]
              Tue Apr 16 15:18:24 2019 Successful ARP Flush on interface [41] {9BC692BE-40A9-4D8C-98FC-85C1C54EF87D}
              Tue Apr 16 15:18:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
              Tue Apr 16 15:18:29 2019 Initialization Sequence Completed

              Open VPN server log
              Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:25:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:25:06 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:26:01 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:26:01 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:26:02 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:26:02 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:27:03 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:27:03 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:28:04 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:28:04 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:28:05 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:28:05 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:29:06 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:29:06 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:30:07 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:30:08 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:30:08 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:31:09 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:31:09 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:31:10 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:31:10 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:32:11 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:32:11 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:32:59 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:33:00 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:33:00 openvpn 86479 MANAGEMENT: Client disconnected
              Apr 16 15:33:12 openvpn 86479 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
              Apr 16 15:33:12 openvpn 86479 MANAGEMENT: CMD 'status 2'
              Apr 16 15:33:13 openvpn 86479 MANAGEMENT: CMD 'quit'
              Apr 16 15:33:13 openvpn 86479 MANAGEMENT: Client disconnected

              Does this help?
              Thanks.

                hunteralberto @Gertjan

                @Gertjan

                I found an unassigned interface. Doesn't this matter?

                Attached Image.

                Capture.JPG

                  Rico

                  Follow this guide and recheck all your settings: https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html

                  -Rico

                    hunteralberto @Rico

                    @Rico
                    Hi Rico,

                    The configuration is exactly like the guide you sent me.

                    Hope you could help me,
                    Thanks,

                      Gertjan @hunteralberto

                      Question :

                      @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

                      Description . . . . . . . . . . . : TAP-Windows Adapter V9
                      .....
                      DHCP Server . . . . . . . . . . . : 172.16.1.0

                      A DHCP server living on an IP ending with 0 ?? That's new for me.

                        hunteralberto @Gertjan

                        @Gertjan

                        Yes, this is so weird for me too.

                        I set the DHCP setting in the "Server Bridge DHCP Start/End" in the OpenVPN server settings.

                        Any idea?

                          Gertjan @hunteralberto

                          @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

                          Any idea?

                          Yes.
                          A DHCP server needs a host address. Not a network address, like the one terminating with 0.

                          But maybe this is just a "don't care" situation because:

                          @hunteralberto said in Can't reach Lan host in OpenVPN tab mode:

                          Everything works fine: the remote client connects well, DHCP is assigned well ....


                          H 1 Reply Last reply Reply Quote 0
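
The check raised in the post above, as an added example that is not part of the original thread: it parses `ipconfig /all` text and reports adapters whose DHCP server is the network or broadcast address of the adapter's own subnet, lies outside that subnet, or that have no default gateway. The sample input is constructed from the values posted earlier in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed from the `ipconfig /all` values posted in this thread.
SAMPLE = """\
Ethernet adapter Ethernet 2:
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   IPv4 Address. . . . . . . . . . . : 172.16.1.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.16.1.0

Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 172.20.10.1
   DHCP Server . . . . . . . . . . . : 172.20.10.1
"""

# "   Field name . . . . : value" (the value may be empty)
FIELD = re.compile(r"^\s+([A-Za-z0-9 ]+?)[ .]*:\s*(.*)$")


def parse_adapters(text):
    """Split ipconfig output into {adapter header: {field name: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def dhcp_findings(text):
    """Return (adapter, finding) pairs for addressing details worth a second look."""
    findings = []
    for name, f in parse_adapters(text).items():
        if "IPv4 Address" not in f or "Subnet Mask" not in f:
            continue  # disconnected adapter: nothing to check
        ip = f["IPv4 Address"].split("(")[0]  # drop the "(Preferred)" suffix
        net = ipaddress.ip_network(f"{ip}/{f['Subnet Mask']}", strict=False)
        if server := f.get("DHCP Server"):
            addr = ipaddress.ip_address(server)
            if addr in (net.network_address, net.broadcast_address):
                findings.append((name, f"DHCP server {addr} is not a host address in {net}"))
            elif addr not in net:
                findings.append((name, f"DHCP server {addr} is outside {net}"))
        if not f.get("Default Gateway"):
            findings.append((name, "no default gateway on this adapter"))
    return findings


if __name__ == "__main__":
    for adapter, finding in dhcp_findings(SAMPLE):
        print(f"{adapter}: {finding}")
```
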
                            hunteralberto @Gertjan

                            @Gertjan

                            That set. I don't know if the firewall is blocking traffic or something like this.

                              Gertjan

                              Me neither ;)
                              But a firewall does what you want - you are the boss ^^
                              Idea : make your rules verbose and have a look at the firewall logs.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.