<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Windows 7 OpenVPN client can&#x27;t reach the LAN]]></title><description><![CDATA[<p dir="auto">Hi,</p>
<p dir="auto">I've been reading around this issue all day long, but finally I have to admit I'm stumped.</p>
<p dir="auto">The VPN client is correctly configured by DHCP - e.g. client IP 10.12.43.2; gateway IP 10.12.43.1.</p>
<pre><code>   IPv4 Address. . . . . . . . . . . : 10.12.43.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
</code></pre>
<p dir="auto">The default gateway is being configured (correctly, I think) as 10.12.43.1, for 10.12.0.0/16:</p>
<pre><code>IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.254  192.168.254.241     20
          0.0.0.0        128.0.0.0       10.12.43.1       10.12.43.2     31
        10.12.0.0      255.255.0.0       10.12.43.1       10.12.43.2     31
       10.12.43.0    255.255.255.0         On-link        10.12.43.2    286
       10.12.43.2  255.255.255.255         On-link        10.12.43.2    286
     10.12.43.255  255.255.255.255         On-link        10.12.43.2    286
</code></pre>
<p dir="auto">(192.x is obviously the client's normal LAN prior to the VPN connection)</p>
<p dir="auto">pfSense and the client can ping each other on the 10.12.43.1/10.12.43.2 addresses.  The firewall rules look okay on pfSense (very permissive OpenVPN and LAN networks).</p>
<p dir="auto">I've stuffed everything I can find in the client config:  ;)</p>
<pre><code>dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.mycompany.co.uk 1194 udp
verify-x509-name "My Gateway" name
auth-user-pass
ca my-gateway-udp-1194-ca.crt
tls-auth my-gateway-udp-1194-tls.key 1
ns-cert-type server
comp-lzo
redirect-gateway
pull
verb 3

# don't terminate service process on wrong password, ask again
auth-retry interact
# open management channel
management 127.0.0.1 166
# wait for management to explicitly start connection
management-hold
# query management channel for user/pass
management-query-passwords
# disconnect VPN when management program connection is closed
management-signal
# forget password when management disconnects
management-forget-disconnect

route-method exe
route-delay 2

</code></pre>
<p dir="auto">I cannot ping anything else on the LAN from the OpenVPN client.  There's a bit in the server log, but I'm not sure whether it's relevant:</p>
<pre><code>Nov 19 16:51:12	openvpn[12663]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
Nov 19 16:51:13	openvpn[12663]: SIGTERM[hard,] received, process exiting
Nov 19 16:51:13	openvpn[34950]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Nov 19 16:51:13	openvpn[34950]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Nov 19 16:51:13	openvpn[34950]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 16:51:13	openvpn[34950]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Nov 19 16:51:13	openvpn[34950]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Nov 19 16:51:13	openvpn[34950]: TUN/TAP device ovpns1 exists previously, keep at program end
Nov 19 16:51:13	openvpn[34950]: TUN/TAP device /dev/tun1 opened
Nov 19 16:51:13	openvpn[34950]: do_ifconfig, tt-&gt;ipv6=1, tt-&gt;did_ifconfig_ipv6_setup=0
Nov 19 16:51:13	openvpn[34950]: /sbin/ifconfig ovpns1 10.12.43.1 10.12.43.1 mtu 1500 netmask 255.255.255.0 up
Nov 19 16:51:13	openvpn[34950]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.12.43.1 255.255.255.0 init
Nov 19 16:51:14	openvpn[36283]: UDPv4 link local (bound): [AF_INET]a.b.c.d:1194
Nov 19 16:51:14	openvpn[36283]: UDPv4 link remote: [undef]
Nov 19 16:51:14	openvpn[36283]: Initialization Sequence Completed
Nov 19 16:52:08	openvpn: user 'rob.pomeroy' authenticated
Nov 19 16:52:08	openvpn[36283]: e.f.g.h:49386 [rob.pomeroy] Peer Connection Initiated with [AF_INET]e.f.g.h:49386
Nov 19 16:52:08	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 MULTI_sva: pool returned IPv4=10.12.43.2, IPv6=(Not enabled)
Nov 19 16:52:11	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 send_push_reply(): safe_cap=940
</code></pre>
<p dir="auto">Clients are authenticating against Active Directory.</p>
<p dir="auto">Sorry this is such a mammoth first post - but any ideas?</p>
<p dir="auto">Thanks,</p>
<p dir="auto">Rob</p>
