OpenVPN: Server pings VPN client, but LAN host doesn't



  • I'm using pfSense 2.0.1-RELEASE (amd64)

    The LAN IP of pfSense box is 10.1.0.1/16.

    My OpenVPN server has 5 VPN clients with IPs:
    10.2.0.1/16
    10.3.0.1/16
    :
    10.6.0.1/16
    Each VPN client is a Linux (Fedora) server.

    I can ping from a VPN client to a LAN host (10.1.x.y), but I can't ping from a LAN host to a VPN client.
    The pfSense box can ping any LAN host (of course) and any VPN client without problems.

    When I try to ping from a LAN host, I get the following error:

    ping 10.4.0.1  <==== one of the VPN clients

    PING 10.4.0.1 (10.4.0.1) 56(84) bytes of data.
    From 200.xxx.89.24 icmp_seq=1 Destination Net Unreachable
    From 200.xxx.89.24 icmp_seq=2 Destination Net Unreachable

    Seems like a routing problem, but the route to the 10.4.0.0/16 network exists in the pfSense route table!
    It was pushed by the VPN server configuration.

    pfSense route table (first lines)

    Destination   Gateway        Flags  Refs  Use   Mtu    Netif       Expire
    default       192.168.1.254  UGS    0     472   1500   em0_vlan11
    10.0.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
    10.0.1.0/24   10.0.1.2       UGS    0     0     1500   ovpns1
    10.0.1.1      link#11        UHS    0     0     16384  lo0
    10.0.1.2      link#11        UH     0     0     1500   ovpns1
    10.1.0.0/16   link#1         U      0     8341  1500   bge0
    10.1.0.1      link#1         UHS    0     0     16384  lo0
    10.2.0.0/16   10.0.1.2       UGS    0     140   1500   ovpns1
    10.3.0.0/16   10.0.1.2       UGS    0     108   1500   ovpns1
    10.4.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
    10.5.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
    10.6.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
    :
    :

    My OpenVPN Server advanced configuration:
    route 10.0.0.0 255.255.0.0;route 10.2.0.0 255.255.0.0;route 10.3.0.0 255.255.0.0;route 10.4.0.0 255.255.0.0;route 10.5.0.0 255.255.0.0;route  10.6.0.0 255.255.0.0;

    One of Client Specific Override (client 10.4.0.1) advanced configuration:
    ifconfig-push 10.0.4.1 10.0.4.2;iroute 10.4.0.0 255.255.0.0;push "route 10.2.0.0 255.255.0.0";push "route 10.3.0.0 255.255.0.0";push "route 10.5.0.0 255.255.0.0";push "route 10.6.0.0 255.255.0.0";

    Another problem is that I can't ping between VPN clients. I turned on the "Inter-client communication" option in the server configuration, but it doesn't work.

    Any ideas? Any help will be welcome!

    Eyder RIos
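The server `route` lines, the per-client `iroute` and the `push "route ..."` lines in the post above have to agree with each other for a routed multi-site setup to work. The following script is an added example, not code from the thread or from pfSense: it parses the semicolon-separated "advanced configuration" strings exactly as pfSense 2.0 stores them and cross-checks them. The server string and the 10.4.0.1 override are copied from the post; the overrides for the other four clients are constructed here following the same pattern (the thread does not show them), and the "client-bad" override is a constructed broken one added to show what the checks catch. All function and variable names are this example's own.

```python
"""Consistency check for pfSense/OpenVPN 'advanced configuration' strings.

pfSense 2.0 stores extra OpenVPN directives as one semicolon-separated string
per server and per client-specific override.  For routed site-to-site setups
three things have to line up, and this script checks them:

  * every `iroute` in an override has a matching server-side `route`
    (the server kernel needs a route into the tunnel for that client LAN),
  * every `push "route ..."` in an override names a LAN that some *other*
    override claims with `iroute` (otherwise the pushed route leads nowhere),
  * every `ifconfig-push` address lies inside a network the server routes
    into the tunnel.
"""
import ipaddress
import shlex


def parse_directives(text):
    """Split an advanced-config string into (keyword, args) tuples."""
    out = []
    for raw in text.split(";"):
        raw = raw.strip()
        if raw:
            parts = shlex.split(raw)  # keeps push "route a.b.c.d m.m.m.m" as one arg
            out.append((parts[0], parts[1:]))
    return out


def to_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def server_routes(server_text):
    return {to_net(*a[:2]) for k, a in parse_directives(server_text) if k == "route"}


def override_info(override_text):
    info = {"iroute": set(), "push_route": set(), "ifconfig_push": []}
    for k, a in parse_directives(override_text):
        if k == "iroute":
            info["iroute"].add(to_net(*a[:2]))
        elif k == "push" and a and a[0].startswith("route "):
            _, addr, mask = a[0].split()
            info["push_route"].add(to_net(addr, mask))
        elif k == "ifconfig-push":
            info["ifconfig_push"] += [ipaddress.ip_address(x) for x in a[:2]]
    return info


def check(server_text, overrides):
    """Return a list of problem strings; an empty list means the config is consistent."""
    routes = server_routes(server_text)
    infos = {name: override_info(t) for name, t in overrides.items()}
    owner = {net: name for name, i in infos.items() for net in i["iroute"]}
    problems = []
    for name, i in infos.items():
        for net in sorted(i["iroute"]):
            if net not in routes:
                problems.append(f"{name}: iroute {net} has no matching server 'route'")
        for net in sorted(i["push_route"]):
            if net not in owner:
                problems.append(f"{name}: pushes route {net} but no override iroutes it")
            elif owner[net] == name:
                problems.append(f"{name}: pushes its own LAN {net} back to itself")
        for addr in i["ifconfig_push"]:
            if not any(addr in net for net in routes):
                problems.append(f"{name}: ifconfig-push {addr} is outside every server route")
    return problems


# Server string as posted in the thread.
SERVER = ("route 10.0.0.0 255.255.0.0;route 10.2.0.0 255.255.0.0;route 10.3.0.0 255.255.0.0;"
          "route 10.4.0.0 255.255.0.0;route 10.5.0.0 255.255.0.0;route  10.6.0.0 255.255.0.0;")

# Override for client 10.4.0.1 as posted.
OVERRIDE_10_4 = ('ifconfig-push 10.0.4.1 10.0.4.2;iroute 10.4.0.0 255.255.0.0;'
                 'push "route 10.2.0.0 255.255.0.0";push "route 10.3.0.0 255.255.0.0";'
                 'push "route 10.5.0.0 255.255.0.0";push "route 10.6.0.0 255.255.0.0";')


def same_pattern_override(n, all_n=range(2, 7)):
    """Constructed override for client 10.n.0.1 following the posted pattern."""
    parts = [f"ifconfig-push 10.0.{n}.1 10.0.{n}.2", f"iroute 10.{n}.0.0 255.255.0.0"]
    parts += [f'push "route 10.{m}.0.0 255.255.0.0"' for m in all_n if m != n]
    return ";".join(parts) + ";"


GOOD_OVERRIDES = {f"client-10.{n}.0.1": same_pattern_override(n) for n in (2, 3, 5, 6)}
GOOD_OVERRIDES["client-10.4.0.1"] = OVERRIDE_10_4

# Constructed broken override: LAN with no server route, pushes its own LAN back
# to itself, and tunnel addresses outside every server route.
BAD_OVERRIDES = dict(GOOD_OVERRIDES)
BAD_OVERRIDES["client-bad"] = ('ifconfig-push 172.16.9.1 172.16.9.2;iroute 10.7.0.0 255.255.0.0;'
                               'push "route 10.7.0.0 255.255.0.0";')

if __name__ == "__main__":
    for label, cfg in (("posted config", GOOD_OVERRIDES), ("with broken override", BAD_OVERRIDES)):
        print(f"{label}: {check(SERVER, cfg) or 'OK'}")
```

Run as-is it reports the posted configuration as consistent and lists four problems for the constructed "client-bad" override. The check is deliberately limited to what the directives themselves can tell you; it says nothing about firewall rules or policy routing, which is where the thread's actual problem turned out to be.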



  • You might need a firewall rule in your LAN tab to allow traffic to the destination.



  • Thanks for your reply heper.

    I did it already! Please check it below:

    Proto  Source   Port  Destination  Port  Gateway  Queue
    *      LAN net  *     net_vpn      *     DSL1     none

    Where net_vpn is an alias for all the VPN client networks: 10.2.0.0/16, 10.3.0.0/16, …, 10.6.0.0/16

    However, while I was writing this reply I realised what the problem was. The rule above changes the default gateway for packets destined for the VPN clients! That way the packets were not routed through the VPN interface, but through the WAN1 (via DSL1) interface.
    I just kept the default gateway in the rule above and everything worked fine. I was blind!

    Proto  Source   Port  Destination  Port  Gateway  Queue
    *      LAN net  *     net_vpn      *     *        none

    Thanks anyway.

    Eyder
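The fix above hinges on one pf behaviour: a pfSense rule with a Gateway set is rendered as a pf `route-to` rule, and `route-to` overrides the kernel routing table, so the LAN rule was sending VPN-bound packets out the DSL1 WAN (which is why the "Destination Net Unreachable" replies came from a public address). The script below is an added example, not code from the thread or from pfSense: it takes `pfctl -sr` and `netstat -rn` output as text and flags every route-to rule whose destination overlaps a network the routing table reaches through an ovpn* interface. The route table is the one posted above; the pf rule lines are constructed approximations of what pfSense generates for the LAN rule before and after the fix, and the third rule set goes beyond the thread to the more common variant, a catch-all "LAN to any" rule with a gateway set. All names in the script are this example's own.

```python
"""Spot pfSense firewall rules that policy-route VPN-bound traffic out a WAN.

Setting a Gateway on a pfSense rule turns it into a pf `route-to` rule, and
`route-to` overrides the kernel routing table.  A LAN rule that matches
VPN-side destinations and carries a WAN gateway therefore pushes those
packets out the WAN instead of into the tunnel.

Inputs are `pfctl -sr` output and `netstat -rn` output as text, plus the
contents of the alias tables; the report lists every route-to rule whose
destination overlaps a network the routing table reaches via an ovpn*
interface.
"""
import ipaddress
import re

ROUTE_TO_RE = re.compile(r"route-to \((\S+) (\S+)\)")
FROM_TO_RE = re.compile(r"\bfrom (\S+) to (\S+)")
LABEL_RE = re.compile(r'label "([^"]*)"')


def tunnel_networks(netstat_text):
    """Destinations that netstat -rn reaches through an OpenVPN interface."""
    nets = set()
    for line in netstat_text.strip().splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] in ("Destination", "default"):
            continue
        if cols[6].startswith("ovpn"):          # ovpns1, ovpnc2, ...
            nets.add(ipaddress.ip_network(cols[0], strict=False))
    return nets


def expand_dst(token, aliases):
    """Turn a pf destination token into the list of networks it covers."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if token.startswith("<") and token.endswith(">"):   # alias table
        return [ipaddress.ip_network(n, strict=False) for n in aliases[token[1:-1]]]
    return [ipaddress.ip_network(token, strict=False)]


def misrouted_rules(pfctl_text, netstat_text, aliases):
    """Return (label, gateway_interface, [overlapping tunnel nets]) per offending rule."""
    tnets = sorted(tunnel_networks(netstat_text))
    hits = []
    for line in pfctl_text.strip().splitlines():
        rt, ft = ROUTE_TO_RE.search(line), FROM_TO_RE.search(line)
        if not (rt and ft):
            continue                              # no gateway set: kernel routing applies
        overlap = [str(t) for d in expand_dst(ft.group(2), aliases) for t in tnets if d.overlaps(t)]
        if overlap:
            lbl = LABEL_RE.search(line)
            hits.append((lbl.group(1) if lbl else line, rt.group(1), overlap))
    return hits


# Route table as posted in the thread (netstat -rn, first lines).
NETSTAT = """\
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.1.254 UGS 0 472 1500 em0_vlan11
10.0.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.0.1.0/24 10.0.1.2 UGS 0 0 1500 ovpns1
10.0.1.1 link#11 UHS 0 0 16384 lo0
10.0.1.2 link#11 UH 0 0 1500 ovpns1
10.1.0.0/16 link#1 U 0 8341 1500 bge0
10.1.0.1 link#1 UHS 0 0 16384 lo0
10.2.0.0/16 10.0.1.2 UGS 0 140 1500 ovpns1
10.3.0.0/16 10.0.1.2 UGS 0 108 1500 ovpns1
10.4.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.5.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.6.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
"""

ALIASES = {"net_vpn": ["10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16", "10.5.0.0/16", "10.6.0.0/16"]}

# Constructed approximations of the pf rules pfSense generates for the LAN rule
# in the thread, before (Gateway = DSL1) and after (Gateway = default) the fix.
RULES_BEFORE = ('pass in quick on bge0 route-to (em0_vlan11 192.168.1.254) inet '
                'from 10.1.0.0/16 to <net_vpn> flags S/SA keep state label "USER_RULE: LAN to VPN"\n')
RULES_AFTER = ('pass in quick on bge0 inet from 10.1.0.0/16 to <net_vpn> '
               'flags S/SA keep state label "USER_RULE: LAN to VPN"\n')
# The more common variant: a catch-all LAN rule with a gateway set (also constructed).
RULES_CATCHALL = ('pass in quick on bge0 route-to (em0_vlan11 192.168.1.254) inet '
                  'from 10.1.0.0/16 to any flags S/SA keep state label "USER_RULE: LAN to any via DSL1"\n')

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER), ("catch-all", RULES_CATCHALL)):
        print(name, misrouted_rules(rules, NETSTAT, ALIASES) or "OK")
```

The "before" rule is reported with its gateway interface and the five VPN networks it hijacks; the "after" rule is clean. The catch-all variant is flagged against every tunnel-side network, which is the usual fix-it-forward lesson: when a gateway is set on a broad LAN rule, a pass rule for VPN and other local destinations with the default gateway has to sit above it.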

