(solved) OpenVPN Client connects successfully but has no access to local LAN



  • Hi together,

    I have a double pfsense setup, as perimeter-checkpoint configuration, here.

    Perimeter:
    WAN: public address space
    LAN: 10.10.10.11/24

    Checkpoint:
    WAN: 10.10.10.21/24
    LAN: 192.168.5.2/24

    From the perimeter box I'm redirecting the ovpn port 1194 to the checkpoint box.


    I configured the OpenVPN service through the wizard on the checkpoint box as follows:

    so the firewall rule for ovpn is also present

    Connecting from WinXP client via OpenVPN GUI seems fine:

    Tue Oct 18 11:41:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
    Tue Oct 18 11:41:12 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Oct 18 11:41:12 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Tue Oct 18 11:41:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Oct 18 11:41:12 2011 Control Channel Authentication: using 'checkpoint-udp-1194-tls.key' as a OpenVPN static key file
    Tue Oct 18 11:41:12 2011 LZO compression initialized
    Tue Oct 18 11:41:12 2011 UDPv4 link local (bound): [undef]:1194
    Tue Oct 18 11:41:12 2011 UDPv4 link remote: 87.234.62.244:1194
    Tue Oct 18 11:41:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Oct 18 11:41:12 2011 [IFE_SYSTEMS_Server_Certificate] Peer Connection Initiated with ***.***.***.***:1194
    Tue Oct 18 11:41:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Oct 18 11:41:15 2011 open_tun, tt->ipv6=0
    Tue Oct 18 11:41:15 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{C6DEDE73-98AE-439B-8FBD-D38C0866420C}.tap
    Tue Oct 18 11:41:16 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address LAN-Verbindung 2 dhcp
    Tue Oct 18 11:41:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C6DEDE73-98AE-439B-8FBD-D38C0866420C} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
    Tue Oct 18 11:41:19 2011 Successful ARP Flush on interface [65540] {C6DEDE73-98AE-439B-8FBD-D38C0866420C}
    Tue Oct 18 11:41:33 2011 Initialization Sequence Completed
    

    Client IP 10.0.8.6 and gateway 10.0.8.5 on clientside is successfully set.

    10.0.8.1 -> pingable
    10.0.8.5 -> not pingable

    192.168.5.2 -> pingable
    any different PC from 192.168.5.0/24 -> not pingable

    Can anyone point out what I'm doing wrong?

    Thx in Advance,

    Lorus



  • Do these PCs allow ICMP echo-reply from a different network?



  • Yeah, I figured out that the local PC received the echo requests, but wasn't able to reply to them, because its default gateway doesn't know a route to the VPN tunnel network. (currently replacing our router infrastructure with pfSense step by step)

    So adding a static route on the local PC with 192.168.5.2 as gateway is my temporary solution until I have everything configured and tested with pfSense and can finally replace the old routers with it.

    Thx for pushing me in the right direction :)

    cheerz,

    lorus



  • You need to write in ADVANCED:

    push "route 192.168.0.0 255.255.0.0";  - where 192.168.0.0 255.255.0.0 is your local network...

    good luck...
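The two suggestions in this thread touch different legs of the ping: the `push "route ..."` line gives the client a route for the request, while the static route on the LAN PC gives the reply a way back to the tunnel network. The following is an added example, not code from the thread or from pfSense: a small routing-table model of the topology described above that traces both legs hop by hop and reports where a packet is lost. It assumes a LAN PC at 192.168.5.50 with the old router at 192.168.5.1 as its default gateway and an upstream 198.51.100.1 (all three constructed placeholders), and it simplifies the tunnel to a flat 10.0.8.0/24 with the server at 10.0.8.1 instead of OpenVPN's net30 /30 sub-allocation seen in the log.

```python
"""Model of the thread's topology: does an echo request from the OpenVPN
client reach a LAN PC, and does the reply find its way back?"""
import ipaddress
from copy import deepcopy

# node -> addresses and routing table [(network, next_hop, iface)];
# next_hop None means directly connected. Simplified: the tunnel is treated
# as a flat 10.0.8.0/24 with the server at 10.0.8.1 (net30 /30s not modelled).
# 192.168.5.50, 192.168.5.1 and 198.51.100.1 are constructed placeholders.
TOPOLOGY = {
    "client": {
        "addrs": {"10.0.8.6"},
        "routes": [("10.0.8.0/24", None, "tap"),
                   ("192.168.5.0/24", "10.0.8.1", "tap")],  # pushed by the server
    },
    "checkpoint": {  # pfSense running the OpenVPN server
        "addrs": {"10.0.8.1", "192.168.5.2", "10.10.10.21"},
        "routes": [("10.0.8.0/24", None, "ovpns1"),
                   ("192.168.5.0/24", None, "lan"),
                   ("10.10.10.0/24", None, "wan"),
                   ("0.0.0.0/0", "10.10.10.11", "wan")],  # perimeter pfSense
    },
    "lanhost": {  # a LAN PC whose default gateway is still the old router
        "addrs": {"192.168.5.50"},
        "routes": [("192.168.5.0/24", None, "eth0"),
                   ("0.0.0.0/0", "192.168.5.1", "eth0")],
    },
    "legacy_router": {  # knows nothing about the tunnel network
        "addrs": {"192.168.5.1"},
        "routes": [("192.168.5.0/24", None, "lan"),
                   ("0.0.0.0/0", "198.51.100.1", "wan")],  # upstream, outside model
    },
}

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, iface) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])

def owner(topology, addr):
    """Node holding addr, or None if addr lies outside the model."""
    return next((n for n, node in topology.items() if addr in node["addrs"]), None)

def trace(topology, src_node, dst, max_hops=8):
    """Forward hop by hop; returns (delivered, [nodes visited], reason)."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if dst in topology[node]["addrs"]:
            return True, path, "delivered"
        hit = lookup(topology[node]["routes"], dst)
        if hit is None:
            return False, path, f"{node}: no route to {dst}"
        next_hop = hit[0] or dst  # directly connected -> hand to dst itself
        nxt = owner(topology, next_hop)
        if nxt is None:
            return False, path, f"{node}: sent to {next_hop}, outside the modelled network"
        path.append(nxt)
        node = nxt
    return False, path, "hop limit exceeded"

def ping_round_trip(topology, src_node, src_addr, dst_node, dst_addr):
    """Echo request and echo reply; both legs must be delivered."""
    req = trace(topology, src_node, dst_addr)
    rep = trace(topology, dst_node, src_addr)
    return {"request": req, "reply": rep, "ok": req[0] and rep[0]}

def with_host_static_route(topology, host="lanhost", via="192.168.5.2"):
    """Interim fix from the thread: static route on the PC for the tunnel net."""
    fixed = deepcopy(topology)
    fixed[host]["routes"].append(("10.0.8.0/24", via, "eth0"))
    return fixed

def without_pushed_route(topology):
    """Client that never received push "route ..." for the LAN network."""
    stripped = deepcopy(topology)
    stripped["client"]["routes"] = [r for r in stripped["client"]["routes"]
                                    if r[0] != "192.168.5.0/24"]
    return stripped

if __name__ == "__main__":
    for label, topo in (("as posted", TOPOLOGY),
                        ("static route on PC", with_host_static_route(TOPOLOGY)),
                        ("no pushed route", without_pushed_route(TOPOLOGY))):
        r = ping_round_trip(topo, "client", "10.0.8.6", "lanhost", "192.168.5.50")
        print(f"{label}: ok={r['ok']} request={r['request'][2]} reply={r['reply'][2]}")
```

Run as a script it prints one line per scenario: as posted, the request is delivered via checkpoint but the reply leaves the LAN through the legacy router and is lost; with the static route on the PC both legs complete; without the pushed route the client has no route for the request at all. The same check can be done on a real LAN host with `route print` (Windows) or `ip route get 10.0.8.6` (Linux), which should name 192.168.5.2, not the old router, as the next hop for the tunnel network.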

