Netgate Discussion Forum

OpenVPN: server can ping VPN client, but LAN host can't

eyder:

I'm using pfSense 2.0.1-RELEASE (amd64).

The LAN IP of the pfSense box is 10.1.0.1/16.

My OpenVPN server has 5 VPN clients with IPs:
10.2.0.1/16
10.3.0.1/16
:
10.6.0.1/16
Each VPN client is a Linux (Fedora) server.

I can ping from a VPN client to a LAN host (10.1.x.y), but I can't ping from a LAN host to a VPN client.
The pfSense box can ping any LAN host (of course) and any VPN client without problem.

When I try to ping from a LAN host I get the following error:

ping 10.4.0.1  <==== one of the VPN clients

PING 10.4.0.1 (10.4.0.1) 56(84) bytes of data.
From 200.xxx.89.24 icmp_seq=1 Destination Net Unreachable
From 200.xxx.89.24 icmp_seq=2 Destination Net Unreachable

It seems like a routing problem, but the route to the 10.4.0.0/16 network exists in the pfSense route table!
It was pushed by the VPN server configuration.

pfSense route table (first lines):

Destination   Gateway        Flags  Refs  Use   Mtu    Netif       Expire
default       192.168.1.254  UGS    0     472   1500   em0_vlan11
10.0.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
10.0.1.0/24   10.0.1.2       UGS    0     0     1500   ovpns1
10.0.1.1      link#11        UHS    0     0     16384  lo0
10.0.1.2      link#11        UH     0     0     1500   ovpns1
10.1.0.0/16   link#1         U      0     8341  1500   bge0
10.1.0.1      link#1         UHS    0     0     16384  lo0
10.2.0.0/16   10.0.1.2       UGS    0     140   1500   ovpns1
10.3.0.0/16   10.0.1.2       UGS    0     108   1500   ovpns1
10.4.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
10.5.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
10.6.0.0/16   10.0.1.2       UGS    0     0     1500   ovpns1
:
:

My OpenVPN server advanced configuration:
route 10.0.0.0 255.255.0.0;route 10.2.0.0 255.255.0.0;route 10.3.0.0 255.255.0.0;route 10.4.0.0 255.255.0.0;route 10.5.0.0 255.255.0.0;route 10.6.0.0 255.255.0.0;

One of the Client Specific Overrides (client 10.4.0.1), advanced configuration:
ifconfig-push 10.0.4.1 10.0.4.2;iroute 10.4.0.0 255.255.0.0;push "route 10.2.0.0 255.255.0.0";push "route 10.3.0.0 255.255.0.0";push "route 10.5.0.0 255.255.0.0";push "route 10.6.0.0 255.255.0.0";

Another problem is that I can't ping between VPN clients. I turned on the option "Inter-client communication" in the server configuration, but it doesn't work.

Any ideas? Any help will be welcome!

Eyder Rios

heper:

You might need a firewall rule in your LAN tab to allow traffic to the destination.

eyder:

Thanks for your reply heper.

I did it already! Please check it below:

Proto  Source   Port  Destination  Port  Gateway  Queue
*      LAN net  *     net_vpn      *     DSL1     none

Where net_vpn is an alias for all VPN client networks: 10.2.0.0/16, 10.3.0.0/16, …, 10.6.0.0/16

However, while I was writing this reply I realised what the problem was. The rule above changes the default gateway of packets destined for VPN clients! That way the packets were not routed through the VPN interface, but through the WAN1 (via DSL1) interface.
I just kept the default gateway in the rule above and everything worked fine. I was blind!

Proto  Source   Port  Destination  Port  Gateway  Queue
*      LAN net  *     net_vpn      *     *        none

Thanks anyway.

Eyder
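The pitfall eyder ran into above (a gateway set on a LAN pass rule policy-routes matching packets out that gateway, overriding the routing table) is easy to reintroduce, so here is a small check for it. This is an added example, not code from the thread or from pfSense: the routing table and the two rule forms are constructed from what is quoted above, and the mapping of the DSL1 gateway to the em0_vlan11 interface is an assumption.

```python
import ipaddress

# Constructed from the thread: pfSense routing table (destination -> egress
# interface, gateway column dropped) and the LAN rule in its broken and fixed forms.
ROUTES = {
    "0.0.0.0/0": "em0_vlan11",  # the "default" line via 192.168.1.254
    "10.0.0.0/16": "ovpns1",
    "10.1.0.0/16": "bge0",      # LAN
    "10.2.0.0/16": "ovpns1",
    "10.3.0.0/16": "ovpns1",
    "10.4.0.0/16": "ovpns1",
    "10.5.0.0/16": "ovpns1",
    "10.6.0.0/16": "ovpns1",
}
ALIASES = {"net_vpn": ["10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16",
                       "10.5.0.0/16", "10.6.0.0/16"]}
# Assumption: the DSL1 gateway sits on the em0_vlan11 (WAN) interface.
GATEWAY_IFACE = {"DSL1": "em0_vlan11"}
BROKEN_RULE = {"src": "LAN net", "dst": "net_vpn", "gateway": "DSL1"}
FIXED_RULE = {"src": "LAN net", "dst": "net_vpn", "gateway": "*"}


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does; returns the egress interface."""
    target = ipaddress.ip_network(dst, strict=False)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_route_conflicts(rule, aliases=ALIASES, routes=ROUTES, gw_iface=GATEWAY_IFACE):
    """Destinations the rule would force out a different interface than the
    routing table chooses. A gateway of "*" means "use the routing table",
    so such a rule never conflicts."""
    if rule["gateway"] == "*":
        return []
    forced = gw_iface[rule["gateway"]]
    destinations = aliases.get(rule["dst"], [rule["dst"]])
    return [d for d in destinations if route_lookup(d, routes) != forced]


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, "rule steers these nets away from their route:",
              policy_route_conflicts(rule) or "none")
```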

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.