[SOLVED] Help with very basic OpenVPN setup – can't find route to LAN (naturall



  • Hello All:

    I feel kind of dumb because I can't find the solution to what seems like a simple setup.  I've been through the forums and while there are lots of people remarking on OpenVPN setups that can't route to LAN, every one seems to have a different solution (that doesn't seem to apply to me).

    I'm a prodigal pfSense user.  It was my router years ago, got replaced by an appliance, and now I'm looking to bring it back.  I have a clean very basic install of pfSense.  LAN, WAN and that's all. No VLAN.  No firewall rules outside of default.  There is an Opt1 interface that is not yet assigned.  It will be DMZ once the VPN is set up.
    pfSense is NOT the DHCP server, this is handled by an Active Directory computer on the LAN.  No VMs, everything is physical.

    I'm looking for a road warrior type setup.  No need to connect from the LAN to the remote clients and the remote clients do not need to connect to each other.  Remote clients are Windows PCs.

    psSense 2.1.5

    LAN: 192.168.10.10/23
    WAN: 207.128.128.226/27
    OPT1: not assigned
    Tunnel: 10.0.8.0/24

    OpenVPN set up according to wizard.  Remote Access (SSL/TLS + User Auth)

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 207.128.128.226
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 20
    push "route 192.168.10.0 255.255.254.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    
    

    The firewall rule to allow UDP connections via WAN on port 1194 is in place.  The OpenVPN firewall rule to allow all traffic is in place.

    Client (remote user) can connect successfully.  Client can ping WAN IP addresses (though no DNS, which is fine for now).  Client can ping the pfSense LAN interface (192.168.10.10).  Client can not ping and other LAN addresses nor connect via TCP (e.g. RDP, SSH).

    **There has to be something simple I'm missing here.  Can anyone point me in the right direction? Once I can make use of the OpenVPN connection to access the LAN, I can start setting up my firewall rules and configuring pfSense properly.

    Thanks.**

    Client route table:

    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.43.1  192.168.43.149       25
             10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6       1
             10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
             10.0.8.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       30
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          169.254.0.0      255.255.0.0  169.254.140.101  169.254.140.101      20
      169.254.140.101  255.255.255.255        127.0.0.1       127.0.0.1       40
      169.254.255.255  255.255.255.255  169.254.140.101  169.254.140.101      40
         192.168.10.0    255.255.254.0         10.0.8.5        10.0.8.6       1
         192.168.43.0    255.255.255.0   192.168.43.149  192.168.43.149       25
       192.168.43.149  255.255.255.255        127.0.0.1       127.0.0.1       25
       192.168.43.255  255.255.255.255   192.168.43.149  192.168.43.149       25
            224.0.0.0        240.0.0.0         10.0.8.6        10.0.8.6       30
            224.0.0.0        240.0.0.0  169.254.140.101  169.254.140.101      40
            224.0.0.0        240.0.0.0   192.168.43.149  192.168.43.149       25
      255.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       1
      255.255.255.255  255.255.255.255  169.254.140.101  169.254.140.101      1
      255.255.255.255  255.255.255.255   192.168.43.149  192.168.43.149       1
      255.255.255.255  255.255.255.255   192.168.43.149               4       1
    Default Gateway:      192.168.43.1
    ===========================================================================
    Persistent Routes:
      None
    

    pfSense routes:

    IPv4
    Destination 		Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
    default 		207.128.128.225 UGS 	0 	34567 	1500 	re0 	 
    10.0.8.0/24 		10.0.8.2 	UGS 	0 	5 	1500 	ovpns1 	 
    10.0.8.1 		link#9 		UHS 	0 	0 	16384 	lo0 	 
    10.0.8.2 		link#9 		UH 	0 	0 	1500 	ovpns1 	 
    127.0.0.1 		link#7 		UH 	0 	182 	16384 	lo0 	 
    192.168.10.0/23 	link#2 		U 	0 	31879 	1500 	re1 	 
    192.168.10.10 		link#2 		UHS 	0 	0 	16384 	lo0 	 
    207.128.128.224/27 	link#1 		U 	0 	0 	1500 	re0 	 
    207.128.128.226 	link#1 		UHS 	0 	0 	16384 	lo0 	 
    
    


  • From what I can tell, your config looks ok, but here's what I see:

    According to your client's routing table, you are either on the network you're trying to connect to or the client's network is on the same LAN as yours.  Neither of those situations are going to work.  Where are you testing from?  You have to test from outside of your network… e.g. friend's house, coffe shop, work, etc.  If you're actually testing from a client site and their LAN subnet is the same as yours, one of you will need to change subnets.


