Yet another 'Cannot access LAN through VPN' post
UntouchedWagons last edited by UntouchedWagons
Due to the shitty modem Bell gave me, I cannot give my pfSense box a regular WAN IP; it has to be given an IP within the 192.168.1.0/24 range. Its LAN IP is 192.168.0.1/24. (See this post for additional details.) I can provide a crude network diagram if need be.
I followed the OpenVPN video by Lawrence Systems to set up my VPN server. I can connect to the VPN using my Android phone if I have the phone connected to my home hub's Wi-Fi (this Wi-Fi is part of the 192.168.1.0/24 network).
Server wizard step 9: https://i.imgur.com/I96axBc.png
Server wizard step 10: https://i.imgur.com/erdMktJ.png
Server tweak: https://i.imgur.com/URDzOdP.png I changed the server mode to remote access using SSL/TLS only
Client export config tool: https://i.imgur.com/PVaxQAw.png (192.168.1.12 is the WAN IP of my pfSense box)
WAN firewall rules: https://i.imgur.com/w963ufV.png
LAN firewall rules: https://i.imgur.com/I45512C.png
OpenVPN firewall rules: https://i.imgur.com/uVobThp.png
IPv4 routes: https://i.imgur.com/ld7jX7Q.png em0 is WAN, em1 is LAN, 10.10.10.1 is pfBlockerNG I believe.
I've spent maybe two hours trying to get this to work. What am I missing?
Grimeton last edited by
What's the question?
I assume you can connect to the OpenVPN server fine but you cannot connect to things on the LAN, right?
If that's the case, turn the OpenVPN interface into a TAP interface (L2), then turn LAN into a bridge, adding the OpenVPN TAP interface and the LAN NIC to the bridge.
Restart the OpenVPN server, export the OpenVPN config to the phone again, refresh and reconnect.
Now the phone should get an IP address and be bridged into the LAN; problem solved. (This can take a few seconds if STP is enabled on the bridge.)
The other option is to use a TUN interface. The downside here is that stuff like broadcasting does not work. Nevertheless, you can go down two routes:
1. Give the VPN clients a different subnet, e.g. 10.1.1.0/24, and route them to the LAN subnet. As the LAN uses pfSense as its default gateway, the LAN is able to find the way back.
2. You use brouting to make this happen. You have to understand that routing and subnetting are NOT the same.
So on the LAN interface you have 192.168.0.0/24 as the subnet and 192.168.0.1/24 as the IP address. On OpenVPN's TUN interface you have 192.168.0.241/24 (YES, /24) as the IP address. You also hand out IP addresses in the range 192.168.0.240/28 to the clients. You add a static route for 192.168.0.240/28 to the tun interface (YES, THE INTERFACE) and enable proxy ARP on the interface.
Now a client dials in via the tun interface, gets an IP address in the 192.168.0.240/28 range, and the firewall proxies the ARP requests from one side to the other. As it knows what's going on, it magically copies the packets back and forth and you're a happy camper.
You need to understand what this does, how proxy ARP works, and that you can get yourself into a lot of trouble if other networks exist and you haven't configured this correctly.
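As an added reference (not part of either post, and not the file pfSense actually generated for the asker), this is the stand-alone OpenVPN 2.x server configuration equivalent to the first TUN route in the reply above: clients get their own 10.1.1.0/24 subnet and are routed to the 192.168.0.0/24 LAN. The subnet and LAN addresses come from the thread; the port, protocol, key file names and cipher choices are assumptions. pfSense writes a file of this shape from the wizard settings, so it is useful mainly for checking what the GUI produced against what the routed design needs. The bridged TAP alternative is included at the end, commented out.

```conf
# Added example, not from the thread or from pfSense: OpenVPN server config
# for the "separate client subnet, routed to LAN" option.
# Port and protocol are assumptions (pfSense wizard default is UDP 1194).
port 1194
proto udp
dev tun

# Remote-access server. Clients are addressed from 10.1.1.0/24, a subnet
# distinct from the LAN (192.168.0.0/24); the server itself takes 10.1.1.1.
# OpenVPN installs the kernel route for 10.1.1.0/24 via the tun interface,
# so nothing has to be added under System > Routing for this subnet.
server 10.1.1.0 255.255.255.0
topology subnet

# Tell clients that the LAN lives behind the tunnel. Without this the phone
# can reach 10.1.1.1 but sends 192.168.0.x traffic out its default route.
push "route 192.168.0.0 255.255.255.0"

# PKI material (file names are assumptions; pfSense embeds these inline).
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
# Control-channel HMAC. "0" is the server-side key direction.
tls-auth ta.key 0
tls-version-min 1.2
# Require the peer's certificate to be a client certificate, so a leaked
# server cert cannot be reused to impersonate a client.
remote-cert-tls client

cipher AES-256-GCM
auth SHA256

keepalive 10 60
persist-key
persist-tun
# Drop privileges after startup (group is "nogroup" on Debian-style Linux).
user nobody
group nobody
verb 3

# --- Alternative: bridged TAP, the L2 option from the reply above ---------
# Replace "dev tun" and the "server"/"push route" lines with these. Clients
# are handed 192.168.0.240-254 directly on the LAN segment; tap0 must be a
# member of the LAN bridge whose address is 192.168.0.1.
# dev tap0
# server-bridge 192.168.0.1 255.255.255.0 192.168.0.240 192.168.0.254
```

What to check against this on the pfSense side, in the order traffic flows: the WAN tab needs a pass rule for UDP 1194 to "WAN address" so the tunnel comes up at all; Diagnostics > Routes should list 10.1.1.0/24 on the ovpns interface once the server is running; and the OpenVPN tab needs a pass rule from source 10.1.1.0/24 to destination "LAN net", because the firewall rules on the OpenVPN interface, not the LAN rules, decide whether tunnel traffic may enter the LAN. From a connected phone, if 192.168.0.1 answers but a LAN host does not, the remaining suspects are the host's own firewall and whether that host really uses 192.168.0.1 as its default gateway, since the reply path depends on it.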