Netgate Discussion Forum
    The OVPN client can't reach the local network after successfully establishing

    maar
    last edited by maar

      Hi, I've configured an OpenVPN server and communication between the client and the server is working through the tunnel network and even the local network.

      PFSense IPv4 local: 192.168.10.10/32

      1. VPN / OpenVPN / Servers / myVPNserver:
      • General Information:

        • Server mode: Remote Access ( SSL/TLS + User Auth )
        • Protocol: UDP on IPv4 only
        • Interface: WAN
        • Local port: 1194
      • Tunnel Settings:

        • IPv4 Tunnel Network: 172.16.0.0/24
        • IPv4 Local network(s): 192.168.10.0/24
      • Advanced configuration:

        • Custom options: push "route 192.168.10.0 255.255.255.0"
        • Gateway creation: IPv4 only
      2. Firewall:
        Screenshots: 1.png, 2.png
        Firewall rules (except one) were created automatically, and NAT / Outbound mode is set to automatic. After the client is connected I can ping or SSH to PFSense using the 192.168.10.10 and 172.16.0.1 IPs.

      But I can't reach other servers in the 192.168.10.0/24 network from the client. The servers are open on port 22/tcp and PFSense can reach them.

      Traceroute from connected client to another server example:

      :~$ traceroute 192.168.10.120
      traceroute to 192.168.10.120 (192.168.10.120), 30 hops max, 60 byte packets
       1  172.16.0.1 (172.16.0.1)  55.613 ms  55.606 ms  55.605 ms
       2  * * *
       3  * * *
       4  * * *
       5  * * *
       6  * * *
       7  * * *
       8  * * *
       9  * * *
      10  * * *
      11  * * *
      12  * * *
      13  * * *
      14  * * *
      15  * * *
      16  * * *
      17  * * *
      18  * * *
      19  * * *
      20  * * *
      21  * * *
      22  * * *
      23  * * *
      24  * * *
      25  * * *
      26  * * *
      27  * * *
      28  * * *
      29  * * *
      30  * * *
      

      Traceroute and ping from PFSense to the same server:

      [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: traceroute 192.168.10.120
      traceroute to 192.168.10.120 (192.168.10.120), 64 hops max, 40 byte packets
       1  192.168.10.120 (192.168.10.120)  0.701 ms !Z  0.577 ms !Z  0.518 ms !Z
      [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: ping 192.168.10.120
      PING 192.168.10.120 (192.168.10.120): 56 data bytes
      64 bytes from 192.168.10.120: icmp_seq=0 ttl=64 time=0.653 ms
      64 bytes from 192.168.10.120: icmp_seq=1 ttl=64 time=0.507 ms
      64 bytes from 192.168.10.120: icmp_seq=2 ttl=64 time=0.552 ms
      

      Did I miss something?

        viragomann @maar
        last edited by

        @maar said in The OVPN client can't reach the local network after successfully establishing:

        Custom options: push "route 192.168.10.0 255.255.255.0"

        This should be set by "Local Networks" in the server settings. But it should also work this way.

        Is pfSense the default gateway in the local network?

          maar @viragomann
          last edited by maar

          @viragomann Wow, thanks! The default gateway was set to none. After I added the PFSense address it started working.

          But I have an IPSec connection to another network and I want to give OpenVPN clients access to that network as well.

          The site-2-site connection is working, PFSense and all servers can reach the second network and vice versa, but the client can only reach PFSense and the 192.168.10.0/24 network.

          • Under VPN / OpenVPN / Servers / myVPNserver I added:
            • General Information:
              • IPv4 Local network(s): 192.168.10.0/24, 10.0.0.0/16
            • Advanced configuration:
              • Custom options:
                push "route 192.168.10.0 255.255.255.0";
                push "route 10.0.0.0 255.255.0.0";
          • Under System / Routing / Static Routes I added:
            • 10.0.0.0/16 via 192.168.10.10/32 (PFSense addr) - thanks to that, the PFSense server can connect to the 10.0.0.0/16 network.

          IPSec tunnel overview: screenshot 3.png

          In the PFSense firewall all traffic for IPSec is allowed (rule added by default).

          I'm not good at drawing, but I tried to draw what I want to achieve. :D
          Diagram: 4.png

          Some outputs:

          [from ovpn client]
          
          ~$ ping 10.0.10.10
          PING 10.0.10.10 (10.0.10.10) 56(84) bytes of data.
          ^C
          --- 10.0.10.10 ping statistics ---
          4 packets transmitted, 0 received, 100% packet loss, time 3053ms
          
          ~$ traceroute 10.0.10.10
          traceroute to 10.0.10.10 (10.0.10.10), 30 hops max, 60 byte packets
           1  172.16.0.1 (172.16.0.1)  47.519 ms  47.084 ms  46.867 ms
           2  * * *
           3  * * *
           4  * * *
           5  * * *
          (...)
          28  * * *
          29  * * *
          30  * * *
          
          
          [from pfsense server]
          
          [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: ping 10.0.10.10
          PING 10.0.10.10 (10.0.10.10): 56 data bytes
          64 bytes from 10.0.10.10: icmp_seq=0 ttl=62 time=11.312 ms
          64 bytes from 10.0.10.10: icmp_seq=1 ttl=62 time=10.328 ms
          64 bytes from 10.0.10.10: icmp_seq=2 ttl=62 time=10.255 ms
          64 bytes from 10.0.10.10: icmp_seq=3 ttl=62 time=10.332 ms
          ^C
          --- 10.0.10.10 ping statistics ---
          4 packets transmitted, 4 packets received, 0.0% packet loss
          round-trip min/avg/max/stddev = 10.255/10.557/11.312/0.437 ms
          
          [2.5.2-RELEASE][admin@pfSense.home.arpa]/root: traceroute 10.0.10.10
          traceroute to 10.0.10.10 (10.0.10.10), 64 hops max, 40 byte packets
           1  pfSense (192.168.10.10)  0.307 ms  0.189 ms  0.120 ms
           2  pfSense (192.168.10.10)  0.107 ms  0.124 ms  0.120 ms
           3  * * *
           4  * * *
           5  * * *
          (...)
          61  * * *
          62  * * *
          63  * * *
          64  * * *
          

          How to make it work?

            viragomann
            last edited by

            @maar said in The OVPN client can't reach the local network after successfully establishing:

            Under VPN / OpenVPN / Servers / myVPNserver I added:

            General Information:

            IPv4 Local network(s): 192.168.10.0/24, 10.0.0.0/16

            Advanced configuration:

            Custom options:
            push "route 192.168.10.0 255.255.255.0";
            push "route 10.0.0.0 255.255.0.0";

            These options do the same things. You should keep the Local Networks and remove it from the advanced options.

            Under System / Routing / Static Routes I added:

            10.0.0.0/16 via 192.168.10.10/32 (PFSense addr) - thanks to that, the PFSense server can connect to the 10.0.0.0/16 network.

            You added a static route on pfSense with its own LAN IP as gateway??
            That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.

            Did you add the phase 2 for 172.16.0.0/24 <> 10.0.0.0/16 in AWS as well?
            If you check Status > IPSec are all tunnels marked as connected?

              maar @viragomann
              last edited by maar

              @viragomann said in The OVPN client can't reach the local network after successfully establishing:

              These options do the same things. You should keep the Local Networks and remove it from the advanced options.

              Ok, I deleted it from the advanced options.

              You added a static route on pfSense with its own LAN IP as gateway??
              That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.

              Without that static route, traceroute to a server under 10.0.10.10 (AWS) leads nowhere and I can't ping it from the PFSense server at all. After adding it, it's working.

              Did you add the phase 2 for 172.16.0.0/24 <> 10.0.0.0/16 in AWS as well?

              Yes and I added the firewall rules.

              If you check Status > IPSec are all tunnels marked as connected?

              Tunnels are marked as established without errors. Some workers from AWS Kubernetes have been working with OVH databases through this tunnel since yesterday without interruptions.

              The OpenVPN client has access only to the OVH network.

                viragomann @maar
                last edited by

                @maar said in The OVPN client can't reach the local network after successfully establishing:

                You added a static route on pfSense with its own LAN IP as gateway??
                That makes no sense at all. Moreover there should be set static routes for remote networks which are reachable via VPN.

                Without that static route, traceroute to a server under 10.0.10.10 (AWS) leads nowhere and I can't ping it from the PFSense server at all.

                But it should work from the OVH network, I assume.

                That static route can bring some mis-routing into your network. Maybe the access from OpenVPN clients to AWS works if you remove it.

                Some workers from AWS kubernetes are working with OVH databases through this tunnel from yesterday without interruptions.

                This doesn't say anything about the tunnel 172.16.0.0/24 <> 10.0.0.0/16. You have three tunnels, each connecting one local subnet with one on the remote site. All three have to be established for full function.

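The two failures discussed in this thread, modelled as an added example (not code from the posts, from pfSense or from OpenVPN): a LAN host that has no route back to the tunnel network cannot answer the client, and policy-based IPsec only carries traffic that a phase 2 on both ends selects, which a static route on pfSense cannot replace. The network values are the thread's own; the routing tables and phase-2 lists are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread: OpenVPN tunnel net, pfSense LAN, AWS side of the IPsec tunnel.
TUNNEL_NET = "172.16.0.0/24"
LAN_NET = "192.168.10.0/24"
AWS_NET = "10.0.0.0/16"

def has_route(routes, dst):
    """True if any prefix in a host's routing table (list of CIDR strings) covers dst."""
    return any(ip_address(dst) in ip_network(p) for p in routes)

def phase2_covers(phase2, src, dst):
    """True if some IPsec phase-2 selector (local, remote) matches src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(loc) and d in ip_network(rem) for loc, rem in phase2)

def diagnose_lan(client_ip, server_routes):
    """First problem: pfSense forwards the packet to the LAN host, but the host
    can only reply if it has a route back to the tunnel net (its default gateway)."""
    if not has_route(server_routes, client_ip):
        return "no return route to " + client_ip + ": set pfSense as default gateway"
    return "ok"

def diagnose_ipsec(src_ip, dst_ip, pfsense_p2, aws_p2):
    """Second problem: policy-based IPsec carries only traffic matched by a
    phase 2 on both ends; a static route on pfSense cannot substitute for one."""
    if not phase2_covers(pfsense_p2, src_ip, dst_ip):
        return "no phase 2 on pfSense selects %s -> %s" % (src_ip, dst_ip)
    if not phase2_covers(aws_p2, dst_ip, src_ip):   # AWS sees the mirror image
        return "no phase 2 on AWS selects %s -> %s" % (dst_ip, src_ip)
    return "ok"

# Constructed sample tables (assumptions; the thread's screenshots are not reproduced).
SERVER_NO_GW = [LAN_NET]                  # default gateway "none", as in the first post
SERVER_WITH_GW = [LAN_NET, "0.0.0.0/0"]   # default gateway pointed at pfSense
P2_PFSENSE_BEFORE = [(LAN_NET, AWS_NET)]
P2_PFSENSE_AFTER = P2_PFSENSE_BEFORE + [(TUNNEL_NET, AWS_NET)]
P2_AWS_BEFORE = [(AWS_NET, LAN_NET)]
P2_AWS_AFTER = P2_AWS_BEFORE + [(AWS_NET, TUNNEL_NET)]

if __name__ == "__main__":
    print(diagnose_lan("172.16.0.2", SERVER_NO_GW))
    print(diagnose_lan("172.16.0.2", SERVER_WITH_GW))
    print(diagnose_ipsec("192.168.10.10", "10.0.10.10", P2_PFSENSE_BEFORE, P2_AWS_BEFORE))
    print(diagnose_ipsec("172.16.0.2", "10.0.10.10", P2_PFSENSE_BEFORE, P2_AWS_BEFORE))
    print(diagnose_ipsec("172.16.0.2", "10.0.10.10", P2_PFSENSE_AFTER, P2_AWS_AFTER))
```

The third call reproduces why pfSense itself (source 192.168.10.10) can ping AWS while a tunnel client cannot; the last two show that the extra phase 2 must exist on the pfSense side and on the AWS side.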