OpenVPN Access to LAN Question



  • I've followed the various tutorials on setting up an OpenVPN server/client with pfSense, and I'm almost there, but I have a few questions.

    OpenVPN Clients: 192.168.200.0/24
    DMZ: 192.168.1.0/24
    LAN: 10.10.10.0/24

    The VPN clients can access the DMZ servers fine, but cannot access anything on the LAN (Windows shares, RDP, etc.). I have the following routes being pushed down from the server:

    Destination     Mask             Gateway        Interface
    10.10.10.0      255.255.255.0    192.168.200.5  192.168.200.6
    192.168.1.0     255.255.255.0    192.168.200.5  192.168.200.6
    192.168.200.1   255.255.255.255  192.168.200.5  192.168.200.6

    I have NetBIOS unchecked, which should allow share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online).

    Oddly enough, I can access the pfSense firewall on 10.10.10.1; I just can't seem to access anything beyond that. I don't have any specific rules on either the DMZ or LAN interface (based on what I read, I shouldn't need to, as VPN clients are allowed full access automatically).

    Am I missing something here?



  • Can you ping any 10.10.10.x host via VPN?



  • Nope. Just the gateway.



  • So you have set 192.168.1.0/24 (your DMZ area) as "local network" in the OpenVPN configuration form, and configured the route for your LAN using the advanced configuration field.

    I have a similar configuration working.

    LAN: 192.168.100.x
    Other subnets in the LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x, ...

    Using OpenVPN I can successfully connect to all of these LANs.

    I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create static routes or firewall rules; just configure 192.168.100.0/24 as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense.

    push "route 192.168.3.0 255.255.255.0";

    I'm using pfSense 2.0 RC1; I was not able to make this work with version 1.2.3.

    Hope this can help you.
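A small diagnostic, added here and not code from the thread or from pfSense, that parses the push lines this post describes and the client's route table from the first post, then confirms every pushed network was installed and that a LAN host would be routed through the tunnel gateway. The sample push lines, route rows and the host 10.10.10.50 are constructed from the subnets in this thread; when the check passes, routing is not the problem and the remaining suspects are firewall rules on the pfSense interfaces or the LAN hosts themselves.

```python
import ipaddress
import re

# Constructed sample: push lines as they would appear in the OpenVPN server
# config (or pfSense's "advanced configuration" box) for this thread's subnets.
SERVER_PUSH_LINES = """
push "route 10.10.10.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
"""

# Constructed sample: the client's route table as shown in the first post
# (destination, mask, gateway, interface).
CLIENT_ROUTE_TABLE = """
10.10.10.0      255.255.255.0    192.168.200.5  192.168.200.6
192.168.1.0     255.255.255.0    192.168.200.5  192.168.200.6
192.168.200.1   255.255.255.255  192.168.200.5  192.168.200.6
"""

PUSH_RE = re.compile(r'push\s+"route\s+(\S+)\s+(\S+)"')


def pushed_networks(config_text):
    """Networks the server instructs clients to route through the tunnel."""
    return {ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in PUSH_RE.findall(config_text)}


def parse_route_table(text):
    """Parse 'dest mask gateway iface' rows into (network, gateway) pairs."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, _iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway))
    return routes


def tunnel_gateway_for(host, routes):
    """Longest-prefix match: the gateway used for host, or None if no route covers it."""
    addr = ipaddress.ip_address(host)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def missing_routes(config_text, route_text):
    """Pushed networks the client did not install; empty means routing is fine."""
    installed = {net for net, _ in parse_route_table(route_text)}
    return pushed_networks(config_text) - installed
```

Run `missing_routes(SERVER_PUSH_LINES, CLIENT_ROUTE_TABLE)` against a real client's `route print` / `netstat -rn` output pasted into `CLIENT_ROUTE_TABLE` to see which pushed networks never arrived.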



  • Ah, interesting. I'm using 1.2.3, which might be why. I've also had my 'local network' set to the 10.10.10.0/24 network space and only did a custom route to the DMZ (via push as well as manually on the client via route add). I'm wondering if there's a limitation in 1.2.3 which prevents LAN access.



  • Maybe 1.2.3 requires a firewall rule?



  • If so, what would that rule look like?



  • You should permit connections from your VPN to your DMZ.

    If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from 192.168.200.0/24.



  • That's what I thought, too. I added a rule on the LAN interface to allow any/any from 192.168.200.0/24, but to no avail. As the DMZ network is reachable as-is (192.168.200.0/24 (VPN) has access to 192.168.1.0/24 (DMZ) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?



  • I think that you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.

