Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Client device running OpenVPN not connecting to LAN

    Scheduled Pinned Locked Moved OpenVPN
    10 Posts 2 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TheSkelly
      last edited by

      Hi all,

      I'm having an issue with access to local LAN resources for an OpenVPN connected device. I don't think this is a 'typical' problem so I'm struggling to find anything online which helps (or perhaps I'm not using the right keywords!).

      The situation: I have a device on my network which is connecting to an external OpenVPN server. The VPN connection is successful, and I am able to access REMOTE LAN resources/internet with no issues. However, when the VPN is connected, I lose access to any LOCAL LAN devices.

      Example:
      OpenVPN Client turned OFF:
      10.20.0.2 (VLAN20) can connect to 10.30.0.2 (VLAN30).
      OpenVPN Client turned ON:
      10.20.0.2 (VLAN20) cannot connect to 10.30.0.2 (VLAN30).

      Interestingly, when the client is turned ON, 10.20.0.2 can still access things on the LAN for which a state exists - however killing the state and attempting to re-establish is unsuccessful.

      Here are my firewall rules for VLAN20:
      aa886167-6cc6-4825-b554-c5fd6bca4044-image.png

      Even with the logged blocked rule at the end, no blocked entries appear in the firewall... so I'm quite confused as to what may be going on here! ๐Ÿ˜–

      Thank you for taking the time to read this/offer any suggestions ๐Ÿ˜Š

      Additional Information:
      VLAN20 (OpenVPN Client Device 10.20.0.2) serves on 10.20.0.1/24

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @TheSkelly
        last edited by

        @theskelly
        Check the clients routing table. I guess, the VPN server pushes routes which overlap your LAN. So that traffic destined to internal IP are directed to the VPN server.
        Which remote networks does the client need to access?

        T 1 Reply Last reply Reply Quote 0
        • T
          TheSkelly @viragomann
          last edited by

          @viragomann I like your thinking, however there shouldn't be any overlap... The remote network is a 192.168.0.1/24 network, and my local network connecting to the VPN is 10.20.0.1/24.

          The VPN assigns addresses on 10.8.0.0/24 which does not overlap with any network segments on either side of the VPN connection...

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @TheSkelly
            last edited by

            @theskelly
            It doesn't depend on the true remote networks, but on the routes which are added to the client when the connection is established. Therefor I requested you to check the routing table.

            T 1 Reply Last reply Reply Quote 0
            • T
              TheSkelly @viragomann
              last edited by TheSkelly

              @viragomann

              Ah, my apologies for the misunderstanding.

              The vpn server config contains the following:

              server 10.8.0.0 255.255.255.0
              push "route 192.168.0.0 255.255.255.0"
              push "redirect-gateway def1 bypass-dhcp"
              

              My understanding of this is that the first line specifies the IP range in which the VPN Server dishes out IP's to clients.
              The second line allows the clients to route to the specified network on the server side.
              The third line forces traffic through the VPN tunnel (by redirecting the default gateway).

              is another 'push route' required to specify local access?

              Here is the routing table for my connected windows machine:

              ca314054-59cc-4803-a8b0-409ce3017049-image.png

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @TheSkelly
                last edited by

                @theskelly said in Client device running OpenVPN not connecting to LAN:

                My understanding of this is that the first line specifies the IP range in which the VPN Server dishes out IP's to clients.

                Correct.

                @theskelly said in Client device running OpenVPN not connecting to LAN:

                The second line allows the clients to route to the specified network on the server side.
                The third line forces traffic through the VPN tunnel (by redirecting the default gateway).

                Both lines instruct the clients to add a route after the connection is established. The first one pushes the route for 192.168.0.0/24, the second pushes the default route to the clients.
                So the second line might be responsible for your routing problem. It directs the whole traffic from the client over the VPN. So yeah, this of course is overlapping your local networks and the client may send packets to the VPN server instead of the local router.

                T 1 Reply Last reply Reply Quote 0
                • T
                  TheSkelly @viragomann
                  last edited by

                  @viragomann thank you! You're on the money with that one. Disabling the redirect of the default gateway allows me to retain connectivity to the client LAN.

                  However the drawback of this is that now, internet-bound traffic does not tunnel through the VPN. I assume the happy medium here is to re-enable the gateway redirect and also add in a route to allow traffic to find its way to the client LAN. Would another 'push route' be used to achieve this? (I've seen a few things about 'iroute' online which is just confusing me! ๐Ÿ˜ง )

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @TheSkelly
                    last edited by

                    @theskelly
                    No iroute is for routing traffic to a specific client in OpenVPN.

                    If you need to direct the internet traffic over the vpn you have to set the default route, which prevents you from accessing other network segments, as you experienced already.
                    That's why you should set up a vpn for internet access on the router instead. If you still want to run it on the client device, you can play around with routing metrics and static routes.

                    Try the following:
                    Add the redirect gateway line to the server settings again and also add the line

                    push "route-metric 512"
                    

                    Restart the server and try again with these settings.

                    If it doesn't work add a static route for the local networks to the client. How to do that depends on your OS.

                    T 1 Reply Last reply Reply Quote 0
                    • T
                      TheSkelly @viragomann
                      last edited by

                      @viragomann thanks for the guidance! Unfortunately the metric 512 line didn't work. I'm not so keen on configuring routes for each client - so perhaps I'll make pfsense the client instead.

                      Thank you again! ๐Ÿ˜Š

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        viragomann @TheSkelly
                        last edited by

                        @theskelly said in Client device running OpenVPN not connecting to LAN:

                        so perhaps I'll make pfsense the client instead.

                        Ttat's a very good decission. ๐Ÿ™‚

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.