Remote Access to LAN using OpenVPN Client Specific Overrides
-
Here's a very common Remote Access use case involving pfSense OpenVPN and its Client Specific Overrides. This controls user2 client access to the LAN, blocking access to some LAN subnets. Yet it has proven far more challenging to get working than expected.
Please find the essentials below:
Tunnel IP: 10.31.180.0/24
User1 connects via OpenVPN Windows client and can see all my internal network. This user's settings have no Overrides. User1 can ping tunnel 10.31.180.1, and also machines at each LAN subnet without a problem.
User2 connects via OpenVPN Windows client, but does use Client Specific Overrides, yet cannot ping anything.
The Client Specific Override is set to network: 10.31.180.230/30
Each LAN subnet is listed in the Overrides setup page.
However, user2 cannot ping any LAN address or even the tunnel at 10.31.180.1. The route table on the Windows user2 client contains entries for 10.31.180.230/30 and the LAN subnets.
The firewall rules are fully permissive.
Client: User2 IPv4 Route Table
Active Routes:
Network Destination   Netmask           Gateway       Interface       Metric
0.0.0.0               0.0.0.0           172.20.20.1   172.20.20.20    30
0.0.0.0               128.0.0.0         10.31.180.1   10.31.180.240   257
10.31.51.0            255.255.255.0     10.31.180.1   10.31.180.240   257
10.31.68.0            255.255.255.0     10.31.180.1   10.31.180.240   257
10.31.180.240         255.255.255.252   On-link       10.31.180.240   257
10.31.180.240         255.255.255.255   On-link       10.31.180.240   257
10.31.180.243         255.255.255.255   On-link       10.31.180.240   257
I am not seeing any errors anywhere, and it works fine for user1, yet it doesn't work for user2. Can anyone throw any light on this user2 Overrides problem? If any further info is needed, I will post it.
Many thanks in advance
-
@Alpine34
Your virtual IP seems odd. How did you configure the OpenVPN server and the CSO?
Which topology does the server use? If subnet, which is the default, you have to state a single IP with the proper tunnel mask in the CSO, e.g. 10.31.180.230/24.
And generally it would be wise to limit the access for the whole tunnel subnet (for any users) and give more privileges to certain CSO users.
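As an added illustration of the rule stated in the reply above (this is example code, not from the thread or from pfSense): a small Python check of a CSO tunnel network entry against the server's tunnel network and topology. It assumes only OpenVPN's own convention that, with topology subnet, a per-client address is handed out as `ifconfig-push <ip> <netmask>`, and models nothing else of pfSense's configuration generation.

```python
"""Sanity-check a pfSense OpenVPN Client Specific Override (CSO) tunnel
network entry against the server's tunnel network and topology.

Added example, not code from the thread or from pfSense. Assumption: with
topology subnet, OpenVPN expects a single client address inside the tunnel
network, pushed as 'ifconfig-push <ip> <netmask>' with the tunnel's mask.
"""
import ipaddress


def check_cso(tunnel_cidr: str, topology: str, cso_cidr: str) -> dict:
    """Return findings for a CSO entry and, for topology subnet, the
    ifconfig-push line the client would receive when the entry is valid."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    cso = ipaddress.ip_interface(cso_cidr)
    cso_net = ipaddress.ip_network(cso_cidr, strict=False)
    findings = []

    if cso.ip not in tunnel:
        findings.append(f"{cso.ip} is outside the tunnel network {tunnel}")

    if topology == "subnet":
        # The thread's mistake: a /30 entered while the server uses /24.
        if cso_net.prefixlen != tunnel.prefixlen:
            findings.append(
                f"prefix /{cso_net.prefixlen} does not match the tunnel "
                f"/{tunnel.prefixlen}; with topology subnet use "
                f"{cso.ip}/{tunnel.prefixlen}")
        elif cso.ip in (tunnel.network_address, tunnel.broadcast_address):
            findings.append(f"{cso.ip} is the network or broadcast address")
    elif topology == "net30":
        # net30 hands every client its own /30 carved from the tunnel.
        if cso_net.prefixlen != 30 or not cso_net.subnet_of(tunnel):
            findings.append("topology net30 needs a /30 inside the tunnel")
    else:
        findings.append(f"unknown topology {topology!r}")

    push = None
    if topology == "subnet" and not findings:
        push = f"ifconfig-push {cso.ip} {tunnel.netmask}"
    return {"ok": not findings, "findings": findings, "ifconfig_push": push}


if __name__ == "__main__":
    # Values from the thread: server tunnel 10.31.180.0/24, CSO 10.31.180.230/30.
    for entry in ("10.31.180.230/30", "10.31.180.230/24"):
        print(entry, check_cso("10.31.180.0/24", "subnet", entry))
```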