OpenVPN can't access internal Network but can reach web

davep1553 · Jul 26, 2019, 1:08 PM

Ok, please forgive me if this is dumb, this is my first pfsense box.

I'm trying to setup OpenVPN so I can connect to my network remotely as well as connect to the internet a little more securely when I'm remote. I'm currently using my android phone to test, I've turned the wifi off so I'm just using the cellular network.

On my network the pfsense is set to internal ip 192.168.1.1/22, public ip from my ISP is 73.x.x.x (not going to show my full public IP addresses)
DHCP is configured to hand out IP addresses starting with 192.168.3.9 but most things are configured to static ip address in either the 192.168.1.x or 192.168.2.x space

Took me a while but I finally got my phone connecting. (I'm skipping settings I can't imagine are relevant but if you need one ask)
UDP on IPv4 only
tun - layer 3 tunnel mode
yes - use a TLS Key
TLS Authentication
Peer CA OpenVPN
IPv4 Tunnel Network 192.168.0.0/22
Yes - Force all client-generated IPv4 traffic through the tunnel.
no - Inter-client communication

On my network I have a nas at 192.168.1.105, and a PC at 192.168.2.13, the PC can access the NAS no issues.

Without VPN my phone gets an IP of 166.x.x.x
When I connect via VPN my phone is issued 192.168.0.2
When from my phone I look up my IP address via google it reports my IP as the 73.x.x.x, so my internet trafic is being routed thru the VPN and the pfsense box.
But I'm unable to connect to the NAS and the PC is unable to ping my phone. What am I missing?

davep1553 · Jul 26, 2019, 1:11 PM

login-to-view

KOM · Jul 26, 2019, 1:37 PM

Local firewalls? Windows firewall will not respond to pings from outside its local subnet, for example.

Gertjan · Jul 26, 2019, 1:47 PM

This one :
@davep1553 said in OpenVPN can't access internal Network but can reach web:

IPv4 Tunnel Network 192.168.0.0/22

Overlaps

@davep1553 said in OpenVPN can't access internal Network but can reach web:

192.168.1.105, and a PC at 192.168.2.13

(network /22)

So,the tunnel network overlaps your LAN network.

In that case, you have a no-go.

Make your VPN tunnel network something like 10.0.0.0/22 ;)

davep1553 · Jul 26, 2019, 1:51 PM

All these 192.168 IPs are on the same subnet. When I move the phone onto wifi and have the DHCP assign it an ip address of 192.168.0.200 it is able to access the NAS and the PC is able to ping the phone.

Gertjan · Jul 26, 2019, 1:54 PM

@davep1553 said in OpenVPN can't access internal Network but can reach web:

All these 192.168 IPs are on the same subnet.

The VPN IPv4 Tunnel Network must be outside the local LAN network(s).

davep1553 · Jul 26, 2019, 1:57 PM

Gertjan,

Thank you, I changed it to 192.168.9.0/24 and now things appear to be working!!

I'd tried that at one point but when I did the OpenVPN service wouldn't start for some reason, the log said something about a subnet mismatch (don't have log anymore) and I couldn't connect at all, when I brought it in to 192.168.0.0 the service would run.

Not sure what the problem was before but it's working now. Thanks again!