[solved] OpenVPN connects but I can't talk to LAN subnet

dlogan · Oct 16, 2011, 6:35 PM

Sorry for starting a new thread, I found another thread about this but reply was locked out.

I just upgraded to pfsense 2.0 this morning, and decided I wanted to try setting up a VPN. I found a couple of turorials about it and followed the instructions.

I set up an OpenVPN server, creating the required certs and a user, and let pfsense do most of the configuring via the new wizard. After completing the setup, my OpenVPN client connects, but I can't get traffic across. The LAN PCs can't ping my client, and my client can't ping anything on the LAN, including the Pfsense box itself.

My setup is fairly straighforward. I have 2 interfaces in the Pfsense box, 1 LAN on subnet 192.168.151.0/24 and WAN which is DHCP from cable provider.

In the VPN setup, I specified the tunnel network to be 192.168.152.0/24 and to allow access to my local network 192.168.151.0/24.

After my OpenVPN client connects, I checked ipconfig. I got issued 192.168.152.6, which appears to be in the tunnel I specified, except that the subnet is 255.255.255.252. There is also no Gateway listed for that interface.

Any insight?

Nachtfalke · Oct 16, 2011, 7:53 PM

OpenVPN is using a /30 subnet.
First address is network address
second is openvpn server
third openvpn client
fourth broadcast address

Thats the way OpenVPN is working.

After creating the OpenVPN server there comes up an additional tab in your firewall rules. You have to allow traffic from your OpenVPN network (192.168.152.0/24) to your remote Network (192.168.151.0/24). Without firewall rules there is no access.

dlogan · Oct 16, 2011, 8:34 PM

Thanks for the reply.

There is already a rule in the OpenVPN tab under Firewall Rules that says
Proto *, Source *, Port *, Destination *, Port *, Gateway *, Queue none, Schedule blank

Just for the hell of it I tried adding another rule specifically allowing anything from the OpenVPN interface to 192.168.151.0/24 and I also have a firewall allowing all LAN traffic to * under the LAN tab, but just for the hell of it I added one specifically allowing to 192.168.152.4/30 (I am getting issued 192.168.152.6/255.255.255.252, so the network address should be 192.168.151.4/30, right?)

Nothing changed, however. I am still unable to get any traffic to my LAN subnet or even to the Pfsense box itself…although port 1194 from the WAN is obviously reaching the Pfsense box from the net (I authenticate).

It doesn't seem like a firewall access problem. Maybe it's a routing issue? Do I need to somehow add a route somewhere telling the packets where to go?

Nachtfalke · Oct 17, 2011, 8:31 AM

@dlogan:

Please post screenshots of your:

OpenVPN Server config
Firewall rules on OpenVPN and WAN

Metu69salemi · Oct 17, 2011, 12:02 PM

If you're running windows vista/7 you have to run openvpn client as administrator, so it has rights to add that route to your vpn

dlogan · Oct 17, 2011, 12:16 PM

@Metu69salemi:

If you're running windows vista/7 you have to run openvpn client as administrator, so it has rights to add that route to your vpn

This was exactly my problem. Ran the client as admin, now VPN is fully working. Thank you very much, sir!

Metu69salemi · Oct 17, 2011, 4:54 PM

np, once in a while i share the same boat