How to access local IPs
I have set up OpenVPN as per https://www.youtube.com/watch?v=VdAHVSTl1ys
I can connect to the VPN and browse but I can't access any IPs on the internal network.
How do I set things up so that I can be routed from my VPN 192.168.5.0 to my normal internal IP range 192.168.10.1?
The OpenVPN server is handled as an additional interface in pfSense. So you have to go to Firewall > Rules > OpenVPN in the GUI and add appropriate rules to allow the access you want.
The firewall is fully open .. it looks like a routing issue to me.
Post your server1.conf.
Maybe have a look at the "Firewall" -> "NAT" -> "Outbound" tab, to see if there is an auto-created rule for the OpenVPN server?
No NAT rules
keepalive 10 60
server 192.168.5.0 255.255.255.0
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
management /var/etc/openvpn/server1.sock unix
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 22.214.171.124"
push "dhcp-option DNS 126.96.36.199"
push "redirect-gateway def1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
In your Outbound NAT rule list, is "Automatic" selected at the top, or manual?
A couple things:
1. You are double NATing. Have you checked the settings on the edge device?
1a. Personally, I'd move away from double NATing, it's just one more link in the chain that you need to troubleshoot. Or at least get off the 192.168.1.x subnet, it's just going to cause issues down the road.
2. It appears you do not have a "Peer Certificate Authority" configured. You will want to add that.
3. Add an any/any rule to the openvpn tab. This appears to be done.
4. Turn off the software firewall on your internal resources while testing, so we can rule that piece out. At this point, do pings still fail? How does a traceroute look?
5. What subnet is the client on when testing?
Oh, wait, I just thought of something... Just to check, when you are running your VPN client, are you running it as Administrator? This kind of sounds like the actual routes are being set on the client PC. If you are running it as an admin, would you mind posting a traceroute output going from the client to a machine on the other side of your VPN?
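
Added example (not written by any poster in this thread): a small Python check for the client-subnet question raised above. It parses the `server` and `push` directives from the posted server1.conf excerpt and reports whether the tunnel network or a pushed route overlaps the client's own LAN, a common reason pushed routes appear not to work. The client LAN values and the function names `parse_conf` and `find_conflicts` are assumptions made for illustration.

```python
import ipaddress
import shlex

# Directives copied from the server1.conf excerpt posted in the thread.
SERVER_CONF = '''\
server 192.168.5.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
'''

def parse_conf(text):
    """Return (tunnel_net, pushed_routes, redirect_gateway) from config text."""
    tunnel, routes, redirect = None, [], False
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # keeps quoted push args whole
        if not tokens:
            continue
        if tokens[0] == "server" and len(tokens) >= 3:
            tunnel = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}")
        elif tokens[0] == "push" and len(tokens) == 2:
            pushed = tokens[1].split()
            if pushed[0] == "route" and len(pushed) >= 3:
                routes.append(ipaddress.ip_network(f"{pushed[1]}/{pushed[2]}"))
            elif pushed[0] == "redirect-gateway":
                redirect = True
    return tunnel, routes, redirect

def find_conflicts(conf_text, client_lan):
    """List the VPN-side networks that overlap the client's own LAN."""
    lan = ipaddress.ip_network(client_lan)
    tunnel, routes, _ = parse_conf(conf_text)
    conflicts = []
    if tunnel is not None and tunnel.overlaps(lan):
        conflicts.append(("tunnel", tunnel))
    conflicts += [("pushed route", r) for r in routes if r.overlaps(lan)]
    return conflicts

if __name__ == "__main__":
    # Constructed client LANs: one distinct from the VPN side, one colliding.
    for lan in ("192.168.1.0/24", "192.168.10.0/24"):
        print(lan, find_conflicts(SERVER_CONF, lan) or "no overlap")
```
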