Another "can't access my LAN" situation.



  • Hi,
    situation: I need to access some webcams and Samba shared folders at my near-the-sea house.

    I don't trust to put the webcams directly visible on the Internet, so I'm trying to setup an OpenVPN to my internal LAN behind the pfSense firewall.

    example of real situation:

    LAN (behind pfSense) : 192.168.1.0/24
    WAN: PPPoE

    setup: I created my CA, a server Certificate and a standard webcam user named "fra" with its own Certificate.

    Then i setup an OpenVPN server as this screenshot (tunnel is 192.168.20.0/24)

    I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?).

    I connect successfully, but I can't neither see any shared directory nor ping any LAN remote client.

    here's server config

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local [WAN ADDRESS, public IP]
    tls-server
    server 192.168.20.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float

    as you can see, for privacy reasons, I omitted the [WAN ADDRESS, public IP]

    client conf

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 82.57.23.246 1194 udp
    lport 0
    verify-x509-name "www.MyCompany.com" name
    auth-user-pass
    pkcs12 pfsense-udp-1194-fra.p12
    tls-auth pfsense-udp-1194-fra-tls.key 1
    ns-cert-type server


  • LAYER 8 Global Moderator

    "LAN (behind pfSense) : 192.168.1.0/24"
    "I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?)."

    Bingo - you win a cookie ;)



  • As johnpoz suggested, your problem is two of the same subnets trying to connect across the VPN tunnel.  The simplest solution is to change one of them to something other than 192.168.1.x.

    Personally I would change both of them to something other than 192.168.0.x or 192.168.1.x, those two just get used by too many devices as defaults and eventually cause grief.  Just make sure they're different from one another.



  • I changed the iPad’s LAN to 192.168.3.0/24 and still can't browse the LAN behind the pfSense OpenVPN server. I can only access and ping the pFSense box and use pFSense web interface, but I can't ping any IP address of the LAN.



  • What do your Firewall rules look like on the OpenVPN tab?



  • The OpenVPN Tab under Firewall –> Rules was created at the end of the OpenVPN wizard, so is reporting an allow any rule.


  • LAYER 8 Global Moderator

    What do the firewalls on the HOSTs your trying to ping look like..  This is such a common issue!!  Out of the box windows for example is not going to answer ping from different network.  What firewall profile are you in, private public?  Same goes for linux running local firewall.

    edit:  Would show you a picture of the windows default icmp rule - but seems attachments not working

    here I will link to it

    When pinging other type devices like camera's do they even have a gateway setup..  Can not ping something from a remote segment if doesn't know the gateway to get off its segment.



  • I found the solution!  ;D

    Here is my new server.conf. I simply added

    route 192.168.20.0 255.255.255.0
    

    in the Advanced configuration box of the OpenVPN configuration.

    Then I enabled in System: Advanced: Firewall and NAT

    NAT Reflection mode for port forwards –> Enable pure NAT

    and (in System: Advanced: Firewall and NAT too)

    Enable automatic outbound NAT for Reflection –> Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.

    dev ovpns1
    dev-type tunable
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local [WAN ADDRESS HERE]
    tls-server
    server 192.168.20.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    topology subnet
    route 192.168.20.0 255.255.255.0



  • Glad to hear you're up and running  :)

    Interesting note about needing to set NAT reflection, that's not something I would normally have suggested with OpenVPN.  The "route 192.168.20.0 255.255.255.0" option also doesn't look like a typical req't.

    My experience has been that the OpenVPN "Road Warrior" type installs are pretty easy.  Normally the biggest issues are with getting the certificates setup correctly.

    How did you install the client on the iPad?  I usually install the OpenVPN client export package to make sure things get setup on the clients properly.

    Anyway, I'm not one to argue with success!



  • I followed this excellent tutorial

    http://www.derman.com/blogs/OpenVPN-Server-Setup


  • LAYER 8 Global Moderator

    You clearly do not need to route your tunnel network.. So that is not fixing your issue of no ping..

    You do not need nat reflection - so while you think you fixed something with those setting..  They have nothing to do with what your original issue was - its more likely the restart of the openvpn service fixed the problem vs those settings.  They have nothing to do with using vpn – they are not in your guide you linked too that is for sure ;)

    I don't have them setup and I access and ping resources via a vpn connection pretty much every single day.

    Just Saying ;)



  • I've just disabled

    route 192.168.20.0 255.255.255.0

    restarted the VPN and… it doesn't work anymore. Put it back in and... it works.



  • Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

    I wonder what that would do?



  • @kejianshi:

    Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

    I wonder what that would do?

    Sorry, would you mind to elaborate? Thanks! :)


Log in to reply