  • Netgate

    Yes.  It looks like it's being tested from the host on 192.168.11.167 from behind the LAN interface.  You need to find a way to test from the outside.  You could also configure OPT1 like  a WAN interface and tell OpenVPN to listen there and test from a computer on OPT1.



  • Sorry for the delay.  Lots happening around here today.

    I don't know how I messed that part up.  I was conducting testing by tethering the client PC through a mobile phone.  I have fixed the client route table above.  The client IP address is 192.168.43.149 (behind a NAT of course) and its tunnel address is 10.0.8.6.

    While the client does appear to have a route to the LAN (192.168.10.0/23) I'm not able to access or ping any LAN IP Addresses.  What piece am I missing?

    Corrected route table.

    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.43.1  192.168.43.149       25
             10.0.8.1  255.255.255.255         10.0.8.5        10.0.8.6       1
             10.0.8.4  255.255.255.252         10.0.8.6        10.0.8.6       30
             10.0.8.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       30
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          169.254.0.0      255.255.0.0  169.254.140.101  169.254.140.101      20
      169.254.140.101  255.255.255.255        127.0.0.1       127.0.0.1       40
      169.254.255.255  255.255.255.255  169.254.140.101  169.254.140.101      40
         192.168.10.0    255.255.254.0         10.0.8.5        10.0.8.6       1
         192.168.43.0    255.255.255.0   192.168.43.149  192.168.43.149       25
       192.168.43.149  255.255.255.255        127.0.0.1       127.0.0.1       25
       192.168.43.255  255.255.255.255   192.168.43.149  192.168.43.149       25
            224.0.0.0        240.0.0.0         10.0.8.6        10.0.8.6       30
            224.0.0.0        240.0.0.0  169.254.140.101  169.254.140.101      40
            224.0.0.0        240.0.0.0   192.168.43.149  192.168.43.149       25
      255.255.255.255  255.255.255.255         10.0.8.6        10.0.8.6       1
      255.255.255.255  255.255.255.255  169.254.140.101  169.254.140.101      1
      255.255.255.255  255.255.255.255   192.168.43.149  192.168.43.149       1
      255.255.255.255  255.255.255.255   192.168.43.149               4       1
    Default Gateway:      192.168.43.1
    ===========================================================================
    Persistent Routes:
      None
    


  • I should note that I cannot make a connection to LAN whether "Force all client generated traffic through the tunnel" is checked or not.  And all local firewalls are disabled.



  • Am I the only one who would rather see the openvpn config page than all this text?



  • Ok, so software firewalls are turned off?  Client appears to get getting the right route, but just in case… verify the client is run as administrator.

    Check your firewall logs for blocks.  Try to make connections to your local machines and watch your logs live.  Assuming the routing is correct, you're looking at firewall rules.

    make sure there's an any/any rule on your openvpn tab.



  • kejianshi, nah… I'd rather see the raw config... but that's just me.

    It's easier to compare to my own working config and identify mistakes



  • This stuff is SIMPLE - I think a screen shot of the config would help me to see if something is weird anyway…

    BTW - There is a pass rule on the openvpn firewall tab?

    If so, it would help to see that rule also.



  • kejianshi, I am happy to oblige with screenshots.  This stupidly simple configuration has been vexing me for a week now and I don't have many hairs left.

    Here are the firewall config screens and the OpenVPN setup screen.








  • I'm not certain what I should (or shouldn't) be seeing in the firewall log.  I cleared the log then attempted to connect from the client to two different LAN IP addresses.  All I saw in the logs is the attached.  It doesn't seem to shed any light.

    The OpenVPN log shows:
    Oct 22 20:31:32 openvpn: user 'vpnuser' authenticated
    Oct 22 20:31:32 openvpn[37365]: 198.91.178.106:65342 [vpnuser] Peer Connection Initiated with [AF_INET]198.91.178.106:65342
    Oct 22 20:31:32 openvpn[37365]: MULTI_sva: pool returned IPv4=10.0.8.6, IPv6=(Not enabled)
    Oct 22 20:31:34 openvpn[37365]: vpnuser/198.91.178.106:65342 send_push_reply(): safe_cap=940




  • Switch to dynamic view and try to connect to your machines.  See if there are blocks coming from your tunnel IP range.

