Netgate Discussion Forum

    (solved) OpenVPN Client connects successfully but has no access to local LAN

      lorus

      Hi together,

      I have a double pfSense setup here, in a perimeter/checkpoint configuration.

      Perimeter:
      WAN: public address space
      LAN: 10.10.10.11/24

      Checkpoint:
      WAN: 10.10.10.21/24
      LAN: 192.168.5.2/24

      From the perimeter box I'm redirecting the ovpn port 1194 to the checkpoint box.

      I configured the OpenVPN service through the wizard on the checkpoint box as follows:

      so the firewall rule for ovpn is also present

      Connecting from WinXP client via OpenVPN GUI seems fine:

      Tue Oct 18 11:41:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
      Tue Oct 18 11:41:12 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Tue Oct 18 11:41:12 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
      Tue Oct 18 11:41:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Tue Oct 18 11:41:12 2011 Control Channel Authentication: using 'checkpoint-udp-1194-tls.key' as a OpenVPN static key file
      Tue Oct 18 11:41:12 2011 LZO compression initialized
      Tue Oct 18 11:41:12 2011 UDPv4 link local (bound): [undef]:1194
      Tue Oct 18 11:41:12 2011 UDPv4 link remote: 87.234.62.244:1194
      Tue Oct 18 11:41:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Tue Oct 18 11:41:12 2011 [IFE_SYSTEMS_Server_Certificate] Peer Connection Initiated with ***.***.***.***:1194
      Tue Oct 18 11:41:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Tue Oct 18 11:41:15 2011 open_tun, tt->ipv6=0
      Tue Oct 18 11:41:15 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{C6DEDE73-98AE-439B-8FBD-D38C0866420C}.tap
      Tue Oct 18 11:41:16 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address LAN-Verbindung 2 dhcp
      Tue Oct 18 11:41:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C6DEDE73-98AE-439B-8FBD-D38C0866420C} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
      Tue Oct 18 11:41:19 2011 Successful ARP Flush on interface [65540] {C6DEDE73-98AE-439B-8FBD-D38C0866420C}
      Tue Oct 18 11:41:33 2011 Initialization Sequence Completed

      Client IP 10.0.8.6 and gateway 10.0.8.5 on clientside is successfully set.

      10.0.8.1 -> pingable
      10.0.8.5 -> not pingable

      192.168.5.2 -> pingable
      any different PC from 192.168.5.0/24 -> not pingable

      Can anyone point out what I'm doing wrong?

      Thx in Advance,

      Lorus

        Metu69salemi

        Do these PCs allow ICMP echo-reply from a different network?

          lorus

          Yeah, I figured out that the local PC received the echo-requests, but wasn't able to reply to them, because its default gateway doesn't know a route to the VPN tunnel network. (currently replacing our router infrastructure with pfSense step-by-step)

          So adding a static route with 192.168.5.2 as gateway on the local PC is my temporary solution until I have everything configured and tested with pfSense and can finally replace the old routers with it.

          Thx for pushing me in the right direction :)

          cheerz,

          lorus

            fox

            You need to write in ADVANCED:

            push "route 192.168.0.0 255.255.0.0";  - where 192.168.0.0 255.255.0.0 is your local network...

            good luck...

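The two diagnoses in this thread, the LAN PC's default gateway lacking a return route to the tunnel network (lorus) and the server needing to push the LAN route to the client (fox), as an added illustration that is not part of the thread or of pfSense: a small Python model that performs a longest-prefix-match lookup on each hop's routing table and traces the ping request and reply hop by hop. The tunnel addresses 10.0.8.6/10.0.8.5 and the checkpoint LAN address 192.168.5.2 come from the thread; the LAN PC at 192.168.5.50, the old router at 192.168.5.1 and the client's own gateway at 192.168.1.1 are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next-hop address); next hop None means directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]
Table = List[Route]


def route(prefix: str, via: Optional[str] = None) -> Route:
    return (ipaddress.ip_network(prefix), via)


# Which modelled device owns each next-hop address. 10.0.8.5 and 192.168.5.2
# are from the thread; 192.168.5.1 (legacy LAN router) and 192.168.1.1 (the
# client's own gateway) are assumptions made for this model.
OWNER = {
    "10.0.8.5": "checkpoint",
    "192.168.5.2": "checkpoint",
    "192.168.5.1": "old_router",
    "192.168.1.1": "home_router",
}

LAN_PC = "192.168.5.50"   # assumed address of a PC on the checkpoint LAN
CLIENT = "10.0.8.6"       # client tunnel address from the thread's log


def topology(push_lan_route: bool, pc_static_route: bool) -> Dict[str, Table]:
    """Routing tables for every hop. The two flags model fox's push "route"
    line on the server and the static route lorus added on the LAN PC."""
    client: Table = [route("10.0.8.4/30"), route("0.0.0.0/0", "192.168.1.1")]
    if push_lan_route:
        client.insert(0, route("192.168.5.0/24", "10.0.8.5"))
    lan_pc: Table = [route("192.168.5.0/24"), route("0.0.0.0/0", "192.168.5.1")]
    if pc_static_route:
        lan_pc.insert(0, route("10.0.8.0/24", "192.168.5.2"))
    return {
        "client": client,
        "checkpoint": [route("10.0.8.0/24"), route("192.168.5.0/24")],
        "lan_pc": lan_pc,
        "old_router": [route("192.168.5.0/24")],   # knows nothing about 10.0.8.0/24
        "home_router": [route("192.168.1.0/24")],  # knows nothing about 192.168.5.0/24
    }


def lookup(table: Table, dst: str) -> Optional[Route]:
    """Longest-prefix match, i.e. a host's or router's forwarding decision."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(tables: Dict[str, Table], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow dst hop by hop; the last element is 'delivered' or 'no route'."""
    path, hop = [start], start
    for _ in range(max_hops):
        r = lookup(tables[hop], dst)
        if r is None:
            return path + ["no route"]
        if r[1] is None:               # prefix is on-link here: the packet arrives
            return path + ["delivered"]
        hop = OWNER[r[1]]
        path.append(hop)
    return path + ["loop"]


def ping_check(push_lan_route: bool = True, pc_static_route: bool = False):
    """Return (request path, reply path, both_delivered) for client -> LAN PC."""
    t = topology(push_lan_route, pc_static_route)
    fwd = trace(t, "client", LAN_PC)
    back = trace(t, "lan_pc", CLIENT)
    return fwd, back, fwd[-1] == "delivered" and back[-1] == "delivered"


if __name__ == "__main__":
    for args in ({}, {"pc_static_route": True}, {"push_lan_route": False}):
        fwd, back, ok = ping_check(**args)
        print(args or "as in the thread", "->", "ok" if ok else "FAIL", fwd, back)
```

With the thread's original settings the request reaches the PC but the reply dies at the old router, which is exactly the asymmetric-routing symptom lorus saw (requests received, no replies). The per-PC static route makes the return path follow the tunnel; the longer-term fix lorus describes, replacing the old routers with pfSense so that the LAN's default gateway itself knows the tunnel network, removes the need for host-by-host routes.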