Yet another 'Cannot access LAN through VPN' post



  • Due to the shitty modem Bell gave me, I cannot give my pfsense box a regular WAN IP, it has to be given an IP within the 192.168.1.0/24 range. It's LAN ip is 192.168.0.1/24. (See this post for additional details) I can provide a crude network diagram if need be.

    I followed the OpenVPN video by Lawrence Systems to set up my VPN server. I can connect to the VPN using my android phone if I have the phone connected to my home hub's WIFI (this wifi is part of the 192.168.1.0/24 network)

    Server wizard step 9: https://i.imgur.com/I96axBc.png
    Server wizard step 10: https://i.imgur.com/erdMktJ.png
    Server tweak: https://i.imgur.com/URDzOdP.png I changed the server mode to remote access using SSL/TLS only
    Client export config tool: https://i.imgur.com/PVaxQAw.png (192.168.1.12 is the WAN IP of my pfsense box)
    WAN firewall rules: https://i.imgur.com/w963ufV.png
    LAN firewall rules: https://i.imgur.com/I45512C.png
    OpenVPN firewall rules: https://i.imgur.com/uVobThp.png
    IPv4 routes: https://i.imgur.com/ld7jX7Q.png em0 is WAN, em1 is LAN, 10.10.10.1 is pfblockerng I believe.

    I've spent maybe two hours trying to get this to work. What am I missing?



  • What's the question?

    I assume you can connect to the OpenVPN-Server fine but you cannot connect to things on LAN right?

    If that's the case, turn the OpenVPN-Interface into a TAP interface (L2), then turn LAN into a bridge, adding the OpenVPN-TAP-Interface and the LAN-NIC to the bridge.

    Restart the OpenVPN-Server, export the OpenVPN-config to the phone again, refresh and reconnect.

    Now the phone should get an ip-address and be bridged into the LAN, problem solved. (This can take a few seconds if STP is enabled on the bridge).

    The other option is to use a TUN interface. The downside here is that stuff like broadcasting is not working. Nevertheless you can go down two routes:

    Easy route:

    Give the VPN-Clients a different subnet, e.g. 10.1.1.0/24 and route them to the LAN-subnet. As the LAN uses pfSense as default gateway, LAN is able to find the way back.

    Hard route:

    You use brouting to make this happen. You have to understand that routing and subnetting are NOT the same.

    So on the LAN-Interface you have 192.168.0.0/24 as subnet and 192.168.0.1/24 as ip-address. On OpenVPN's TUN interface you have 192.168.0.241/24 (YES, 24) as IP-address. Also you hand out IP-addresses in the range of 192.168.0.240/28 to the clients. You add a static route of 192.168.0.240/28 to the tun interface (YES, THE INTERFACE) and enable proxy ARP for the interface.

    Now a client dials in via tun interface, gets an IP-address in the range of 192.168.0.240/28 and the firewall proxies the arp requests from one site to the other. As it knows what's going on, it magically copies the packets back and forth and you're a happy camper.

    You need to understand what this does, how proxy arp works and that you can get yourself into a lot of trouble if other networks exist and you haven't configured this correctly.

    KR,

    G.


Log in to reply