Can't access network using OpenVPN. (New to setting up VPN)
-
Hi,
I have set up OpenVPN for 3 users to access our small network. I've attached a basic network diagram. I am able to connect to the Firewall using OpenVPN, but cannot get past the Inside interface of the firewall. I also cannot ping or trace anything from the 192.168.0.x to the LAN when connected via VPN. I'm guessing I will need to add a route on the firewall but I'm not sure what the route statement should be. I want users to be able to access any of the devices on the local network 192.168.1.x/24. I've only shared 2 servers to make it a little clearer.
Thank you again for your help.
-
On your OpenVPN server settings, did you plug in the settings to get to your internal LAN networks?
Jeff
-
@akuma1x I will double check. I thought I did.
-
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
I have setup OpenVPN for 3 users to access our small network.
Is pfSense "RTR-01" or the "Firewall"?
And if it is the Firewall (your image), why use this sub-router "RTR-01" in your network??
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
I also cannot ping or trace anything from the 192.168.0.x to the LAN when connected via VPN
RTR-01 should have WAN-based firewall rules, or even NAT rules.
-
@akuma1x Yes, I have IPv4 Local Network(s) 192.168.0.0/24, 192.168.1.0/24 in the VPN server settings.
-
@Gertjan thank you for responding. The pfSense is the firewall and RTR-01 is a separate device. Client feels more comfortable having an additional layer.
Regular traffic is passing from Firewall to RTR-01. No traffic from OpenVPN 192.168.4.x/24 is getting past the 192.168.0.1 interface on the firewall to 192.168.0.2 --> 192.168.1.1 subnet. Hope that makes sense.
-
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
Client feels more comfortable having an additional layer.
As long as they also feel comfortable with the bill that you'll be sending.
They want a big wall. Great for attacks from the outside. And then they ask for a big, well-indicated entrance door: the VPN.
And to go one step deeper in the network, you have to open up this second router, partially, by placing NAT rules for both servers on the 192.168.1.0/24 network.
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
No traffic from OpenVPN 192.168.4.x/24 is getting past the 192.168.0.1 interface on the firewall to 192.168.0.2 --> 192.168.1.1 subnet Hope that makes sense.
You did set up the access on the RTR-01 device, so that upstream traffic can get in?
You tested it, by connecting a device to the 192.168.0.0/24 network, and connecting to server 1 & 2 through the RTR-01?
If that works, the VPN server (client) on "Firewall", which has access to 192.168.0.0/24, also has access to the servers.
-
@Gertjan You're suggesting that I should remove RTR01? I will recommend that to them again. I would like to remove that router.
Thanks again for responding and I apologize if I don't understand your questions.
You did set up the access on the RTR-01 device, so that upstream traffic can get in?
--- Upstream traffic as in VPN, or are you asking about any traffic such as HTTPS etc.? If any traffic, then yes, all traffic is passing except VPN. The only traffic not getting to 192.168.0.1, 192.168.0.2 or 192.168.1.x is VPN.
You tested it, by connecting a device to the 192.168.0.0/24 network, and connecting to server 1 & 2 through the RTR-01?
--- You're suggesting I should put another device before the Router and test if I can access server01 or 02?
If that works, the VPN server (client) on "Firewall", which has access to 192.168.0.0/24, also has access to the servers.
-
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
---Upstream traffic as in VPN or are you asking any traffic such as HTTPS etc? If any traffic, then yes all traffic is passing except VPN. The only traffic not getting to 192.168.0.1, 192.168.0.2 or 192.168.1.x is VPN
There is no VPN traffic coming out of Firewall's LAN interface (to RTR-01).
The VPN traffic ends IN the Firewall. That is where the tunnel ends.
Out of the Firewall comes the traffic that was initiated in front of the VPN client: browser traffic? Mail traffic? DNS traffic? Whatever.
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
You're suggesting that I should remove RTR01? I will recommend that to them again. I would like to remove that router.
Be careful. I have only your image. It doesn't explain the reason why RTR-01 exists.
With some NAT rules on RTR-01, making only the servers 1&2 accessible from the Firewall's LAN, RTR-01 could 'hide' other devices that exist on RTR-01's LAN.
@coolcatrandy said in Can't access network using OpenVPN. (New to setting up VPN):
--- you're suggesting I should put another device before the Router and test if I can access server01 or 02?
Yeah.
Your PC, put it in the Firewall LAN, so it will be between Firewall and RTR-01. Your PC will have an IP in the 192.168.0.0/24 range.
Now set up RTR-01 correctly, so you can access server 1&2.
When done, go check the VPN server settings. As soon as you can access the LAN of the Firewall, you can access the servers 1&2.
-
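As an added example (not from the thread or from pfSense), this Python route-table walk models the diagram's addressing to show why the Firewall needs a route for 192.168.1.0/24 via 192.168.0.2 before VPN traffic can even reach RTR-01; the WAN gateway name "WAN_GW" and RTR-01's default route are assumed. It models routing only: RTR-01's WAN firewall and NAT rules, which Gertjan points out must also permit the traffic, are a separate layer.

```python
import ipaddress

# Constructed route tables following the thread's diagram.  Each entry is
# (prefix, next_hop); next_hop None means the prefix is directly connected.
# The Firewall's WAN gateway ("WAN_GW") and RTR-01's default route are assumed.
TABLES = {
    "Firewall": [
        ("0.0.0.0/0", "WAN_GW"),        # default route to the ISP (assumed)
        ("192.168.0.0/24", None),       # LAN towards RTR-01
        ("192.168.4.0/24", None),       # OpenVPN tunnel network
    ],
    "RTR-01": [
        ("0.0.0.0/0", "192.168.0.1"),   # default route back to the Firewall
        ("192.168.0.0/24", None),       # its WAN side
        ("192.168.1.0/24", None),       # the LAN holding server 1 & 2
    ],
}
OWNER = {"192.168.0.1": "Firewall", "192.168.0.2": "RTR-01"}  # who owns a next hop

def lookup(table, dst):
    """Longest-prefix match: returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best

def trace(tables, start, dst, max_hops=4):
    """Walk the packet device by device until it is delivered, leaves the
    modelled network, or has no route.  VPN packets start at the Firewall."""
    path, dev = [start], start
    for _ in range(max_hops):
        match = lookup(tables[dev], dst)
        if match is None:
            return path + ["NO-ROUTE"]
        net, hop = match
        if hop is None:
            return path + [f"delivered:{net}"]
        if hop not in OWNER:
            return path + [f"sent-to:{hop}"]   # e.g. misrouted out the WAN
        dev = OWNER[hop]
        path.append(dev)
    return path + ["LOOP"]

def with_static_route(tables):
    """Copy of the tables with the Firewall told where 192.168.1.0/24 lives."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed["Firewall"].append(("192.168.1.0/24", "192.168.0.2"))
    return fixed
```

Without the static route the Firewall's longest match for 192.168.1.10 is its default route, so the VPN packet never reaches RTR-01; with it, the forward path and RTR-01's reply both resolve.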
@Gertjan I will have a tech on site tomorrow to test access to 192.168.1.0/24 from 192.168.0.0/24. Just FYI, I'm now able to connect to 192.168.0.1. I added push "route 192.168.0.0 255.255.255.0" to the Custom Options in the VPN Server settings. I am still not able to connect to 192.168.0.2, nor can I ping that interface. I'll give an update when I have more information.
Thanks again for helping.
-
Brief update. I am in fact able to ping 192.168.0.2; still cannot traverse to 192.168.1.0/24.
-
@Gertjan I managed to talk the client into agreeing to remove the router. So everything is working fine. Thank you again for all your help.