(solved) OpenVPN Client connects sucessfully but has no access to local LAN

lorus

Hi together,

I have a double pfsense setup, as perimeter-checkpoint configuration, here.

Perimeter:
WAN: public address space
LAN: 10.10.10.11/24

Checkpoint:
WAN: 10.10.10.21/24
LAN: 192.168.5.2/24

From the perimeter box I'm redirecting the ovpn port 1194 to the checkpoint box.

I configured the OpenVPN service through the wizzard on the checkpoint box as follows:

so the firewall rule for ovpn is also present

Connecting from WinXP client via OpenVPN GUI seems fine:

Tue Oct 18 11:41:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
Tue Oct 18 11:41:12 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Oct 18 11:41:12 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Tue Oct 18 11:41:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 18 11:41:12 2011 Control Channel Authentication: using 'checkpoint-udp-1194-tls.key' as a OpenVPN static key file
Tue Oct 18 11:41:12 2011 LZO compression initialized
Tue Oct 18 11:41:12 2011 UDPv4 link local (bound): [undef]:1194
Tue Oct 18 11:41:12 2011 UDPv4 link remote: 87.234.62.244:1194
Tue Oct 18 11:41:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 18 11:41:12 2011 [IFE_SYSTEMS_Server_Certificate] Peer Connection Initiated with ***.***.***.***:1194
Tue Oct 18 11:41:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Oct 18 11:41:15 2011 open_tun, tt->ipv6=0
Tue Oct 18 11:41:15 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{C6DEDE73-98AE-439B-8FBD-D38C0866420C}.tap
Tue Oct 18 11:41:16 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address LAN-Verbindung 2 dhcp
Tue Oct 18 11:41:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C6DEDE73-98AE-439B-8FBD-D38C0866420C} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Tue Oct 18 11:41:19 2011 Successful ARP Flush on interface [65540] {C6DEDE73-98AE-439B-8FBD-D38C0866420C}
Tue Oct 18 11:41:33 2011 Initialization Sequence Completed

Client IP 10.0.8.6 and gateway 10.0.8.5 on clientside is successfully set.

10.0.8.1 -> pingable
10.0.8.5 -> not pingable

192.168.5.2 -> pingable
any different PC from 192.168.5.0/24 -> not pingable

Can anyone pointing me out, what I'm doing wrong?

Thx in Advance,

Lorus

Metu69salemi

Does these pc's allow icmp echo-reply situation from different network?

lorus

Yeah, I figured out that the local pc recieved the echo-requests, but wasn't able to reply it, cause his default gateway doesn't know a route to the vpn tunnel network. (currently replacing our router infrastructure with pfsense step-by-step)

So adding a static route with 192.168.5.2 as gateway to the local pc is my temp solution until I have all configured and tested with pfsense and so can finally replace the old routers with it.

Thx for pushing me in the right direction :)

cheerz,

lorus

fox

need write ADVANCED

push "route 192.168.0.0 255.255.0.0";  - where    192.168.0.0 255.255.0.0  you local network….

good luck...