    How to access OpenVPN roadwarrior clients from LAN

    • P
      pwnell last edited by

      In a simplified setup, suppose you have the following. Two OpenVPN roadwarrior clients connecting via the internet to a pfSense OpenVPN server. They are on the 10.10.2.0/24 network (defined by the OpenVPN Tunnel network). So client 1 is 10.10.2.10 and client 2 is 10.10.2.11. The pfSense box also has a LAN interface, say 192.168.10.0/24.

      I have no issue configuring this system so that the two openvpn clients can access LAN resources. A simple FW allow rule on the OpenVPN interface with source OpenVPN net to LAN net works.

      However, I also want the ability to connect from LAN to the OpenVPN clients. I can access the clients just fine from the pfSense box itself, however I cannot figure out how to route from LAN to OpenVPN net. When I add an allow rule on the LAN interface with source LAN net and destination OpenVPN net, it does not route. I can see the packets hit the firewall but then they go nowhere.

      What am I missing? I know the client has a specific port open that I can access via pfSense directly, just not when routing from LAN through pfSense to OpenVPN net.

      • N
        netblues @pwnell last edited by

        @pwnell Since this works without anything special, make sure you are not NATting anything relevant to the VPN.

        • P
          pwnell last edited by pwnell

          Well, I have no outbound NAT rules apart from the auto-created rule, and inbound NAT rules do not seem relevant as they are all on the WAN interface and not OpenVPN.

          PS: When I do a tcpdump on pfSense on the OpenVPN interface, I can see the LAN packet arriving and being sent to the OpenVPN client IP. I never get anything back from the OpenVPN client.

          • N
            netblues @pwnell last edited by netblues

            @pwnell Are you sure no firewall is blocking things on the client?
            I just tried pinging my Android phone connected over OpenVPN from a local LAN host and it pings nicely.
            Accessing it from pf seems to come from a connected network, and Windows firewalls tend to allow such connections, but block other subnets.

            • P
              pwnell last edited by

              I am pretty sure no rules are blocking it. One thing to clarify - not sure if this makes a difference, in my case there are two LAN interfaces, call them LAN1 and LAN2. I want the OpenVPN clients to access LAN2 but not LAN1. I want to access the OpenVPN clients from LAN1.

              So in OpenVPN my IPv4 Local network(s) are set to LAN2 only. Not sure if this affects traffic in the other direction.

              • P
                pwnell @netblues last edited by

                @netblues That last statement is probably it. I will disable the Windows firewall temporarily and see if it is the cause.

                • N
                  netblues @pwnell last edited by

                  @pwnell Are you redirecting all networks through OpenVPN or just a selection? What is the setting on the OpenVPN server?

                  • P
                    pwnell last edited by

                    Not sure what you mean. I am not forcing all client traffic through OpenVPN if that is what you mean (Redirect IPv4 Gateway). LAN1 and LAN2 send data out via WAN, unrelated to OpenVPN.

                    • N
                      netblues @pwnell last edited by

                      @pwnell said in How to access OpenVPN roadwarrior clients from LAN:

                      So in OpenVPN my IPv4 Local network(s) are set to LAN2 only. Not sure if this affects traffic in the other direction.

                      Of course it does. Replies to LAN1 from your clients end up at their default gateway and not OpenVPN.
                      You need to add both LANs and filter at the OpenVPN interface as needed.

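The return-path problem described in the answer above, as an added example that is not part of the original thread: a small Python model of the roadwarrior client's route lookup, showing where its reply to a LAN1 host goes when only LAN2 is listed in IPv4 Local network(s), and a pass list on the OpenVPN interface that still keeps clients from opening connections to LAN1. Mapping LAN1 to 192.168.10.0/24, the LAN2 subnet, the host addresses and the interface names are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing: the tunnel network and 192.168.10.0/24 appear in the
# thread; LAN2's subnet, the client's home gateway and interface names are assumed.
TUNNEL = "10.10.2.0/24"
LAN1 = "192.168.10.0/24"   # must reach the clients; clients must not reach it
LAN2 = "192.168.20.0/24"   # clients may reach it


def client_routes(pushed):
    """Routing table of a roadwarrior client without Redirect IPv4 Gateway."""
    routes = [("0.0.0.0/0", "wlan0 via home gateway"), (TUNNEL, "tun0")]
    routes += [(net, "tun0") for net in pushed]   # one route per pushed network
    return [(ipaddress.ip_network(n), via) for n, via in routes]


def egress(routes, dst):
    """Longest-prefix match, as the client's IP stack does for each reply."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def openvpn_if_passes(src, dst, allowed_dst=(LAN2,)):
    """Pass list on the OpenVPN interface for NEW client-initiated connections;
    replies to LAN1-initiated flows match existing firewall state instead."""
    in_tunnel = ipaddress.ip_address(src) in ipaddress.ip_network(TUNNEL)
    return in_tunnel and any(
        ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in allowed_dst)


def diagnose(pushed, lan1_host="192.168.10.50"):
    """Interface the client uses to answer a connection opened from LAN1."""
    return egress(client_routes(pushed), lan1_host)


if __name__ == "__main__":
    print("only LAN2 pushed  :", diagnose([LAN2]))
    print("LAN1 + LAN2 pushed:", diagnose([LAN1, LAN2]))
    print("client -> LAN1 new:", openvpn_if_passes("10.10.2.10", "192.168.10.50"))
    print("client -> LAN2 new:", openvpn_if_passes("10.10.2.10", "192.168.20.5"))
```

On a real client the same lookup can be checked after reconnecting with `ip route get <LAN1 host>` on Linux or `route print` on Windows.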
                      • P
                        pwnell @netblues last edited by

                        @netblues said in How to access OpenVPN roadwarrior clients from LAN:

                        Of course it does. Replies to LAN1 from your clients end up at their default gateway and not OpenVPN.
                        You need to add both LANs and filter at the OpenVPN interface as needed.

                        Ok that was it - thanks for your help.

                        • N
                          netblues @pwnell last edited by

                          @pwnell You are welcome.
