Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN routing issue with LAN

    Scheduled Pinned Locked Moved OpenVPN
    14 Posts 3 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mattt
      last edited by mattt

      Hi guys,

      After searching and tinkering for the last week I just can't seem to get this sorted.

      I'm running pfSense 2.4.4-RELEASE-p3 with multiple OpenVPN clients running as a VPN gateway group. Clients within an alias are routed through the tunnel. All of that runs perfectly.

      My issue is that I cannot connect to or ping devices FROM devices routed through the VPN client connection TO devices on the LAN/VLAN that are not routed through the client VPN tunnel. I can ping devices FROM LAN TO the devices on the OpenVPN client tunnel.

      I would like for all the devices within my LAN/VLAN to be able to communicate regardless of whether they are in the OpenVPN alias or not. If I need to lock down things further afterwards that's fine.

      I have tried a lot of variations of firewall rules including Pass Any Any Any on the OpenVPN rules. My LAN already has that rule.

      LAN_RULES.png

      OpenVPN_RULES.png

      1 Reply Last reply Reply Quote 0
      • J
        JohnKap
        last edited by

        Have you created an interface for the OpenVPN client?

        Interface, assignments, add - and from the dropdown menu select the OpenVPN client to create an interface for. In my screen dump below, I have 3 OpenVPN clients

        08db5dc2-e8b7-4cdf-ae2c-6d25b24acd3e-image.png

        Once you've done that you can set allow/deny firewall rules to control what can & can't get to and from the client.

        M 1 Reply Last reply Reply Quote 0
        • M
          mattt @JohnKap
          last edited by

          @JohnKap Yes, I've done that and added rules but no matter what rules I add traffic does not get through. I thought Pass Any Any Any would do the trick but it doesn't.

          I found another thread and was thinking of trying the NAT trick here instead.

          1 Reply Last reply Reply Quote 0
          • M
            mattt
            last edited by

            I'm wondering now since my VPN clients are in a gateway group does that affect how these rules work?

            I tried adding NAT rules as is described here but that does not make a difference.

            I feel like I'm losing my mind. I've tried so many things and nothing seems to work...

            1 Reply Last reply Reply Quote 0
            • M
              mattt
              last edited by

              OK I've gotten this more condensed I think,

              1. VLAN clients that are using the VPN client tunnel can ping LAN/VLAN/VPN clients.
              2. LAN clients NOT USING the VPN client tunnel can ping LAN/VLAN/VPN clients.
              3. LAN clients USING the VPN client tunnel CANNOT ping VLAN clients using the VPN client tunnel.

              So everything is almost working the way I need it to. Just need to sort out no. 3.

              J 1 Reply Last reply Reply Quote 0
              • J
                JohnKap @mattt
                last edited by

                @mattt

                42cabc89-b4b6-4b28-ba0b-30b6e97c3c62-image.png

                is this option set?

                M 1 Reply Last reply Reply Quote 0
                • M
                  mattt @JohnKap
                  last edited by

                  @JohnKap said in OpenVPN routing issue with LAN:

                  @mattt

                  42cabc89-b4b6-4b28-ba0b-30b6e97c3c62-image.png

                  is this option set?

                  These are OpenVPN clients. I don't see that option under clients, only under the OpenVPN server section.

                  My issue is with LAN devices that are pushed through the OpenVPN client tunnel not being about to ping VLAN clients using the VPN client tunnel.

                  It's the last piece of the puzzle. I will further lock things down with the VLAN but I wanted to get everything communicating properly first.

                  1 Reply Last reply Reply Quote 0
                  • M
                    mattt
                    last edited by mattt

                    Traceroute to a box on the VLAN from LAN device using the OpenVPN client tunnel on pfSense:

                    traceroute to 192.168.20.2 (192.168.20.2), 30 hops max, 60 byte packets
                    1 10.15.0.1 (10.15.0.1) 51.183 ms 51.160 ms 52.507 ms
                    2 {EXTERNAL_VPN_IP} (EXTERNAL_VPN_IP) 53.454 ms 53.635 ms 54.852 ms

                    So it looks like it does not recognize the IP as being local?

                    EDIT: from pfSense admin I can ping any device from any source and it works. So it's just the the clients can't seem to find the correct route.

                    1 Reply Last reply Reply Quote 0
                    • J
                      JohnKap
                      last edited by

                      Can you have a look at diagnostics / routes. I'm guessing each client that connects gets a /32 and there is no route between the clients.

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        mattt @JohnKap
                        last edited by mattt

                        @JohnKap said in OpenVPN routing issue with LAN:

                        Can you have a look at diagnostics / routes. I'm guessing each client that connects gets a /32 and there is no route between the clients.

                        These are the local routes for the OpenVPN clients:

                        10.15.0.0/16
                        10.8.1.0/24
                        10.24.44.0/22

                        External all have IP_ADDRESS/32

                        I'm learning as I go. Does this have significance to my situation?Screen Shot 2020-06-10 at 8.14.25 PM.png Screen Shot 2020-06-10 at 8.15.33 PM.png Screen Shot 2020-06-10 at 8.16.02 PM.png

                        1 Reply Last reply Reply Quote 0
                        • M
                          mattt
                          last edited by

                          I discovered I can ping the VLAN gateway IP from a LAN device using the VPN tunnel just not anything else on the VLAN.

                          ALL devices on the VLAN are forced through the VPN tunnel. It seems like they should all be able to talk to each other since they are all on the same VPN subnet even though they are on different actual subnets.

                          1 Reply Last reply Reply Quote 0
                          • M
                            mattt
                            last edited by

                            I dug into this a bt further today and found this article: Bypassing Policy Routing

                            Now it all works! I guess I can add stricter rules per VLAN now as needed?

                            1 Reply Last reply Reply Quote 1
                            • B
                              bjk002
                              last edited by

                              tun mode.

                              Under OpenVPN, Client Export Utility, Advanced, Additional Configuration Options, add a line as such:

                              push "route 192.168.10.0 255.255.255.0"

                              ,where 192.168.10.0 is the network you want to allow clients access..

                              M 1 Reply Last reply Reply Quote 0
                              • M
                                mattt @bjk002
                                last edited by

                                @bjk002 said in OpenVPN routing issue with LAN:

                                tun mode.

                                Under OpenVPN, Client Export Utility, Advanced, Additional Configuration Options, add a line as such:

                                push "route 192.168.10.0 255.255.255.0"

                                ,where 192.168.10.0 is the network you want to allow clients access..

                                Apologies if I used improper terminology but this was actually LAN hosts that were routed through the OpenVPN Client tunnel could not connect to other devices on the VLAN/LAN. My solution is posted above :)

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.