OpenVPN Access to LAN Question

  • I've followed the various tutorials on setting up an OpenVPN server/client with pfSense, and I'm almost there, but I have a few questions.

    OpenVPN Clients: 192.168.200.0/24

    The VPN clients can access the DMZ servers fine, but cannot access anything on the LAN (Windows shares, RDP, etc.). I have the following routes being pushed down from the server:

    Destination      Mask                  Gateway            Interface

    I have NetBIOS unchecked, which should allow for share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online).

    Oddly enough, I can access the pfSense firewall on, I just can't seem to access anything beyond that. I don't have any specific rules on either the DMZ or LAN interface (based on what I read, I shouldn't need to, as VPN clients are allowed full access automatically).

    Am I missing something here?

  • Can you ping any 10.10.10.x host via VPN?

  • Nope. Just the gateway.

  • So you have set (your DMZ area) as "local network" in the OpenVPN configuration form, and configured the route for your LAN using the advanced configuration field.

    I have a similar configuration working.

    LAN 192.168.100.x
    Other subnets in LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x ...

    Using OpenVPN I can successfully connect to all these LANs.

    I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create static routes or firewall rules; just configure it as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense.

    push "route";

    I'm using pfSense 2.0 RC1; I was not able to make this work with the 1.2.3 version.

    Hope this can help you.

  • Ah. Interesting. I'm using 1.2.3, which might be why. I've also had my 'local network' set to the network space and only did a custom route to the DMZ (via push, as well as manually on the client via route add). I'm wondering if there's a limitation with 1.2.3 which prevents LAN access.
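The routing side of the problem discussed above can be checked without touching the firewall. The following is an added example, not code from the thread or from pfSense: it renders OpenVPN `push "route ..."` directives of the kind the earlier reply puts in the "advanced configuration" field, then simulates what a connected client will route through the tunnel. The tunnel network is the 192.168.200.0/24 from the original post; the LAN (10.10.10.0/24) and DMZ (172.16.50.0/24) subnets are constructed assumptions, since the thread only says "10.10.10.x" and never names the DMZ range.

```python
import ipaddress

# Constructed subnets for the example (assumptions, not taken from the thread).
VPN_CLIENTS = "192.168.200.0/24"   # tunnel network stated in the original post
LAN = "10.10.10.0/24"              # assumed; the post only says "10.10.10.x"
DMZ = "172.16.50.0/24"             # assumed; the thread never gives the DMZ range


def push_route_lines(subnets):
    """Render OpenVPN 'push "route <net> <mask>"' directives, one per subnet,
    in the form pfSense accepts in the OpenVPN 'advanced configuration' box."""
    lines = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}";')
    return lines


def parse_client_routes(server_lines, tunnel_net):
    """Return the networks a client will send via the tunnel: the tunnel
    subnet itself plus every route the server pushes."""
    routes = [ipaddress.ip_network(tunnel_net)]
    for line in server_lines:
        line = line.strip().rstrip(";")
        if not line.startswith('push "route '):
            continue                      # ignore unrelated push options
        body = line[len('push "'):].rstrip('"')
        _, addr, mask = body.split()      # "route <addr> <mask>"
        routes.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return routes


def via_tunnel(dest, routes):
    """True if dest is covered by a tunnel route; otherwise the client sends
    it to its normal default gateway and it never reaches pfSense."""
    dest_ip = ipaddress.ip_address(dest)
    return any(dest_ip in net for net in routes)


def diagnose(pushed_subnets, probes):
    """Map each probe address to whether it would go through the VPN."""
    routes = parse_client_routes(push_route_lines(pushed_subnets), VPN_CLIENTS)
    return {ip: via_tunnel(ip, routes) for ip in probes}


if __name__ == "__main__":
    probes = ["172.16.50.9", "10.10.10.5", "8.8.8.8"]
    print("DMZ only pushed:", diagnose([DMZ], probes))
    print("DMZ and LAN pushed:", diagnose([DMZ, LAN], probes))
```

With only the DMZ route pushed, a client's packet to 10.10.10.5 is not tunnelled at all, so no LAN firewall rule on pfSense can help; once the LAN subnet is also pushed (or covered by "local network"), the traffic reaches pfSense and any remaining problem is a firewall rule.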

  • Maybe 1.2.3 requires a firewall rule?

  • If so, what would that rule look like?

  • You should permit connections from your VPN to your DMZ.

    If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from

  • That's what I thought, too. I added a rule on the LAN interface to allow any any from but to no avail. As the DMZ network is reachable as-is ( (vpn) has access to (dmz) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?

  • I think that you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.

