Netgate Discussion Forum

    Another "can't access my LAN" situation.

    OpenVPN
    14 Posts 4 Posters 6.0k Views
    • panz

      Hi,
      situation: I need to access some webcams and Samba shared folders at my near-the-sea house.

      I don't trust putting the webcams directly visible on the Internet, so I'm trying to set up an OpenVPN to my internal LAN behind the pfSense firewall.

      Example of the real situation:

      LAN (behind pfSense) : 192.168.1.0/24
      WAN: PPPoE

      setup: I created my CA, a server Certificate and a standard webcam user named "fra" with its own Certificate.

      Then I set up an OpenVPN server as in this screenshot (tunnel is 192.168.20.0/24).

      I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?).

      I connect successfully, but I can neither see any shared directory nor ping any remote LAN client.

      Here's the server config:

      dev ovpns1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local [WAN ADDRESS, public IP]
      tls-server
      server 192.168.20.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      push "route 192.168.1.0 255.255.255.0"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.4096
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      persist-remote-ip
      float

      As you can see, for privacy reasons, I omitted the [WAN ADDRESS, public IP].

      Client conf:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote 82.57.23.246 1194 udp
      lport 0
      verify-x509-name "www.MyCompany.com" name
      auth-user-pass
      pkcs12 pfsense-udp-1194-fra.p12
      tls-auth pfsense-udp-1194-fra-tls.key 1
      ns-cert-type server

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      • johnpoz LAYER 8 Global Moderator

        "LAN (behind pfSense) : 192.168.1.0/24"
        "I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?)."

        Bingo - you win a cookie ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • divsys

          As johnpoz suggested, your problem is two of the same subnets trying to connect across the VPN tunnel. The simplest solution is to change one of them to something other than 192.168.1.x.

          Personally I would change both of them to something other than 192.168.0.x or 192.168.1.x, those two just get used by too many devices as defaults and eventually cause grief.  Just make sure they're different from one another.

          -jfp

          • panz

            I changed the iPad's LAN to 192.168.3.0/24 and still can't browse the LAN behind the pfSense OpenVPN server. I can only access and ping the pfSense box and use the pfSense web interface, but I can't ping any IP address of the LAN.

            • divsys

              What do your Firewall rules look like on the OpenVPN tab?

              • panz

                The OpenVPN tab under Firewall –> Rules was created at the end of the OpenVPN wizard, so it shows an allow-any rule.

                • johnpoz LAYER 8 Global Moderator

                  What do the firewalls on the HOSTs you're trying to ping look like? This is such a common issue!! Out of the box, Windows for example is not going to answer ping from a different network. What firewall profile are you in, private or public? Same goes for Linux running a local firewall.

                  edit: I would show you a picture of the Windows default ICMP rule, but it seems attachments are not working.

                  here I will link to it

                  When pinging other types of devices like cameras, do they even have a gateway set up? You cannot ping something from a remote segment if it doesn't know the gateway to get off its segment.

                  • panz

                    I found the solution!  ;D

                    Here is my new server.conf. I simply added

                    route 192.168.20.0 255.255.255.0

                    in the Advanced configuration box of the OpenVPN configuration.

                    Then I enabled in System: Advanced: Firewall and NAT

                    NAT Reflection mode for port forwards –> Enable pure NAT

                    and (in System: Advanced: Firewall and NAT too)

                    Enable automatic outbound NAT for Reflection –> Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.

                    dev ovpns1
                    dev-type tun
                    tun-ipv6
                    dev-node /dev/tun1
                    writepid /var/run/openvpn_server1.pid
                    #user nobody
                    #group nobody
                    script-security 3
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    proto udp
                    cipher AES-128-CBC
                    up /usr/local/sbin/ovpn-linkup
                    down /usr/local/sbin/ovpn-linkdown
                    client-connect /usr/local/sbin/openvpn.attributes.sh
                    client-disconnect /usr/local/sbin/openvpn.attributes.sh
                    local [WAN ADDRESS HERE]
                    tls-server
                    server 192.168.20.0 255.255.255.0
                    client-config-dir /var/etc/openvpn-csc
                    username-as-common-name
                    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                    tls-verify /var/etc/openvpn/server1.tls-verify.php
                    lport 1194
                    management /var/etc/openvpn/server1.sock unix
                    push "route 192.168.1.0 255.255.255.0"
                    ca /var/etc/openvpn/server1.ca
                    cert /var/etc/openvpn/server1.cert
                    key /var/etc/openvpn/server1.key
                    dh /etc/dh-parameters.4096
                    crl-verify /var/etc/openvpn/server1.crl-verify
                    tls-auth /var/etc/openvpn/server1.tls-auth 0
                    comp-lzo
                    persist-remote-ip
                    float
                    topology subnet
                    route 192.168.20.0 255.255.255.0

                    • divsys

                      Glad to hear you're up and running  :)

                      Interesting note about needing to set NAT reflection, that's not something I would normally have suggested with OpenVPN.  The "route 192.168.20.0 255.255.255.0" option also doesn't look like a typical req't.

                      My experience has been that the OpenVPN "Road Warrior" type installs are pretty easy.  Normally the biggest issues are with getting the certificates setup correctly.

                      How did you install the client on the iPad?  I usually install the OpenVPN client export package to make sure things get setup on the clients properly.

                      Anyway, I'm not one to argue with success!

                      • panz

                        I followed this excellent tutorial

                        http://www.derman.com/blogs/OpenVPN-Server-Setup

                        • johnpoz LAYER 8 Global Moderator

                          You clearly do not need to route your tunnel network.. So that is not fixing your issue of no ping..

                          You do not need NAT reflection - so while you think you fixed something with those settings, they have nothing to do with what your original issue was - it's more likely the restart of the OpenVPN service fixed the problem vs those settings. They have nothing to do with using VPN – they are not in the guide you linked to, that is for sure ;)

                          I don't have them setup and I access and ping resources via a vpn connection pretty much every single day.

                          Just Saying ;)

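A routing sanity check for the two problems discussed in this thread (the overlapping 192.168.1.0/24 subnets divsys describes, and the `route` to the tunnel network that johnpoz points out is already installed by the `server` directive), written as an added example by the editor, not code from any poster or from pfSense. The config text and subnets are constructed from the thread.

```python
import ipaddress
from typing import Dict, List

# Constructed from the thread: the routing-relevant lines of the posted server.conf.
SERVER_CONF = """
server 192.168.20.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.20.0 255.255.255.0
"""

def parse_server_conf(text: str) -> Dict[str, object]:
    """Extract the tunnel network, pushed routes and local 'route' lines."""
    cfg = {"tunnel": None, "pushed": [], "routes": []}
    for raw in text.splitlines():
        tok = raw.strip().replace('"', "").split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "server" and len(tok) >= 3:
            cfg["tunnel"] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        elif tok[:2] == ["push", "route"] and len(tok) >= 4:
            cfg["pushed"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "route" and len(tok) >= 3:
            cfg["routes"].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
    return cfg

def route_issues(conf_text: str, client_lan: str, server_lan: str) -> List[str]:
    """List routing problems for a road-warrior client sitting on client_lan
    that wants to reach server_lan behind the OpenVPN server in conf_text."""
    cfg = parse_server_conf(conf_text)
    tun = cfg["tunnel"]
    if tun is None:
        return ["no 'server' directive: tunnel network unknown"]
    c = ipaddress.ip_network(client_lan, strict=False)
    s = ipaddress.ip_network(server_lan, strict=False)
    issues = []
    if c.overlaps(s):
        # The client's connected route for its own LAN wins over the pushed
        # route, so packets for the remote LAN never enter the tunnel.
        issues.append(f"client LAN {c} overlaps server LAN {s}")
    for net, name in ((c, "client LAN"), (s, "server LAN")):
        if net.overlaps(tun):
            issues.append(f"tunnel {tun} overlaps {name} {net}")
    if not any(s.subnet_of(p) for p in cfg["pushed"]):
        issues.append(f"server LAN {s} is not covered by any pushed route")
    for r in cfg["routes"]:
        if r == tun:
            # 'server' already installs this route on the tun interface.
            issues.append(f"'route {r}' duplicates the route installed by 'server'")
    return issues
```

Running it with the client and server both on 192.168.1.0/24 reports the overlap; moving the client to 192.168.3.0/24 leaves only the redundant tunnel route.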
                          • panz

                            I've just disabled

                            route 192.168.20.0 255.255.255.0

                            restarted the VPN and… it doesn't work anymore. Put it back in and... it works.

                            • kejianshi

                              Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

                              I wonder what that would do?

                              • panz

                                @kejianshi:

                                Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

                                I wonder what that would do?

                                Sorry, would you mind elaborating? Thanks! :)
