Netgate Discussion Forum
    Cannot reach LAN network via OpenVPN tun

      esink

      Hey guys…

      So I'm trying to set up an OpenVPN instance. I've done this before, but this particular one is giving me trouble.

      I have the instance set up for tun not tap

      I have the tunnel network set to 172.16.1.0/27
      I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

      When I connect, I do get fully connected, no errors, I can see the connection in the status page on my PfSense box.

      In my status it shows my IP as 172.16.1.6/30 and the server is 172.16.1.5/30

      I am NOT able to ping 172.16.1.5, I am NOT able to ping anything in the 10.0.0.0/24 range

      Can someone help me do a little troubleshooting on this? I feel like it should be something really simple. Maybe a firewall rule or something?

      EDIT:

      On the local machine this is my routing table. I DO have a route as you can see

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0        10.10.1.1      10.10.3.196    266
              10.0.0.0    255.255.255.0      172.16.1.5      172.16.1.6    30
              10.10.0.0      255.255.0.0        On-link      10.10.3.196    266
            10.10.3.196  255.255.255.255        On-link      10.10.3.196    266
          10.10.255.255  255.255.255.255        On-link      10.10.3.196    266
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            172.16.1.1  255.255.255.255      172.16.1.5      172.16.1.6    30
            172.16.1.4  255.255.255.252        On-link        172.16.1.6    286
            172.16.1.6  255.255.255.255        On-link        172.16.1.6    286
            172.16.1.7  255.255.255.255        On-link        172.16.1.6    286
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
              224.0.0.0        240.0.0.0        On-link      10.10.3.196    266
              224.0.0.0        240.0.0.0        On-link        172.16.1.6    286
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        255.255.255.255  255.255.255.255        On-link      10.10.3.196    266
        255.255.255.255  255.255.255.255        On-link        172.16.1.6    286

      Persistent Routes:
        Network Address          Netmask  Gateway Address  Metric
                0.0.0.0          0.0.0.0        10.10.1.1  Default
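
      As an added worked check (not part of this thread, and not pfSense or OpenVPN code), the script below parses the `route print` output above and answers the two questions the later replies circle around: does the client actually forward the server-side LAN into the tunnel, and does a local on-link network overlap the remote LAN? It also models OpenVPN's default net30 topology, which is why a /27 tunnel network appears on the client as a /30 pair (.5 server side, .6 client). The route selection rule (longest prefix, then lowest metric) is Windows' documented behaviour; the helper names and the "overlapping LAN" case at the bottom are my own constructions.

```python
"""Windows route-table sanity check for an OpenVPN 'tun' client.

Added example, not code from the thread or from pfSense/OpenVPN. It parses
`route print` output as posted, applies Windows' route selection (longest
prefix first, lowest metric on a tie) and reports whether the server-side LAN
would actually be sent into the tunnel. It also models OpenVPN's default
'net30' topology, which is why a /27 tunnel network shows up as /30 pairs.
"""
import ipaddress
import re

# Constructed sample: the 'Active Routes' rows from the post above.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1      10.10.3.196    266
         10.0.0.0    255.255.255.0      172.16.1.5      172.16.1.6    30
        10.10.0.0      255.255.0.0        On-link      10.10.3.196    266
      10.10.3.196  255.255.255.255        On-link      10.10.3.196    266
       172.16.1.1  255.255.255.255      172.16.1.5      172.16.1.6    30
       172.16.1.4  255.255.255.252        On-link        172.16.1.6    286
       172.16.1.6  255.255.255.255        On-link        172.16.1.6    286
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway or None for on-link, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:            # header, section titles and blank lines
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw.lower() == "on-link" else ipaddress.ip_address(gw)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Route Windows would pick for dst: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(str(dst))
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))


def check_tunnel(routes, tunnel_peer, remote_lan, client_ip):
    """Findings for the pushed remote-LAN route; an empty list means it looks right.

    tunnel_peer - the server-side address the client's route points at (.5 here)
    remote_lan  - the 'IPv4 local network' configured on the server
    client_ip   - the client's own tunnel address (.6 here)
    """
    peer = ipaddress.ip_address(tunnel_peer)
    lan = ipaddress.ip_network(remote_lan)
    tun_if = ipaddress.ip_address(client_ip)
    findings = []

    # 1. A host inside the remote LAN must be forwarded to the peer on the tun interface.
    probe = next(lan.hosts())
    route = lookup(routes, probe)
    if route is None or route[1] != peer or route[2] != tun_if:
        findings.append(f"{probe} would not go via {peer} on {tun_if}: {route}")

    # 2. A local on-link network overlapping the remote LAN means the two prefixes
    #    shadow each other and part (or all) of the LAN never enters the tunnel.
    for net, gw, iface, _ in routes:
        local = gw is None and iface != tun_if and net.prefixlen < 32
        if local and not net.is_loopback and not net.is_multicast and net.overlaps(lan):
            findings.append(f"local on-link {net} overlaps remote LAN {lan}")
    return findings


def net30_pairs(tunnel_network):
    """(server-side, client) address pairs OpenVPN's default net30 topology hands out.

    The first /30 of the tunnel network is the server's own; every later /30
    serves exactly one client, which is why the post shows .5/.6 inside a /27.
    """
    blocks = list(ipaddress.ip_network(tunnel_network).subnets(new_prefix=30))
    return [tuple(str(h) for h in blk.hosts()) for blk in blocks[1:]]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("net30 pairs:", net30_pairs("172.16.1.0/27"))
    print("as configured:", check_tunnel(routes, "172.16.1.5", "10.0.0.0/24", "172.16.1.6"))
    # Constructed failure case: the server LAN set to the same /16 the client already sits on.
    print("overlapping LAN:", check_tunnel(routes, "172.16.1.5", "10.10.0.0/16", "172.16.1.6"))
```

      For the table as posted, `check_tunnel` returns no findings: the client will hand 10.0.0.0/24 to 172.16.1.5 on the tun interface, so the client-side routing is consistent and the remaining suspects are on the server side (OpenVPN tab rules, topology). The constructed 10.10.0.0/16 case shows what the same check reports when the server's "local network" collides with the client's own LAN: the on-link /16 wins the lookup and the tunnel is never used. Note also that a /27 under net30 yields only seven client pairs.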

        esink

        here is the config on the server

        [server config screenshots: openvpn1.png, openvpn2.png]

          phil.davis

          I hope you have some firewall rules on OpenVPN to pass the traffic. Can you post those also?

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            esink

            @phil.davis:

            I hope you have some firewall rules on OpenVPN to pass the traffic. Can you post those also?

            I do have a rule in there. The description is wrong as it says TAP. I was just messing around with some settings seeing if TAP works, and I always change descriptions when I do anything.

            [screenshots: firewallrules.png, openvpnrule.png]

              phil.davis

              The rule you show is on WAN to let the VPN client connect in - a good thing.
              You also need rule/s on the OpenVPN tab to pass traffic flowing inside the tunnel from clients to the LAN…
              You have also assigned an interface to one of your VPNs - called OPENVPNTAP. In the config we are discussing, I don't think that is necessary. If you have a reason to need it, then it is the thing that will need rule/s to pass traffic arriving inside the tunnel.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                kejianshi

                This could also EASILY be a problem with your client.  Is the client freshly installed on either win8 or win7?

                  marvosa

                  Something's not adding up… you said:

                  I have the tunnel network set to 172.16.1.0/27
                  I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

                  and your config shows you're not routing all traffic down the tunnel, but the routing table from your PC shows your default gateway is 10.10.1.1 and the IP of your PC is 10.10.3.196.  So, your local network is NOT 10.0.0.0/24, but looks like it's probably 10.10.0.0/16.

                  • You need to re-verify what your LAN subnet is and edit your config accordingly.

                  • Check the OpenVPN tab under Firewall -> Rules and make sure there's an any/any rule in place.

                  • You do not have a Peer Certificate Revocation List listed.  That will need to be configured as well.

                    esink

                    @marvosa:

                    Something's not adding up… you said:

                    I have the tunnel network set to 172.16.1.0/27
                    I have the IPv4 local network set to 10.0.0.0/24 (network address of my LAN)

                    and your config shows you're not routing all traffic down the tunnel, but the routing table from your PC shows your default gateway is 10.10.1.1 and the IP of your PC is 10.10.3.196.  So, your local network is NOT 10.0.0.0/24, but looks like it's probably 10.10.0.0/16.

                    • You need to re-verify what your LAN subnet is and edit your config accordingly.

                    • Check the OpenVPN tab under Firewall -> Rules and make sure there's an any/any rule in place.

                    • You do not have a Peer Certificate Revocation List listed.  That will need to be configured as well.

                    LAN on the REMOTE PC is 10.10.0.0/16. I can see where that would be confusing.

                      esink

                      @kejianshi:

                      This could also EASILY be a problem with your client.  Is the client freshly installed on either win8 or win7?

                      yes.

                        kejianshi

                        Win8 requires special treatment to get it to work correctly - google for windows 8 openvpn client.  You will see.

                        It can also happen with windows 7 that a connection seems to be established and looks green on both ends but the connection isn't used for routing traffic.  This usually happens when you didn't right click the client install file and run as admin.

                        The remedy for that is uninstall it, then reinstall it as admin (run as admin).

                        Depends on which OpenVPN client you used.  I think it's always best to use the pfSense client export tool.

                          esink

                          @kejianshi:

                          Win8 requires special treatment to get it to work correctly - google for windows 8 openvpn client.  You will see.

                          It can also happen with windows 7 that a connection seems to be established and looks green on both ends but the connection isn't used for routing traffic.  This usually happens when you didn't right click the client install file and run as admin.

                          The remedy for that is uninstall it, then reinstall it as admin (run as admin).

                          Depends on which OpenVPN client you used.  I think it's always best to use the pfSense client export tool.

                          This happened to me earlier. I figured that one out pretty easily. When I didn't install as admin it wouldn't set up the virtual interface correctly. I have already uninstalled and installed again running as admin.

                            kejianshi

                            Yeah - But for windows8 there is an extra hitch sometimes:

                            Look at very bottom of this page.

                            http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

                              esink

                              @phil.davis:

                              The rule you show is on WAN to let the VPN client connect in - a good thing.
                              You also need rule/s on the OpenVPN tab to pass traffic flowing inside the tunnel from clients to the LAN…
                              You have also assigned an interface to one of your VPNs - called OPENVPNTAP. In the config we are discussing, I don't think that is necessary. If you have a reason to need it, then it is the thing that will need rule/s to pass traffic arriving inside the tunnel.

                              I just added an Any/Any rule to the OpenVPN tab, as well as the openvpntap tab. I think you're right though. This is NOT being used as a TAP Bridge, so this isn't necessary.

                              Either way with the any any rules added, nothing changed. I just uninstalled the client and reinstalled with admin rights and then ran the GUI with admin rights to be sure.

                              I feel like I'm missing something stupid simple.

                              @kejianshi:

                              Yeah - But for windows8 there is an extra hitch sometimes:

                              Look at very bottom of this page.

                              http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

                              I followed that tutorial to the T. The only thing I didn't do is the route-method.exe on my config file, but only because I don't have an OpenVPN config file. I used the PfSense client export.

                                kejianshi

                                Strange - is this an issue where you can reach your LAN by IP directly, or is it only when relying on DNS?

                                  doktornotor

                                  Tick the Topology checkbox, disconnect, reconnect and try again.

                                  P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.

                                    kejianshi

                                    What I always try to do is reach a windows share by IP - if that works pretty much anything will.

                                    But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.

                                      esink

                                      @kejianshi:

                                      Strange - is this an issue where you can reach your LAN by IP directly, or is it only when relying on DNS?

                                      I can't reach it at all. I'm not even allowing DNS over the VPN. This is all IP-based troubleshooting. I cannot reach the LAN gateway, and I also cannot ping the IP addr the firewall should have in the VPN tunnel.

                                      @doktornotor:

                                      Tick the Topology checkbox, disconnect, reconnect and try again.

                                      P.S. Ping is NOT a good test with Windows boxes. At all. Mostly blocked.

                                      I know Windows firewall and all, but I can't even ping the gateway on the LAN interface.

                                        esink

                                        @kejianshi:

                                        What I always try to do is reach a windows share by IP - if that works pretty much anything will.

                                        But that doesn't mean DNS will resolve correctly if there is something wrong elsewhere on the windows box.

                                        Can't reach any shares.

                                          doktornotor

                                          Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

                                            esink

                                            @doktornotor:

                                            Let me state again: Tick the Topology checkbox, disconnect, reconnect and try again.

                                            I already did. It didn't work.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.