Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Trying to get LAN access, can only ping myself

    OpenVPN
    6
    28
    10.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      ace_ventura
      last edited by

      I am trying to setup an OpenVPN connection so I can have LAN access from a remote location.  I am trying to get away from the easy but insecure PPTP VPN.
      I am using release 2.0.1 (i386)

      I have attempted to follow steps I have found online and YouTube and while I was successful in getting it to connect back to home and it gets an IP of 192.168.2.6, I can not access my internal LAN.  On the client I can ping myself at the DHCP IP that the OpenVPN server gives me (192.168.2.6.) but I can not ping the pfsense box and OpenVPN server itself at 10.0.0.1. Nor can I seem to ping any other IP in the 192 range like 192.168.2.1 or 192.168.2.5. I have turned off the client windows firewall just in case.  I have attempted to put in push "route 10.0.0.0 255.255.255.0"; but this does not work.

      The client has OpenVPN v1.0.3 installed and exported settings from the OpenVPN gui on the PFsense box.

      What more information would you like me to provide in order to be of better help?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • G
        gderf
        last edited by

        Obfuscating private IP addressees and particularly netmasks is pointless and makes helping difficult.

        1 Reply Last reply Reply Quote 0
        • A
          ace_ventura
          last edited by

          Sorry, fixed.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            So your using 192.168.2.0/24 as your tunnel network?  Thats prob not very good idea since thats a very common network.  What if your remove is on a 192.168.2.0/24 ?

            what boxes would you ping pinging at 192.168.2.5? or 2.1?

            So 10.0.0.0/24 is your pfsense lan network?  What OS are you running the client on?  If windows 7 for example you need to run the client as admin to get the pushed route.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • A
              ace_ventura
              last edited by

              Yes I am using 192.168.2.0/24 as my tunnel network, we use the 172 network here at work and I use the 10 network at home.  Should I change my tunnel network to 10.0.1.0/24?

              I thought I would try to ping 192.168.2.5 or 2.1 as a DGW since I received an IP of 192.168.2.6 but I knew it probably wouldn't work, just thought I would put that information out as well even if I didn't need to, more a quick here lets try this thought that went through my head.

              Yes I use 10.0.0.0/24 as my pfsense lan network.

              Client OS is Windows 8, Yes I have run the client as admin.

              1 Reply Last reply Reply Quote 0
              • A
                ace_ventura
                last edited by

                anyone?

                1 Reply Last reply Reply Quote 0
                • M
                  marvosa
                  last edited by

                  Post client config, server settings, firewall rules from openvpn tab, routing table from PFsense and routing table from client when connected.

                  1 Reply Last reply Reply Quote 0
                  • M
                    myke
                    last edited by

                    Hi,
                    I've got the same issue , i just can ping my pfsense box but i cannot ping my Wifi Box.

                    I use remote access 1.0.3 SSL/TLS + User Auth

                    in my firewall's rules nothing is blocked.

                    my config is :
                    dev tun
                    persist-tun
                    persist-key
                    proto udp
                    cipher BF-CBC
                    tls-client
                    client
                    resolv-retry infinite
                    remote myipaddress 1194
                    tls-remote Proxiel Server Cert
                    auth-user-pass
                    pkcs12 doberman-udp-1194.p12
                    tls-auth doberman-udp-1194-tls.key 1
                    comp-lzo

                    My lan on my pfsense box is 172.16 and openvpn give me 10.0.8.0

                    to the openvpn server i route the network 172.16.0.0

                    so i don't know where do i search…..

                    if you have any idea  ;)

                    Thanks.
                    Myke.

                    1 Reply Last reply Reply Quote 0
                    • A
                      ace_ventura
                      last edited by

                      @marvosa:

                      Post client config, server settings, firewall rules from openvpn tab, routing table from PFsense and routing table from client when connected.

                      Client Config:
                      dev tun
                      persist-tun
                      persist-key
                      proto udp
                      cipher AES-256-CBC
                      tls-client
                      client
                      resolv-retry infinite
                      remote 173.16.39.88 1194
                      tls-remote vpnuser
                      auth-user-pass
                      pkcs12 pfsense-udp-1194.p12
                      tls-auth pfsense-udp-1194-tls.key 1
                      comp-lzo

                      Server Settings:
                      servermode: remote access (ssl/tls + user auth)
                      proto: udp
                      device mode: tun
                      interface: wan
                      localport: 1194

                      Peer CA: VPN Server CA
                      Peer Cert Rev: None Created
                      Server Cert: my user cert (CA:VPN Server CA) * In Use
                      DH Parameters Length 2048
                      Shared: Auto generate
                      Encryption Alg: AES-256-CBC
                      No hardware crypto
                      cert depth: one (client+server)

                      tunnel network: 192.168.2.0/24
                      bridge dhcp: checked
                      bridge interface: lan

                      local network: 10.0.0.0/24

                      conncurrent connections: 10
                      compression: checked

                      dynamic ip: checked
                      address pool: checked

                      advanced config:
                      push "route 10.0.0.0 255.255.255.0";

                      firewall rules openvpn tab:
                      Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
                      action:pass
                      interface: openvpn

