OpenVPN: Server pings VPN client, but LAN host doesn't
-
I'm using pfSense 2.0.1-RELEASE (amd64)
The LAN IP of pfSense box is 10.1.0.1/16.
My OpenVPN server has 5 VPN clients with IPs:
10.2.0.1/16
10.3.0.1/16
:
10.6.0.1/16
Each VPN client is a Linux (Fedora) server. I can ping from a VPN client to a LAN host (10.1.x.y), but I can't ping from a LAN host to a VPN client.
The pfSense box can ping any LAN host (of course) and any VPN client without problem. When I try to ping from a LAN host I get the following error:
ping 10.4.0.1 <==== one of the VPN clients
PING 10.4.0.1 (10.4.0.1) 56(84) bytes of data.
From 200.xxx.89.24 icmp_seq=1 Destination Net Unreachable
From 200.xxx.89.24 icmp_seq=2 Destination Net Unreachable
Seems like a route problem, but the route to the 10.4.0.0/16 network exists in the pfSense route table!
It was pushed by the VPN server configuration.
pfSense route table (first lines):
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.1.254 UGS 0 472 1500 em0_vlan11
10.0.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.0.1.0/24 10.0.1.2 UGS 0 0 1500 ovpns1
10.0.1.1 link#11 UHS 0 0 16384 lo0
10.0.1.2 link#11 UH 0 0 1500 ovpns1
10.1.0.0/16 link#1 U 0 8341 1500 bge0
10.1.0.1 link#1 UHS 0 0 16384 lo0
10.2.0.0/16 10.0.1.2 UGS 0 140 1500 ovpns1
10.3.0.0/16 10.0.1.2 UGS 0 108 1500 ovpns1
10.4.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.5.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.6.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
:
My OpenVPN server advanced configuration:
route 10.0.0.0 255.255.0.0;
route 10.2.0.0 255.255.0.0;
route 10.3.0.0 255.255.0.0;
route 10.4.0.0 255.255.0.0;
route 10.5.0.0 255.255.0.0;
route 10.6.0.0 255.255.0.0;
One of the Client Specific Overrides (client 10.4.0.1) advanced configuration:
ifconfig-push 10.0.4.1 10.0.4.2;
iroute 10.4.0.0 255.255.0.0;
push "route 10.2.0.0 255.255.0.0";
push "route 10.3.0.0 255.255.0.0";
push "route 10.5.0.0 255.255.0.0";
push "route 10.6.0.0 255.255.0.0";
Another problem is that I can't ping between VPN clients. I turned on the "Inter-client communication" option in the server configuration, but it doesn't work.
Any ideas? Any help will be welcome!
Eyder Rios
-
You might need a firewall rule in your LAN tab to allow traffic to the destination.
-
Thanks for your reply heper.
I did it already! Please check it below:
Proto Source Port Destination Port Gateway Queue
* LAN net * net_vpn * DSL1 none
Where net_vpn is an alias for all the VPN client networks: 10.2.0.0/16, 10.3.0.0/16, …, 10.6.0.0/16.
However, while I was writing this reply I realised what the problem was. The rule above changes the default gateway of packets destined for the VPN clients! That way the packets were not routed through the VPN interface, but through the WAN1 (via DSL1) interface.
I just kept the default gateway in the rule above and everything worked fine. I was blind!
Proto Source Port Destination Port Gateway Queue
* LAN net * net_vpn * * none
Thanks anyway.
Eyder
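The diagnosis above, as an added example that is not part of the thread: a small model of how a pfSense LAN rule with an explicit gateway (policy routing) overrides the kernel's longest-prefix-match route table, so VPN-bound packets leave via the WAN gateway instead of ovpns1. The route table excerpt is constructed from the one posted; the rule dictionaries and function names are hypothetical, not pfSense's own API.

```python
import ipaddress

# Constructed excerpt modelled on the netstat-style route table in the thread.
ROUTE_TABLE = """\
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.1.254 UGS 0 472 1500 em0_vlan11
10.0.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
10.0.1.2 link#11 UH 0 0 1500 ovpns1
10.1.0.0/16 link#1 U 0 8341 1500 bge0
10.4.0.0/16 10.0.1.2 UGS 0 0 1500 ovpns1
"""

def parse_routes(text):
    """Return a list of (network, gateway, netif) from a netstat -rn style dump."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, _flags, _refs, _use, _mtu, netif = line.split()[:7]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route the kernel uses when no policy rule overrides it."""
    addr = ipaddress.ip_address(str(dst))
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best

# Hypothetical model of a pfSense LAN pass rule; a gateway other than '*' means policy routing.
VPN_ALIAS = [ipaddress.ip_network(f"10.{n}.0.0/16") for n in range(2, 7)]   # the net_vpn alias
RULE_WITH_GATEWAY = {"src": ipaddress.ip_network("10.1.0.0/16"), "dst": VPN_ALIAS, "gateway": "DSL1"}
RULE_FIXED = {"src": ipaddress.ip_network("10.1.0.0/16"), "dst": VPN_ALIAS, "gateway": "*"}

def egress(routes, rules, src, dst):
    """Gateway/interface a LAN packet actually leaves on. First matching rule wins;
    an explicit gateway on the rule bypasses the route table entirely, which is why
    the VPN-bound pings went out DSL1 instead of ovpns1."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule["src"] and any(d in n for n in rule["dst"]):
            if rule["gateway"] != "*":
                return rule["gateway"]       # policy-routed: route table ignored
            break                            # plain pass rule: normal routing applies
    return lookup(routes, d)[2]
```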