Connected to OpenVPN, but no network except for 1 IP Address



  • I have a pretty simple setup at home - using the 192.168.1.0/24 scheme. However, I'm trying to finally add more VPN users, and running into an issue where they can't connect to anything on my local network. Users seem set up correctly from what I can tell - they can connect to my network, get an IP, but then can't talk to anything.

    PFsense - 192.168.1.1

    OpenVPN is set to 192.168.2.0/24

    With my main user that I use, I connect and get a 192.168.2.2 IP, which works fine. However, any other user will get 192.168.2.3, 2.4, etc., and they can't talk to anything on my network. I'm guessing it's something simple I'm missing, but I've spent hours researching and trying different things with no results.

    Trying different devices and users, it doesn't seem to matter - 192.168.2.2 will connect and work fine. Any other IP won't.

    Server settings:
    https://imgur.com/FIovrvV

    Client Settings:
    https://imgur.com/cT7C0x8

    Rules:
    https://imgur.com/xCz9MAj

    LAN settings:
    https://imgur.com/mecseGg

    Any ideas? What am I missing?


  • My guess: "IPv4 remote network" is not defined, so 192.168.2.0/24 probably does not know how to reach the 192.168.1.0/24 network. It's strange that 192.168.2.2 is working ...



  • To rule out routing conflicts, change your LAN and tunnel subnet to something uncommon:
    https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts



  • @kiokoman I enable the remote network as 192.168.2.0/24 right? Did that, re-downloaded client config, and still the same thing.


  • No,
    "IPv4 tunnel network" is 192.168.2.0/24
    "IPv4 remote network" for the client would be 192.168.1.0/24



  • Gotcha. Just did that, and no luck still. I was assigned 192.168.2.3. I can ping myself, but not 192.168.2.1 or anything on 192.168.1.x network.



  • Please post the clients routing table.



  • Sorry for the delay on this -

    https://imgur.com/a/8kJZjFW

    I'm connected now via my phone with a 192.168.2.3 address but can't connect to anything. I have a desktop connected via 192.168.2.2 address which works fine.



  • That's the routing table from pfSense, the server, not from the client, who has trouble with accessing something.



  • Sorry for the delay on this. Here is a print out of the 192.168.2.3 address that connects to the VPN but doesn't work connecting to anything on the network:

    https://imgur.com/a/LgLGRAE



  • The routes on the client seem to be fine.

    Does each user login with a different user name and also certificate if the server is running in SSL/TLS mode?

    What does the server log show when a second client is connecting?



  • Yeah, that's what is weird. Different user names. Client log shows it connects just fine and gets DHCP. I feel like it's a routing issue of some sort, but everything looks setup correctly.



  • Sounds stupid, but on my LAN interface, it's setup as 192.168.1.1/24. I'm not limiting myself at all am I ? That's just configuring the IP of the pfSense box, right?



  • For troubleshooting try to ping the LAN address 192.168.1.1.
    This should work at least if the client routes are set correctly.
    Then try to ping a LAN device.



  • Not able to ping either when connected as the 2nd VPN client (192.168.2.3)



  • So please post the clients IPv4 routing table.



  • Post your server1.conf (/var/etc/openvpn).



  • I posted the IPv4 routing table above earlier, and you stated that it looked fine?

    Here is the server1.conf files:

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    multihome
    tls-server
    server 192.168.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1195
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server+Certificate' 1"
    lport 1195
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.2.0 255.255.255.0"
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 4.4.4.4"
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-128-GCM
    persist-remote-ip
    float
    topology subnet


  • A couple things I see:

    • The tunnel network is being pushed out to your clients as a route to a remote network, which is incorrect. Remove "192.168.2.0/24" from the IPv4 Local network(s) line.
    • Considering this is a routed, split-tunnel deployment, why push public DNS servers?

    Another thing to watch out for is... in a routed solution, the LAN subnets have to be unique across both ends. So, in your situation, any client that's connecting from a LAN subnet of either 192.168.1.0/24 or 192.168.2.0/24 will break the routing to the tunnel.

    On the server-side, ideally, you will want to move away from popular subnets used by common SOHO routers (192.168.1.0/24, 192.168.2.0/24, etc) on both the LAN and the tunnel network.
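    The two checks above (a pushed route that overlaps the tunnel network, and a client LAN that overlaps the tunnel or the remote LAN) can be run mechanically against the server config. The following is an added example, not code from the thread or from pfSense; the embedded config is a constructed excerpt that mirrors the relevant lines of the posted server1.conf, and the client LAN subnets are assumptions for illustration.

```python
"""Lint an OpenVPN server config for the two routing mistakes discussed
in this thread:

  1. the tunnel network (from the `server` line) is also pushed to clients
     as a `route`, which is what pfSense emits when the tunnel subnet is
     listed under "IPv4 Local network(s)";
  2. a client's own LAN overlaps the tunnel network or a pushed route, so
     the client's local route wins and tunnel traffic is never sent.

Added example; the config below is a constructed excerpt, not the full
posted server1.conf.
"""
import ipaddress
import shlex

# Constructed excerpt of the posted server1.conf (routing-relevant lines only).
SAMPLE_CONF = """\
dev ovpns1
proto tcp-server
tls-server
server 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
topology subnet
"""

# Same excerpt with the tunnel network removed from the pushed routes.
FIXED_CONF = SAMPLE_CONF.replace('push "route 192.168.2.0 255.255.255.0"\n', '')


def parse_server_conf(text):
    """Return (tunnel_network, pushed_routes) from OpenVPN server config text.

    `server a.b.c.d mask` gives the tunnel network; each `push "route net mask"`
    becomes an ip_network.  Comments and blank lines are ignored.
    """
    tunnel = None
    routes = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)          # handles the quoted push arguments
        if tokens[0] == 'server' and len(tokens) >= 3:
            tunnel = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == 'push' and len(tokens) >= 2:
            inner = tokens[1].split()
            if len(inner) >= 3 and inner[0] == 'route':
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return tunnel, routes


def lint(tunnel, routes, client_lan=None):
    """Return a list of findings; an empty list means nothing was flagged.

    client_lan is the (assumed) subnet the connecting client sits on, e.g.
    the 10.x network the poster mentioned, or a 192.168.1.0/24 hotel LAN.
    """
    findings = []
    for r in routes:
        if tunnel is not None and r.overlaps(tunnel):
            findings.append(
                f"pushed route {r} overlaps the tunnel network {tunnel}; "
                "remove it from IPv4 Local network(s)")
    if client_lan is not None:
        for n in [tunnel] + routes:
            if n is not None and n.overlaps(client_lan):
                findings.append(
                    f"client LAN {client_lan} overlaps {n}; the client's local "
                    "route wins and traffic never enters the tunnel")
    return findings


def lint_config(text, client_lan=None):
    """Convenience wrapper: parse then lint, returning the findings list."""
    tunnel, routes = parse_server_conf(text)
    lan = ipaddress.ip_network(client_lan) if client_lan else None
    return lint(tunnel, routes, lan)


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        for lan in ("10.0.0.0/24", "192.168.1.0/24"):
            print(f"--- {label}, client on {lan}")
            for f in lint_config(conf, lan) or ["no findings"]:
                print("  ", f)
```

    Run against the posted excerpt with a client on a 10.x LAN it reports only the pushed tunnel route; with a client on 192.168.1.0/24 it also reports the LAN overlap, which is why moving both the LAN and the tunnel off 192.168.1.0/24 and 192.168.2.0/24 is the lasting fix. The fixed excerpt with a 10.x client yields no findings.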




  • @marvosa Thanks. I removed the DNS and removed the 192.168.2.0/24 from local network line. Connected again just fine on the client, but still can't connect to anything. The network I'm on right now is using a 10.x.x.x scheme. I'm pulling my hair out trying to figure out wtf the problem is.



  • Post new screenshots of both the client's routing table when connected and PFsense.

