Access OpenVPN Client LAN from PFSense LAN

mw2u

Hello everyone,

I have two locations, lets say A and B.

In location "A" I have a router that supports OpenVPN Server.
LAN: 10.10.6.0/24 ,VPN Subnet: 10.6.0.0/24

In location "B" I have a PFSense Server. LAN 10.10.2.0/24 and 2 WANS with public IPs.
I added the VPN as a client, everything works, I can ping entire "A" network from pfsense ping tool.

The problem is that I can't make it work from LAN "B". I want everyone from LAN "B" to be able to access devices from LAN "A"

What I did so far:
Assignment new interface (ovpnc1).
Added as dynamic gateway, disabled monitoring, added firewall rules.

From this point I tried static routes, NAT rules and I ran out of ideas, I don't even know how to debug/trace this.

Thank you very much, any idea can help me.

viragomann

@mw2u said in Access OpenVPN Client LAN from PFSense LAN:

I can ping entire "A" network from pfsense ping tool.

Even if you change the source to LAN?

mw2u

@viragomann No, If I change to source LAN it's not working.

viragomann

@mw2u
I assume the router in A is the default gateway on the devices behind it.

I also assume you have already add a firewall rule which allow any, also any protocols.

Does the remote router allow the access from the LAN?

mw2u

@viragomann Yes, its the default gateway for devices behind it.
Yes, I added a firewall rule for "vpn client" which Pass IPv4, any protocol, source any, destination any.
Yes.

viragomann

@mw2u
So the problem will be on site A.
Not really clear, why you're able to ping any LAN device in A from the B pfSense, possibly the router does S-NAT on this connection while it doesn't on connection from the A-LAN, cause he is not aware of that subnet.

If it does NAT, maybe the destination device simply blocks access, cause it is coming from outside of its own subnet. This is the default behavior of computers firewall with networking enabled.

You may investigate the problem on site A by sniffing the traffic.

mw2u

@viragomann I didn't think it might be an "A" problem, but I'll research and come back. Thank you!

viragomann

@mw2u said in Access OpenVPN Client LAN from PFSense LAN:

No, If I change to source LAN it's not working.

This lead the only conclusion, that the failure is on A.
Also possible that the push option for the LAN B network is missed in the OpenVPN config of router A.

mw2u

I did a lot of tests, nothing seems to work.
There is no problem in "A", I tested installing the client on windows, push option are present. From windows everything works perfect.

viragomann

@mw2u
Not clear what you expect to test on Windows. Windows is no router and I'm sure you haven't configured it as one.

Did you sniff any traffic on A site?

I cannot help to fight the problem on A site without any information of the behavior there.
The only thing you can do on pfSense to get it work is a workaround with NAT, which is the very last option.

mw2u

@viragomann Like I said, in location A is a router with a openvpn server. I installed openvpn client on windows and i checked if server push route and if i can access all devices behind that router and everything its good. This makes me thinking something its not right on B, in pfsense client config.

viragomann

@mw2u said in Access OpenVPN Client LAN from PFSense LAN:

I installed openvpn client on windows and i checked if server push route and if i can access all devices behind that router and everything its good.

So it's exactly the same as from the point of pfSense in B. pfSense can access all clients in A as well.

Configure the Windows computer as a router, set it as default gateway and try to access A from the network behind it, if you want a true comparison.