OpenVPN works but Local network unreachable
-
Is your client running on Vista or Windows 7? If so, make sure the client software is running as Administrator. If it isn't run as Administrator, it doesn't have the permissions it needs to add the routes which will let it contact the rest of the network.
-
Hi,
I tried the client using Windows 7, but as I used Administrator privileges, the OpenVPN log shows me that all routes have been set successfully; Windows shows the same when using route in a command prompt.
As I said, I can reach the pfSense system and its virtual gateway IP. I added the rules everybody said, like WAN to OpenVPN port and LAN to any, but it still doesn't work.
-
Are you running captive portal on the LAN?
-
No, I don't. I read most posts regarding this point but didn't find a solution up to now.
Could it be possible that my second pfSense system, a CARP'ed one for failover, is in the same network?
-
Only if that system is the default gateway for items on the LAN.
-
No, it is not. The default gateway is a virtual IP, for the CARP feature at the main pfSense system.
So, any other suggestions?
-
That would explain why, then. You can work around it if you add a static route on the CARP pair that points your OpenVPN tunnel network subnet to the LAN IP of this other pfSense box.
Or use the CARP pair for OpenVPN instead of this one. Is there any particular reason you are running OpenVPN on a separate unit?
-
Well, actually I don't.
Maybe there is a misunderstanding. It's:
gateway1 (active)----------gateway2 (passive)
--- carp ---
--- OPENVPN ---
And the OpenVPN users can only reach gateway1, not the second passive one, nor any other network member.
Could it be a problem of the switches? (D-Link)
Maybe they decline to transfer anything from another subnet :/
-
Ah, OK. I misread. I thought you had a box apart from the cluster that did OpenVPN.
That should still work then, subnets don't matter to switches as long as the clients know where to send the traffic.
You may not be able to reach the secondary pfSense unit in that way, but you should be able to hit anything on LAN provided it is not filtering traffic at the client level.
-
Hey,
I will output the routes set in the pfSense system; it looked to me like they are not right at all. I will post them tomorrow (can't touch the system now).
Till then!
-
Hey,
here is the picture of the routes set in pfSense.
Can't see a route between LAN and tun0 :/ Any ideas?
P.S. The blacked-out IPs are the WAN IPs!
Cheers,
john
-
Can you try some packet captures to see if the traffic makes it across the tunnel on tun0 and actually leaves (and re-enters) your LAN interface?
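
An added example, not part of the thread: a small Python helper that compares the text output of `tcpdump -n icmp` taken on tun0 and on the LAN interface and reports the first hop where a ping goes missing. The addresses and capture lines are constructed for illustration and are assumptions, not values from this setup.

```python
import re

# Matches tcpdump -n ICMP echo lines, e.g.
# "10:00:01.1 IP 10.0.8.6 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 40"
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")

def seen(capture, src, dst, kind):
    """True if the capture text contains an ICMP echo <kind> from src to dst."""
    return any(
        m.groups() == (src, dst, kind)
        for m in map(ICMP.search, capture.splitlines())
        if m
    )

def locate_drop(tun_cap, lan_cap, client, host):
    """Follow one ping along its path and name the first hop where it goes missing."""
    if not seen(tun_cap, client, host, "request"):
        return "request never arrived on tun0: check the routes on the VPN client"
    if not seen(lan_cap, client, host, "request"):
        return "request arrived on tun0 but did not leave LAN: check firewall rules and routes"
    if not seen(lan_cap, host, client, "reply"):
        return "request left LAN but no reply came back: check the host's firewall and gateway"
    if not seen(tun_cap, host, client, "reply"):
        return "reply re-entered LAN but never reached tun0: check firewall rules and state"
    return "ping crosses tun0 and LAN in both directions"

# Constructed sample data (not from the thread): 10.0.8.6 is an assumed VPN
# client address, 192.168.1.50 an assumed LAN host.
CLIENT, HOST = "10.0.8.6", "192.168.1.50"
REQUEST = "10:00:01.1 IP 10.0.8.6 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 40"
REPLY = "10:00:01.2 IP 192.168.1.50 > 10.0.8.6: ICMP echo reply, id 1, seq 1, length 40"
TUN_CAP = REQUEST + "\n"   # capture taken on tun0
LAN_CAP = REQUEST + "\n"   # capture taken on the LAN interface: no reply seen

if __name__ == "__main__":
    print(locate_drop(TUN_CAP, LAN_CAP, CLIENT, HOST))
```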