Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN clients no longer accessible from LAN after upgrade to pfSense 2.7

    OpenVPN
    8
    49
    6.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      reberhar @lifeboy
      last edited by reberhar

      @lifeboy Gee a total rebuild wow ...

      If you are using "any" in your rule as the source, what you are describing will happen. You must use the address of the computer or object or objects your want sent to the default gateway. Then only that device or those devices will go there.

      It does work.

      Post your firewall rules and I will look at them.

      Roy

      lifeboyL 1 Reply Last reply Reply Quote 1
      • lifeboyL
        lifeboy @reberhar
        last edited by lifeboy

        @reberhar I deleted the OpenVPN server, CSO, client, Certificates, CA, the lot.

        Then I started over, created a new CA, added certs (using ECDSA, which we prefer), exported the necessary files, created a new OpenVPN server, CSO and a new client. I added the "allow all rules" into the OpenVPN tabs on the server and the client (actually they were there already), allowed traffic to come in on the WAN (master, since we're using CARP failover) on port 1194 to 1198 (for the different OpenVPN servers) on UDP and (infuriatingly so) it just worked to a point! I can now ping the LAN address of the client from the server (192.168.111.254), but the addresses on other machines I still can't ping.

        I know that all the settings where identical to what I had set the previous two times, yet somehow this time it worked better, whereas previously it didn't.

        Since I can ping the client LAN address on the firewall, and on the client firewall I can ping the other LAN addresses, why can't I ping the rest of the LAN addresses?
        The routes on the server show:
        d4c1db73-4272-4dcc-b4d0-6687e6f65e4e-image.png

        So traffic to 192.168.111.0 goes via 10.0.20.2, which allows me to ping 192.168.111.254 (the LAN addressof the client pfSense)
        If I can get there, surely it can't be a routing issue, since the subnet is being routed and I have proven to myself that it's being used.

        A packet capture on the client of the ovpn network port shows:

        16:24:35.084815 IP 10.0.20.1 > 192.168.111.1: ICMP echo request, id 44900, seq 0, length 64
16:24:36.096403 IP 10.0.20.1 > 192.168.111.1: ICMP echo request, id 44900, seq 1, length 64
16:24:37.109070 IP 10.0.20.1 > 192.168.111.1: ICMP echo request, id 44900, seq 2, length 64

        It doesn't seem to be able to get back though like .254 does.

        16:26:57.664447 IP 10.0.20.1 > 192.168.111.254: ICMP echo request, id 41430, seq 0, length 64
16:26:57.664537 IP 192.168.111.254 > 10.0.20.1: ICMP echo reply, id 41430, seq 0, length 64
16:26:58.665650 IP 10.0.20.1 > 192.168.111.254: ICMP echo request, id 41430, seq 1, length 64
16:26:58.665664 IP 192.168.111.254 > 10.0.20.1: ICMP echo reply, id 41430, seq 1, length 64
16:26:59.667163 IP 10.0.20.1 > 192.168.111.254: ICMP echo request, id 41430, seq 2, length 64
16:26:59.667212 IP 192.168.111.254 > 10.0.20.1: ICMP echo reply, id 41430, seq 2, length 64

        I'm almost there... any thoughts on why not?

        lifeboyL 1 Reply Last reply Reply Quote 1
        • lifeboyL
          lifeboy @lifeboy
          last edited by

          Just to add to my reply, the client routing table

          4573dcf8-5ce6-4793-865a-dd159d20d763-image.png

          Here, the traffic for 192.168.131.0/24 must go to 10.0.20.1, which it does, since I can ping any valid address on the server LAN from the client,

          R 1 Reply Last reply Reply Quote 1
          • R
            reberhar @lifeboy
            last edited by

            @lifeboy Hi Lifeboy,

            Try a trace route and see where your queries are going.

            If your queries are not reaching the system routing table then it cannot work.

            Michael had a similar problem. The trace route revealed it.

            Roy

            lifeboyL 1 Reply Last reply Reply Quote 1
            • lifeboyL
              lifeboy @reberhar
              last edited by

              @reberhar I found the problem, and it was not in pfSense!

              The LAN client address I was testing with, 192.168.111.1, didn't have a default gateway set yet! I set that and now it's reachable!

              Case closed.

              The part that I'm still frustrated about is that I'm pretty sure that my setup was correct in the GUI the second time round too, but the problem was not revealed in what was visible. Redoing it fixed the problem, but I didn't learn much in the process.

              Thanks for all you effort and input as well!

              R 1 Reply Last reply Reply Quote 1
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Nice that you finally were able to track that down!

                We have a nice checklist-style connectivity troubleshooting reference in the docs that may be helpful to keep in mind for the future (and for others finding this thread) which includes that as one of the items to check:

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

                More specifically:
                https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html#client-tests

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                R lifeboyL 2 Replies Last reply Reply Quote 1
                • R
                  reberhar @jimp
                  last edited by

                  @jimp Thanks Jimp,

                  Of course as a simple outside forum user, I don't always think of the great checklists you all have in the Netgate pfSense documentation. Those have certainly helped me.

                  1 Reply Last reply Reply Quote 0
                  • R
                    reberhar @lifeboy
                    last edited by

                    @lifeboy Hi Lifeboy,

                    I am so glad you fixed your problem. You are a persistent patient person. The world needs more folks like you.

                    1 Reply Last reply Reply Quote 0
                    • lifeboyL
                      lifeboy @jimp
                      last edited by

                      @jimp Indeed that is a great resource to use for troubleshooting, thanks for sharing it!

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.