Netgate Discussion Forum

    Access to LAN behind pF OpenVPN CLIENT

      dbadovsky

      Hi. I need access to my home LAN, but my ISP doesn't provide a public IP, so I installed OpenVPN server on a VPS. In the server conf, the following options were added:
      server 10.9.0.0 255.255.255.0
      route 192.168.11.0 255.255.255.0 10.9.0.4
      push "route 192.168.11.0 255.255.255.0"

      Where 192.168.11.0/24 is my LAN and 10.9.0.4 is pfSense.
      OpenVPN clients are pinging each other (including pfSense) but there is no access to the LAN.
      Rules on the OpenVPN and VPN interfaces have been added.
      Tried to traceroute to the LAN net, but the last hop is the server and it goes no further.
      Now I suppose I should add "iroute 192.168.11.0 255.255.255.0" to pF's client config, but I get the daemon's error "option 'iroute' cannot be used in this context".
      No doubts anymore, please help.

        viragomann @dbadovsky

        @dbadovsky said in Access to LAN behind pF OpenVPN CLIENT:

        I installed OpenVPN server on a VPS.

        Which OS? Also pfSense?

          dbadovsky @viragomann

          @viragomann No, Debian. Installed with the angristan script.

            viragomann @dbadovsky

            @dbadovsky
            This installs only an OpenVPN server on the machine. But you need a P2P to your home.
            Either install a separate OpenVPN instance for this or you have to add a client specific override (client config dir/file) with the iroute command.

            The iroute on the home pfSense is pretty useless. This command is meant to be used on a server.

              dbadovsky @viragomann

              @viragomann Does the server read client config after created? Added iroute in pF's client config on the server, nothing changed.
              This OpenVPN server is just for this purpose. I've installed with script to simplify installation process and changed config after that.

                viragomann @dbadovsky

                @dbadovsky said in Access to LAN behind pF OpenVPN CLIENT:

                Does the server read client config after created?

                If you state it with the client-config-dir directive, it does.

                Added iroute in pF's client config on the server, nothing changed.

                iroute is not supposed to be used in the server config. The server needs to know the proper client to assign it to.

                Look into the OpenVPN docs for help and details. I'm not as familiar with that stuff.

                  dbadovsky @viragomann

                  @viragomann I added a client config with an "iroute" line to the server's ccd dir but nothing changed.
                  Of course I read the OpenVPN docs; that's why I supposed I had to add the "iroute" line to pF's ovpn config.

                    viragomann @dbadovsky

                    @dbadovsky
                    In the server config replace

                    route 192.168.11.0 255.255.255.0 10.9.0.4
                    

                    with

                    route 192.168.11.0 255.255.255.0
                    

                    And check the server log for a hint that the client file is applied.

                      dbadovsky @viragomann

                      @viragomann

                      @viragomann said in Access to LAN behind pF OpenVPN CLIENT:

                      hint that the client file is applied

                      How can I check it? I only see client connected, IP and port, timers...

                      I see client's name, seems like nowhere to know it from than from client's config file on the server. Right?

                        viragomann @dbadovsky

                        @dbadovsky
                        In the OpenVPN log in /var/log/openvpn.log or wherever.

                          dbadovsky @viragomann

                          @viragomann exactly there. status.log. How can I check hint that the client file is applied?

                          Now I tried to delete the client config from ccd and it connects. So it seems like the server doesn't care about ccd.

                            viragomann @dbadovsky

                            @dbadovsky
                            The client file is not required for connecting, it's just for the routing.

                            In the openvpn.log you should see if the iroute is applied, when the client connects.

                              dbadovsky @viragomann

                              @viragomann Well, it seems like iroute is not applied, can't see something specific to that.
                              Tried to ping server from the LAN, it does. So the problem is in openvpn routing exactly. Server doesn't know where to find 11.0/24 in spite of route in OS.

                                dbadovsky @viragomann

                                @viragomann SOLVED!!!
                                The "iroute" line should NOT be in the .ovpn file. I created a same-name extensionless file and now I have the route in the log and I can see the LAN. Thank you!

                                  viragomann @dbadovsky

                                  @dbadovsky
                                  Yeah, it has to be in the client specific file, mentioned above.

                                  Nice that you got it sorted.
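
An added example, not part of any post in this thread: a small shell check for the server-side pieces the discussion turned on (the `client-config-dir` directive, a ccd file named after the client with no extension, and a `route` line matching each `iroute`). The function names, finding codes, the client name `pfsense` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the server-side pieces that "iroute" depends on.

ccd_audit() {  # usage: ccd_audit SERVER_CONF CLIENT_CN -> prints findings or OK
    conf=$1; cn=$2; rc=0
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$ccd" ]; then echo "NO_CLIENT_CONFIG_DIR"; return 1; fi
    # Assumption: a relative path is relative to the config file's directory.
    case $ccd in /*) ;; *) ccd="$(dirname "$conf")/$ccd" ;; esac

    if [ ! -f "$ccd/$cn" ]; then
        # The file name must be the client's common name, with no extension.
        if ls "$ccd/$cn".* >/dev/null 2>&1; then
            echo "CCD_FILE_HAS_EXTENSION"
        else
            echo "CCD_FILE_MISSING"
        fi
        return 1
    fi
    iroutes=$(awk '$1 == "iroute" { print $2, $3 }' "$ccd/$cn")
    if [ -z "$iroutes" ]; then echo "NO_IROUTE_IN_CCD_FILE"; return 1; fi
    # iroute only tells OpenVPN which client owns the subnet; the server's
    # kernel still needs a matching "route" line to send traffic into the tunnel.
    while read -r net mask; do
        awk -v n="$net" -v m="$mask" \
            '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit !f }' \
            "$conf" || { echo "NO_SERVER_ROUTE $net $mask"; rc=1; }
    done <<EOF
$iroutes
EOF
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

make_sample() {  # usage: make_sample DIR CCD_FILE_NAME (constructed input)
    mkdir -p "$1/ccd"
    printf '%s\n' 'server 10.9.0.0 255.255.255.0' \
        "client-config-dir $1/ccd" \
        'route 192.168.11.0 255.255.255.0' \
        'push "route 192.168.11.0 255.255.255.0"' > "$1/server.conf"
    echo 'iroute 192.168.11.0 255.255.255.0' > "$1/ccd/$2"
}

tmp=$(mktemp -d)
make_sample "$tmp/bad" pfsense.ovpn   # file name as it was before the fix
make_sample "$tmp/good" pfsense       # extensionless, named after the client
echo "bad:  $(ccd_audit "$tmp/bad/server.conf" pfsense)"
echo "good: $(ccd_audit "$tmp/good/server.conf" pfsense)"
rm -rf "$tmp"
```

On a real server, pass the path of the running server config and the client's certificate common name as shown in the OpenVPN log.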
