Full Access from LAN to pfSense OpenVPN Windows 7 Client



  • Dear Team,

    From my LAN I can ping my VPN client (Windows 7 - 10.0.9.6), but I cannot access it (no ports), even though the firewall allows * FROM * on WAN, LAN and OPENVPN.
    From pfSense (via the shell) I can access all ports on 10.0.9.6.

    What must I do to get full access from my LAN to the VPN client (Windows 7 - 10.0.9.6)?

    Can anyone help me?

    Thanks



  • Maybe I have found my problem:

    If I connect from the LAN (my LAN PC = 192.168.0.62), I get this message:
    (000003)09.10.2014 16:42:50 - (not logged in) (192.168.0.62)> 220-FileZilla Server version 0.9.47 beta
    (000003)09.10.2014 16:42:50 - (not logged in) (192.168.0.62)> could not send reply, disconnected.

    If I connect from pfSense to my FTP server (which is installed on the Windows 7 client that connects to the VPN server), all is fine:
    (000004)09.10.2014 16:43:49 - (not logged in) (10.0.9.1)> 220-FileZilla Server version 0.9.47 beta
    (000004)09.10.2014 16:43:01 - (not logged in) (10.0.9.1)> USER testuser
    (000004)09.10.2014 16:43:01 - (not logged in) (10.0.9.1)> 331 Password required for anonymous

    Maybe a NAT problem?

    What I don't understand: why can I ping my external OpenVPN client? If I activate the firewall on the external OpenVPN client, I get packet loss…

    Please help...

    Any ideas?

    192.168.0.254 = main router (Internet gateway)
    192.168.0.250 = pfSense

    Port 1194 UDP forwarded from 192.168.0.254 to 192.168.0.250
    Route set for 10.0.9.0/24 -> 192.168.0.250 on 192.168.0.254

    thanks


  • LAYER 8 Global Moderator

    And are you sure your Windows 7 client firewall is not blocking this? When you come from pfSense you're on the same IP range.

    There is nothing special that has to be done to allow access to VPN clients from the LAN of pfSense.



  • Hello,

    Yes, if I enable the Windows Firewall I get packet loss. If I disable the Windows Firewall I get a reply.

    Any ideas?

    Thanks



  • Can you post your OpenVPN configuration?

    There are settings in there that control client access to other clients and to other machines on the LAN of the pfSense.



  • Client Configuration:
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote X.X.X.X 1194 udp
    lport 0
    auth-user-pass
    ca openvpn-udp-1194-ca.crt
    tls-auth openvpn-udp-1194-tls.key 1
    ns-cert-type server
    comp-lzo

    Server Configuration:
    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.0.250
    tls-server
    server 10.0.9.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    client-cert-not-required
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 80
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.0.10"
    push "redirect-gateway def1"
    duplicate-cn
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    push "route 192.168.0.0 255.255.255.0"

    Thanks!


  • LAYER 8 Global Moderator

    What OpenVPN client are you using? There seems to be some issue with the 2.3.4 i603 versions; try the ones that say "for XP and above", the i003 version. There was a previous thread; I think if you take the persist-tun setting out it works?



  • @johnpoz:

    What OpenVPN client are you using? There seems to be some issue with the 2.3.4 i603 versions; try the ones that say "for XP and above", the i003 version. There was a previous thread; I think if you take the persist-tun setting out it works?

    Problem solved…

    The router changed the TCP/IP packet (sequence number). Now I have created the route on the local PC in the LAN, and everything is working fine :)

    Thanks


  • LAYER 8 Global Moderator

    Why should you have to create a route on the client? Does it not point to pfSense as its default gateway? If not, then yeah, sure, you would have to create a route on that client saying: hey, if you want to get to OpenVPN clients, talk to pfSense.
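What the moderator's question amounts to, as an added example that is not part of the original thread or of pfSense: a small longest-prefix-match path simulator over the addresses the poster gave (LAN PC 192.168.0.62 with 192.168.0.254 as its default gateway, pfSense 192.168.0.250, the tunnel 10.0.9.0/24, the VPN client 10.0.9.6). The per-host routing tables, pfSense's tunnel-side address 10.0.9.1 and the placeholder ISP next hop 203.0.113.1 are assumptions, and the tunnel is modelled as one flat /24 (the pushed redirect-gateway is irrelevant for this pair of addresses and is left out). It shows that with the main router as the PC's only gateway the LAN-to-VPN direction hairpins through the main router's LAN interface while the return direction goes from pfSense straight to the PC, and that the static route the poster added on the PC takes the router out of the path entirely.

```python
"""Longest-prefix-match path simulator for the thread's topology.

Added example (not from the original thread or from pfSense). Routing tables,
the pfSense tunnel address 10.0.9.1 and the ISP next hop 203.0.113.1 are
assumptions reconstructed from the thread; the tunnel is one flat /24.
"""
from ipaddress import ip_address, ip_network


def build_topology(pc_static_route=False):
    """Per-node tables: (prefix, next_hop). next_hop None = directly connected."""
    nodes = {
        "lan_pc": [("192.168.0.0/24", None),
                   ("0.0.0.0/0", "192.168.0.254")],        # default gw = main router
        "mainrouter": [("192.168.0.0/24", None),
                       ("10.0.9.0/24", "192.168.0.250"),   # route the poster set on the router
                       ("0.0.0.0/0", "203.0.113.1")],      # assumed ISP next hop, never reached here
        "pfsense": [("192.168.0.0/24", None),
                    ("10.0.9.0/24", None),                 # the ovpns2 tunnel
                    ("0.0.0.0/0", "192.168.0.254")],
        "vpn_client": [("10.0.9.0/24", None),
                       ("192.168.0.0/24", "10.0.9.1")],    # push "route 192.168.0.0 255.255.255.0"
    }
    if pc_static_route:
        # Equivalent of the poster's fix on the Windows 7 LAN PC:
        #   route -p add 10.0.9.0 mask 255.255.255.0 192.168.0.250
        nodes["lan_pc"].insert(0, ("10.0.9.0/24", "192.168.0.250"))
    addr_to_node = {
        "192.168.0.62": "lan_pc",
        "192.168.0.254": "mainrouter",
        "192.168.0.250": "pfsense", "10.0.9.1": "pfsense",
        "10.0.9.6": "vpn_client",
    }
    return nodes, addr_to_node


def next_hop(table, dst):
    """Longest-prefix match over one node's table; None means deliver directly."""
    dst = ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(nodes, addr_to_node, src, dst, max_hops=8):
    """Ordered list of nodes a packet from src to dst passes through."""
    cur = addr_to_node[src]
    target = addr_to_node[dst]
    path = [cur]
    for _ in range(max_hops):
        if cur == target:
            return path
        nh = next_hop(nodes[cur], dst)
        if nh is None:
            cur = target
        elif nh in addr_to_node:
            cur = addr_to_node[nh]
        else:
            raise LookupError(f"{cur}: next hop {nh} is outside the modelled topology")
        path.append(cur)
    raise RuntimeError(f"no delivery within {max_hops} hops: {path}")


def check_symmetry(pc_static_route=False):
    """Forward and return paths for LAN PC <-> VPN client, plus whether they match."""
    nodes, a2n = build_topology(pc_static_route)
    fwd = trace(nodes, a2n, "192.168.0.62", "10.0.9.6")
    rev = trace(nodes, a2n, "10.0.9.6", "192.168.0.62")
    return fwd, rev, fwd == rev[::-1]


if __name__ == "__main__":
    for flag in (False, True):
        fwd, rev, sym = check_symmetry(flag)
        print(f"static route on LAN PC: {flag}")
        print("  LAN PC -> VPN client :", " -> ".join(fwd))
        print("  VPN client -> LAN PC :", " -> ".join(rev))
        print("  symmetric            :", sym)
```

Without the static route the forward path is lan_pc -> mainrouter -> pfsense -> vpn_client and the return path is vpn_client -> pfsense -> lan_pc, so the consumer router handles exactly one direction of every TCP connection; with the route added on the PC both directions are lan_pc <-> pfsense <-> vpn_client and whatever the router does to forwarded TCP, such as the sequence-number change the poster observed, no longer applies. Making pfSense the PC's default gateway, as the moderator suggests, gives the same symmetric path without a per-host route.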

