Netgate Discussion Forum

    OpenVPN No LAN Access using PIA

      raidflex

      Hello all.
      I have recently set up pfSense to use the OpenVPN client with Private Internet Access as the provider. My goal is to be able to connect to the VPN remotely so that I have access to my LAN at home and also internet access through the VPN. The problem I have is I just cannot seem to access any PCs on my LAN while connected to the VPN remotely. I do have internet access while I am on the VPN. If I try to even ping my LAN's default gateway, I receive destination unreachable.

      Default Gateway - 192.168.2.1
      LAN - 192.168.2.0

      Cable Modem - pfSense - Switch - LAN PCs






        raidflex

        Bump, anyone have any ideas? I can post more info of my network if needed. I have a feeling it's a simple firewall rule issue, but just can't figure it out.

          KOM

          In your OpenVPN config, what do you have for "IPv4 Tunnel Network" and "IPv4 Local Network/s"?

            raidflex

            @KOM:

            In your OpenVPN config, what do you have for "IPv4 Tunnel Network" and "IPv4 Local Network/s"?

            Currently those fields are blank.

              KOM

              I believe that you must put your local LAN in the IPv4 Local Network/s so that pfSense knows which networks to allow your OpenVPN users to access, so yours would be 192.168.2.0/24.  For IPv4 Tunnel Network, this is the subnet that your clients will be given an IP address from, and I think I remember reading that it should be different than your LAN subnet.  Try 10.10.0.1/24.  Test it and see if you get any satisfaction.

                raidflex

                @KOM:

                I believe that you must put your local LAN in the IPv4 Local Network/s so that pfSense knows which networks to allow your OpenVPN users to access, so yours would be 192.168.2.0/24.  For IPv4 Tunnel Network, this is the subnet that your clients will be given an IP address from, and I think I remember reading that it should be different than your LAN subnet.  Try 10.10.0.1/24.  Test it and see if you get any satisfaction.

                I tried inputting those settings but still no luck. When I check the routing table on the OpenVPN client side, I did not see any routes to my gateway or LAN. Also I did restart the OpenVPN service just to make sure.

                  KOM

                  I've found that sometimes it's easier to blow it away and recreate it than try to figure out a bad install.  I've had success with OpenVPN and pfSense by following this tutorial:

                  https://www.youtube.com/watch?v=VdAHVSTl1ys

                    raidflex

                    @KOM:

                    I've found that sometimes it's easier to blow it away and recreate it than try to figure out a bad install.  I've had success with OpenVPN and pfSense by following this tutorial:

                    https://www.youtube.com/watch?v=VdAHVSTl1ys

                    I actually deleted the VPN connection last night and started from scratch. I have done this a couple times, always with the same result. Also the video you posted is for a VPN server setup, I am only using the client.  There must be something I am doing wrong, but at this point I am not sure what it is.

                      KOM

                      I'm sorry, I don't think I understand.  You have an instance of pfSense on your LAN, but you want to use it to generate OpenVPN clients that connect to some other VPN service?

                        raidflex

                        @KOM:

                        I'm sorry, I don't think I understand.  You have an instance of pfSense on your LAN, but you want to use it to generate OpenVPN clients that connect to some other VPN service?

                        No, I want to be able to route all my internet traffic through the VPN and also access my home LAN computers remotely while I am on the VPN.

                        So currently my pfSense instance is acting as my home router/firewall and I would like to use the OpenVPN client feature in pfSense to connect to my VPN provider, which in this case is Private Internet Access. Once I am connected I want to have access to my home network, basically as if I am there.

                          KOM

                          OK, so you want to tunnel in to your PIA provider, and then tunnel inside that tunnel to your home VPN?  Sorry, I got nothing.  Never did that before and have no idea how.

                            raidflex

                            @KOM:

                            OK, so you want to tunnel in to your PIA provider, and then tunnel inside that tunnel to your home VPN?  Sorry, I got nothing.  Never did that before and have no idea how.

                            So basically you're saying that using a VPN provider there is no way to access your home LAN? So I would need to set up my own OpenVPN server in order to do this?

                              KOM

                              I didn't say anything of the sort.  I said I have no idea how to do that.  I'm fairly new to pfSense and am still feeling my way around.  I was trying to help you in any way I could, but I lack the knowledge to solve your problem.  For all I know, what you are trying to do is very simple, but I have no idea myself as to how to do it.  Perhaps it's impossible.

                                raidflex

                                @KOM:

                                I didn't say anything of the sort.  I said I have no idea how to do that.  I'm fairly new to pfSense and am still feeling my way around.  I was trying to help you in any way I could, but I lack the knowledge to solve your problem.  For all I know, what you are trying to do is very simple, but I have no idea myself as to how to do it.  Perhaps it's impossible.

                                I understand and appreciate the help, I am also new to pfSense. It may be that it is not possible, I tried searching this forum and online but could not find a definitive answer. It seems as if other people are able to access their LAN, but this may just be because they are using the OpenVPN server feature in pfSense and not the client option.  Hopefully I can figure this out before Monday because I only have 7 days to get a refund with PIA. If I cannot access my LAN with the VPN service then, for my purposes, it's pointless.

                                  KOM

                                  Yes, from what I have seen here, most people use OpenVPN to allow external access to their LAN from a standard Internet connection via OpenVPN client.

                                  The fact that you're connected through some ISP's VPN doesn't mean you have some magic universal VPN connectivity.  If you want to get into your LAN, I believe that you will have to run the OpenVPN client that has been specially-configured to connect to your LAN through the OpenVPN server that you set up.  I'm not sure it's possible to run multiple VPN clients on top of one another, as I believe each installs itself as a virtual NIC and changes the routing table when enabled & connected.  What you are trying to do may well be impossible, or require an end-to-end solution.

                                    raidflex

                                    @KOM:

                                    Yes, from what I have seen here, most people use OpenVPN to allow external access to their LAN from a standard Internet connection via OpenVPN client.

                                    The fact that you're connected through some ISP's VPN doesn't mean you have some magic universal VPN connectivity.  If you want to get into your LAN, I believe that you will have to run the OpenVPN client that has been specially-configured to connect to your LAN through the OpenVPN server that you set up.  I'm not sure it's possible to run multiple VPN clients on top of one another, as I believe each installs itself as a virtual NIC and changes the routing table when enabled & connected.  What you are trying to do may well be impossible, or require an end-to-end solution.

                                    I wonder if I could set up an OpenVPN server on my pfSense instance and then connect my client to that server. Then create a firewall rule to allow all traffic to move freely between my own VPN server, the LAN and the PIA service.

                                      KOM

                                      Like I said earlier, I don't know if it's possible to run multiple VPN clients concurrently but I doubt it.  You might try contacting your VPN ISP and see if they can help in any way.

                                        raidflex

                                        @KOM:

                                        Like I said earlier, I don't know if it's possible to run multiple VPN clients concurrently but I doubt it.  You might try contacting your VPN ISP and see if they can help in any way.

                                        Well it wouldn't be multiple VPN clients technically. The pfSense instance would be running a server and also a client.

                                          phil.davis

                                          Set up an OpenVPN server on your pfSense and you can connect in to it from a "road warrior" client on your laptop wherever you happen to be. If you have only a dynamic IP from your ISP, then you will also need to register with a dynamic DNS provider so you can have a name that always translates to your current public IP.
                                          Then if you want anonymity, to be seen as the PIA-allocated public IP, whatever… then you can send traffic from your road warrior laptop through the OpenVPN tunnel to your pfSense. Then pfSense can send it on through the tunnel to PIA and PIA can put it back on the real internet.
                                          If you actually do not care about tunneling outgoing traffic to a VPN provider, then do not bother with PIA.
                                          If you want to access from LAN to an OpenVPN "Road Warrior" server+clients you will need to put a rule on LAN before your policy-routing "all to PIA gateway" rule, that passes traffic for the OpenVPN road warrior subnet to the ordinary routing table (i.e. with no gateway specified in the rule)

                                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
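
The rule ordering described in the post above, as an added example that is not part of the original post or of pfSense itself: a simplified model of top-down, first-match LAN rules, where a rule with a gateway set bypasses the routing table. The 10.10.0.0/24 road warrior subnet and the names `PIA_GW`, `ovpn_server`, `lan` and `wan` are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.2.0/24")        # LAN from the thread
ROADWARRIOR_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed tunnel network
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: Optional[str] = None  # None = hand off to the ordinary routing table

# Simplified routing table; interface names are hypothetical labels.
ROUTES = {LAN_NET: "lan", ROADWARRIOR_NET: "ovpn_server", ANY: "wan"}

def route_lookup(dst_ip):
    """Longest-prefix match over the simplified routing table."""
    matches = [net for net in ROUTES if dst_ip in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]

def egress(rules, src, dst):
    """Where a new connection arriving on the LAN interface is sent."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:  # evaluated top-down, first match wins
        if src_ip in rule.src and dst_ip in rule.dst:
            # A gateway on the rule forces policy routing; otherwise the
            # routing table decides.
            return rule.gateway or route_lookup(dst_ip)
    return "blocked"  # nothing matched: default deny

ALL_TO_PIA = Rule("all to PIA gateway", LAN_NET, ANY, gateway="PIA_GW")
TO_ROADWARRIOR = Rule("LAN to road warrior subnet", LAN_NET, ROADWARRIOR_NET)

BROKEN = [ALL_TO_PIA]                       # only the policy-routing rule
WRONG_ORDER = [ALL_TO_PIA, TO_ROADWARRIOR]  # pass rule is never reached
FIXED = [TO_ROADWARRIOR, ALL_TO_PIA]        # pass rule first, as described

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("wrong order", WRONG_ORDER), ("fixed", FIXED)):
        print(label,
              "| LAN host -> road warrior client:", egress(rules, "192.168.2.50", "10.10.0.6"),
              "| LAN host -> internet:", egress(rules, "192.168.2.50", "8.8.8.8"))
```

Only the ordering with the no-gateway pass rule first delivers LAN-initiated traffic to the road warrior subnet; internet-bound traffic still leaves via the PIA gateway in every case.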

                                            raidflex

                                            @phil.davis:

                                            Set up an OpenVPN server on your pfSense and you can connect in to it from a "road warrior" client on your laptop wherever you happen to be. If you have only a dynamic IP from your ISP, then you will also need to register with a dynamic DNS provider so you can have a name that always translates to your current public IP.
                                            Then if you want anonymity, to be seen as the PIA-allocated public IP, whatever… then you can send traffic from your road warrior laptop through the OpenVPN tunnel to your pfSense. Then pfSense can send it on through the tunnel to PIA and PIA can put it back on the real internet.
                                            If you actually do not care about tunneling outgoing traffic to a VPN provider, then do not bother with PIA.
                                            If you want to access from LAN to an OpenVPN "Road Warrior" server+clients you will need to put a rule on LAN before your policy-routing "all to PIA gateway" rule, that passes traffic for the OpenVPN road warrior subnet to the ordinary routing table (i.e. with no gateway specified in the rule)

                                            But in order to set up pfSense this way I would still need two public IP addresses, correct?
