Netgate Discussion Forum

    Openvpn client connects but can only see 3 clients out of 50

    OpenVPN
    15 Posts 3 Posters 5.4k Views
      moh10ly

      I managed to configure OpenVPN on pfSense and was able to connect, but I can only see (ping) 3 clients out of 50 in the office network! Also I'm unable to connect to the internet?

      Here's my config file.

      dev tun
      persist-tun
      persist-key
      proto udp
      cipher BF-CBC
      tls-client
      client
      resolv-retry infinite
      remote 95.0.x.x 1194
      tls-remote vpnnew.mydomain.com
      pkcs12 pfsens-udp-1194.p12
      tls-auth pfsens-udp-1194-tls.key 1
      comp-lzo

      any help is much appreciated.

      Power is Knowledge.

        heper

        probably the other 47 have windows firewall enabled ;)

          moh10ly

          @heper:

          probably the other 47 have windows firewall enabled ;)

          Not really, I have all their firewalls disabled. Just one thing I would like to mention is that I also have OpenVPN on an Untangle firewall and the same issue happens, but the 3 IPs that I have access to are different from the ones with pfSense. The config file is different as well.

          #AUTOGENERATED BY UNTANGLE DO NOT MODIFY
          # OpenVPN(v2.0) configuration script

          client
          proto udp
          resolv-retry 20
          keepalive 10 120
          cipher AES-128-CBC
          nobind
          mute-replay-warnings
          ns-cert-type server
          comp-lzo
          verb 2
          persist-key
          persist-tun
          verb 1
          tls-exit
          dev tun0
          cert untangle-vpn/mycert.crt
          key untangle-vpn/mykey.key
          ca untangle-vpn/myca.crt
          remote 212.x.x.x 1194

          The remote network and my network subnet are the same, but after I connected with 3G I also had the same issue! So it has to do with something else?

          I tried connecting using Guizmo Openvpn on iPhone and ping IPs on the network using the app "Net Master" but also had the same results!

          This is very frustrating! Does anyone have any idea why this is happening?

          thanx

            heper

            it cannot work if remote and local network are the same unless you go for a bridge setup.
            most people just try to change the subnets.

              moh10ly

              @heper:

              it cannot work if remote and local network are the same unless you go for a bridge setup.
              most people just try to change the subnets.

              What about 3G? I also mentioned that I tried it on a 3G network, which has a different subnet, and the exact same issue happens, so it must be something else?

                Nachtfalke

                Did you set the correct firewall rules on OpenVPN tab so that all clients have access from their own "subnet" to the other clients ?
                Did you enable on OpenVPN server that the clients are allowed to communicate with each other ?
                Did you setup enough IP address space for all clients to connect to the server ? 50 clients mean at least 200 IP addresses if all should be able to connect at the same time.
                Can you ping all OpenVPN clients from the pfSense router GUI?
                Can all clients ping pfsense router ?
                Did you run OpenVPN client as administrator on Windows Vista/7 machines so they can set the routes ?

                  moh10ly

                  @Nachtfalke:

                  1- Did you set the correct firewall rules on OpenVPN tab so that all clients have access from their own "subnet" to the other clients ?
                  What are the correct rules that need to be set there? I have just enabled one rule to allow all traffic from source to destination on the OpenVPN tab.

                  2- Did you enable on OpenVPN server that the clients are allowed to communicate with each other ?
                  Yes I did, same result.

                  3- Did you setup enough IP address space for all clients to connect to the server ? 50 clients mean at least 200 IP addresses if all should be able to connect at the same time.
                  I'm assuming you're speaking about this option: "Specify the maximum number of clients allowed to concurrently connect to this server". I set it to 200 concurrent connections at the moment!

                  4- can you ping all OpenVPN clients from pfsense router GUI ?
                  I didn't catch you? What do you mean, all OpenVPN clients? This is an office network that I'm trying to connect to! They are not OpenVPN clients. Please could you explain more?

                  5- Can all clients ping pfsense router ?
                  Yes, all of them can ping.

                  6- Did you run OpenVPN client as administrator on Windows Vista/7 machines so they can set the routes ?

                  Yes, it's run as Administrator, and btw it's just one OpenVPN client that I'm using at the moment, but I'm unable to connect to all computers in my office's LAN, only 3 as I mentioned.

                  Hi Nachtfalke.

                    moh10ly

                    Ok, I noticed something now! Of the 3 IPs which I can connect to, 2 are machines that have a 1:1 static NAT rule and the third IP is the local IP of the pfSense firewall in my office network.

                    What would that mean ? Do I have to add all the IPs in my office network to the 1:1 list ?

                      heper

                      you don't need any 1:1  … something is probably really wrong somewhere
                      nobody can find out without screenshots of firewall rules on relevant interface, routing tables, traceroutes, ....

                      the more info you supply, the easier it is for the other forum members to find out what's going wrong

                        Nachtfalke

                        @moh10ly
                        Perhaps I misunderstood something.

                        Do you have a site-to-site VPN between two pfsense routers and behind both pfsense routers there is a different subnet with many clients which should talk to each other ?
                        Or do you only have one pfsense router with OpenVPN Server running and many clients want to connect to this one OpenVPN server ?

                        What I mean with ping from pfsense GUI is:
                        Go to pfsense GUI Diagnostics and then ping your clients.

                        The option "Specify the maximum number of clients allowed to concurrently connect to this server" is just important if you have many clients which should be able to connect to the OpenVPN server but is not important if you have a site-to-site VPN. Site-to-site needs just a value of "1".

                        But what I talked about is the IP address space for all the OpenVPN clients. For site-to-site VPN the tunnel network just needs a subnet with /30, but if many clients connect to the server every client needs a subnet of /30.
                        A /30 subnet contains 4 IP addresses so assuming you have 50 clients which should connect to the server you need 50*4 IP addresses so that every client can connect.

                        So best thing would be you explain exactly what you want to realize and then post a screenshot of your OpenVPN server config (GUI), your firewall rules on OpenVPN tab. :)

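Working the tunnel-network sizing above through as an added example (not code from the thread): it counts the server's own /30 as well as the clients' under net30, so 50 clients come to 204 addresses, and compares that with OpenVPN's subnet topology, where each client needs only one address. The Tunnel Network value 10.8.0.0/24 is an assumed example, not taken from the thread.

```python
import ipaddress
import math

# net30 topology (what the reply above describes): every client gets a /30
# (4 addresses) and the server itself takes the first /30 of the pool.
# subnet topology: one address per client, one for the server, plus the
# pool's network and broadcast addresses.
ADDRS_PER_NET30_CLIENT = 4


def addresses_needed(clients: int, topology: str = "net30") -> int:
    """Number of IPv4 addresses the Tunnel Network must contain for N clients."""
    if topology == "net30":
        return (clients + 1) * ADDRS_PER_NET30_CLIENT  # +1 for the server's /30
    if topology == "subnet":
        return clients + 1 + 2  # clients + server + network/broadcast
    raise ValueError(f"unknown topology: {topology}")


def minimum_prefix(clients: int, topology: str = "net30") -> int:
    """Smallest (longest) prefix length whose block still holds addresses_needed()."""
    needed = addresses_needed(clients, topology)
    return 32 - math.ceil(math.log2(needed))


def max_clients(tunnel_network: str, topology: str = "net30") -> int:
    """How many clients a given Tunnel Network (e.g. '10.8.0.0/24') can serve."""
    size = ipaddress.ip_network(tunnel_network, strict=True).num_addresses
    if topology == "net30":
        return size // ADDRS_PER_NET30_CLIENT - 1  # minus the server's /30
    if topology == "subnet":
        return size - 3  # minus server, network and broadcast
    raise ValueError(f"unknown topology: {topology}")


if __name__ == "__main__":
    # Assumed example pool, not a value from the thread.
    for topo in ("net30", "subnet"):
        print(f"{topo:6s}: 50 clients need {addresses_needed(50, topo)} addresses "
              f"-> /{minimum_prefix(50, topo)}; "
              f"a /24 serves {max_clients('10.8.0.0/24', topo)} clients")
```

A /24 is therefore enough for the 50 clients in the thread in either topology, and the "maximum concurrent clients" setting discussed earlier is a separate limit from the pool size.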
                          moh10ly

                          @Nachtfalke. :d
                          I figured it out. Basically I have one pfSense at work with OpenVPN set up, and in the office network there are 50 virtual servers! I wanna be able to connect to these servers as if I'm there in the office, so it's client-to-VPN, not site-to-site.

                          After I changed one of the virtual servers' gateway to pfSense's local IP, the VPN client could see that virtual server, ping it and connect to it.

                          I would like to know if I have to change all the other virtual servers' gateway IP to point to pfSense in order for the OpenVPN client to see those virtual servers?

                          Please Advise?
                          Thanks

                            moh10ly

                            Second update on the issue: I have added the following route commands to those machines and it seems to solve the issue! I don't need to change the gateway of the machine for the OpenVPN client to see it anymore.

                            netsh interface ipv4 add route 192.168.0.0/24 "Local Area Connection" 192.168.1.40
                            netsh interface ipv4 add route 172.16.0.0/16 "Local Area Connection" 192.168.1.40

                            Still, I have only this one particular IP "device" that I need, which is actually a VoIP gateway, but it wouldn't work! I have added a static route to this GW but still wouldn't be able to connect to it.

                              heper

                              for normal operation it is customary to set it as the gateway on your LAN clients (unless you have a good reason not to)
                              the problem you experienced is because there was no route back for those LAN clients. adding a static route does work, but you might get other similar problems in the future with other subnets.

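To make the missing-return-route problem described above concrete, here is an added example (not code from the thread) that models a virtual server's routing table with a longest-prefix-match lookup and shows where its reply to a VPN client is sent before and after the static route from the netsh commands. The pfSense LAN IP 192.168.1.40 and the tunnel network 192.168.0.0/24 are taken from those commands; the other router 192.168.1.1 and the VPN client 192.168.0.6 are constructed for this example.

```python
import ipaddress

# Values from the thread's netsh commands.
PFSENSE_LAN_IP = "192.168.1.40"
TUNNEL_NET = "192.168.0.0/24"
# Constructed for this example: a server whose default gateway is a
# different router, and one client address inside the tunnel network.
OTHER_ROUTER = "192.168.1.1"
VPN_CLIENT = "192.168.0.6"


def next_hop(routing_table, destination):
    """Longest-prefix-match lookup.

    routing_table: list of (prefix, gateway); gateway None means the
    destination is directly connected. Returns the chosen gateway.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def reply_reaches_vpn_client(routing_table):
    """True only if the server hands its reply to pfSense, the one router
    that actually has the tunnel interface. Any other next hop drops or
    misroutes the reply, so the VPN client sees the host as unreachable."""
    return next_hop(routing_table, VPN_CLIENT) == PFSENSE_LAN_IP


# Table as found on the virtual servers: LAN directly connected, default
# route via a router that knows nothing about the tunnel network.
broken_table = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", OTHER_ROUTER),
]

# Same table after 'netsh interface ipv4 add route 192.168.0.0/24 ... 192.168.1.40'.
fixed_table = broken_table + [(TUNNEL_NET, PFSENSE_LAN_IP)]

if __name__ == "__main__":
    print("reply without route goes to:", next_hop(broken_table, VPN_CLIENT))
    print("reply with route goes to:   ", next_hop(fixed_table, VPN_CLIENT))
    print("fixed:", reply_reaches_vpn_client(fixed_table))
```

The same lookup explains heper's warning: a new tunnel or remote subnet is unreachable again until each server gets another specific route, whereas pointing the default route at pfSense covers all of them at once.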
                                moh10ly

                                Yes Heper, you're right, however some servers have different routers for certain purposes. But anyway, now I got this working, but the only and main purpose which I wanted to have VPN for is to register SIP clients on iPhone using the (Bria) app to our VoIP gateway (UX1000).

                                Now, after setting up IP routing on the gateway, I can ping and connect to it and browse to the web configuration page, but SIP registration is not working, not even on the VPN client machine using X-Lite or the 3CX application.

                                I tried to telnet to port 5060 (SIP register port) and I was able to connect to it, so I'm not sure why it wouldn't connect?

                                Please could any one advise where to look ?
                                Thanks

                                  moh10ly

                                  I found it… the problem is with the iPhone app "Bria". It has an option for use with VPN and by default this was disabled. After enabling it, everything works like magic :D

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.