Netgate Discussion Forum
    Connected to OpenVPN, but no network except for 1 IP Address

OpenVPN
22 Posts 5 Posters 1.5k Views
tocheeba

I have a pretty simple setup at home - using the 192.168.1.0/24 scheme. However, I'm trying to finally add more VPN users, and running into an issue where they can't connect to anything on my local network. Users seem set up correctly from what I can tell - they can connect to my network and get an IP, but then can't talk to anything.

pfSense - 192.168.1.1

OpenVPN is set to 192.168.2.0/24

With my main user that I use, I connect and get a 192.168.2.2 IP, which works fine. However, any other user will get 192.168.2.3, 2.4, etc., and they can't talk to anything on my network. I'm guessing it's something simple I'm missing, but I've spent hours researching and trying different things, with no results.

Trying different devices and users, it doesn't seem to matter - 192.168.2.2 will connect and work fine. Any other IP won't.

Server settings:
https://imgur.com/FIovrvV

Client settings:
https://imgur.com/cT7C0x8

Rules:
https://imgur.com/xCz9MAj

LAN settings:
https://imgur.com/mecseGg

Any ideas? What am I missing?

kiokoman

My guess: "IPv4 remote network" is not defined. Probably 192.168.2.0/24 does not know how to reach the 192.168.1.0/24 network; it's strange that 192.168.2.2 is working...

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

Pippin

To rule out routing conflicts, change your LAN and tunnel subnet to something uncommon:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts

tocheeba @kiokoman

@kiokoman I enable the remote network as 192.168.2.0/24, right? Did that, re-downloaded the client config, and still the same thing.

kiokoman

No,
"IPv4 tunnel network" is 192.168.2.0/24
"IPv4 remote network" for the client would be 192.168.1.0/24

tocheeba

Gotcha. Just did that, and no luck still. I was assigned 192.168.2.3. I can ping myself, but not 192.168.2.1 or anything on the 192.168.1.x network.

viragomann

Please post the client's routing table.

tocheeba

Sorry for the delay on this -

https://imgur.com/a/8kJZjFW

I'm connected now via my phone with a 192.168.2.3 address but can't connect to anything. I have a desktop connected via a 192.168.2.2 address which works fine.

viragomann

That's the routing table from pfSense, the server, not from the client, who has trouble accessing something.

tocheeba

Sorry for the delay on this. Here is a printout from the 192.168.2.3 address that connects to the VPN but can't connect to anything on the network:

https://imgur.com/a/LgLGRAE

viragomann

The routes on the client seem to be fine.

Does each user log in with a different user name and also certificate if the server is running in SSL/TLS mode?

What does the server log show when a second client is connecting?

tocheeba

Yeah, that's what is weird. Different user names. The client log shows it connects just fine and gets DHCP. I feel like it's a routing issue of some sort, but everything looks set up correctly.

tocheeba

Sounds stupid, but on my LAN interface, it's set up as 192.168.1.1/24. I'm not limiting myself at all, am I? That's just configuring the IP of the pfSense box, right?

viragomann

For troubleshooting, try to ping the LAN address 192.168.1.1.
This should work at least if the client routes are set correctly.
Then try to ping a LAN device.

tocheeba

Not able to ping either when connected as the 2nd VPN client (192.168.2.3).

viragomann

So please post the client's IPv4 routing table.

marvosa

Post your server1.conf (/var/etc/openvpn).

tocheeba

I posted the IPv4 routing table above earlier, and you stated that it looked fine?

Here is the server1.conf file:

dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
multihome
tls-server
# tunnel network (pfSense "IPv4 Tunnel Network"): clients get 192.168.2.x
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1195
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server+Certificate' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
# routes pushed to clients: the first one is the tunnel network itself, the second is the LAN
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.4.4.4"
# allow several clients to connect with the same common name
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-128-GCM
persist-remote-ip
float
# one /24 shared by all clients (not net30 per-client subnets)
topology subnet
marvosa

A couple things I see:

• The tunnel network is being pushed out to your clients as a route to a remote network, which is incorrect. Remove "192.168.2.0/24" from the IPv4 Local network(s) line.
• Considering this is a routed, split-tunnel deployment, why push public DNS servers?

Another thing to watch out for is... in a routed solution, the LAN subnets have to be unique across both ends. So, in your situation, any client that's connecting from a LAN subnet of either 192.168.1.0/24 or 192.168.2.0/24 will break the routing to the tunnel.

On the server-side, ideally, you will want to move away from popular subnets used by common SOHO routers (192.168.1.0/24, 192.168.2.0/24, etc) on both the LAN and the tunnel network.
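The checks kiokoman, Pippin and marvosa describe in this thread (a missing pushed route to the LAN, the tunnel network pushed as if it were a remote network, LAN or tunnel subnets that overlap or sit on popular SOHO ranges, a client whose own LAN collides with the tunnel, and public DNS pushed in a split tunnel) can be run mechanically against a server config. The script below is an added example written for this page, not pfSense's or any poster's code; it parses OpenVPN server config syntax with the standard library, embeds the relevant lines of the server1.conf posted above as constructed sample input, and uses a hypothetical corrected config with made-up uncommon subnets (10.113.27.0/24 and 172.26.9.0/24) to show a clean result. The list of "common SOHO subnets" is an assumption beyond the two the thread names.

```python
"""Audit an OpenVPN server config for the routing mistakes discussed in this thread.
Added example, not pfSense's or the poster's code."""
import ipaddress
import shlex

# Default subnets of common SOHO routers (assumed list; the thread names the first two)
COMMON_SOHO_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.0.0/24", "10.0.0.0/24")]


def parse_openvpn_conf(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comments.
    shlex keeps quoted arguments such as push "route a b" as one argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pushed_routes(entries):
    """Networks handed to clients via push "route <net> [<mask>]"."""
    routes = []
    for directive, args in entries:
        opt = args[0].split() if directive == "push" and args else []
        if len(opt) >= 2 and opt[0] == "route":
            routes.append(_net(*opt[1:3]))
    return routes


def audit_server_conf(text, lan_subnets, client_lan=None):
    """Return [(code, message)] findings.
    lan_subnets: server-side LAN(s) clients must reach ("IPv4 Local network(s)").
    client_lan: optional subnet the connecting client sits on (marvosa's conflict case)."""
    entries = parse_openvpn_conf(text)
    lans = [ipaddress.ip_network(n) for n in lan_subnets]
    findings = []
    tunnel = next((_net(a[0], a[1]) for d, a in entries if d == "server" and len(a) >= 2), None)
    if tunnel is None:
        return [("NO_SERVER_DIRECTIVE", "no 'server <net> <mask>' line; tunnel network unknown")]
    routes = pushed_routes(entries)
    # marvosa: the tunnel network must not be pushed as if it were a remote network
    if tunnel in routes:
        findings.append(("TUNNEL_PUSHED_AS_ROUTE",
                         f"{tunnel} is the tunnel network but is pushed as a route; "
                         "remove it from IPv4 Local network(s)"))
    for lan in lans:
        # kiokoman: without a pushed route, tunnel clients cannot reach the LAN
        if not any(lan.subnet_of(r) for r in routes):
            findings.append(("LAN_ROUTE_MISSING", f"no pushed route covers LAN {lan}"))
        if lan.overlaps(tunnel):
            findings.append(("SUBNET_OVERLAP", f"LAN {lan} overlaps tunnel network {tunnel}"))
    # Pippin/marvosa: popular subnets on either end invite routing conflicts
    for net in [tunnel, *lans]:
        if net in COMMON_SOHO_SUBNETS:
            findings.append(("COMMON_SUBNET", f"{net} is a common SOHO subnet; consider moving it"))
    # marvosa: a client whose own LAN collides with the tunnel or a pushed route loses the tunnel
    if client_lan is not None:
        cl = ipaddress.ip_network(client_lan)
        for net in [tunnel, *routes]:
            if cl.overlaps(net):
                findings.append(("CLIENT_LAN_CONFLICT", f"client LAN {cl} collides with {net}"))
    # marvosa: pushing public resolvers makes little sense without redirect-gateway
    split_tunnel = not any(d == "push" and a and a[0].startswith("redirect-gateway")
                           for d, a in entries)
    for d, a in entries:
        if d == "push" and a and a[0].startswith("dhcp-option DNS"):
            dns = ipaddress.ip_address(a[0].split()[2])
            if split_tunnel and dns.is_global:
                findings.append(("PUBLIC_DNS_SPLIT_TUNNEL", f"public DNS {dns} pushed in a split tunnel"))
    return findings


# Relevant lines of the server1.conf posted in this thread (trimmed; constructed sample input)
THREAD_CONF = """\
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.4.4.4"
duplicate-cn
topology subnet
"""

# Hypothetical corrected config: uncommon subnets, LAN route only, no DNS push
FIXED_CONF = """\
server 10.113.27.0 255.255.255.0
push "route 172.26.9.0 255.255.255.0"
topology subnet
"""

if __name__ == "__main__":
    for code, msg in audit_server_conf(THREAD_CONF, ["192.168.1.0/24"], client_lan="192.168.1.0/24"):
        print(f"{code}: {msg}")
    print("fixed config findings:", audit_server_conf(FIXED_CONF, ["172.26.9.0/24"]))
```

Run against the posted config with the LAN given as 192.168.1.0/24, the audit reports the pushed tunnel route, both subnets as common SOHO ranges and the two public DNS pushes; passing a client LAN of 192.168.1.0/24 or 192.168.2.0/24 adds the conflict marvosa warns about. The hypothetical corrected config produces no findings, which is the state to aim for before looking elsewhere (firewall rules on the OpenVPN interface, client logs) for why a second client cannot reach the LAN.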

Pippin

This post is deleted!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.