How to access local IPs



  • I have set up OpenVPN as per https://www.youtube.com/watch?v=VdAHVSTl1ys

    I can connect to the VPN and browse, but I can't access any IPs on the internal network.

    How do I set things up so that I can be routed from my VPN 192.168.5.0 to my normal internal IP range 192.168.10.1?



  • The OpenVPN server is handled as an additional interface in pfSense. So you have to go to Firewall > Rules > OpenVPN in GUI and add appropriate rules to allow access you want.



  • The firewall is fully open... it looks like a routing issue to me.




  • Post your server1.conf.



  • Maybe have a look at the "Firewall" -> "NAT" -> "Outbound" tab, to see whether there is an auto-created rule for the OpenVPN server?



  • No NAT rules

    Server1.conf

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.1.10
    tls-server
    server 192.168.5.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 192.168.10.0 255.255.255.0"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float



  • In your Outbound Nat rule list, has it selected "Automatic" at the top, or manual?



  • Automatic.



  • A couple things:

    1.  You are double NATing. Have you checked the settings on the edge device?
    1a. Personally, I'd move away from double NATing, it's just one more link in the chain that you need to troubleshoot.  Or at least get off the 192.168.1.x subnet,  it's just going to cause issues down the road.

    2.  It appears you do not have a "Peer Certificate Authority" configured.  You will want to add that.

    3.  Add an any/any rule to the openvpn tab.  This appears to be done.

    4.  Turn off the software firewall on your internal resources while testing, so we can rule that piece out.  At this point, do pings still fail?  How does a traceroute look?

    5.  What subnet is the client on when testing?



  • Oh, wait, I just thought of something... Just to check, when you are running your VPN client, are you running it as Administrator? This kind of sounds like the actual routes are being set on the client PC. If you are running it as an admin, would you mind posting a traceroute output going from the client to a machine on the other side of your VPN?
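The last two posts boil down to one check: do the routes the server pushes actually show up in the client's route table, and do they point into the tunnel? The script below is an added example, not code from the thread or from pfSense/OpenVPN. It reads the routing-relevant directives from the posted server1.conf (`server`, `push "route ..."`, `push "redirect-gateway def1"`), works out the routes a client should end up with, and compares them against a route table. The route table here is a constructed Windows `route print`-style listing; the client address 192.168.5.6 with tunnel gateway 192.168.5.5 is an assumption (default net30 topology), not something taken from the thread. A pushed route that is missing, or present but not via a tunnel gateway, is exactly what an OpenVPN client started without Administrator rights produces.

```python
"""Compare the routes an OpenVPN server pushes with what a client actually installed.

Added example. SERVER_CONF repeats the routing lines of the posted server1.conf;
ROUTE_PRINT is a constructed `route print` listing (client 192.168.5.6, tunnel
gateway 192.168.5.5 are assumed, not from the thread).
"""
import ipaddress
import re

SERVER_CONF = """\
local 192.168.1.10
server 192.168.5.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
"""

# Constructed client route table: the def1 split-default routes arrived,
# the LAN route 192.168.10.0/24 did not (typical when the client lacks admin rights).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0        128.0.0.0      192.168.5.5    192.168.5.6     20
        128.0.0.0        128.0.0.0      192.168.5.5    192.168.5.6     20
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
      192.168.5.4  255.255.255.252         On-link      192.168.5.6    276
"""

ROW = re.compile(r'^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+'
                 r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$')


def parse_server_conf(text):
    """Return (vpn_subnet, routes the client should install) from an OpenVPN server config."""
    vpn_subnet = None
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.replace('"', '').split()
        if parts[0] == 'server' and len(parts) >= 3:
            vpn_subnet = ipaddress.ip_network(f'{parts[1]}/{parts[2]}', strict=False)
        elif parts[0] == 'push' and len(parts) >= 2:
            if parts[1] == 'route' and len(parts) >= 4:
                routes.append(ipaddress.ip_network(f'{parts[2]}/{parts[3]}', strict=False))
            elif parts[1] == 'redirect-gateway' and 'def1' in parts[2:]:
                # def1 does not replace 0.0.0.0/0; it adds two more-specific /1 routes via the tunnel
                routes.append(ipaddress.ip_network('0.0.0.0/1'))
                routes.append(ipaddress.ip_network('128.0.0.0/1'))
    return vpn_subnet, routes


def parse_route_print(text):
    """Return {network: (gateway or None for On-link, interface address)} from `route print` text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, IPv6 section
        dest, mask, gw, iface, _metric = m.groups()
        net = ipaddress.ip_network(f'{dest}/{mask}', strict=False)
        gateway = ipaddress.ip_address(gw) if gw[0].isdigit() else None
        table[net] = (gateway, ipaddress.ip_address(iface))
    return table


def missing_routes(vpn_subnet, expected, table):
    """Pushed routes that are absent on the client, or present but not via a tunnel gateway."""
    missing = []
    for net in expected:
        entry = table.get(net)
        if entry is None:
            missing.append(net)
            continue
        gateway, iface = entry
        if gateway is None or gateway not in vpn_subnet or iface not in vpn_subnet:
            missing.append(net)
    return missing


def report(conf_text, route_text):
    """Human-readable summary; returns the list of missing networks as strings."""
    vpn_subnet, expected = parse_server_conf(conf_text)
    table = parse_route_print(route_text)
    missing = [str(n) for n in missing_routes(vpn_subnet, expected, table)]
    for net in expected:
        state = 'MISSING or not via tunnel' if str(net) in missing else 'ok'
        print(f'{net!s:<18} {state}')
    return missing


if __name__ == '__main__':
    report(SERVER_CONF, ROUTE_PRINT)
```

If the LAN route is the only one reported missing while the two /1 routes are fine, the server side is doing its job and the client simply could not install the route; rerunning the client as Administrator (or fixing the return route on the LAN, if the route is present but traffic still fails) is the next step.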