Pfsense as OpenVPN client - routing from LAN to other OpenVPN clients [SOLVED]



  • I have pfsense 1.2.3 setup as an OpenVPN client that connects to a remote OpenVPN server (to which other OpenVPN clients are also connected).  I can't figure out how to get machines on the LAN (behind pfsense) to reach any of the other OpenVPN clients.  In other words, I can access the other OpenVPN clients from the pfSense machine, but not from any machines on the LAN behind pfsense.  I've tried everything I could find on this board, but nothing has worked.

    How do I get my LAN to route connections to the OpenVPN subnet over the OpenVPN tunnel?



  • Is the pfSense server the default gateway for the LAN machines?  Do the LAN machines have a static route for those subnets via another gateway?



  • Also did you push the route for the LAN to the clients?



  • @Cry:

    Is the pfSense server the default gateway for the LAN machines?  Do the LAN machines have a static route for those subnets via another gateway?

    The pfSense server is the default gateway for the LAN.  There is no static route for the OpenVPN subnet, so the pfSense server should be handling all traffic from the LAN machines to the OpenVPN subnet.



  • And as GruensFroeschli said, what about on the VPN - do the clients on the VPN know how to reach the LAN?



  • @Cry:

    And as GruensFroeschli said, what about on the VPN - do the clients on the VPN know how to reach the LAN?

    I followed the steps in the section "Including multiple machines on the client side when using a routed VPN (dev tun)" of
    http://openvpn.net/index.php/open-source/documentation/howto.html#scope

    I can now access (ping) from other OpenVPN clients to machines in the LAN subnet, but I still can't access other OpenVPN clients (using their OpenVPN IPs) from LAN machines.  I tried setting up a static route and and firewall rules in pfSense, but nothing seems to work.



  • If you can ping from the OpenVPN client to the LAN then routing is working.  Anything else comes down to firewall rules, either on the clients or on the pfSense host.

    Do you have rules on the LAN interface allowing communication to the OpenVPN subnet (remember, the default is block)?  Do the OpenVPN clients have any software firewalls?  Is the unspecified service you're trying to access bound to the OpenVPN interface on the client?



  • @Cry:

    If you can ping from the OpenVPN client to the LAN then routing is working.  Anything else comes down to firewall rules, either on the clients or on the pfSense host.

    **Do you have rules on the LAN interface allowing communication to the OpenVPN subnet (remember, the default is block)? ** Do the OpenVPN clients have any software firewalls?  Is the unspecified service you're trying to access bound to the OpenVPN interface on the client?

    I had to add the rules to the LAN interface to allow traffic from the LAN net to the OpenVPN subnet.  Now it works. Thanks!

    So to summarize, getting this to work required me to do the following:
      1. I followed the steps in the section "Including multiple machines on the client side when using a routed VPN (dev tun)" of http://openvpn.net/index.php/open-source/documentation/howto.html#scope
      2. Add a rule to the LAN interface to allow all traffic from the LAN net to the OpenVPN subnet.


Log in to reply