                      See attached for routing table from pfsense

                      Local Client Routes:

                      Interface List
                      19…00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
                      12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
                        1...........................Software Loopback Interface 1
                      14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                      15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                      17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

                      IPv4 Route Table

                      Active Routes:
                      Network Destination        Netmask          Gateway      Interface  Metric
                                0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
                              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                            192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
                            192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
                            192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
                          192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
                        192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
                        192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
                              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                              224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
                              224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
                        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                        255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
                        255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

                      Persistent Routes:
                        None

                      IPv6 Route Table

                      Active Routes:
                      If Metric Network Destination      Gateway
                        1    306 ::1/128                  On-link
                      19    286 fe80::/64                On-link
                      12    266 fe80::/64                On-link
                      12    266 fe80::81b1:8393:5628:5a3c/128
                                                          On-link
                      19    286 fe80::a472:6f0a:696a:46ff/128
                                                          On-link
                        1    306 ff00::/8                On-link
                      19    286 ff00::/8                On-link
                      12    266 ff00::/8                On-link

                      Persistent Routes:
                        None

                      Hope this helps, let me know if I forgot something or if you need anything else.

                      Thanks!

                      ![routing table.PNG](/public/imported_attachments/1/routing table.PNG)
                      ![routing table.PNG_thumb](/public/imported_attachments/1/routing table.PNG_thumb)

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Your running version 1.03 of pfsense? Or is that the version of the openvpn gui your running?

                        What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

                        So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

                        What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easy be in conflict with what your remote network is.

                        Please post your full server config, can be found in /var/etc/openvpn server.conf – there should be a .conf file there for your server settings.

                        Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall your trying to ping?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • A
                          ace_ventura
                          last edited by

                          pfsense 2.0.1-release
                          client is windows 8 VM  I have run it as admin.  Here is its connection log:

                          I just realized you were replying to the other guy.

                          Wed Oct 03 12:31:46 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
                          Wed Oct 03 12:31:52 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                          Wed Oct 03 12:31:52 2012 WARNING: Make sure you understand the semantics of –tls-remote before using it (see the man page).
                          Wed Oct 03 12:31:52 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                          Wed Oct 03 12:31:52 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
                          Wed Oct 03 12:31:52 2012 LZO compression initialized
                          Wed Oct 03 12:31:52 2012 UDPv4 link local (bound): [undef]:1194
                          Wed Oct 03 12:31:52 2012 UDPv4 link remote: 173.16.39.88:1194
                          Wed Oct 03 12:31:52 2012 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
                          Wed Oct 03 12:31:54 2012 [userid] Peer Connection Initiated with 173.16.39.88:1194
                          Wed Oct 03 12:31:56 2012 TAP-WIN32 device [Local Area Connection] opened: \.\Global{D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}.tap
                          Wed Oct 03 12:31:56 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
                          Wed Oct 03 12:31:56 2012 Successful ARP Flush on interface [19] {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}
                          Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.  [status=5010 if_index=19]
                          The route addition failed: The object already exists.
                          Wed Oct 03 12:32:02 2012 Initialization Sequence Completed

                          1 Reply Last reply Reply Quote 0
                          • M
                            myke
                            last edited by

                            @johnpoz:

                            Your running version 1.03 of pfsense? Or is that the version of the openvpn gui your running?

                            What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

                            So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

                            What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easy be in conflict with what your remote network is.

                            Please post your full server config, can be found in /var/etc/openvpn server.conf – there should be a .conf file there for your server settings.

                            Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall your trying to ping?

                            Thanks Johnpoz for your answer.

                            My version of pfsense is 2.0.1 and my remote network openvpn is 2.2.2. i'am administrator of my computer ( window 7 ).

                            My pfsense lan is 172.16.0.0/21 and my network in the office is 192.168.0.0/24.

                            In my firewalls logs i see my ping is ok but no responding.

                            I can just access to my pfsense and i don't have internet.

                            I will post full server config tomorow.

                            Thanks for the help  :)

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              ace where is your route table - this shows that addition failed

                              Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=19]

                              edit:  ok you posted it before, notice there is no route to your 10.0.0.0/24 on there - see mine.

