The OVPN client can't reach the local network after successfully establishing
-
Hi, I've configured
OpenVPNserver and communication between client and server is working as well throughTunnel networkand evenLocal network.PFSense IPv4 local:
192.168.10.10/32VPN / OpenVPN / Servers / myVPNserver:
-
General Information:
- Server mode:
Remote Access ( SSL/TLS + User Auth ) - Protocol:
UDP on IPv4 only - Interface:
WAN - Local port:
1194
- Server mode:
-
Tunnel Settings:
- IPv4 Tunnel Network:
172.16.0.0/24 - IPv4 Local network(s):
192.168.10.0/24
- IPv4 Tunnel Network:
-
Advanced configuration:
- Custom options:
push "route 192.168.10.0 255.255.255.0" - Gateway creation:
IPv4 only
_
- Custom options:
- Firewall:
_
Firewall rules (except one) created automatically,NAT / Outbound modeis set toauto.After the client is connected I can ping or use SSH to PFSense using192.168.10.10and172.16.0.1IPs.
But I can't reach other servers in the
192.168.10.0/24network from client. The servers are opened on22/tcpport and PFSense can reach them.Traceroute from connected client to another server example:
:~$ traceroute 192.168.10.120 traceroute to 192.168.10.120 (192.168.10.120), 30 hops max, 60 byte packets 1 172.16.0.1 (172.16.0.1) 55.613 ms 55.606 ms 55.605 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *Traceroute and ping from PFSense to the same server:
[2.5.2-RELEASE][admin@pfSense.home.arpa]/root: traceroute 192.168.10.120 traceroute to 192.168.10.120 (192.168.10.120), 64 hops max, 40 byte packets 1 192.168.10.120 (192.168.10.120) 0.701 ms !Z 0.577 ms !Z 0.518 ms !Z [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: ping 192.168.10.120 PING 192.168.10.120 (192.168.10.120): 56 data bytes 64 bytes from 192.168.10.120: icmp_seq=0 ttl=64 time=0.653 ms 64 bytes from 192.168.10.120: icmp_seq=1 ttl=64 time=0.507 ms 64 bytes from 192.168.10.120: icmp_seq=2 ttl=64 time=0.552 msDid I miss something?
-
@maar said in The OVPN client can't reach the local network after successfully establishing:
Custom options: push "route 192.168.10.0 255.255.255.0"
This should be set by "Local Networks" in the server settings. But it should also work this way.
Is pfSense the default gateway in the local network?
-
@viragomann Wow, thanks! The
default gatewaywas set tonone. After I added the PFSense address it started working.But, I have an IPSec connection to another network and I want to give OpenVPN clients acces to that network as well.
The site-2-site connection is working, PFSense and all servers can reach the second network and vice versa, but the client can only reach PFSense and the
192.168.10.0/24network.- Under
VPN / OpenVPN / Servers / myVPNserverI added:- General Information:
- IPv4 Local network(s):
192.168.10.0/24, 10.0.0.0/16
- IPv4 Local network(s):
- Advanced configuration:
- Custom options:
push "route 192.168.10.0 255.255.255.0";
push "route 10.0.0.0 255.255.0.0";
- Custom options:
- General Information:
- Under
System / Routing / Static RoutesI added:10.0.0.0/16via192.168.10.10/32(PFSense addr) - thanks to that PFSense server can connect to the10.0.0.0/16/network.
IPSec tunnel overview:
In the PFSense firewall all traffic for
IPSecis allowed (rule added by default).I'm not good in drawings, but I tried to draw what I want to achieve. :D
Some outputs:
[from ovpn client] ~$ ping 10.0.10.10 PING 10.0.10.10 (10.0.10.10) 56(84) bytes of data. ^C --- 10.0.10.10 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3053ms ~$ traceroute 10.0.10.10 traceroute to 10.0.10.10 (10.0.10.10), 30 hops max, 60 byte packets 1 172.16.0.1 (172.16.0.1) 47.519 ms 47.084 ms 46.867 ms 2 * * * 3 * * * 4 * * * 5 * * * (...) 28 * * * 29 * * * 30 * * * [from pfsense server] [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: ping 10.0.10.10 PING 10.0.10.10 (10.0.10.10): 56 data bytes 64 bytes from 10.0.10.10: icmp_seq=0 ttl=62 time=11.312 ms 64 bytes from 10.0.10.10: icmp_seq=1 ttl=62 time=10.328 ms 64 bytes from 10.0.10.10: icmp_seq=2 ttl=62 time=10.255 ms 64 bytes from 10.0.10.10: icmp_seq=3 ttl=62 time=10.332 ms ^C --- 10.0.10.10 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 10.255/10.557/11.312/0.437 ms [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: traceroute 10.0.10.10 traceroute to 10.0.10.10 (10.0.10.10), 64 hops max, 40 byte packets 1 pfSense (192.168.10.10) 0.307 ms 0.189 ms 0.120 ms 2 pfSense (192.168.10.10) 0.107 ms 0.124 ms 0.120 ms 3 * * * 4 * * * 5 * * * (...) 61 * * * 62 * * * 63 * * * 64 * * *How to make it work?
- Under
-
@maar said in The OVPN client can't reach the local network after successfully establishing:
Under VPN / OpenVPN / Servers / myVPNserver I added:
General Information:
IPv4 Local network(s): 192.168.10.0/24, 10.0.0.0/16
Advanced configuration:
Custom options:
push "route 192.168.10.0 255.255.255.0";
push "route 10.0.0.0 255.255.0.0";These options do the same things. You should keep the Local Networks and remove it from the advanced options.
Under System / Routing / Static Routes I added:
10.0.0.0/16 via 192.168.10.10/32 (PFSense addr) - thanks to that PFSense server can connect to the 10.0.0.0/16/ network.
You added a static route on pfSense with its own LAN IP as gateway??
That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.Did you add the phase 2 for 172.16.0.0/24 <> 10.0.0.0/16 on as well in AWS?
If you check Status > IPSec are all tunnels marked as connected? -
@viragomann said in The OVPN client can't reach the local network after successfully establishing:
These options do the same things. You should keep the Local Networks and remove it from the advanced options.
Ok, I deleted from the advanced options.
You added a static route on pfSense with its own LAN IP as gateway??
That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.Without that static route,
tracerouteto some-server under10.0.10.10(AWS) leads to nothing and I can't ping it from PFSense server at all. After adding it's working.Did you add the phase 2 for 172.16.0.0/24 <> 10.0.0.0/16 on as well in AWS?
Yes and I added the firewall rules.
If you check Status > IPSec are all tunnels marked as connected?
Tunnels are marked as established without errors. Some workers from AWS kubernetes are working with OVH databases through this tunnel from yesterday without interruptions.
OpenVPN client have access only to the OVH network.
-
@maar said in The OVPN client can't reach the local network after successfully establishing:
You added a static route on pfSense with its own LAN IP as gateway??
That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.Without that static route, traceroute to some-server under 10.0.10.10 (AWS) leads to nothing and I can't ping it from PFSense server at all.
But it should work from the OVH network, I assume.
That static route can bring some miss-routing into your network at all. Maybe the access from OpenVPN clients to AWS works if you remove it.
Some workers from AWS kubernetes are working with OVH databases through this tunnel from yesterday without interruptions.
This doesn't say anything about the tunnel 172.16.0.0/24 <> 10.0.0.0/16. You have three tunnels, each connects one local subnets with one on the remote site. All three have to be established for full function.