Netgate Discussion Forum
    OpenVPN Access to LAN Question

Category: OpenVPN | 10 Posts, 2 Posters, 14.3k Views
pr0ject wrote:

I've followed the various tutorials on setting up an OpenVPN server/client with pfSense, and I'm almost there, but I have a few questions.

OpenVPN Clients: 192.168.200.0/24
DMZ: 192.168.1.0/24
LAN: 10.10.10.0/24

The VPN clients can access the DMZ servers fine, but cannot access anything on the LAN (Windows shares, RDP, etc.). I have the following routes being pushed down from the server:

Destination      Mask               Gateway          Interface
10.10.10.0       255.255.255.0      192.168.200.5    192.168.200.6
192.168.1.0      255.255.255.0      192.168.200.5    192.168.200.6
192.168.200.1    255.255.255.255    192.168.200.5    192.168.200.6

I have NetBIOS unchecked, which should allow for share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online).

Oddly enough, I can access the pfSense firewall on 10.10.10.1; I just can't seem to access anything beyond that. I don't have any specific rules on either the DMZ or LAN interface (based on what I read, I shouldn't need to, as VPN clients are allowed full access automatically).

Am I missing something here?
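Added example (not code from either poster): a small Python check that parses the pushed route table above and does a longest-prefix lookup, so you can confirm that the client-side routing actually sends LAN traffic into the tunnel before chasing firewall rules. The queried host addresses are constructed for the test.

```python
import ipaddress

# Route table as shown in the first post (Windows "route print" style columns).
# Copied from the thread; the hosts looked up below are constructed samples.
ROUTE_TABLE = """\
Destination      Mask               Gateway          Interface
10.10.10.0       255.255.255.0      192.168.200.5    192.168.200.6
192.168.1.0      255.255.255.0      192.168.200.5    192.168.200.6
192.168.200.1    255.255.255.255    192.168.200.5    192.168.200.6
"""

# Tunnel next hop taken from the pushed routes above.
VPN_GATEWAY = ipaddress.ip_address("192.168.200.5")


def parse_routes(text):
    """Parse 'destination mask gateway interface' rows into
    (network, gateway, interface) tuples, skipping the header."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore blank or malformed rows
        dest, mask, gw, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw), ipaddress.ip_address(iface)))
    return routes


def lookup(routes, host):
    """Longest-prefix match: return the most specific matching route or None."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def via_vpn(routes, host):
    """True when the client would forward traffic for host through the tunnel."""
    route = lookup(routes, host)
    return route is not None and route[1] == VPN_GATEWAY


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for h in ("10.10.10.50", "192.168.1.10", "172.16.0.1"):
        print(h, "via VPN" if via_vpn(table, h) else "not via VPN")
```

If a LAN host such as 10.10.10.50 reports "via VPN" yet only 10.10.10.1 answers, the pushed routes are not the problem and the pfSense side (interface rules, as discussed later in the thread) is where to look next.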
dannyb78 wrote:

Can you ping any 10.10.10.x host via VPN?
pr0ject wrote:

Nope. Just the gateway.
dannyb78 wrote:

So you have set 192.168.1.0/24 (your DMZ area) as "local network" in the OpenVPN configuration form, and configured the route for your LAN using the advanced configuration field.

I have a similar configuration working.

LAN 192.168.100.x
Other subnets in LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x …

Using OpenVPN I can successfully connect to all these LANs.

I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create static routes or firewall rules. Just configure 192.168.100.0/24 as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense:

push "route 192.168.3.0 255.255.255.0";

I'm using pfSense 2.0 RC1; I was not able to make this work with the 1.2.3 version.

Hope this can help you.
pr0ject wrote:

Ah. Interesting. I'm using 1.2.3, which might be why. I've also had my 'local network' set to the 10.10.10.0/24 network space and only did a custom route to the DMZ (via push, as well as manually on the client via route add). I'm wondering if there's a limitation with 1.2.3 which prevents LAN access.
dannyb78 wrote:

Maybe 1.2.3 requires a firewall rule?
pr0ject wrote:

If so, what would that rule look like?
dannyb78 wrote:

You should permit connections from your VPN to your DMZ.

If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from 192.168.200.0/24.
pr0ject wrote:

That's what I thought, too. I added a rule on the LAN interface to allow any/any from 192.168.200.0/24, but to no avail. As the DMZ network is reachable as-is (192.168.200.0/24 (VPN) has access to 192.168.1.0/24 (DMZ) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?
dannyb78 wrote:

I think that you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.