                              My pfsense lan is 192.168.1.0/24 and in my route table and my connection info

                              
                              Wed Oct 03 12:26:23 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.0.200.5
                              Wed Oct 03 12:26:23 2012 Route addition via IPAPI succeeded [adaptive]
                              
                              
                              
                              ===========================================================================
                              Active Routes:
                              Network Destination        Netmask          Gateway       Interface  Metric
                                        0.0.0.0          0.0.0.0       10.56.41.1    10.56.41.136       10
                                     10.0.200.1  255.255.255.255       10.0.200.5      10.0.200.6       1
                                     10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6       30
                                     10.0.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
                                     10.56.41.0    255.255.255.0     10.56.41.136    10.56.41.136       10
                                   10.56.41.136  255.255.255.255        127.0.0.1       127.0.0.1       10
                                 10.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       30
                                 10.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       10
                                      127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
                                    192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
                                      224.0.0.0        240.0.0.0       10.0.200.6      10.0.200.6       30
                                      224.0.0.0        240.0.0.0     10.56.41.136    10.56.41.136       10
                                255.255.255.255  255.255.255.255       10.0.200.6               3       1
                                255.255.255.255  255.255.255.255       10.0.200.6               9       1
                                255.255.255.255  255.255.255.255       10.0.200.6               6       1
                                255.255.255.255  255.255.255.255       10.0.200.6               7       1
                                255.255.255.255  255.255.255.255       10.0.200.6               5       1
                                255.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       1
                                255.255.255.255  255.255.255.255       10.0.200.6               2       1
                                255.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       1
                              Default Gateway:        10.56.41.1
                              ===========================================================================
                              
                              

                              192.168.1.0    255.255.255.0      10.0.200.5      10.0.200.6      1

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              1 Reply Last reply Reply Quote 0
                              • A
                                ace_ventura
                                last edited by

                                Is that not the output of "route print" that i pasted above?

                                I will paste again in case its different this time.

                                ===========================================================================
                                Interface List
                                19…00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
                                12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
                                  1...........................Software Loopback Interface 1
                                14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                                15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                                17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

                                IPv4 Route Table

                                Active Routes:
                                Network Destination        Netmask          Gateway      Interface  Metric
                                          0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
                                        10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30
                                        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                                        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                                  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                      192.168.2.1  255.255.255.255      192.168.2.5      192.168.2.6    30
                                      192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
                                      192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
                                      192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
                                    192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
                                  192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
                                  192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
                                        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                                        224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
                                        224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
                                  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                  255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
                                  255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

                                Persistent Routes:
                                  None

                                IPv6 Route Table

                                Active Routes:
                                If Metric Network Destination      Gateway
                                  1    306 ::1/128                  On-link
                                19    286 fe80::/64                On-link
                                12    266 fe80::/64                On-link
                                12    266 fe80::81b1:8393:5628:5a3c/128
                                                                    On-link
                                19    286 fe80::a472:6f0a:696a:46ff/128
                                                                    On-link
                                  1    306 ff00::/8                On-link
                                19    286 ff00::/8                On-link
                                12    266 ff00::/8                On-link

                                Persistent Routes:
                                  None

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  now it shows

                                  10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30

                                  so should be working - you sure your host is just not answering?  Do a traceroute

                                  D:>tracert -d 192.168.1.100

                                  Tracing route to 192.168.1.100 over a maximum of 30 hops

                                  1  189 ms  218 ms  249 ms  10.0.200.1
                                    2  168 ms  130 ms  266 ms  192.168.1.100

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    ace_ventura
                                    last edited by

                                    seems to be working now, i'm not sure what changed. before I couldn't ping anything.

                                    C:\Users\Mitch>tracert -d 192.168.1.100

                                    Tracing route to 192.168.1.100 over a maximum of 30 hops

                                    1    <1 ms    <1 ms    <1 ms  192.168.186.2
                                      2    *        *        *    Request timed out.
                                      3    *        *        *    Request timed out.
                                      4    *        *        *    Request timed out.
                                      5    *        *        *    Request timed out.
                                      6    *        *        *    Request timed out.
                                      7    *        *        *    Request timed out.
                                      8    *        *        *    Request timed out.
                                      9    *        *        *    Request timed out.
                                    10    *        *        *    Request timed out.
                                    11    *        *        *    Request timed out.
                                    12    *        *        *    Request timed out.
                                    13    *        *        *    Request timed out.
                                    14    *        *        *    Request timed out.
                                    15    *        *        *    Request timed out.
                                    16

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      well in your first post you had no route - so no your not going to be able to get to anything on the other side of the tunnel.

                                      In your second post you did, so that makes sense why its working now, and was not before.

                                      Why would you trace to my 192.168.1.100 address??? Did I really have to spell out to use an IP on your pfsense lan vs my example ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        ace_ventura
                                        last edited by

                                        haha because i was on call at the time and not really paying attention to what i was doing, lol i'm sorry I feel like an idiot.

                                        I'm guessing its because the client wasn't run as administrator, which is odd since I explicitly told it to the first time.

                                        just for giggles ill prove myself now LOL

                                        C:\Users\Mitch>tracert -d 10.0.0.11

                                        Tracing route to 10.0.0.11 over a maximum of 30 hops

                                        1    14 ms    10 ms    10 ms  192.168.2.1
                                          2    11 ms    10 ms    10 ms  10.0.0.11

                                        Trace complete.

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          ace_ventura
                                          last edited by

                                          Thanks for your help though, much appreciated.

                                          1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            yeah windows 7 needs to run as admin to add the route, but it seems the new beta version of openvpn client has gotten around that?  You could try the new beta 2.3_beta1

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.