Issue with OpenVPN access back to client
-
I'm having an issue with OpenVPN, not sure what setting I missed.
I have a work network on a normal intel PC
LAN 192.168.0.0/24
VPN 192.168.70.0/24
I also have a HyperV at my house connecting to my work network
Home 192.168.5.0/24
HyperV 192.168.2.0/24
VPN 192.168.70.0/24
I'm using peer to peer (Shared Key), port 1195
I used this as a guide
https://www.youtube.com/watch?v=-8xt7LUtYH4&feature=youtu.be
pfSense states I should not be using routing, but if I leave it alone, the home PC works perfectly but cannot access the home network from work. When I try to change what I think is logical, I end up not being able to communicate anywhere.
From home, I can ping .70.2, .70.1 and .0.202 .0.200 or any other pc at the work location.
Now I need something to communicate back to my home. I use tracert and I can ping .70.1, but if I try to make my way farther up the tunnel, it tries to use the WAN to connect to it, showing my public IP, etc. I cannot ping or go any farther on the 0.0/24 network past the local tunnel address of .70.1.
Any help would be appreciated, thanks in advance.
-
Post your OpenVPN settings from both server and client.
-
Server
Peer to Peer (Shared Key)
UDP on IPv4 Only
tun - Layer 3 Tunnel Mode
WAN
1195
UsernameVPN
use default direction
-Shared Key-
AES-256-CBC (256 bit key, 128 bit block)
Enable Negotiable Cryptographic Parameters
AES-256-CBC
SHA256 (256-bit)
BSD Cryptodev Engine
192.168.70.0/24
ipv6 - blank
192.168.2.0/24
ipv6-blank
25
disable compression
TOS disabled
ping inactive - 0
ping method - Keepalive
interval - 10
Timeout - 60
Custom Options - Blank
UDP Fast I/O Disabled
Exit Notify - Disabled
Send/Receive Buffer - Default
Gateway Creation - Both
Verbosity Level - Default
-Firewall/Rules/OpenVPN
Check 17/272MiB IPv4 * * * * * * none
Client (home)
Peer to Peer (Shared Key)
UDP on IPv4 Only
tun - Layer 3
WAN
Local port - Blank
Server - FQDN of office domain
1195
Proxy host - blank
proxy port - blank
proxy auth - none
Description - Company VPN
TLS - Default
Peer Certificate - None
-Shared Key-
AES-256-CBC (256 bit Key, 128 bit block)
Enable Negotiable Cryptographic Parameters
AES-256-CBC
SHA256 (256-bit)
No Hardware Crypto (Hyper-V Disabled)
192.168.70.0/24
ipv6 - blank
192.168.0.0/24
ipv6-blank
Limit Outgoing bandwidth - blank
disable compression
TOS disabled
Don't add or remove routes - unchecked
ping inactive - 0
ping method - Keepalive
interval - 10
Timeout - 60
Custom Options - Blank
UDP Fast I/O Disabled
Exit Notify - Disabled
Send/Receive Buffer - Default
Gateway Creation - Both
Verbosity Level - Default
-Firewall/Rules/OpenVPN
Check 0/0B IPv4 TCP * * * * * none
-
And as I am writing this out, I discovered what it was:
on the OpenVPN firewall rule, the protocol was set to TCP and not any. Once I flipped to "any", it appears all is working.
TCP is default, so I didn't catch that all data from the VPN is through UDP and the firewall was not allowing it. Hopefully this helps someone else, as TCP is the "default".
-
@KruglerD said in Issue with OpenVPN access back to client:
TCP is default, so I didn't catch that all data from the VPN is through UDP and the firewall was not allowing it.
UDP is only the OpenVPN tunnel itself. That has nothing to do with packets passing the OpenVPN interface.
However, pings are on ICMP, neither TCP nor UDP, hence it didn't work.
-
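The distinction made in the reply above (the WAN rule for UDP/1195 carries the tunnel; the rule on the OpenVPN interface decides what travels inside it) can be checked with a small model. The script below is an added example and not pfSense's own rule engine: it evaluates constructed rule sets first-match-wins with an implicit default deny, the way rules on a pfSense interface tab behave, and it includes a simple audit that flags an OpenVPN-interface rule set that can never pass ICMP. The rule sets, addresses and sample packets are constructed to mirror the thread's before/after state (a TCP-only rule versus an "any" rule); the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for the real public endpoints.

```python
"""Constructed model of pfSense-style per-interface firewall rules.

First matching rule wins, implicit default deny. Protocol "any" matches every
IP protocol; "tcp", "udp" and "icmp" match only that protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    iface: str                  # "wan" or "openvpn" (the interface tab the rule lives on)
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first rule that matches pkt, else 'block'."""
    for rule in rules:
        if rule.iface != pkt.iface:
            continue
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if not _net_match(rule.src, pkt.src) or not _net_match(rule.dst, pkt.dst):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "block"  # implicit default deny on every interface


def audit_openvpn_rules(rules):
    """Flag OpenVPN-tab pass rules that cannot carry ICMP (ping/traceroute)."""
    findings = []
    ovpn_pass = [r for r in rules if r.iface == "openvpn" and r.action == "pass"]
    if not ovpn_pass:
        findings.append("no pass rule on the OpenVPN interface: all tunnel traffic is dropped")
    elif not any(r.proto in ("any", "icmp") for r in ovpn_pass):
        protos = ",".join(sorted({r.proto for r in ovpn_pass}))
        findings.append(f"OpenVPN pass rules cover only {protos}: ICMP and other protocols are blocked")
    return findings


# Constructed rule sets: the WAN rule admits the tunnel itself (UDP/1195);
# the OpenVPN-tab rule governs traffic inside the tunnel.
WAN_RULE = Rule("wan", "pass", "udp", "any", "any", 1195)
BEFORE = [WAN_RULE, Rule("openvpn", "pass", "tcp", "any", "any")]   # protocol left at TCP
AFTER = [WAN_RULE, Rule("openvpn", "pass", "any", "any", "any")]    # protocol set to any

# Constructed sample packets (documentation ranges stand in for public IPs).
SAMPLES = {
    "tunnel": Packet("wan", "udp", "203.0.113.10", "198.51.100.1", 1195),   # OpenVPN handshake
    "ping": Packet("openvpn", "icmp", "192.168.0.202", "192.168.2.10"),      # work -> home ping
    "smb": Packet("openvpn", "tcp", "192.168.0.202", "192.168.2.10", 445),   # work -> home TCP
    "sip": Packet("openvpn", "udp", "192.168.2.20", "192.168.0.200", 5060),  # home phone -> work
}


def decisions(rules):
    """Map each sample packet name to the verdict the rule set gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, decisions(rules), audit_openvpn_rules(rules))
```

With the TCP-only rule the tunnel still comes up (the WAN rule passes UDP/1195) and TCP sessions through it work, which is why the setup can look healthy until something pings or a UDP application such as a VoIP phone tries to talk; the audit reports that rule set and is silent once the protocol is "any".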
Maybe, and maybe that is why my phone would not communicate, as it would ping first, but switching from TCP to Any allowed my phone to operate as expected.
-
OK, this has happened several times. What does "Type-of-Service" do? I have had this happen where everything is working just fine, and then all communication drops between the two networks. I go in and toggle off the "Type-Of-Service" on both firewalls and communication is restored.
I have the TOS on (I'm thinking) so that my VOIP phone on the 2.0 network can utilize traffic shaping on the server on the 0.0 network with higher quality.
I have not changed anything over the last few days, but just all of a sudden, this was blocked.
I'm on 2.4.5-RELEASE-p1 on both machines.