(solved) OpenVPN Client connects successfully but has no access to local LAN

  • Hi together,

    I have a double pfsense setup, as perimeter-checkpoint configuration, here.

    WAN: public address space


    From the perimeter box I'm redirecting the ovpn port 1194 to the checkpoint box.

    I configured the OpenVPN service through the wizard on the checkpoint box as follows:

    so the firewall rule for ovpn is also present

    Connecting from WinXP client via OpenVPN GUI seems fine:

    Tue Oct 18 11:41:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
    Tue Oct 18 11:41:12 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Oct 18 11:41:12 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Tue Oct 18 11:41:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Oct 18 11:41:12 2011 Control Channel Authentication: using 'checkpoint-udp-1194-tls.key' as a OpenVPN static key file
    Tue Oct 18 11:41:12 2011 LZO compression initialized
    Tue Oct 18 11:41:12 2011 UDPv4 link local (bound): [undef]:1194
    Tue Oct 18 11:41:12 2011 UDPv4 link remote:
    Tue Oct 18 11:41:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Oct 18 11:41:12 2011 [IFE_SYSTEMS_Server_Certificate] Peer Connection Initiated with ***.***.***.***:1194
    Tue Oct 18 11:41:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Oct 18 11:41:15 2011 open_tun, tt->ipv6=0
    Tue Oct 18 11:41:15 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{C6DEDE73-98AE-439B-8FBD-D38C0866420C}.tap
    Tue Oct 18 11:41:16 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address LAN-Verbindung 2 dhcp
    Tue Oct 18 11:41:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of on interface {C6DEDE73-98AE-439B-8FBD-D38C0866420C} [DHCP-serv:, lease-time: 31536000]
    Tue Oct 18 11:41:19 2011 Successful ARP Flush on interface [65540] {C6DEDE73-98AE-439B-8FBD-D38C0866420C}
    Tue Oct 18 11:41:33 2011 Initialization Sequence Completed

    Client IP and gateway on clientside is successfully set. -> pingable -> not pingable -> pingable
    any different PC from -> not pingable

    Can anyone point out what I'm doing wrong?

    Thx in Advance,


  • Do these PCs allow ICMP echo-reply from a different network?

  • Yeah, I figured out that the local PC received the echo-requests, but wasn't able to reply to them, because its default gateway doesn't know a route to the VPN tunnel network. (Currently replacing our router infrastructure with pfsense step-by-step.)

    So adding a static route with as gateway to the local pc is my temp solution until I have all configured and tested with pfsense and so can finally replace the old routers with it.

    Thx for pushing me in the right direction :)



  • You need to write this in ADVANCED:

    push "route";  - where your local network….

    good luck...
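
The routing problem worked out in this thread, as an added example that is not from any of the posters: a longest-prefix-match lookup showing that a ping needs a route in both directions, the pushed route on the VPN client and a route back to the tunnel network on the LAN host. All addresses and gateway labels are constructed, since the thread's real addresses are not on the page.

```python
import ipaddress

def table(*entries):
    """Build a routing table from (network, gateway) pairs."""
    return [(ipaddress.ip_network(net), gw) for net, gw in entries]

def next_hop(routes, dst):
    """Longest-prefix match: the gateway a host uses to reach dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed addressing, assumed for illustration only.
LAN = "192.168.10.0/24"
TUNNEL = "10.0.8.0/24"
OLD_ROUTER = "192.168.10.1"   # LAN hosts' default gateway, no tunnel route
PFSENSE = "192.168.10.254"    # checkpoint box running the OpenVPN server
VPN_CLIENT = "10.0.8.6"
LAN_HOST = "192.168.10.20"

# VPN client: without and with the LAN route pushed by the server.
CLIENT_NO_PUSH = table((TUNNEL, "tunnel"), ("0.0.0.0/0", "isp"))
CLIENT_PUSHED = CLIENT_NO_PUSH + table((LAN, "tunnel"))

# LAN host: before and after adding the static route to the tunnel network.
HOST_BEFORE = table((LAN, "on-link"), ("0.0.0.0/0", OLD_ROUTER))
HOST_AFTER = HOST_BEFORE + table((TUNNEL, PFSENSE))

def diagnose(client_routes, host_routes):
    """A ping succeeds only if request and reply both take the VPN path."""
    return {
        "request_via_tunnel": next_hop(client_routes, LAN_HOST) == "tunnel",
        "reply_via_pfsense": next_hop(host_routes, VPN_CLIENT) == PFSENSE,
    }

if __name__ == "__main__":
    cases = [
        ("no pushed route", CLIENT_NO_PUSH, HOST_AFTER),
        ("thread's symptom", CLIENT_PUSHED, HOST_BEFORE),
        ("static route added", CLIENT_PUSHED, HOST_AFTER),
    ]
    for label, client, host in cases:
        print(f"{label}: {diagnose(client, host)}")
```
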
