Setting up OpenVPN to access NAS on LAN
-
I've been trying to set up OpenVPN so that I can access files on my NAS from on the road. I followed this tutorial http://www.youtube.com/watch?v=VdAHVSTl1ys that I found.
The tunnel network is 192.168.10.0/24 and the local network is 192.168.1.0/24. The client is installed on a 64bit Win8.1 Pro machine. When starting OpenVPN the connection is established successfully but I can't access anything on the LAN.
Any help is much appreciated.
-
I haven't watched the video but here are a few common tricks:
a) Is "on the road" actually on a WiFi hotspot that also has subnet 192.168.1.0/24? A conflict like this will not route. Change your home subnet to some obscure private subnet - 172.16.42.0/24 or…
b) Do you have firewall rule/s on OpenVPN tab allowing traffic from source any to destination LANnet (or even to "any" for testing...)? Give more detail of your rules etc if you are stuck.
-
The setup I'm trying from is this:
NAS 192.168.1.110 ---- pfSense 192.168.1.1 ---- (Internet) VPN Tunnel 192.168.10.0/24 ---- Router 192.168.0.1 ---- VPN Client 192.168.0.10
The firewall rules are the ones created by the Wizard:
Under WAN there is a rule allowing all UDP traffic with Destination Port: 1194 and Destination Address: Wan Address
Under OpenVPN there is a rule to allow everything.
-
I watched the video - it looks good and should work like that on 2.1 also.
Look in Diagnostics->Routes and see what routes the system knows about.
Can the client ping 192.168.10.1 (OpenVPN server end) and 192.168.1.1 (pfSense LAN)?
Does the NAS have a default gateway set to be the pfSense LAN IP? (It will need to know how to route back to you outside of LAN)
-
This is what is in routes. I don't know how to make sense of it though.
| IPv4 | | | | | | | |
| Destination | Gateway | Flags | Refs | Use | Mtu | Netif | Expire |
| default | 82.181.24.1 | UGS | 0 | 1246543 | 1500 | re1 | |
| 62.241.198.245 | a0:98:05:01:b7:a6 | UHS | 0 | 951 | 1500 | re1 | |
| 62.241.198.246 | a0:98:05:01:b7:a6 | UHS | 0 | 944 | 1500 | re1 | |
| 82.181.24.0/21 | link#2 | U | 0 | 14770 | 1500 | re1 | |
| 82.181.27.123 | link#2 | UHS | 0 | 0 | 16384 | lo0 | |
| 127.0.0.1 | link#7 | UH | 0 | 133 | 16384 | lo0 | |
| 192.168.1.0/24 | link#3 | U | 0 | 73922557 | 1500 | re2 | |
| 192.168.1.1 | link#3 | UHS | 0 | 0 | 16384 | lo0 | |
| 192.168.10.1 | link#8 | UHS | 0 | 0 | 16384 | lo0 | => |
| 192.168.10.1/32 | link#8 | U | 0 | 0 | 1500 | ovpns1 | |

Both ping 192.168.10.1 and ping 192.168.1.1 time out.
The Default Gateway for the NAS is 192.168.1.1.
-
The last line, 192.168.10.1/32, is not what I expect. For example, I am VPN'd in right now to my office and get lines like this:
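| Destination | Gateway | Flags | Refs | Use | Mtu | Netif |
| 10.50.32.0/24 | 10.50.32.2 | UGS | 0 | 12392 | 1500 | ovpns5 |
| 10.50.32.1 | link#13 | UHS | 0 | 0 | 16384 | lo0 |
| 10.50.32.2 | link#13 | UH | 0 | 0 | 1500 | ovpns5 |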
The tunnel network is 10.50.32.0/24 and it knows my server end is ".1" (the "lo0" line) and my client is ".2" on ovpns5.
Check your server settings and make sure the tunnel network really is "/24". Post the server settings, just obscure the TLS key stuff. Something is set that is stopping the normal range of addresses existing in the tunnel.
-
The only difference from my working Road Warrior server is that you have checked "Allow connected clients to retain their connections if their IP address changes." - I can't imagine how that would break things.
I do a Client Export of the 32-bit version of OpenVPN client, and check "Management Interface OpenVPNManager" so I get the OpenVPN Manager toolbox thing for users. It is working for me at home on a Windows8.1 laptop, but it is only 32-bit. Again, I don't see how this would make a real difference to your problem.
Post a "route print" from the Windows8.1 system - it will be interesting to see what it thinks about its routes.
-
This is what route print says:
===========================================================================
Interface List
  8...00 ff 00 3a ea 09 ......TAP-Windows Adapter V9
  7...bc ee 7b 8c 6e d9 ......Realtek PCIe GBE Family Controller #2
  6...00 00 07 fd 52 78 ......Evolve Virtual Ethernet Adapter
  1...........................Software Loopback Interface 1
  9...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  4...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
  5...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0          On-link     192.168.0.10    266
     192.168.0.10  255.255.255.255          On-link     192.168.0.10    266
    192.168.0.255  255.255.255.255          On-link     192.168.0.10    266
     192.168.10.4  255.255.255.252          On-link     192.168.10.6    286
     192.168.10.6  255.255.255.255          On-link     192.168.10.6    286
     192.168.10.7  255.255.255.255          On-link     192.168.10.6    286
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     192.168.0.10    266
        224.0.0.0        240.0.0.0          On-link     192.168.10.6    286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     192.168.0.10    266
  255.255.255.255  255.255.255.255          On-link     192.168.10.6    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
  255.255.255.255  255.255.255.255          On-link       1
        224.0.0.0        240.0.0.0          On-link       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination              Gateway
  1    306 ::1/128                          On-link
  7    266 fe80::/64                        On-link
  8    286 fe80::/64                        On-link
  8    286 fe80::1cd4:f06d:beb1:2cfe/128    On-link
  7    266 fe80::c11c:afd1:c3c7:9fee/128    On-link
  1    306 ff00::/8                         On-link
  7    266 ff00::/8                         On-link
  8    286 ff00::/8                         On-link
===========================================================================
Persistent Routes:
  None
-
There is no route to 192.168.1.0/24. My Win8.1 system IPv4 routes look like this:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          On-link   10.240.184.128     31
        10.49.0.0      255.255.0.0       10.50.32.5       10.50.32.6   4256
       10.50.32.1  255.255.255.255       10.50.32.5       10.50.32.6   4256
       10.50.32.4  255.255.255.252          On-link       10.50.32.6   4511
       10.50.32.6  255.255.255.255          On-link       10.50.32.6   4511
       10.50.32.7  255.255.255.255          On-link       10.50.32.6   4511
        10.51.0.0      255.255.0.0       10.50.32.5       10.50.32.6   4256
   10.240.184.128  255.255.255.255          On-link   10.240.184.128    286
        127.0.0.0        255.0.0.0          On-link        127.0.0.1   4531
        127.0.0.1  255.255.255.255          On-link        127.0.0.1   4531
  127.255.255.255  255.255.255.255          On-link        127.0.0.1   4531
        224.0.0.0        240.0.0.0          On-link        127.0.0.1   4531
        224.0.0.0        240.0.0.0          On-link       10.50.32.6   4511
        224.0.0.0        240.0.0.0          On-link   10.240.184.128     31
  255.255.255.255  255.255.255.255          On-link        127.0.0.1   4531
  255.255.255.255  255.255.255.255          On-link       10.50.32.6   4511
  255.255.255.255  255.255.255.255          On-link   10.240.184.128    286
===========================================================================
Persistent Routes:
  None

It has the 10.50.32.n stuff (in the tunnel network), and also has the route to 10.49.0.0/16 across the tunnel (the LAN/s available at the other end).
Make sure to run all the OpenVPN client stuff from an Administrator account on Win8.1 to make sure it works. I suspect that OpenVPN client does not have enough priv to add the route. Once you can get the route to appear and work, then try other less priv ways to do it. I select OpenVPN Manager when exporting the client config.
-
Ok, so starting OpenVPN in admin mode does let it add a route to the table:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0          On-link     192.168.0.10    266
     192.168.0.10  255.255.255.255          On-link     192.168.0.10    266
    192.168.0.255  255.255.255.255          On-link     192.168.0.10    266
      192.168.1.0    255.255.255.0     192.168.10.5     192.168.10.6     30
     192.168.10.1  255.255.255.255     192.168.10.5     192.168.10.6     30
     192.168.10.4  255.255.255.252          On-link     192.168.10.6    286
     192.168.10.6  255.255.255.255          On-link     192.168.10.6    286
     192.168.10.7  255.255.255.255          On-link     192.168.10.6    286
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     192.168.0.10    266
        224.0.0.0        240.0.0.0          On-link     192.168.10.6    286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     192.168.0.10    266
  255.255.255.255  255.255.255.255          On-link     192.168.10.6    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
  255.255.255.255  255.255.255.255          On-link       1
        224.0.0.0        240.0.0.0          On-link       1
===========================================================================
Pinging 192.168.10.1 or 192.168.1.1 both still time out.
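-
Added example, not part of any post in this thread: a small Python check that parses the IPv4 "Active Routes" rows of a Windows `route print` and reports which route a LAN address would take, using the same longest-prefix, lowest-metric selection Windows applies. The sample rows are a constructed subset of the two tables posted above; the function names and the `tunnel_net` default are assumptions made for this example.

```python
import ipaddress

# Constructed sample: a subset of the rows from the two "route print" outputs
# in this thread (before and after running the client as Administrator).
BEFORE = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 10
192.168.0.0 255.255.255.0 On-link 192.168.0.10 266
192.168.10.4 255.255.255.252 On-link 192.168.10.6 286
"""
AFTER = BEFORE + """\
192.168.1.0 255.255.255.0 192.168.10.5 192.168.10.6 30
192.168.10.1 255.255.255.255 192.168.10.5 192.168.10.6 30
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, persistent and IPv6 rows
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            ipaddress.ip_address(iface)
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not an IPv4 route row
    return routes

def lookup(routes, target):
    """Longest-prefix match; ties are broken by the lowest metric."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def via_tunnel(routes, target, tunnel_net="192.168.10.0/24"):
    """True if the chosen route leaves through an interface in the tunnel net."""
    best = lookup(routes, target)
    tunnel = ipaddress.ip_network(tunnel_net)
    return best is not None and ipaddress.ip_address(best[2]) in tunnel

def subnets_conflict(client_lan, remote_lan):
    """Tip (a) in the thread: overlapping client and home subnets cannot route."""
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(remote_lan))

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, lookup(parse_routes(table), "192.168.1.110"))
```

With the first table the NAS address only matches the default route through 192.168.0.1; with the second it matches 192.168.1.0/24 through the tunnel interface 192.168.10.6.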