Connected to OpenVPN, but no network except for 1 IP Address
-
I have a pretty simple setup at home - using the 192.168.1.0/24 scheme. However, I'm trying to finally add more VPN users, and running into an issue where they can't connect to anything on my local network. Users seem setup correctly from what I can tell - they can connect to my network, get an IP, but then can't talk to anything.
PFsense - 192.168.1.1
OpenVPN is set to 192.168.2.0/24
With my main user that I use, I connect and get a 192.168.2.2 IP, which works fine. However, any other user will get 192.168.2.3, 2.4, etc., and they can't talk to anything on my network. I'm guessing it's something simple I'm missing, but I've spent hours researching and trying different things which no results helping.
Trying different devices and users, it doesn't seem to matter - 192.168.2.2 will connect and work fine. Any other IP won't.
Server settings:
https://imgur.com/FIovrvVClient Settings:
https://imgur.com/cT7C0x8Rules:
https://imgur.com/xCz9MAjLAN settings:
https://imgur.com/mecseGgAny ideas? What am I missing?
-
my guess .. "IPv4 remote network" is not defined probably 192.168.2.0/24 does not know how to reach 192.168.1.0/24 network, it's strange that 192.168.2.2 is working ...
-
To rule out routing conflicts, change your LAN and tunnel subnet to something uncommon:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts -
@kiokoman I enable the remote network as 192.168.2.0/24 right? Did that, re-downloaded client config, and still the same thing.
-
no,
"ipv4 tunnel client" is 192.168.2.0/24
"ipv4 remote network" for the client would be 192.168.1.0/24 -
Gotcha. Just did that, and no luck still. I was assigned 192.168.2.3. I can ping myself, but not 192.168.2.1 or anything on 192.168.1.x network.
-
Please post the clients routing table.
-
Sorry for the delay on this -
https://imgur.com/a/8kJZjFW
I'm connected now via my phone with a 192.168.2.3 address but can't connect to anything. I have a desktop connected via 192.168.2.2 address which works fine.
-
That's the routing table from pfSense, the server, not from the client, who has trouble with accessing something.
-
Sorry for the delay on this. Here is a print out of the 192.168.2.3 address that connects to the VPN but doesn't work connecting to anything on the network:
https://imgur.com/a/LgLGRAE
-
The routes on the client seem to be fine.
Does each user login with a different user name and also certificate if the server is running in SSL/TLS mode?
What does the server log show when a second client is connecting?
-
Yeah, that's what is weird. Different user names. Client log shows it connects just fine and gets DHCP. I feel like it's a routing issue of some sort, but everything looks setup correctly.
-
Sounds stupid, but on my LAN interface, it's setup as 192.168.1.1/24. I'm not limiting myself at all am I ? That's just configuring the IP of the pfSense box, right?
-
For troubleshooting try to ping the LAN address 192.168.1.1.
This should work at least if the client routes are set correctly.
Then try to ping a LAN device. -
Not able to ping either when connected as the 2nd VPN client (1921.68.2.3)
-
So please post the clients IPv4 routing table.
-
Post your server1.conf (/var/etc/openvpn).
-
I posted the IPv4 routing table above earlier, and you stated that it looked fine?
Here is the server1.conf files:
dev ovpns1 verb 1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto tcp-server cipher AES-128-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh multihome tls-server server 192.168.2.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server1 username-as-common-name plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1195 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server+Certificate' 1" lport 1195 management /var/etc/openvpn/server1.sock unix push "route 192.168.2.0 255.255.255.0" push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 4.4.4.4" duplicate-cn ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server1.tls-auth 0 ncp-ciphers AES-128-GCM persist-remote-ip float topology subnet ~ ~ ~ ~ ~ ~ ~ ~ -
A couple things I see:
- The tunnel network is being pushed out to your clients as a route to a remote network, which is incorrect. Remove "192.168.2.0/24" from the IPv4 Local network(s) line.
- Considering this is a routed, split-tunnel deployment, why push public DNS servers?
Another thing to watch out for is... in a routed solution, the LAN subnets have to be unique across both ends. So, in your situation, any client that's connecting from a LAN subnet of either 192.168.1.0/24 or 192.168.2.0/24 will break the routing to the tunnel.
On the server-side, ideally, you will want to move away from popular subnets used by common SOHO routers (192.168.1.0/24, 192.168.2.0/24, etc) on both the LAN and the tunnel network.
-
This post is deleted!
