Another "can't access my LAN" situation.

panz

Hi,
situation: I need to access some webcams and Samba shared folders at my near-the-sea house.

I don't trust to put the webcams directly visible on the Internet, so I'm trying to setup an OpenVPN to my internal LAN behind the pfSense firewall.

example of real situation:

LAN (behind pfSense) : 192.168.1.0/24
WAN: PPPoE

setup: I created my CA, a server Certificate and a standard webcam user named "fra" with its own Certificate.

Then i setup an OpenVPN server as this screenshot (tunnel is 192.168.20.0/24)

I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?).

I connect successfully, but I can't neither see any shared directory nor ping any LAN remote client.

here's server config

dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local [WAN ADDRESS, public IP]
tls-server
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

as you can see, for privacy reasons, I omitted the [WAN ADDRESS, public IP]

client conf

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 82.57.23.246 1194 udp
lport 0
verify-x509-name "www.MyCompany.com" name
auth-user-pass
pkcs12 pfsense-udp-1194-fra.p12
tls-auth pfsense-udp-1194-fra-tls.key 1
ns-cert-type server

johnpoz

"LAN (behind pfSense) : 192.168.1.0/24"
"I try to connect from my iPad (which is behind a TP-Link Router and has the LAN address in the 192.168.1.0/24 range… maybe this is the problem?)."

Bingo - you win a cookie ;)

divsys

As johnpoz suggested, your problem is two of the same subnets trying to connect across the VPN tunnel.  The simplest solution is to change one of them to something other than 192.168.1.x.

Personally I would change both of them to something other than 192.168.0.x or 192.168.1.x, those two just get used by too many devices as defaults and eventually cause grief.  Just make sure they're different from one another.

panz

I changed the iPad’s LAN to 192.168.3.0/24 and still can't browse the LAN behind the pfSense OpenVPN server. I can only access and ping the pFSense box and use pFSense web interface, but I can't ping any IP address of the LAN.

divsys

What do your Firewall rules look like on the OpenVPN tab?

panz

The OpenVPN Tab under Firewall –> Rules was created at the end of the OpenVPN wizard, so is reporting an allow any rule.

johnpoz

What do the firewalls on the HOSTs your trying to ping look like..  This is such a common issue!!  Out of the box windows for example is not going to answer ping from different network.  What firewall profile are you in, private public?  Same goes for linux running local firewall.

edit:  Would show you a picture of the windows default icmp rule - but seems attachments not working

here I will link to it

When pinging other type devices like camera's do they even have a gateway setup..  Can not ping something from a remote segment if doesn't know the gateway to get off its segment.

panz

I found the solution!  ;D

Here is my new server.conf. I simply added

route 192.168.20.0 255.255.255.0

in the Advanced configuration box of the OpenVPN configuration.

Then I enabled in System: Advanced: Firewall and NAT

NAT Reflection mode for port forwards –> Enable pure NAT

and (in System: Advanced: Firewall and NAT too)

Enable automatic outbound NAT for Reflection –> Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.

dev ovpns1
dev-type tunable
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local [WAN ADDRESS HERE]
tls-server
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet
route 192.168.20.0 255.255.255.0

divsys

Glad to hear you're up and running  :)

Interesting note about needing to set NAT reflection, that's not something I would normally have suggested with OpenVPN.  The "route 192.168.20.0 255.255.255.0" option also doesn't look like a typical req't.

My experience has been that the OpenVPN "Road Warrior" type installs are pretty easy.  Normally the biggest issues are with getting the certificates setup correctly.

How did you install the client on the iPad?  I usually install the OpenVPN client export package to make sure things get setup on the clients properly.

Anyway, I'm not one to argue with success!

panz

I followed this excellent tutorial

http://www.derman.com/blogs/OpenVPN-Server-Setup

johnpoz

You clearly do not need to route your tunnel network.. So that is not fixing your issue of no ping..

You do not need nat reflection - so while you think you fixed something with those setting..  They have nothing to do with what your original issue was - its more likely the restart of the openvpn service fixed the problem vs those settings.  They have nothing to do with using vpn – they are not in your guide you linked too that is for sure ;)

I don't have them setup and I access and ping resources via a vpn connection pretty much every single day.

Just Saying ;)

panz

I've just disabled

route 192.168.20.0 255.255.255.0

restarted the VPN and… it doesn't work anymore. Put it back in and... it works.

kejianshi

Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

I wonder what that would do?

panz

@kejianshi:

Try this - Just list it in "IPV4 local networks" along with the other /24 you have listed there and remove your push command.

I wonder what that would do?

Sorry, would you mind to elaborate? Thanks! :)