OpenVPN works but Local network unreachable



  • Hello,

    i just set up an openvpn server using pki authentification. Since everything is working fine, there is a major problem.
    After a successfull authentication, i cant reach the pfsense system (ip: 192.170.170.1) but that's it.
    I cant contact the rest of the subnet, not even another carp'ed pfsense system in the network..

    Address pool is 10.0.8.0/24
    Local Network is 192.170.170.0/24

    I even tried to push "route…" manually but this didnt work either.

    Any ideas why i only can reach the OpenVPN-Server host (and the Gateway indeed)  but no other network?

    Further, i have another unimportant question. As i am using Carp to have failover, i'm missing the possibility to sync the openvpns.. any ideas how to do that? isn't that nice to add everthing twice, nor three times..

    p.s.:  1.2.3-RELEASE
    built on Sun Dec 6 23:21:36 EST 2009

    Thank,
    John


  • Rebel Alliance Developer Netgate

    Is your client running on Vista or Windows 7? If so, make sure the client software is running as Administrator. If it isn't run as Administrator, it doesn't have the permissions it needs to add the routes which will let it contact the rest of the network.



  • Hi,

    i tried the client using Windows 7, but as i used Administrator privileges, the openvpn log shows me that all routes has been set successful, same does windows by using route in a command prompt.

    As i said, i can reach the Pfsense system and it's virtual gateway ip.. I added the rules everbody said, like wan to openvpn port and lan to any.. but it still doesn't work..


  • Rebel Alliance Developer Netgate

    Are you running captive portal on the LAN?



  • No i don't, i read the most posts regarding to this point but didnt find a solution up to now..
    Could it be possible that my second pfsense system, a carp'ed one for failover is in the same network?


  • Rebel Alliance Developer Netgate

    Only if that system is the default gateway for items on the LAN.



  • No it is not. The default gateway is a virtualip, for the carp featureat the mein pfsense system.
    So, any other suggestions?


  • Rebel Alliance Developer Netgate

    That would explain why, then. You can work around it if you add a static route on the CARP pair that points your OpenVPN tunnel network subnet to the LAN IP of this other pfSense box.

    Or use the CARP pair for OpenVPN instead of this one. Is there any particular reason you are running OpenVPN on a separate unit?



  • Well, actually i don't.
    Maybe there is a misunderstanding.

    Its gateway1 (active)–--------gateway2 (passiv)
                          ---      carp    ---
        --- OPENVPN---

    And the OPENVPN users can only reach gateway1, not the second passiv one, nor any other network member.
    Could it be a problem of the switches? (D-Link)
    Maybe they decline to transfer anything fomr another subnet :/


  • Rebel Alliance Developer Netgate

    Ah, OK. I misread. I thought you had a box apart from the cluster that did OpenVPN.

    That should still work then, subnets don't matter to switches as long as the clients know where to send the traffic.

    You may not be able to reach the secondary pfSense unit in that way, but you should be able to hit anything on LAN provided it is not filtering traffic at the client level.



  • Hey,

    i will output the routes set in the pfsense system, it looked to me that they are not right at all.. i will post them tomorrow (can't touch the system now).

    til than!



  • hey,

    here the picture fo the routes set in pfsense.
    Can't see a route between lan and tun0 :/

    any ideas?

    p.s. the blacked ips are the wan ips!
    cheers,
    john


  • Rebel Alliance Developer Netgate

    Can you try some packet captures to see if the traffic makes it across the tunnel on tun0 and actually leaves (and re-enters) your LAN interface?


Log in to reply