OpenVPN Access to LAN Question
- 
 I've followed the various tutorials on setting up an OpenVPN server/client with pfSense, and I'm almost there... but I have a few questions.
 OpenVPN Clients: 192.168.200.0/24
 DMZ: 192.168.1.0/24
 LAN: 10.10.10.0/24
 The VPN clients can access the DMZ servers fine, but cannot access anything on the LAN (Windows shares, RDP, etc.). I have the following routes being pushed down from the server:
 Destination      Mask               Gateway          Interface
 10.10.10.0       255.255.255.0      192.168.200.5    192.168.200.6
 192.168.1.0      255.255.255.0      192.168.200.5    192.168.200.6
 192.168.200.1    255.255.255.255    192.168.200.5    192.168.200.6
 I have NetBIOS unchecked, which should allow for share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online). Oddly enough, I can access the pfSense firewall on 10.10.10.1; I just can't seem to access anything beyond that. I don't have any specific rules on either the DMZ or LAN interface (based on what I read, I shouldn't need to, as VPN clients are allowed full access automatically). Am I missing something here?
- 
 Can you ping any 10.10.10.x host via VPN?
- 
 Nope. Just the gateway. 
- 
 So you have set 192.168.1.0/24 (your DMZ area) as "local network" in the OpenVPN configuration form, and configured the route for your LAN using the advanced configuration field. I have a similar configuration working.
 LAN: 192.168.100.x
 Other subnets in LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x, ...
 Using OpenVPN I can successfully connect to all of these LANs. I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create static routes or firewall rules. Just configure 192.168.100.0/24 as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense:
 push "route 192.168.3.0 255.255.255.0";
 I'm using pfSense 2.0 RC1; I was not able to make this work with version 1.2.3. Hope this can help you.
- 
 Ah. Interesting. I'm using 1.2.3 which might be why. I've also had my 'local network' set to the 10.10.10.0/24 network space and only did a custom route to the DMZ (via push as well as manually on the client via route add). I'm wondering if there's a limitation with 1.2.3 which prevents LAN access. 
- 
 Maybe 1.2.3 requires a firewall rule?
- 
 If so, what would that rule look like? 
- 
 You should permit connections from your VPN to your DMZ. If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from 192.168.200.0/24.
- 
 That's what I thought, too. I added a rule on the LAN interface to allow any any from 192.168.200.0/24, but to no avail. As the DMZ network is reachable as-is (192.168.200.0/24 (VPN) has access to 192.168.1.0/24 (DMZ) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?
- 
 I think that you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.