Nat & routing on OPENVPN



  • Hey NG,

    I don't know if this is the best NG for my problem.
    I am new to pfSense. I am planning my remote access to the office by OpenVPN.
    The tunnel comes up. I can ping the local interface of the pfSense firewall but I can't route to the LAN server.
    This is my situation:

    LAPTOPS (192.168.19.0/24) -- WAN -- ROUTER -- PFSENSE (STATIC NAT with public IP) -- SERVERS LANS (192.168.126.0/24)

    I added routing rules on the server LANs but it doesn't route :(
    I tested with tcpdump on pfSense and packets arrive but aren't routed.
    Can you give me a hint where the problem is?

    With IPsec VPN all works...
    Thanks to all
    Stefano



  • Hello,
    I kind of have the same problem but with a spin:

    • pfSense at one office (office 1) with an OpenVPN server and one at another office (office 2) with an OpenVPN client set up (OVPN from site to site).
      I can ping the office 2 pfSense but I cannot access the LAN behind it. The other way around works, so from the office 2 LAN I can access the office 1 LAN.

    Does anyone have an idea about it?
    I'm also kind of new to pfSense so I might have made a silly mistake in the configuration, but I cannot see what.

    Thank you in advance.



  • Can you guys post your configuration on both server and client side?



  • Hi, yes I will, but I'll need a bit of time to get all the information from the configuration.
    Thank you very much for your interest in our problem.

    OK, the information on the 2 firewalls and the network:
    ** They are linked with a Site-to-Site VPN, and an MS domain is working through it (not sure if this is important)

    1. The main Firewall:
         - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.3.100/24, Disable the userland FTP-Proxy application)
         - Firewall: only configured rules as:
             LAN: pass (there was a second network but it no longer exists, so this is kind of useless)

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | LAN net | * | 192.168.1.0/24 | * | * | | to 192.168.1.x |
    | * | 192.168.1.0/24 | * | * | * | * | | 192.168.1.x subnet |
    | * | LAN net | * | * | * | * | | Default LAN -> any |

    WAN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | * | * | * | * | * | | pass in all test rule |
    | TCP/UDP | * | * | * | 443 (HTTPS) | * | | Allow TCP/UDP to OpenVPN Server Port |
    | TCP/UDP | * | * | * | 1191 | * | | Allow TCP/UDP to OpenVPN Server Port |

    PPTP VPN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | PPTP clients | * | * | * | * | | allows incoming PPTP |

    IPSEC: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | * | * | * | * | * | | Permit IPSEC |

    • Services: default
      Enable DHCP server on LAN interface: FALSE
      Subnet 192.168.3.0
      Subnet mask 255.255.255.0
      Available range: (192.168.3.0 - 192.168.3.255 ) - default readonly

    • VPN:

    • IPsec
      Tunnels: Enabled IPsec
      Mobile clients: Allow mobile clients:FALSE (basic config)
    • PPTP: Enabled PPTP server
      Server address : xx.xx.xx.xx
      Remote address range: 192.168.50.x/28
      ….
      WINS server: 192.168.3.128
    • OpenVPN : Server
      1. No TCP 192.168.10.0/24 ovpn
      ** For external connections via OpenVPN client application
      Protocol: TCP
      Dynamic IP: true
      Local port: 443
      Address pool: 192.168.10.0/24
      Local network: 192.168.3.0/24

    Cryptography: BF-CBC(128bit)
    Authentication method: PKI

    DHCP-Opt.: DNS-Server: 192.168.3.128

    Custom options:push "dhcp-option DNS 192.168.3.128";push "dhcp-option DNS 192.168.3.129";push "dhcp-option WINS 192.168.3.128"; push "route 192.168.9.0 255.255.255.0";

    2. No TCP 192.168.11.0/24 Office 2 Server
    Protocol: TCP
    Dynamic IP: true
    Local port: 1191
    Address pool: 192.168.11.0/24
    Remote network: 192.168.9.0/24

    Cryptography: BF-CBC(128bit)
    Authentication method: Shared key

    DHCP-Opt.: NetBIOS node type: none

    LZO compression: true

    Description: Office 2

    ALL THE REST THAT IS NOT DISPLAYED IS EITHER NOT SET OR DISABLED

    2. The client, office 2, Firewall:
    • System: there are 4 static routes, like 160.58.134.x, which point to the office 1 firewall 192.168.3.100
         - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.9.100/24, Disable the userland FTP-Proxy application)
         - Firewall: only configured rules as:
             LAN: nothing
      WAN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | TCP/UDP | * | * | * | 1191 | * | | Tunnel |

    • Services: default
      Enable DHCP server on LAN interface: TRUE
      Subnet 192.168.9.0
      Subnet mask 255.255.255.0
      Available range 192.168.9.0 - 192.168.9.255

    • VPN:

    • IPsec
      Tunnels: Enabled IPsec: FALSE (not enabled)
    • PPTP: Off
    • OpenVPN : Client
      No Firewall_1_WAN_IP TCP  Tunnel Connection 2 Office 1
      Protocol: TCP
      Server address : Firewall_1_WAN_IP (xx.xx.xx.xx)
      Server port: 1191
      Interface IP: 192.168.11.0/24
      Remote network: 192.168.3.0/24

    Proxy port: 3128

    Cryptography: BF-CBC(128bit)
    Authentication method: Shared key

    LZO compression: true

    Description: Tunnel 2 Office 1

    The rest is common configuration, default.
    So there is the office 1 network and the office 2 network, and then there are the ones for the Site-to-Site VPN (192.168.11.x) and the one for the external VPN connection (192.168.10.x), in which the clients can see each other whether they are in Office 1 or Office 2. What should I add, and where, for Office 1 to be able to route to the Office 2 clients?

    Note: No client from office 1 can access the network at office 2, and no client from office 2 can access its network mates if they have activated the OpenVPN Client App (which connects to the Office 1 VPN 1).

    Thank you very much
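A route-symmetry check built from the subnets posted in this thread (an added example, not code from the poster or from pfSense): it models which networks each side declares through its OpenVPN instances and flags pairs where traffic can get there but has no return route, which is the situation the note above describes for OpenVPN Client App users trying to reach office 2. The site names and the per-site route lists are assumptions reconstructed from the posted configuration.

```python
import ipaddress

# Constructed from the thread's configuration, not output of either firewall.
# Assumption: a site can only forward to a destination it has a route for:
# its own LAN or a network its OpenVPN instance declares or is pushed.
SITES = {
    "office1": {"lan": "192.168.3.0/24",
                "routes": ["192.168.9.0/24",     # site-to-site "Remote network"
                           "192.168.10.0/24"]},  # road-warrior address pool
    "office2": {"lan": "192.168.9.0/24",
                "routes": ["192.168.3.0/24"]},   # client "Remote network" only
    "rw_client": {"lan": "192.168.10.0/24",      # OpenVPN Client App address pool
                  "routes": ["192.168.3.0/24",   # server "Local network"
                             "192.168.9.0/24"]}, # push "route 192.168.9.0 ..."
}


def has_route(site, dst):
    """True if `site` knows how to reach network `dst` (own LAN or a declared route)."""
    dst = ipaddress.ip_network(dst)
    known = [site["lan"], *site["routes"]]
    return any(dst.subnet_of(ipaddress.ip_network(n)) for n in known)


def check_paths(sites):
    """Classify every ordered pair of sites by whether packets can go and come back."""
    result = {}
    for src, s in sites.items():
        for dst, d in sites.items():
            if src == dst:
                continue
            forward = has_route(s, d["lan"])
            back = has_route(d, s["lan"])
            if forward and back:
                result[(src, dst)] = "ok"
            elif forward:
                # Packets arrive (tcpdump sees them) but the replies have nowhere to go.
                result[(src, dst)] = "no_return_route"
            else:
                result[(src, dst)] = "no_forward_route"
    return result


if __name__ == "__main__":
    for (src, dst), state in check_paths(SITES).items():
        print(f"{src:>10} -> {dst:<10} {state}")
```

Route presence is only half of the check: pfSense must also have rules on each OpenVPN interface (and on office 2's LAN, which has none here) that pass the traffic, and this model does not cover those.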

