Netgate Discussion Forum

    OpenVPN clients can't ping LAN

      viragomann @jacobisreal

      @jacobisreal said in OpenVPN clients can't ping LAN:

      Now, does this setup cause any security vulnerabilities or are we good?

      The drawback of this is that you're not able to determine the origin source on the destination device. However, since the only way into the network is over the VPN you have full control over it.

        jacobisreal @viragomann

        @viragomann Yeah, everything I read about this cloud provider said I MUST use NAT for this. Now that your genius minds have resolved that, can you maybe help with:

        • How can I automate the OpenVPN client config download for the user? In other words, if I create the user, is there a way to make it so pfSense will allow them to download their .ovpn file if they, like, maybe log in to the pfSense WAN IP? Something to make config of the clients easier. Kind of like OpenVPN Access server but without paying a license fee?

        • How can I lock down the pfSense admin GUI so that only MY public IP can access it, i.e. from my home ISP (Comcast)?

        I really, really appreciate you guys, you've saved my non-profit money and me countless hours. Thank you so much!

          jacobisreal @viragomann

          @viragomann Those douchebags at Digital Ocean and OpenVPN wanted us to pay for an OpenVPN Access server and pay $75/mo for just ten users! This way, we can really grow and not pay. I had to really freak the config, they don't have an image for pfSense so I had to create a FreeBSD box, then dd a raw image of pfSense over it and in pfSense setup re-create the partitions, etc etc - this has not been easy but now that it works, we're set man. Thank you both so much, I really can't say it enough. Bless you!!

            viragomann @jacobisreal

            @jacobisreal said in OpenVPN clients can't ping LAN:

            How can I automate the OpenVPN client config download for the user? In other words, if I create the user, is there a way to make it so pfSense will allow them to download their .ovpn file if they, like, maybe log in to the pfSense WAN IP? Something to make config of the clients easier.

            That was already asked here multiple times. So there are some threads regarding this topic. I didn't occupy myself with it.
            pfSense itself has no function for that at all. Maybe there are solutions with additional scripts.

            @jacobisreal said in OpenVPN clients can't ping LAN:

            How can I lock down the pfSense admin GUI so that only MY public IP can access it, i.e. from my home ISP (Comcast)?

            The GUI should only be accessible from your VPN. To set the rule you need a static VPN IP. You can achieve this with a Client Specific Override.
            If you also want SSH access, generate a key for it and assign it to your user.

              jacobisreal @viragomann

              @viragomann Could I at least log invalid logins to the OpenVPN server and track the IPs going into the WAN IP on pfSense since it's the entrypoint for the VPN and the LAN? If so, how?

                viragomann @jacobisreal

                @jacobisreal
                The logins are also written into the OpenVPN log.
                You can send the log to a syslog server to save them.

                  jacobisreal @viragomann

                  @viragomann I saw a syslog package in the Package Manager - will that do or do I need to send the logs to a separate server?

                    viragomann @jacobisreal

                    @jacobisreal
                    No, that's a syslog server on pfSense. I'd recommend running the server on a separate VM.
                    In Status > System Logs > Settings you can then Enable Remote Logging.

                    Another simple option is to download the log files daily. But consider that they are round robin and the size is limited. You can adjust it in the logging settings.

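A check that could run on the separate syslog VM against the forwarded OpenVPN log, given here as an added example that is not part of the original thread: it tallies failed logins and handshakes per source IP, which covers both the invalid-login question and the remote-logging advice above. The log line layout, the sample lines, the threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape a pfSense box is assumed to forward
# to a remote syslog server (addresses are documentation ranges).
SAMPLE_LOG = """\
Mar  3 09:14:07 pfSense openvpn[41522]: 198.51.100.23:50112 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 09:14:09 pfSense openvpn[41522]: 198.51.100.23:50113 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 09:14:12 pfSense openvpn[41522]: 198.51.100.23:50114 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 09:20:41 pfSense openvpn[41522]: 203.0.113.77:61001 TLS Error: TLS handshake failed
Mar  3 09:31:55 pfSense openvpn[41522]: 192.0.2.10:40222 [alice] Peer Connection Initiated with [AF_INET]192.0.2.10:40222
Mar  3 09:40:02 pfSense filterlog[9876]: unrelated firewall line
"""

# Matches "openvpn[pid]: <ip>:<port> <message>" and captures the peer IP.
LINE_RE = re.compile(
    r"openvpn\[\d+\]:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+(?P<msg>.*)$"
)

# OpenVPN messages treated as a failed attempt in this example.
FAILURE_MARKERS = ("TLS Auth Error:", "TLS Error: TLS handshake failed")


def failed_attempts(log_text):
    """Count failed OpenVPN authentications/handshakes per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("msg").startswith(FAILURE_MARKERS):
            counts[m.group("ip")] += 1
    return counts


def noisy_sources(log_text, threshold=3):
    """Return source IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in failed_attempts(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in failed_attempts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed attempt(s)")
    print("over threshold:", noisy_sources(SAMPLE_LOG))
```

Running it over the file the syslog server writes, rather than over the round-robin log on pfSense itself, keeps the counts complete after the local log has wrapped.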
                      jacobisreal @viragomann

                      @viragomann Gotcha, I see the setting. Before I freak anything up I'm taking another snapshot backup lol. Thanks so much. Any suggestions about how to filter internet sites / URLs for users connected via the OpenVPN? Also, the automatic .ovpn client config file download? Sorry, I must be overloading you... Progress!!

                        viragomann @jacobisreal

                        @jacobisreal said in OpenVPN clients can't ping LAN:

                        Any suggestions about how to filter internet sites / URLs for users connected via the OpenVPN?

                        If you haven't checked "Redirect gateway" in the OpenVPN server settings, internet traffic is normally not routed to pfSense. You have to consider that the users can add routes by themselves, however.
                        So you should add rules to the VPN interface to restrict access for your needs.
                        If you also want to pass internet traffic from the clients over the VPN, the rules are more complicated. But this depends on your needs.

                        @jacobisreal said in OpenVPN clients can't ping LAN:

                        Also, the automatic .ovpn client config file download?

                        Already talked about that above. There is nothing intended on pfSense. But search the forum, maybe someone has posted a script to aid distributing VPNs.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.