Full Access from LAN to pfSense openVPN Windows 7 Client
-
Dear Team,
From my LAN I can ping my VPN client (Windows 7 - 10.0.9.6), but I cannot access it (no ports). But the firewall allows * from * on WAN, LAN and OpenVPN.
From pfSense (via shell) I can access all ports on 10.0.9.6. What must I do to get full access from my LAN to the VPN client (Windows 7 - 10.0.9.6)?
Can anyone help me?
Thanks
-
Maybe I have found my problem:
If I connect from the LAN (my LAN PC = 192.168.0.62), I get this message:
(000003)09.10.2014 16:42:50 - (not logged in) (192.168.0.62)> 220-FileZilla Server version 0.9.47 beta
(000003)09.10.2014 16:42:50 - (not logged in) (192.168.0.62)> could not send reply, disconnected.
If I connect from pfSense to my FTP server (which is installed on my Windows 7 client that connects to the VPN server), all is fine:
(000004)09.10.2014 16:43:49 - (not logged in) (10.0.9.1)> 220-FileZilla Server version 0.9.47 beta
(000004)09.10.2014 16:43:01 - (not logged in) (10.0.9.1)> USER testuser
(000004)09.10.2014 16:43:01 - (not logged in) (10.0.9.1)> 331 Password required for anonymous
Maybe a NAT problem?
What I don't understand: why can I ping my external OpenVPN client? If I activate the firewall on the external OpenVPN client, I get packet loss…
Please help...
Any ideas?
192.168.0.254 = main router (Internet gateway)
192.168.0.250 = pfSense
Port 1194 UDP forwarded from 192.168.0.254 to 192.168.0.250
Route set from 10.0.9.0/24 -> 192.168.0.250 on 192.168.0.254
Thanks
-
And are you sure your Windows 7 client firewall is not blocking this? When you come from pfSense you're on the same IP range.
There is nothing special that has to be done to allow access to VPN clients from the LAN of pfSense.
-
Hello,
Yes, if I enable the Windows Firewall, I get packet loss. If I disable the Windows Firewall, I get a reply.
Any ideas?
Thanks
-
Can you post your OpenVPN configuration?
There are settings in there that control client access to other clients and to other machines on the LAN of the pfSense.
-
Client Configuration:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote X.X.X.X 1194 udp
lport 0
auth-user-pass
ca openvpn-udp-1194-ca.crt
tls-auth openvpn-udp-1194-tls.key 1
ns-cert-type server
comp-lzo
Server Configuration:
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.0.250
tls-server
server 10.0.9.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
client-cert-not-required
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 80
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.10"
push "redirect-gateway def1"
duplicate-cn
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
push "route 192.168.0.0 255.255.255.0"
Thanks!
-
What OpenVPN client are you using? There seems to be some issue with the 2.3.4 I603 versions; try the ones that say "for XP and above", the I003 version. There was a previous thread; I think if you take the persist-tun setting out it works?
-
Problem solved…
The router has changed the TCP/IP packet (sequence number). Now I have created the route on the local PC in the LAN, and all is working fine :)
Thanks
-
Why should you have to create a route on the client? Does it not point to pfSense as its default gateway? If not, then yeah, sure, you would have to create a route on that client saying "hey, to get to OpenVPN clients, talk to pfSense".
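To show why the static route on the LAN PC fixed this, here is an added example that is not part of the original thread and not pfSense or OpenVPN code: a small Python model of the topology the poster described. The addresses are the ones given in the thread (LAN PC 192.168.0.62, main router 192.168.0.254, pfSense 192.168.0.250 with 10.0.9.1 on the tunnel, client 10.0.9.6). The routing tables are assumptions reconstructed from the posts: the PC's default gateway is the main router rather than pfSense, the main router has the static route 10.0.9.0/24 -> 192.168.0.250, and the client has redirect-gateway def1 plus the pushed 192.168.0.0/24 route. Firewall state, NAT and ICMP redirects are not modeled. The model traces the forward and return hop lists and reports which hosts see the traffic in only one direction.

```python
"""Model forward and return paths between a LAN PC and an OpenVPN client
behind pfSense, using the addresses posted in the thread.

Constructed topology (reconstructed from the posts, not a capture):
  192.168.0.62   LAN PC, default gateway 192.168.0.254 (the main router)
  192.168.0.254  main router, static route 10.0.9.0/24 -> 192.168.0.250
  192.168.0.250  pfSense WAN side; 10.0.9.1 on the ovpns2 tunnel
  10.0.9.6       Windows 7 OpenVPN client, redirect-gateway def1 pushed
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A route is (prefix, next_hop); next_hop None means "on-link, deliver directly".
Route = Tuple[str, Optional[str]]


@dataclass
class Host:
    name: str
    addrs: Set[str]
    routes: List[Route]


def next_hop(host: Host, dst: str) -> Optional[str]:
    """Longest-prefix match over the host's routing table."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in host.routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"{host.name}: no route to {dst}")
    return best[1]


def trace(topo: Dict[str, Host], src: str, dst: str, max_hops: int = 16) -> List[str]:
    """Return the host names a packet from `src` traverses to reach address `dst`."""
    by_addr = {addr: host for host in topo.values() for addr in host.addrs}
    cur = topo[src]
    hops = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return hops
        gw = next_hop(cur, dst)
        cur = by_addr[dst if gw is None else gw]
        hops.append(cur.name)
    raise RuntimeError("hop limit exceeded (routing loop?)")


def one_way_hops(topo: Dict[str, Host], a: str, a_addr: str, b: str, b_addr: str) -> Set[str]:
    """Hosts that see traffic in only one direction; an empty set means the path is symmetric."""
    forward = trace(topo, a, b_addr)
    back = trace(topo, b, a_addr)
    return set(forward) ^ set(back)


def build_topology(pc_has_vpn_route: bool) -> Dict[str, Host]:
    """Assumed routing tables; `pc_has_vpn_route` toggles the fix from the thread."""
    pc_routes: List[Route] = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.254")]
    if pc_has_vpn_route:
        # The fix: a static route on the LAN PC pointing 10.0.9.0/24 at pfSense.
        pc_routes.insert(0, ("10.0.9.0/24", "192.168.0.250"))
    hosts = [
        Host("lan-pc", {"192.168.0.62"}, pc_routes),
        Host("mainrouter", {"192.168.0.254"},
             [("192.168.0.0/24", None), ("10.0.9.0/24", "192.168.0.250")]),
        Host("pfsense", {"192.168.0.250", "10.0.9.1"},
             [("192.168.0.0/24", None), ("10.0.9.0/24", None), ("0.0.0.0/0", "192.168.0.254")]),
        # redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel;
        # the server config also pushes 192.168.0.0/24 via 10.0.9.1.
        Host("vpn-client", {"10.0.9.6"},
             [("10.0.9.0/24", None), ("192.168.0.0/24", "10.0.9.1"),
              ("0.0.0.0/1", "10.0.9.1"), ("128.0.0.0/1", "10.0.9.1")]),
    ]
    return {h.name: h for h in hosts}


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build_topology(pc_has_vpn_route=fixed)
        print("with static route on PC" if fixed else "without static route on PC")
        print("  PC -> client :", " -> ".join(trace(topo, "lan-pc", "10.0.9.6")))
        print("  client -> PC :", " -> ".join(trace(topo, "vpn-client", "192.168.0.62")))
        print("  one-way hops :", one_way_hops(topo, "lan-pc", "192.168.0.62",
                                               "vpn-client", "10.0.9.6") or "none")
```

Without the static route the model reports `mainrouter` as a one-way hop: the PC sends its SYN to the main router, which forwards it to pfSense and into the tunnel, while the client's replies come back through pfSense and are delivered to the PC directly, so the router never sees the return half of the TCP session. Stateless ICMP echo survives that, which is why ping worked; anything stateful on the router side, or an ICMP redirect from it, can break the TCP connection after the handshake, which matches the FileZilla "could not send reply" entry. The pfSense-to-client path is symmetric in both variants, matching the successful test from the pfSense shell. With the static route on the PC the one-way set is empty. On the Windows PC the equivalent persistent route is `route -p add 10.0.9.0 mask 255.255.255.0 192.168.0.250`; as the last reply notes, the alternative is to make pfSense the LAN's default gateway so that no per-host route is needed.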