Issue with OpenVPN access back to client


  • I'm having an issue with OpenVPN, not sure what setting I missed.

    I have a work network on a normal intel PC
    LAN 192.168.0.0/24
    VPN 192.168.70.0/24

    I also have a Hyper-V host at my house connecting to my work network
    Home 192.168.5.0/24
    Hyper-V 192.168.2.0/24
    VPN 192.168.70.0/24

    I'm using Peer to Peer (Shared Key), port 1195.
    I used this as a guide:
    YouTube Video

    pfSense states I should not be using routing. If I leave it alone, the home PC works perfectly, but I cannot access the home network from work. When I try to change what I think is logical, I end up not being able to communicate anywhere.

    From home, I can ping .70.2, .70.1, .0.202, .0.200 or any other PC at the work location.

    Now I need something to communicate back to my home. I use tracert and I can ping .70.1, but if I try to make my way farther up the tunnel, it tries to use the WAN to connect to it, showing my public IP, etc. I cannot ping or go any farther on the 0.0/24 network past the local tunnel address of .70.1.

    Any help would be appreciated, thanks in advance.


  • Post your OpenVPN settings from both server and client.


  • Server
    Peer to Peer (Shared Key)
    UDP on IPv4 Only
    tun - Layer 3 Tunnel Mode
    WAN
    1195
    UsernameVPN
    use default direction
    -Shared Key-
    AES-256-CBC (256 bit key, 128 bit block)
    Enable Negotiable Cryptographic Parameters
    AES-256-CBC
    SHA256 (256-bit)
    BSD Cryptodev Engine
    192.168.70.0/24
    ipv6 - blank
    192.168.2.0/24
    ipv6-blank
    25
    disable compression
    TOS disabled
    ping inactive - 0
    ping method - Keepalive
    interval - 10
    Timeout - 60
    Custom Options - Blank
    UDP Fast I/O Disabled
    Exit Notify - Disabled
    Send/Receive Buffer - Default
    Gateway Creation - Both
    Verbosity Level - Default
    -Firewall/Rules/OpenVPN
    Check 17/272MiB IPv4* * * * * * none -

    Client (home)
    Peer to Peer (Shared Key)
    UDP on IPv4 Only
    tun - Layer 3
    WAN
    Local port - Blank
    Server - FQDN of office domain
    1195
    Proxy host - blank
    proxy port - blank
    proxy auth - none
    Description - Company VPN
    TLS - Default
    Peer Certificate - None
    -Shared Key-
    AES-256-CBC (256 bit Key, 128 bit block)
    Enable Negotiable Cryptographic Parameters
    AES-256-CBC
    SHA256 (256-bit)
    No Hardware Crypto (Hyper-V Disabled)
    192.168.70.0/24
    ipv6 - blank
    192.168.0.0/24
    ipv6-blank
    Limit Outgoing bandwidth - blank
    disable compression
    TOS disabled
    Don't add or remove routes - unchecked
    ping inactive - 0
    ping method - Keepalive
    interval - 10
    Timeout - 60
    Custom Options - Blank
    UDP Fast I/O Disabled
    Exit Notify - Disabled
    Send/Receive Buffer - Default
    Gateway Creation - Both
    Verbosity Level - Default
    -Firewall/Rules/OpenVPN
    Check 0/0B IPv4 TCP * * * * * none - -

    And as I am writing this out, I discovered what it was:
    on the OpenVPN firewall rule, the protocol was set to TCP and not "any". Once I flipped it to "any", it appears all is working.
    TCP is the default, so I didn't catch that all data from the VPN is through UDP and the firewall was not allowing it.

    Hopefully this helps someone else, as TCP is the "default".


  • @KruglerD said in Issue with OpenVPN access back to client:

    TCP is default, so I didn't catch that all data from the VPN is through UDP and the firewall was not allowing it.

    UDP is only the OpenVPN tunnel itself. That has nothing to do with packets passing the OpenVPN interface.
    However, pings are ICMP, neither TCP nor UDP, hence it didn't work.

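The two posts above, taken together, describe how the OpenVPN-tab rule is evaluated against the packets inside the tunnel, not against the UDP transport carrying it. The following model, added here and not part of the thread or of pfSense itself, reproduces that evaluation as first-match on interface, protocol and destination port, using the posted rule ("IPv4 TCP * * * * *"), the thread's fix ("any"), and a narrower alternative; the interface name "openvpn", the sample flows and the ports 3389/5060 are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None # ICMP carries no port

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to pf's default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"

# Constructed traffic entering the home firewall from the tunnel:
# office hosts (192.168.0.0/24) reaching home hosts (192.168.2.0/24).
TRAFFIC = {
    "ping": Packet("openvpn", "icmp", "192.168.0.200", "192.168.2.10"),
    "rdp":  Packet("openvpn", "tcp",  "192.168.0.200", "192.168.2.10", 3389),
    "sip":  Packet("openvpn", "udp",  "192.168.0.200", "192.168.2.20", 5060),
}

TCP_ONLY  = [Rule("openvpn", "pass", "tcp")]   # the rule as originally posted
ALLOW_ANY = [Rule("openvpn", "pass", "any")]   # the thread's fix
LEAST_PRIV = [                                 # narrower alternative; ports are assumptions
    Rule("openvpn", "pass", "icmp"),
    Rule("openvpn", "pass", "tcp", 3389),
    Rule("openvpn", "pass", "udp", 5060),
]

def verdicts(rules: list[Rule]) -> dict[str, str]:
    return {name: evaluate(rules, pkt) for name, pkt in TRAFFIC.items()}
```

With the TCP-only rule the ICMP echo and the UDP flow fall through to the implicit deny, which is exactly the ping failure described; "any" passes everything, while the narrower set passes only the flows the sites actually need.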

  • Maybe, and maybe that is why my phone would not communicate, as it would ping first, but switching from TCP to Any allowed my phone to operate as expected.


  • OK, this has happened several times. What does "Type-of-Service" do? I have had this happen where everything is working just fine, and then all communication drops between the two networks. I go in and toggle off "Type-of-Service" on both firewalls and communication is restored.
    I have TOS on (I'm thinking) so that my VoIP phone on the 2.0 network can utilize traffic shaping on the server on the 0.0 network with higher quality.
    I have not changed anything over the last few days, but all of a sudden this was blocked.
    I'm on 2.4.5-RELEASE-p1 on both machines.