OpenVPN, No Lan, Wan Fine



  • Hi Guys,

    First of all, sorry if this has been asked; I had a look, but to be honest I'm not 100% sure what I'm looking for, and all I found referred to Win7.

    Some definitions:

    dev-laptop is the OpenVPN client, the box I'd like to connect via VPN
    pfsense is an instance installed on a virtual machine on my ESXi box in a datacenter; static WAN address and LAN set to the range below
    internal is the IP range 10.0.0.0/8 for the LAN, on which my servers sit (I have a public /29 but most of my stuff is NAT'ed)
    external refers to websites and servers on the scary wide web

    So usually when I've set these things up in the past I've had access to the internal network but nothing external: I can access servers on the LAN but can't get out via the gateway. This time everything is the opposite: I can get out to the world perfectly fine, but there seems to be no access to internal servers.

    My VPN range is 10.0.4.0/24, the VPN gateway is 10.0.3.1 and the LAN gateway on pfSense is 10.0.3.0. Following this I would assume, then, that the VPN range should have access to the other hosts, as it is part of 10.0.0.0/8, but it seemingly doesn't. It can only get to the outside world.

    The firewall is set up to allow all requests on all ports and protocols on the internal range, but I can't access them.

    As you can probably guess, for a dev machine this is a bit annoying: whatever I've done would work perfectly were this set up to let me, say, avoid all the tedious GeoIP stuff regional websites put up, but nothing else.

    Could anybody point me in the right direction?

    The ovpn bundle generated (not sure it helps):

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    tls-client
    # 'client' implies 'pull': routes to the LAN can only arrive via the server's push directives,
    # as this file contains no 'route' lines of its own
    client
    resolv-retry infinite
    remote x.x.x.x 1195
    # tls-remote was deprecated in OpenVPN 2.3 and removed in 2.4 (replaced by verify-x509-name)
    tls-remote Zero Internet
    auth-user-pass
    pkcs12 duck-udp-1195.p12
    # LZO compression of the tunnel payload
    comp-lzo



  • Would you be trying to VPN out of a local network that is also in the 10.0.0.0/8 range?

    I avoided the 10. and 192.168. addresses for my tunnel network because they seemed to cause a lot of hassle if I was tunnelling out of someone's home network. I decided to use 172.23.23.0/24, as this seemed unlikely to be used as an out-of-the-box home network.

    Biggsy



  • @jspc

    You should first make clear which host is the OpenVPN SERVER and which is the OpenVPN CLIENT, and which networks you want to reach: the network(s) behind the SERVER or behind the CLIENT.

    If the networks are behind the SERVER:
    then you have to push the routes for the networks behind the server to your client. Pushing routes is configured on the SERVER.
    If you do not want to push the routes, you can add them to the CLIENT config.
    Both work, but I think the better solution is to push them from the SERVER to the client.
    The command on the SERVER is:

    push "route 192.168.100.0 255.255.255.0"

    If you want to connect to the network(s) behind the CLIENT:
    then you have to add the route of the network behind the CLIENT on the SERVER:

    route 192.168.200.0 255.255.255.0

    AND you have to add an "iroute" command on the CLIENT for the network behind the client.
    But about the iroute command I am not 100% sure.

    iroute 192.168.200.0 255.255.255.0
    
    
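The two cases above (networks behind the server, networks behind the client), written out as one server-side configuration. This is an added example, not configuration from the thread or from pfSense; it assumes the tunnel range 10.0.4.0/24 from the question, a LAN of 10.0.3.0/24 (the LAN gateway was given as 10.0.3.x), a client whose certificate CN is "dev-laptop", and a hypothetical 192.168.200.0/24 behind that client. One detail the reply was unsure about: in OpenVPN, iroute is a server-side directive that lives in the per-client file under client-config-dir, keyed by the client's CN; it is not accepted in the client's own config.

```conf
# Added example, not from the original thread. Assumed values: tunnel
# 10.0.4.0/24, LAN 10.0.3.0/24, client CN "dev-laptop", client-side
# network 192.168.200.0/24 (hypothetical).

# ---------- server.conf (on the pfSense/OpenVPN server) ----------
dev tun
proto udp
port 1195
# Tunnel pool; the server takes 10.0.4.1.
server 10.0.4.0 255.255.255.0

# Case 1: network BEHIND THE SERVER.
# A 'client' config pulls its routes from here. Without a push line the
# client only gets tunnel-local routes (plus a default route if redirect-
# gateway is pushed), which is exactly "Internet works, LAN does not".
push "route 10.0.3.0 255.255.255.0"
# Pushing the whole /8 instead only helps when the client's own LAN is not
# a 10.x network: a locally connected 10.0.x.0/24 is a more specific route
# and wins over a pushed 10.0.0.0/8, so those hosts would still go local.
# push "route 10.0.0.0 255.0.0.0"

# Case 2: network BEHIND THE CLIENT. Two server-side pieces are needed.
# (a) a kernel route so the server host sends that subnet into the tunnel:
route 192.168.200.0 255.255.255.0
# (b) an iroute so OpenVPN knows WHICH connected client owns the subnet.
#     iroute is only valid in a client-config-dir file, never in server.conf
#     or in the client's config, so enable the directory here:
client-config-dir /etc/openvpn/ccd

# ---------- /etc/openvpn/ccd/dev-laptop (file name = client CN) ----------
# iroute 192.168.200.0 255.255.255.0
# Per-client pushes may also go in this file, e.g. a LAN route for one client:
# push "route 10.0.3.0 255.255.255.0"
```

To confirm the push arrived, check the client's routing table after connecting (`ip route` on Linux, `route print` on Windows): 10.0.3.0/24 should appear via the tun interface's gateway, 10.0.4.1 here. In the pfSense GUI the push line corresponds to the server's "IPv4 Local network(s)" field, the route line to "IPv4 Remote network(s)", and the ccd file to a Client Specific Override. One more pfSense caveat: traffic arriving through the tunnel is filtered by the rules on the OpenVPN interface tab, not by the LAN rules, so an allow-all rule on LAN alone does not admit VPN clients to the LAN.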

Locked