]]></description><link>https://forum.netgate.com/topic/62959/windows-7-openvpn-client-can-t-reach-the-lan</link><generator>RSS for Node</generator><lastBuildDate>Tue, 19 May 2026 22:52:02 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/62959.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 19 Nov 2013 17:12:53 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Tue, 26 Nov 2013 14:18:38 GMT]]></title><description><![CDATA[<p dir="auto">Completely reinstalled pfSense and what do you know?  It's working.</p>
<p dir="auto">Hypotheses:</p>
<ul>
<li>
<p dir="auto">Corruption of original installation and/or</p>
</li>
<li>
<p dir="auto">Using older version of OpenVPN Client Export package and/or</p>
</li>
<li>
<p dir="auto">Some other installed package caused a problem (have installed this fairly lean on this occasion).</p>
</li>
</ul>
<p dir="auto">Thanks to all for your help.  I'm going to snapshot this virtual machine while it's working!!!</p>
]]></description><link>https://forum.netgate.com/post/431532</link><guid isPermaLink="true">https://forum.netgate.com/post/431532</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Tue, 26 Nov 2013 14:18:38 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Tue, 26 Nov 2013 10:57:17 GMT]]></title><description><![CDATA[<p dir="auto">Thanks for your input.</p>
<p dir="auto">The quantity of issues I'm having with pfSense is rising.  Now I'm getting failures on attempting to log in:</p>
<pre><code>Warning: session_start(): open(/var/tmp//sess_1e36ef0d17d9b13cdeb3d59c25e8e0ab, O_RDWR) failed: No space left on device (28) in /etc/inc/auth.inc on line 1357
</code></pre>
<p dir="auto">There's plenty of space, so I'm going to guess there's some filesystem-level corruption of some kind, in which case all bets are off.  <em>sigh</em>  Time to reinstall.</p>
]]></description><link>https://forum.netgate.com/post/431504</link><guid isPermaLink="true">https://forum.netgate.com/post/431504</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Tue, 26 Nov 2013 10:57:17 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 21:12:02 GMT]]></title><description><![CDATA[<p dir="auto">Export a new config and install it on the client-side.</p>
<p dir="auto">Post new exported client config.</p>
<p dir="auto">Post pfSense routing table.</p>
<p dir="auto">Post client routing table once connected with new config.</p>
]]></description><link>https://forum.netgate.com/post/430667</link><guid isPermaLink="true">https://forum.netgate.com/post/430667</guid><dc:creator><![CDATA[marvosa]]></dc:creator><pubDate>Wed, 20 Nov 2013 21:12:02 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 21:01:22 GMT]]></title><description><![CDATA[<p dir="auto">Do the clients on the LAN allow pings from the OpenVPN network? Try to turn off firewall on the clients temporarily.</p>
]]></description><link>https://forum.netgate.com/post/430665</link><guid isPermaLink="true">https://forum.netgate.com/post/430665</guid><dc:creator><![CDATA[Nachtfalke]]></dc:creator><pubDate>Wed, 20 Nov 2013 21:01:22 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 16:53:23 GMT]]></title><description><![CDATA[<p dir="auto">Okay:</p>
<pre><code>dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local a.b.c.d
tls-server
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
client-cert-not-required
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 50
push "route 10.12.0.0 255.255.0.0"
push "route 192.168.3.0 255.255.255.0"
push "dhcp-option DOMAIN mycompany.local"
push "dhcp-option DNS 10.12.20.6"
push "dhcp-option DNS 10.12.20.7"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option NTP 10.12.20.6"
push "dhcp-option NTP 10.12.20.7"
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet

</code></pre>
]]></description><link>https://forum.netgate.com/post/430626</link><guid isPermaLink="true">https://forum.netgate.com/post/430626</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Wed, 20 Nov 2013 16:53:23 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 16:49:48 GMT]]></title><description><![CDATA[<p dir="auto">Post your server1.conf.</p>
]]></description><link>https://forum.netgate.com/post/430623</link><guid isPermaLink="true">https://forum.netgate.com/post/430623</guid><dc:creator><![CDATA[marvosa]]></dc:creator><pubDate>Wed, 20 Nov 2013 16:49:48 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 11:49:06 GMT]]></title><description><![CDATA[<p dir="auto">Does this entry in the log shed any light on the problem?</p>
