(solved) OpenVPN Client connects successfully but has no access to local LAN
-
Hi together,
I have a double pfsense setup, as perimeter-checkpoint configuration, here.
Perimeter:
WAN: public address space
LAN: 10.10.10.11/24
Checkpoint:
WAN: 10.10.10.21/24
LAN: 192.168.5.2/24
From the perimeter box I'm redirecting the ovpn port 1194 to the checkpoint box.
I configured the OpenVPN service through the wizard on the checkpoint box as follows:
so the firewall rule for ovpn is also present
Connecting from WinXP client via OpenVPN GUI seems fine:
Tue Oct 18 11:41:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
Tue Oct 18 11:41:12 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Oct 18 11:41:12 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Tue Oct 18 11:41:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 18 11:41:12 2011 Control Channel Authentication: using 'checkpoint-udp-1194-tls.key' as a OpenVPN static key file
Tue Oct 18 11:41:12 2011 LZO compression initialized
Tue Oct 18 11:41:12 2011 UDPv4 link local (bound): [undef]:1194
Tue Oct 18 11:41:12 2011 UDPv4 link remote: 87.234.62.244:1194
Tue Oct 18 11:41:12 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 18 11:41:12 2011 [IFE_SYSTEMS_Server_Certificate] Peer Connection Initiated with ***.***.***.***:1194
Tue Oct 18 11:41:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Oct 18 11:41:15 2011 open_tun, tt->ipv6=0
Tue Oct 18 11:41:15 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{C6DEDE73-98AE-439B-8FBD-D38C0866420C}.tap
Tue Oct 18 11:41:16 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address LAN-Verbindung 2 dhcp
Tue Oct 18 11:41:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C6DEDE73-98AE-439B-8FBD-D38C0866420C} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Tue Oct 18 11:41:19 2011 Successful ARP Flush on interface [65540] {C6DEDE73-98AE-439B-8FBD-D38C0866420C}
Tue Oct 18 11:41:33 2011 Initialization Sequence Completed
Client IP 10.0.8.6 and gateway 10.0.8.5 on the client side are successfully set.
10.0.8.1 -> pingable
10.0.8.5 -> not pingable
192.168.5.2 -> pingable
any different PC from 192.168.5.0/24 -> not pingable
Can anyone point out what I'm doing wrong?
Thx in advance,
Lorus
-
Do these PCs allow ICMP echo-reply from a different network?
-
Yeah, I figured out that the local PC received the echo-requests, but wasn't able to reply to them, because its default gateway doesn't know a route to the VPN tunnel network. (Currently replacing our router infrastructure with pfSense step by step.)
So adding a static route with 192.168.5.2 as gateway on the local PC is my temporary solution until I have everything configured and tested with pfSense and can finally replace the old routers with it.
Thx for pushing me in the right direction :)
cheerz,
lorus
-
You need to write in ADVANCED:
push "route 192.168.0.0 255.255.0.0"; where 192.168.0.0 255.255.0.0 is your local network...
good luck...
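To make the diagnosis in Lorus's reply concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that models the routing tables of the four hops involved and traces both directions of a ping. The tunnel and pfSense addresses are taken from the thread, but the tunnel is simplified to a flat 10.0.8.0/24 with the server end at 10.0.8.1 (the thread's client actually sits on a /30 with 10.0.8.5 as its peer); the LAN host 192.168.5.50, the old router 192.168.5.1 and its upstream 198.51.100.1 are constructed. The client-side route is the one a `push "route ..."` line installs; the return path shows why the LAN host's default gateway needs a route to the tunnel network, and why a static route on the host or on the old router both repair it.

```python
"""Trace a ping's request and reply paths through small simulated routing tables.

Added example for this thread; addresses marked 'constructed' are assumptions.
"""
import ipaddress
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

DIRECT = "direct"  # marker: destination prefix is on-link, no next hop needed

# A node is (its own addresses, routing table); a table entry is (prefix, next_hop).
Node = Tuple[set, List[Tuple[str, str]]]


def lookup(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: next-hop address, DIRECT, or None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def owner(nodes: Dict[str, Node], addr: str) -> Optional[str]:
    """Name of the node that holds `addr`, or None if it is outside the model."""
    for name, (addrs, _) in nodes.items():
        if addr in addrs:
            return name
    return None


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8) -> Tuple[bool, List[str]]:
    """Follow each hop's routing decision from node `src` toward address `dst`."""
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in nodes[cur][0]:
            return True, path
        hop = lookup(nodes[cur][1], dst)
        if hop is None:
            return False, path + ["no route"]
        nxt = owner(nodes, dst if hop == DIRECT else hop)
        if nxt is None:  # forwarded toward something we do not model, e.g. the internet
            return False, path + [f"{hop} (outside modeled network)"]
        path.append(nxt)
        cur = nxt
    return False, path + ["hop limit"]


def ping_round_trip(nodes: Dict[str, Node], src_addr: str, dst_addr: str) -> Tuple[bool, bool]:
    """(request reaches dst, reply reaches src) for an echo from src_addr to dst_addr."""
    request_ok, _ = trace(nodes, owner(nodes, src_addr), dst_addr)
    reply_ok = request_ok and trace(nodes, owner(nodes, dst_addr), src_addr)[0]
    return request_ok, reply_ok


def build_topology() -> Dict[str, Node]:
    """The thread's situation before Lorus added the static route."""
    return {
        # OpenVPN client (10.0.8.6 from the log); LAN route as pushed by the server
        "vpn-client": ({"10.0.8.6"},
                       [("10.0.8.0/24", DIRECT), ("192.168.5.0/24", "10.0.8.1")]),
        # Checkpoint pfSense: tunnel end (simplified to 10.0.8.1) and LAN 192.168.5.2
        "checkpoint": ({"10.0.8.1", "192.168.5.2"},
                       [("10.0.8.0/24", DIRECT), ("192.168.5.0/24", DIRECT),
                        ("0.0.0.0/0", "10.10.10.11")]),
        # Old router, still the LAN default gateway (address constructed);
        # it knows nothing about 10.0.8.0/24 and sends it upstream
        "old-router": ({"192.168.5.1"},
                       [("192.168.5.0/24", DIRECT), ("0.0.0.0/0", "198.51.100.1")]),
        # A LAN PC (address constructed) whose default gateway is the old router
        "lan-pc": ({"192.168.5.50"},
                   [("192.168.5.0/24", DIRECT), ("0.0.0.0/0", "192.168.5.1")]),
    }


def with_static_route(nodes: Dict[str, Node], node: str, prefix: str, next_hop: str) -> Dict[str, Node]:
    """Copy of the topology with one extra route installed on `node`."""
    new = deepcopy(nodes)
    new[node][1].insert(0, (prefix, next_hop))
    return new


if __name__ == "__main__":
    topo = build_topology()
    print("before:", ping_round_trip(topo, "10.0.8.6", "192.168.5.50"))
    print("  reply path:", trace(topo, "lan-pc", "10.0.8.6")[1])
    fixed = with_static_route(topo, "lan-pc", "10.0.8.0/24", "192.168.5.2")
    print("after static route on the PC:", ping_round_trip(fixed, "10.0.8.6", "192.168.5.50"))
```

Running it shows the request reaching the PC while the reply leaves the modeled network at the old router; installing the route either on the PC (Lorus's temporary fix) or on the old router makes the round trip complete.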