Cannot reach LAN network via OpenVPN tun



  • Hey guys…

    So I'm trying to set up an OpenVPN instance. I've done this before, but this particular one is giving me trouble.

    I have the instance set up for tun not tap

    I have the tunnel network set to 172.16.1.0/27
    I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

    When I connect, I do get fully connected, no errors, I can see the connection in the status page on my PfSense box.

    In my status it shows my IP as 172.16.1.6/30 and the server is 172.16.1.5/30

    I am NOT able to ping 172.16.1.5, I am NOT able to ping anything in the 10.0.0.0/24 range

    Can someone help me do a little troubleshooting on this? I feel like it should be something really simple. Maybe a firewall rule or something?

    EDIT:

    On the local machine this is my routing table. I DO have a route as you can see

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0        10.10.1.1      10.10.3.196    266
            10.0.0.0    255.255.255.0      172.16.1.5      172.16.1.6    30
            10.10.0.0      255.255.0.0        On-link      10.10.3.196    266
          10.10.3.196  255.255.255.255        On-link      10.10.3.196    266
        10.10.255.255  255.255.255.255        On-link      10.10.3.196    266
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          172.16.1.1  255.255.255.255      172.16.1.5      172.16.1.6    30
          172.16.1.4  255.255.255.252        On-link        172.16.1.6    286
          172.16.1.6  255.255.255.255        On-link        172.16.1.6    286
          172.16.1.7  255.255.255.255        On-link        172.16.1.6    286
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      10.10.3.196    266
            224.0.0.0        240.0.0.0        On-link        172.16.1.6    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      10.10.3.196    266
      255.255.255.255  255.255.255.255        On-link        172.16.1.6    286

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0        10.10.1.1  Default
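Added example, not from the thread: a small script that parses an excerpt of the Windows `route print` output above (constructed from the posted table) and applies the same longest-prefix, lowest-metric selection Windows uses, so you can see which gateway and interface a packet to each test address (LAN host, far tunnel end, peer address) actually takes, and which on-link network the client itself sits on.

```python
import ipaddress

# Constructed excerpt of the Windows "route print" output posted above (not the full table).
ROUTE_PRINT = """\
IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1      10.10.3.196    266
         10.0.0.0    255.255.255.0      172.16.1.5      172.16.1.6     30
        10.10.0.0      255.255.0.0         On-link      10.10.3.196    266
      10.10.3.196  255.255.255.255         On-link      10.10.3.196    266
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
       172.16.1.1  255.255.255.255      172.16.1.5      172.16.1.6     30
       172.16.1.4  255.255.255.252         On-link      172.16.1.6    286
        224.0.0.0        240.0.0.0         On-link      10.10.3.196    266

Persistent Routes:
"""


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the Active Routes section."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if not active or len(parts) != 5:
            continue  # title, blank and header lines do not have exactly five columns
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties: the route Windows uses for dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def local_subnet(routes, host_ip):
    """The directly connected (On-link) network that contains the client's own address."""
    addr = ipaddress.IPv4Address(host_ip)
    nets = [r[0] for r in routes if r[1] == "On-link" and r[0].prefixlen < 32
            and addr in r[0] and not r[0].is_multicast and not r[0].is_loopback]
    return max(nets, key=lambda n: n.prefixlen) if nets else None


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("client sits on", local_subnet(table, "10.10.3.196"))
    for dst in ("10.0.0.1", "172.16.1.1", "172.16.1.5", "10.10.1.1"):
        net, gw, iface, _ = lookup(table, dst)
        print(f"{dst:12} -> {net} via {gw} on {iface}")
```

If a destination resolves to the default route or an on-link entry instead of the tunnel gateway, the problem is the pushed routes; if it resolves to 172.16.1.5 as it does here, the client side is routing correctly and the drop is on the pfSense side (rules, or the tunnel itself).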



  • here is the config on the server






  • I hope you have some firewall rules on OpenVPN to pass the traffic. Can you post those also?



  • @phil.davis:

    I hope you have some firewall rules on OpenVPN to pass the traffic. Can you post those also?

    I do have a rule in there. The description is wrong as it says TAP. I was just messing around with some settings seeing if TAP works, and I always change descriptions when I do anything.






  • The rule you show is on WAN to let the VPN client connect in - a good thing.
    You also need rule/s on the OpenVPN tab to pass traffic flowing inside the tunnel from clients to the LAN…
    You have also assigned an interface to one of your VPNs - called OPENVPNTAP. In the config we are discussing, I don't think that is necessary. If you have a reason to need it, then it is the thing that will need rule/s to pass traffic arriving inside the tunnel.



  • This could also EASILY be a problem with your client.  Is the client freshly installed on either win8 or win7?



  • Something's not adding up… you said:

    I have the tunnel network set to 172.16.1.0/27
    I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

    and your config shows you're not routing all traffic down the tunnel, but the routing table from your PC shows your default gateway is 10.10.1.1 and the IP of your PC is 10.10.3.196.  So, your local network is NOT 10.0.0.0/24, but looks like it's probably 10.10.0.0/16.

    • You need to re-verify what your LAN subnet is and edit your config accordingly.

    • Check the OpenVPN tab under Firewall -> Rules and make sure there's an any/any rule in place.

    • You do not have a Peer Certificate Revocation List listed.  That will need to be configured as well.



  • @marvosa:

    Something's not adding up… you said:

    I have the tunnel network set to 172.16.1.0/27
    I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

    and your config shows you're not routing all traffic down the tunnel, but the routing table from your PC shows your default gateway is 10.10.1.1 and the IP of your PC is 10.10.3.196.  So, your local network is NOT 10.0.0.0/24, but looks like it's probably 10.10.0.0/16.

    • You need to re-verify what your LAN subnet is and edit your config accordingly.

    • Check the OpenVPN tab under Firewall -> Rules and make sure there's an any/any rule in place.

    • You do not have a Peer Certificate Revocation List listed.  That will need to be configured as well.

    LAN on the REMOTE PC is 10.10.0.0/16. I can see where that would be confusing.



  • @kejianshi:

    This could also EASILY be a problem with your client.  Is the client freshly installed on either win8 or win7?

    yes.



  • Win8 requires special treatment to get it to work correctly - google for windows 8 openvpn client.  You will see.

    It can also happen with windows 7 that a connection seems to be established and looks green on both ends but the connection isn't used for routing traffic.  This usually happens when you didn't right click the client install file and run as admin.

    The remedy for that is uninstall it, then reinstall it as admin (run as admin).

    Depends on which openvpn client you used.  I think it's always best to use the pfsense client export tool.



  • @kejianshi:

    Win8 requires special treatment to get it to work correctly - google for windows 8 openvpn client.  You will see.

    It can also happen with windows 7 that a connection seems to be established and looks green on both ends but the connection isn't used for routing traffic.  This usually happens when you didn't right click the client install file and run as admin.

    The remedy for that is uninstall it, then reinstall it as admin (run as admin).

    Depends on which openvpn client you used.  I think it's always best to use the pfsense client export tool.

    This happened to me earlier. I figured that one out pretty easily. When I didn't install as admin it wouldn't set up the virtual interface correctly. I have already uninstalled and installed again running as admin.



  • Yeah - But for windows8 there is an extra hitch sometimes:

    Look at very bottom of this page.

    http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/



  • @phil.davis:

    The rule you show is on WAN to let the VPN client connect in - a good thing.
    You also need rule/s on the OpenVPN tab to pass traffic flowing inside the tunnel from clients to the LAN…
    You have also assigned an interface to one of your VPNs - called OPENVPNTAP. In the config we are discussing, I don't think that is necessary. If you have a reason to need it, then it is the thing that will need rule/s to pass traffic arriving inside the tunnel.

    I just added an Any/Any rule to the OpenVPN tab, as well as the openvpntap tab. I think you're right though. This is NOT being used as a TAP Bridge, so this isn't necessary.

    Either way with the any any rules added, nothing changed. I just uninstalled the client and reinstalled with admin rights and then ran the GUI with admin rights to be sure.

    I feel like I'm missing something stupid simple.

    @kejianshi:

    Yeah - But for windows8 there is an extra hitch sometimes:

    Look at very bottom of this page.

    http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

    I followed that tutorial to the T. The only thing I didn't do is the route-method.exe on my config file, but only because I don't have an OpenVPN config file. I used the PfSense client export.



  • strange - Is this an issue where you can reach your LAN by IP directly or is it only when relying on DNS?


  • Banned

    Tick the Topology checkbox, disconnect, reconnect and try again.

    P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.



  • What I always try to do is reach a windows share by IP - if that works pretty much anything will.

    But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.



  • @kejianshi:

    strange - Is this an issue where you can reach your LAN by IP directly or is it only when relying on DNS?

    I can't reach it at all. I'm not even allowing DNS over the vpn. This is all IP based troubleshooting. I cannot reach the LAN gateway, and I also cannot ping the IP addr the firewall should have in the VPN tunnel.

    @doktornotor:

    Tick the Topology checkbox, disconnect, reconnect and try again.

    P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.

    I know, windows firewall and all, but I can't even ping the gateway on the LAN interface.



  • @kejianshi:

    What I always try to do is reach a windows share by IP - if that works pretty much anything will.

    But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.

    Can't reach any shares.


  • Banned

    Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.



  • @doktornotor:

    Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

    I already did. It didn't work.


  • Banned

    @esink:

    I already did. It didn't work

    On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.



  • @doktornotor:

    @esink:

    I already did. It didn't work

    On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.

    Okay, but this doesn't solve that I can't PING THE GATEWAY.

    My tests include

    1. Attempt to reach a windows share by IP - Server 2012 definitely has this and hosts on the LAN are definitely able to reach it.
    2. RDP to the machines - RDP is DEFINITELY allowed. If I port forward over WAN I can RDP to the machines.
    3. Ping the LAN gateway - hosts on the LAN are able to do this.
    4. Ping the machines - hosts on LAN are able to do this.


  • And you are re-exporting and reinstalling the client config after you make changes to openvpn server?


  • Banned

    As said above. And in addition:

    Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the vpn" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)



  • @doktornotor:

    As said above. And in addition:

    Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the vpn" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)

    I feel like I should really worry about being able to ping the LAN gateway before worrying about anything else, but fine, firewalls are off.

    I have a win 7 client too. Same deal.



  • I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.50.80.4/30 (server .5 client .6). OpenVPN manages these IP addresses inside the tunnel.
    I can ping 10.50.80.1 but NOT 10.50.80.5
    So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.



  • @phil.davis:

    I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.49.80.4/30 (server .5 client .6) OpenVPN manages these IP addresses inside the tunnel.
    I can ping 10.50.80.1 but NOT 10.50.80.5
    So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.

    I cannot ping 172.16.1.1.



  • I cannot ping 172.16.1.1

    It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
    If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
    Post some actual screenshots of rules when you are feeling really stuck.



  • @phil.davis:

    I cannot ping 172.16.1.1

    It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
    If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
    Post some actual screenshots of rules when you are feeling really stuck.

    I already have posted my firewall rules. The openvpn tab of rules just has 1 any any rule.



  • Well there has to be a firewall rule messed up somewhere. I just tried to ping my LAN network from the PfSense box's OpenVPN interface and it can only hit the gateway, not any other host on the LAN.

    What firewall rules are necessary for this to work? I already have a rule on the OpenVPN tab that says allow anything to LAN.

    ![9-20-2013 7-41-29 AM.png](/public/imported_attachments/1/9-20-2013 7-41-29 AM.png)







  • So this is really starting to piss me off. I just said fuck it and deleted the VPN server and all the certs and firewall rules that were associated with it, and went through the wizard to set up the new OpenVPN instance, and I followed a youtube vid to the T.

    http://www.youtube.com/watch?v=VdAHVSTl1ys

    The wizard created the firewall rules for me so I KNOW they're right….

    STILL I cannot ping the other end of the tunnel, nor the LAN gateway, nor anything on the LAN. I am now testing on a different PC (win 7) on a completely different network than the original PC (to rule out anything in between me and the PfSense box.)


  • Banned

    Maybe you should just try a different test than "ping". Seriously, this whole thing works out of the box in five minutes, no need to waste days. If you screwed up so much that it's not fixable, go reinstall from scratch, incl. all your rules.



  • @doktornotor:

    Maybe you should just try a different test than "ping". Seriously, this whole thing works out of the box in five minutes, no need to waste days. If you screwed up so much that it's not fixable, go reinstall from scratch, incl. all your rules.

    Yeah, I agree. I have spare NetGate boxes here at work. I'm going to make one from scratch with all the rules I need, and import the xml to my box at home after a factory reset. I will report back with results.


  • Netgate

    I am having exactly this same problem trying to replace an ipsec site to site with OpenVPN (PKI) site to site.  The tunnel comes up as expected but traffic is not passing between LANs.

    (Sort of solved - see bottom of post)

    I am following the "Site to Site Example Configuration (SSL/TLS)" section in the 2.1 book draft.

    The routing tables look like the proper routes are being pushed.

    Interestingly, I would expect to be able to ping the remote tunnel addresses but I can't.

    Home (192.168.223.0/24) <---> pfSense 2.1 (client) <---> Internet <---> pfSense 2.1 (server) <---> 172.22.81.0/24 (Work)

    Tunnel network on server set to 172.22.83.0/24

    I've tried to find firewall block log entries and have come up empty.

    In the server config I have the following:

    IPv4 Tunnel Network: 172.22.83.0/24

    IPv4 Local Network(s): 172.22.81.0/24

    Advanced:
    route 192.168.223.0 255.255.255.0;
    push "route 192.168.223.0 255.255.255.0";

    I have the following routes in the server's route table:
    172.22.83.0/24    172.22.83.2        UGS        0        5 ovpns2
    172.22.83.1        link#15            UHS        0        0    lo0
    172.22.83.2        link#15            UH          0        0 ovpns2
    192.168.223.0/24  172.22.83.2        UGS        0      66 ovpns2

    In the client-specific overrides for the client CN I have:
    iroute 192.168.223.0 255.255.255.0;

    I have the following routes in the client's route table:
    172.22.81.0/24    172.22.83.5        UGS        0      19 ovpnc1
    172.22.83.1/32    172.22.83.5        UGS        0        8 ovpnc1
    172.22.83.5        link#13            UH          0        0 ovpnc1

    I have any any firewall rules in both sites' OpenVPN firewall rules.

    WAIT HOLD EVERYTHING:

    I had a custom Multi-WAN WANGROUP gateway (since I have Cable and DSL modems at home) that redirected all traffic from the client's LAN to Gateway WANGROUP.  I changed that to the default gateway and traffic started passing.  Posting everything since it might help someone else.

    Any pointers to the proper config for this instance?



  • @kejianshi:

    Yeah - But for windows8 there is an extra hitch sometimes:

    Look at very bottom of this page.

    http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

    I am having a similar issue, even though CMAK is on and the route method exe is added to the config file, but I am unable to get an IP from the server.

    Did anyone have any luck on this? Maybe someone can share their config example. Thanks.



  • I don't know what to say except that openvpn works and is REALLY easy to set up.  I can't guarantee how it will interact with existing firewall rules (meaning you can easily have firewall rule errors).


  • Netgate

    Wow.  That post is really n00b.  Thanks for bumping this necrothread. :/



  • haha - Don't mention it.  Anything for you buddy (-;

    (No seriously - Don't mention it…  To anyone)