<pre><code>Nov 20 10:30:08	openvpn[36283]: rob.pomeroy/e.f.g.h:49386 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #95045 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
</code></pre>
]]></description><link>https://forum.netgate.com/post/430568</link><guid isPermaLink="true">https://forum.netgate.com/post/430568</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Wed, 20 Nov 2013 11:49:06 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 10:38:29 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/rob">@<bdi>Rob</bdi></a>:</p>
<blockquote>
<p dir="auto">Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?</p>
</blockquote>
<p dir="auto">Switched the VPN tunnel net to 192.168.20.0/24.  Still nothing travels into the LAN.  :-\  I've temporarily disabled the firewall on the client.  Doesn't help though.</p>
]]></description><link>https://forum.netgate.com/post/430562</link><guid isPermaLink="true">https://forum.netgate.com/post/430562</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Wed, 20 Nov 2013 10:38:29 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 09:46:41 GMT]]></title><description><![CDATA[<p dir="auto">Is it possibly an issue that my VPN tunnel network (10.12.43.0/24) is within my LAN (10.12.0.0/16)?</p>
<p dir="auto">And is this firewall rule on the OpenVPN interface sufficient?</p>
<pre><code>Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule	Description	
IPv4   *       *     *            *     *        *      none      OpenVPN My company VPN wizard
</code></pre>
]]></description><link>https://forum.netgate.com/post/430557</link><guid isPermaLink="true">https://forum.netgate.com/post/430557</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Wed, 20 Nov 2013 09:46:41 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Wed, 20 Nov 2013 09:39:41 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/georgeman">@<bdi>georgeman</bdi></a>:</p>
<blockquote>
<p dir="auto">All you posted looks fine for me.</p>
<p dir="auto">Check also your Outbound NAT settings (I have just read <a href="http://forum.pfsense.org/index.php/topic,69379.0.html" target="_blank" rel="noopener noreferrer nofollow ugc">a topic</a> where that was the problem). There shouldn't be any rules for the OpenVPN interface</p>
</blockquote>
<p dir="auto">Automatic outbound NAT is switched on. No other mappings.</p>
]]></description><link>https://forum.netgate.com/post/430556</link><guid isPermaLink="true">https://forum.netgate.com/post/430556</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Wed, 20 Nov 2013 09:39:41 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Tue, 19 Nov 2013 20:35:16 GMT]]></title><description><![CDATA[<p dir="auto">All you posted looks fine for me.</p>
<p dir="auto">Check also your Outbound NAT settings (I have just read <a href="http://forum.pfsense.org/index.php/topic,69379.0.html" target="_blank" rel="noopener noreferrer nofollow ugc">a topic</a> where that was the problem). There shouldn't be any rules for the OpenVPN interface</p>
]]></description><link>https://forum.netgate.com/post/430481</link><guid isPermaLink="true">https://forum.netgate.com/post/430481</guid><dc:creator><![CDATA[georgeman]]></dc:creator><pubDate>Tue, 19 Nov 2013 20:35:16 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Tue, 19 Nov 2013 20:30:24 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/georgeman">@<bdi>georgeman</bdi></a>:</p>
<blockquote>
<p dir="auto">Did you run the OpenVPN client as administrator on Windows 7?</p>
</blockquote>
<p dir="auto">I sure did.</p>
]]></description><link>https://forum.netgate.com/post/430480</link><guid isPermaLink="true">https://forum.netgate.com/post/430480</guid><dc:creator><![CDATA[Rob Pomeroy]]></dc:creator><pubDate>Tue, 19 Nov 2013 20:30:24 GMT</pubDate></item><item><title><![CDATA[Reply to Windows 7 OpenVPN client can&#x27;t reach the LAN on Tue, 19 Nov 2013 20:19:12 GMT]]></title><description><![CDATA[<p dir="auto">Did you run the OpenVPN client as administrator on Windows 7? (right-click, run as administrator). Otherwise the route won't get added properly (although on the screenshot it looks fine)</p>
]]></description><link>https://forum.netgate.com/post/430476</link><guid isPermaLink="true">https://forum.netgate.com/post/430476</guid><dc:creator><![CDATA[georgeman]]></dc:creator><pubDate>Tue, 19 Nov 2013 20:19:12 GMT</pubDate></item></channel></rss>