Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Yet another 'Cannot access LAN through VPN' post

    OpenVPN
    2
    2
    223
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      UntouchedWagons
      last edited by UntouchedWagons

      Due to the shitty modem Bell gave me, I cannot give my pfsense box a regular WAN IP, it has to be given an IP within the 192.168.1.0/24 range. It's LAN ip is 192.168.0.1/24. (See this post for additional details) I can provide a crude network diagram if need be.

      I followed the OpenVPN video by Lawrence Systems to set up my VPN server. I can connect to the VPN using my android phone if I have the phone connected to my home hub's WIFI (this wifi is part of the 192.168.1.0/24 network)

      Server wizard step 9: https://i.imgur.com/I96axBc.png
      Server wizard step 10: https://i.imgur.com/erdMktJ.png
      Server tweak: https://i.imgur.com/URDzOdP.png I changed the server mode to remote access using SSL/TLS only
      Client export config tool: https://i.imgur.com/PVaxQAw.png (192.168.1.12 is the WAN IP of my pfsense box)
      WAN firewall rules: https://i.imgur.com/w963ufV.png
      LAN firewall rules: https://i.imgur.com/I45512C.png
      OpenVPN firewall rules: https://i.imgur.com/uVobThp.png
      IPv4 routes: https://i.imgur.com/ld7jX7Q.png em0 is WAN, em1 is LAN, 10.10.10.1 is pfblockerng I believe.

      I've spent maybe two hours trying to get this to work. What am I missing?

      1 Reply Last reply Reply Quote 0
      • GrimetonG
        Grimeton
        last edited by

        What's the question?

        I assume you can connect to the OpenVPN-Server fine but you cannot connect to things on LAN right?

        If that's the case, turn the OpenVPN-Interface into a TAP interface (L2), then turn LAN into a bridge, adding the OpenVPN-TAP-Interface and the LAN-NIC to the bridge.

        Restart the OpenVPN-Server, export the OpenVPN-config to the phone again, refresh and reconnect.

        Now the phone should get an ip-address and be bridged into the LAN, problem solved. (This can take a few seconds if STP is enabled on the bridge).

        The other option is to use a TUN interface. The downside here is that stuff like broadcasting is not working. Nevertheless you can go down two routes:

        Easy route:

        Give the VPN-Clients a different subnet, e.g. 10.1.1.0/24 and route them to the LAN-subnet. As the LAN uses pfSense as default gateway, LAN is able to find the way back.

        Hard route:

        You use brouting to make this happen. You have to understand that routing and subnetting are NOT the same.

        So on the LAN-Interface you have 192.168.0.0/24 as subnet and 192.168.0.1/24 as ip-address. On OpenVPN's TUN interface you have 192.168.0.241/24 (YES, 24) as IP-address. Also you hand out IP-addresses in the range of 192.168.0.240/28 to the clients. You add a static route of 192.168.0.240/28 to the tun interface (YES, THE INTERFACE) and enable proxy ARP for the interface.

        Now a client dials in via tun interface, gets an IP-address in the range of 192.168.0.240/28 and the firewall proxies the arp requests from one site to the other. As it knows what's going on, it magically copies the packets back and forth and you're a happy camper.

        You need to understand what this does, how proxy arp works and that you can get yourself into a lot of trouble if other networks exist and you haven't configured this correctly.

        KR,

        G.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post