Netgate Discussion Forum

    Cannot reach LAN network via OpenVPN tun

      esink

      @kejianshi:

      Win8 requires special treatment to get it to work correctly - google for windows 8 openvpn client.  You will see.

      It can also happen with windows 7 that a connection seems to be established and looks green on both ends but the connection isn't used for routing traffic.  This usually happens when you didn't right click the client install file and run as admin.

      The remedy for that is uninstall it, then reinstall it as admin (run as admin).

      Depends on which openvpn client you used. I think it's always best to use the pfSense client export tool.

      This happened to me earlier. I figured that one out pretty easily. When I didn't install as admin it wouldn't set up the virtual interface correctly. I have already uninstalled and installed again running as admin.

        kejianshi

        Yeah - But for windows8 there is an extra hitch sometimes:

        Look at very bottom of this page.

        http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

          esink

          @phil.davis:

          The rule you show is on WAN to let the VPN client connect in - a good thing.
          You also need rule/s on the OpenVPN tab to pass traffic flowing inside the tunnel from clients to the LAN…
          You have also assigned an interface to one of your VPNs - called OPENVPNTAP. In the config we are discussing, I don't think that is necessary. If you have a reason to need it, then it is the thing that will need rule/s to pass traffic arriving inside the tunnel.

          I just added an Any/Any rule to the OpenVPN tab, as well as the openvpntap tab. I think you're right though. This is NOT being used as a TAP Bridge, so this isn't necessary.

          Either way with the any any rules added, nothing changed. I just uninstalled the client and reinstalled with admin rights and then ran the GUI with admin rights to be sure.

          I feel like I'm missing something stupid simple.

          @kejianshi:

          Yeah - But for windows8 there is an extra hitch sometimes:

          Look at very bottom of this page.

          http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

          I followed that tutorial to the T. The only thing I didn't do is the route-method.exe on my config file, but only because I don't have an OpenVPN config file. I used the pfSense client export.

            kejianshi

            strange - Is this an issue where you can reach your LAN by IP directly or is it only when relying on DNS?

              doktornotor

              Tick the Topology checkbox, disconnect, reconnect and try again.

              P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.

                kejianshi

                What I always try to do is reach a windows share by IP - if that works pretty much anything will.

                But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.

                  esink

                  @kejianshi:

                  strange - Is this an issue where you can reach your LAN by IP directly or is it only when relying on DNS?

                  I can't reach it at all. I'm not even allowing DNS over the VPN. This is all IP-based troubleshooting. I cannot reach the LAN gateway, and I also cannot ping the IP address the firewall should have in the VPN tunnel.

                  @doktornotor:

                  Tick the Topology checkbox, disconnect, reconnect and try again.

                  P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.

                  I know windows firewall and all, but I can't even ping the gateway on the LAN interface.

                    esink

                    @kejianshi:

                    What I always try to do is reach a windows share by IP - if that works pretty much anything will.

                    But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.

                    Can't reach any shares.

                      doktornotor

                      Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

                        esink

                        @doktornotor:

                        Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

                        I already did. It didn't work

                          doktornotor

                          @esink:

                          I already did. It didn't work

                          On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.

                            esink

                            @doktornotor:

                            @esink:

                            I already did. It didn't work

                            On another note, NetBIOS is disabled by default as well (yet another checkbox). And on yet another note, turn off the Windows firewall before doing any of these tests.

                            Okay, but this doesn't solve that I can't PING THE GATEWAY.

                            My tests include:

                            1. attempt to reach a windows share by IP - Server 2012 definitely has this and hosts on the LAN are definitely able to reach it
                            2. RDP to the machines - RDP is DEFINITELY allowed. if I port forward over WAN I can RDP to the machines
                            3. ping the LAN gateway - hosts on the LAN are able to do this.
                            4. ping the machines - hosts on LAN are able to do this.
                              kejianshi

                              And you are re-exporting and reinstalling the client config after you make changes to openvpn server?

                                doktornotor

                                As said above. And in addition:

                                Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the vpn" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)

                                  esink

                                  @doktornotor:

                                  As said above. And in addition:

                                  Simplify the thing for basic testing so that stupid things like "I'm not even allowing DNS over the vpn" are out of the way! Get the crappy Windows firewalls out of the way as well. Make the things wide open UNTIL you can get basic things working. You can tighten things up AFTER that. No one's interested in debugging something for days only to turn out that the issue is totally unrelated to pfSense. (And on that note, getting a sane OVPN client for testing would help as well. No, W8 is not one.)

                                  I feel like I should really worry about being able to ping the LAN gateway before worrying about anything else, but fine, firewalls are off.

                                  I have a Win 7 client too. Same deal.

                                    phil.davis

                                    I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.50.80.4/30 (server .5, client .6). OpenVPN manages these IP addresses inside the tunnel.
                                    I can ping 10.50.80.1 but NOT 10.50.80.5.
                                    So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.

                                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

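An added illustration of the address layout phil.davis describes (this is example code written for this page, not anything from the thread or from pfSense): under OpenVPN's net30 topology each client is handed its own /30 out of the tunnel pool, while the subnet topology (the pfSense Topology checkbox) puts everyone on one network. The pool 10.50.80.0/24 is the one from the post; the client ordering is the standard sequential allocation and is assumed here.

```python
import ipaddress

def net30_allocation(tunnel_net, client_index):
    """Addresses OpenVPN hands out under 'topology net30' (pfSense's default
    when the Topology box is unticked). The server holds .1 with .2 as its
    virtual peer; client n (0-based) gets the n-th /30 after that, with the
    low host as the client's virtual server endpoint and the high host as
    the client's own address."""
    net = ipaddress.ip_network(tunnel_net)
    base = int(net.network_address) + 4 * (client_index + 1)
    block = ipaddress.ip_network((base, 30))
    return {
        "client_block": str(block),
        "server_endpoint": str(block.network_address + 1),
        "client_ip": str(block.network_address + 2),
    }

def subnet_allocation(tunnel_net, client_index):
    """Under 'topology subnet' (Topology box ticked) every client sits on the
    one pool network with the server at .1 and clients at .2, .3, ... in
    order of connection (assumed sequential allocation)."""
    net = ipaddress.ip_network(tunnel_net)
    return {
        "server_ip": str(net.network_address + 1),
        "client_ip": str(net.network_address + 2 + client_index),
    }

def reachable_server_address(tunnel_net):
    """Under either topology the server's real tun address is the first host
    (.1). The per-client .5, .9, ... endpoints under net30 are the virtual far
    ends of point-to-point links, which is why pinging .5 gets no answer
    while .1 does."""
    return str(ipaddress.ip_network(tunnel_net).network_address + 1)

if __name__ == "__main__":
    for n in range(3):
        print(net30_allocation("10.50.80.0/24", n))
    print("ping this:", reachable_server_address("10.50.80.0/24"))
```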
                                      esink

                                      @phil.davis:

                                      I just got a road warrior OpenVPN going on my Win8 laptop again. It uses tunnel 10.50.80.0/24 and I get allocated 10.50.80.4/30 (server .5, client .6). OpenVPN manages these IP addresses inside the tunnel.
                                      I can ping 10.50.80.1 but NOT 10.50.80.5.
                                      So I suggest you try ping 172.16.1.1 - that should work, not the .5 IP.

                                      I cannot ping 172.16.1.1.

                                        phil.davis

                                        I cannot ping 172.16.1.1

                                        It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
                                        If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
                                        Post some actual screenshots of rules when you are feeling really stuck.


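One way to act on the "look in the firewall log" advice above, as an added example that is not code from the thread or from pfSense: parse firewall log lines and list the packets dropped on their way from the VPN pool into the LAN. The log lines are constructed, and their layout is assumed to follow pfSense's filterlog CSV format (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, protocol, length, source, destination); the interface name ovpns1, the tunnel 10.50.80.0/24 and the LAN 172.16.1.0/24 are assumptions based on the addresses in the thread.

```python
import ipaddress

# Constructed sample lines (not from the thread), assumed filterlog layout:
# rule,sub-rule,anchor,tracker,interface,reason,action,direction,ipversion,
# then for IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,
# followed by protocol-specific fields.
SAMPLE_LOG = """\
Sep 20 07:41:29 pfsense filterlog: 5,,,1000000103,ovpns1,match,block,in,4,0x0,,64,12345,0,DF,1,icmp,84,10.50.80.6,172.16.1.1,request,1,2
Sep 20 07:41:30 pfsense filterlog: 89,,,1380000001,ovpns1,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,10.50.80.6,172.16.1.10,53421,3389,0,S,
Sep 20 07:41:31 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,54,12347,0,none,1,icmp,84,203.0.113.9,172.16.1.1,request,7,1
"""

# Column indexes for the IPv4 case under the layout assumed above.
IFACE, ACTION, DIRECTION, IPVER, PROTO, SRC, DST = 4, 6, 7, 8, 16, 18, 19

def parse_filterlog(line):
    """Pull the fields that matter out of one syslog line carrying a filterlog
    record; return None for lines that are not IPv4 filterlog entries."""
    _, sep, body = line.partition("filterlog: ")
    fields = body.split(",") if sep else []
    if len(fields) <= DST or fields[IPVER] != "4":
        return None
    return {"iface": fields[IFACE], "action": fields[ACTION],
            "dir": fields[DIRECTION], "proto": fields[PROTO],
            "src": fields[SRC], "dst": fields[DST]}

def blocked_tunnel_to_lan(lines, tunnel_net, lan_net):
    """List packets the firewall dropped on their way from the VPN address pool
    into the LAN. If pings fail but this comes back empty, the rules are not
    what is eating the traffic and the client/routing side needs a look."""
    tun, lan = ipaddress.ip_network(tunnel_net), ipaddress.ip_network(lan_net)
    hits = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in tun and dst in lan:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in blocked_tunnel_to_lan(SAMPLE_LOG.splitlines(), "10.50.80.0/24", "172.16.1.0/24"):
        print(hit)
```

On a real box the same logic can be fed the output of the firewall log page or the filter log file; only the block from the tunnel pool is reported, the WAN block and the passed RDP session are left out.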
                                          esink

                                          @phil.davis:

                                          I cannot ping 172.16.1.1.

                                          It really does sound like a firewall rule somewhere is not allowing this. Look in the firewall log when you try to ping, is anything being logged? Do you have any floating rules that would match this ping?
                                          If you are not using the OPENVPNTAP interface assignment for anything you intended, then I would remove it and go back to having just the generic OpenVPN tab - that will remove one complication.
                                          Post some actual screenshots of rules when you are feeling really stuck.

                                          I already have posted my firewall rules. The openvpn tab of rules just has 1 any any rule.

                                            esink

                                            Well, there has to be a firewall rule messed up somewhere. I just tried to ping my LAN network from the pfSense box's OpenVPN interface and it can only hit the gateway, not any other host on the LAN.

                                            What firewall rules are necessary for this to work? I already have a rule on the OpenVPN tab that says allow anything to LAN.

                                            [Attached screenshots: 9-20-2013 7-41-29 AM.png, Openvpnrule.png, lanping.png, vpnping.png]