    Post your firewall rule from the openvpn tab.

    ** Sorry… just saw you already posted the pic of your rules **



  • Whats the private IP of the computer you are using to connect to openvpn?

    Is it OUTSIDE the network that pfsense is in?



  • Okay, back to this with fresh eyes.

    kejianshi, the client computer I'm connecting to OpenVPN with is tethered through a mobile phone.

    IP addresses:
    Client computer: 192.168.43.149  (behind a NAT, of course.  It appears to route out through 192.168.43.149–>192.168.43.1-->172.25.83.33)
    LAN: 192.168.10.10/23
    WAN: 207.128.128.226/27
    OPT1: not assigned
    Tunnel: 10.0.8.0/24

    marvosa, here's a screenshot of the dynamic view while the VPN tunnel was established and ping and RDP connections attempted.  Nothing was being blocked on the OpenVPN interface.




  • perhaps I'm asking another silly question.

    Is the client a windows machine?

    If so, when you installed, did you run the installer as admin?

    After you installed, are you running the client as admin?

    Why is the local network 192.168.10.0/23 instead of /24?



  • Yes, on a Windows machine (currently XP, but I have been trying Windows 7 as well).  I have to admit, I don't always remember to run to run OpenVPN GUI as administrator but I did so on installation and first run and have done so again just now to confirm.  No difference when running as local administrator.



  • and why /23 instead of a /24?



  • Ooops, sorry.  Missed that part.  When our LAN was set up many years ago, we anticipated the possibility for needing more than 255 IP addresses.  Our IP range runs from 192.168.10.1 - 192.168.11.255.  We use the 192.168.10.1-192.168.10.255 range for machines with static IPs and/or DHCP reservations and the 192.168.11.1-192.168.11.255 range for dynamic IPs.  Workstations, laptops, BYOD, etc.

    I can ping 192.168.10.10, which is the LAN IP of the pfSense box, but I cannot ping 192.168.10.6 which is the Active Directory & DNS server.



  • The "why" doesn't really matter.  It's a routed tunnel.  As long as he follows the "rules" and knows his LAN network range is 192.168.10.1 - 192.168.11.254 and doesn't overlap he's fine.

    Have you tried a simple reboot of PFsense?  Sometimes that fixes things believe it or not.

    One last thing I thought of, in the case that everything looks correct in your config, etc, make sure the machines/devices on your LAN are using PFsense as the default gateway or you won't be able to communicate with them.  i.e…. verify your dhcp server is configured to hand out PFsense as the gateway... of which you've stated is 192.168.10.10.



  • bbrooking, I'm guessing it was a typo, but you know that 192.168.11.255 is the broadcast and is not usable right?



  • Ah ha!  You may have hit on it there, Marvosa.  The machines are NOT using pfSense as their default gateway.  This is me experimenting with pfSense to see if it can be a replacement for the current default gateway.

    Does that mean I could set some machines on the LAN with pfSense as the default gateway for the purpose of experimentation.  I'm not in a position (particularly in the middle of the day with a LAN full of users) to move all machines to a different default gateway.

    I will experiment and report back.  Much thanks.

    (Yes, sorry.  255 would be the broadcast address.  Let's call that a typo rather than a brain fart.)



  • Yes, statically set some with PFsense as the gateway and you should be able to ping them.



  • I understand that as long as the subnets are correct it should work.

    I also know that unless there is a good reason to complicate the plumbing simple is better.

    Since I have never had 1 single problem with openvpn when its set up very simply, I'd advise it.

    No firewalls on the machines you are trying to "ping"?

    Do they accept ICMP?  Its not necessarily default that they would.



  • Okay, I've confirmed from several remote computer that this does indeed solve my problem.  The LAN PCs do indeed need to have the pfSense/OpenVPN box as their default gateway for this to work.  I guess the reason I wasn't looking in that direction is that our current VPN solution is not the default gateway.

    Thanks very much marvosa and kejianshi for your great assistance.  I appreciate it very much.

    Now, I'm off to start making this firewall a little less basic with some firewall rules and whatnot.  I'm going to call this one solved and I'm going to write the solution in big black letters for every one to read.

    LAN computers must have the pfSense/OpenVPN box as their default gateway.



  • Glad its working.