Netgate Discussion Forum
    OpenVPN works but Local network unreachable

    Category: OpenVPN. 13 Posts, 2 Posters, 7.9k Views
    • john-dev

      Hello,

      I just set up an OpenVPN server using PKI authentication. Although everything is working fine, there is a major problem.
      After a successful authentication, I can reach the pfSense system (ip: 192.170.170.1) but that's it.
      I can't contact the rest of the subnet, not even another CARP'ed pfSense system in the network..

      Address pool is 10.0.8.0/24
      Local Network is 192.170.170.0/24

      I even tried to push "route…" manually but this didn't work either.

      Any ideas why I can only reach the OpenVPN server host (and the gateway indeed) but no other network?

      Further, I have another, unimportant question. As I am using CARP to have failover, I'm missing the possibility to sync the OpenVPNs.. any ideas how to do that? It isn't nice to add everything twice, nor three times..

      p.s.:  1.2.3-RELEASE
      built on Sun Dec 6 23:21:36 EST 2009

      Thanks,
      John

      • jimp (Rebel Alliance Developer, Netgate)

        Is your client running on Vista or Windows 7? If so, make sure the client software is running as Administrator. If it isn't run as Administrator, it doesn't have the permissions it needs to add the routes which will let it contact the rest of the network.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • john-dev

          Hi,

          I tried the client using Windows 7, but as I used Administrator privileges, the OpenVPN log shows me that all routes have been set successfully, and so does Windows when using route in a command prompt.

          As I said, I can reach the pfSense system and its virtual gateway IP.. I added the rules everybody said, like WAN to OpenVPN port and LAN to any.. but it still doesn't work..

          • jimp (Rebel Alliance Developer, Netgate)

            Are you running captive portal on the LAN?

            • john-dev

              No I don't, I read most posts regarding this point but didn't find a solution up to now..
              Could it be possible that my second pfSense system, a CARP'ed one for failover, is in the same network?

              • jimp (Rebel Alliance Developer, Netgate)

                Only if that system is the default gateway for items on the LAN.

                • john-dev

                  No it is not. The default gateway is a virtual IP, for the CARP feature at the main pfSense system.
                  So, any other suggestions?

                  • jimp (Rebel Alliance Developer, Netgate)

                    That would explain why, then. You can work around it if you add a static route on the CARP pair that points your OpenVPN tunnel network subnet to the LAN IP of this other pfSense box.

                    Or use the CARP pair for OpenVPN instead of this one. Is there any particular reason you are running OpenVPN on a separate unit?

                    • john-dev

                      Well, actually i don't.
                      Maybe there is a misunderstanding.

                      It's: gateway1 (active) --------- gateway2 (passive)
                                        ---      carp    ---
                            --- OPENVPN ---

                      And the OpenVPN users can only reach gateway1, not the second passive one, nor any other network member.
                      Could it be a problem of the switches? (D-Link)
                      Maybe they decline to transfer anything from another subnet :/

                      • jimp (Rebel Alliance Developer, Netgate)

                        Ah, OK. I misread. I thought you had a box apart from the cluster that did OpenVPN.

                        That should still work then, subnets don't matter to switches as long as the clients know where to send the traffic.

                        You may not be able to reach the secondary pfSense unit in that way, but you should be able to hit anything on LAN provided it is not filtering traffic at the client level.

                        • john-dev

                          Hey,

                          I will output the routes set in the pfSense system; it looked to me that they are not right at all.. I will post them tomorrow (can't touch the system now).

                          Till then!

                          • john-dev

                            Hey,

                            Here is the picture of the routes set in pfSense.
                            Can't see a route between LAN and tun0 :/

                            any ideas?

                            p.s. the blacked-out IPs are the WAN IPs!
                            cheers,
                            john

                            • jimp (Rebel Alliance Developer, Netgate)
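As an added illustration (not part of the thread, and not pfSense's own tooling), the POSIX shell script below does two things the discussion turns on: it checks a pfSense (FreeBSD) routing table for the two connected routes that forwarding between the OpenVPN tunnel network and the LAN depends on, which is what John is looking for in his route listing, and it prints the static return route jimp suggested earlier for a host whose default gateway is not the OpenVPN server. The routing table in the script is a constructed sample in `netstat -rn` layout using the thread's networks (10.0.8.0/24 tunnel, 192.170.170.0/24 LAN); the interface names em0/em1/tun0 and the gateway addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a pfSense/FreeBSD routing table for the
# routes that tunnel<->LAN forwarding needs, and emit the static return route a LAN host
# (or the other CARP member) would need when the OpenVPN server is not its default gateway.
#
# Constructed sample in the layout of `netstat -rn` on pfSense. Only the two networks
# come from the thread; em0/em1/tun0 and the gateway addresses are assumed values.
ROUTES='Destination        Gateway            Flags    Netif
default            198.51.100.1       UGS      em0
10.0.8.0/24        10.0.8.2           UGS      tun0
10.0.8.1           link#9             UHS      lo0
10.0.8.2           link#9             UH       tun0
127.0.0.1          link#5             UH       lo0
192.170.170.0/24   link#2             U        em1
192.170.170.1      link#2             UHS      lo0'

# route_via PREFIX IFACE: exit 0 if PREFIX is routed out IFACE in $ROUTES, 1 otherwise.
route_via() {
    printf '%s\n' "$ROUTES" |
        awk -v p="$1" -v i="$2" '$1 == p && $NF == i { found = 1 } END { exit !found }'
}

# check_forwarding TUNNET TUNIF LANNET LANIF
# A router forwards between two directly connected networks without any extra
# "LAN to tun0" route, so the check is simply that both legs are present.
# Prints one of: ok, no-lan-route, no-tunnel-route, no-routes
check_forwarding() {
    tun_ok=0; lan_ok=0
    route_via "$1" "$2" && tun_ok=1
    route_via "$3" "$4" && lan_ok=1
    if [ "$tun_ok" = 1 ] && [ "$lan_ok" = 1 ]; then
        echo ok
    elif [ "$tun_ok" = 1 ]; then
        echo no-lan-route
    elif [ "$lan_ok" = 1 ]; then
        echo no-tunnel-route
    else
        echo no-routes
    fi
}

# return_route_cmd TUNNET VPNHOST_LAN_IP
# The static route jimp described, in FreeBSD `route` syntax: send replies for the
# tunnel network to the LAN address of the box that runs OpenVPN.
return_route_cmd() {
    printf 'route add -net %s %s\n' "$1" "$2"
}

# Demonstration output when the script is run directly.
echo "forwarding check: $(check_forwarding 10.0.8.0/24 tun0 192.170.170.0/24 em1)"
echo "return route for a LAN host: $(return_route_cmd 10.0.8.0/24 192.170.170.1)"
```

On a real pfSense box the table comes from `netstat -rn` instead of the embedded sample. The point of the check is that the absence of a route "between LAN and tun0" is normal: both networks are directly connected, and the kernel forwards between them. What must hold is that both connected routes exist and that every LAN host sends replies for 10.0.8.0/24 back to the OpenVPN server, either because that server is its default gateway or because it carries the static return route printed above.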

                              Can you try some packet captures to see if the traffic makes it across the tunnel on tun0 and actually leaves (and re-enters) your LAN interface?
