[SOLVED] Help with very basic OpenVPN setup – can't find route to LAN (naturall
-
kejianshi, I am happy to oblige with screenshots. This stupidly simple configuration has been vexing me for a week now and I don't have many hairs left.
Here are the firewall config screens and the OpenVPN setup screen.
-
I'm not certain what I should (or shouldn't) be seeing in the firewall log. I cleared the log then attempted to connect from the client to two different LAN IP addresses. All I saw in the logs is the attached. It doesn't seem to shed any light.
The OpenVPN log shows:
Oct 22 20:31:32 openvpn: user 'vpnuser' authenticated
Oct 22 20:31:32 openvpn[37365]: 198.91.178.106:65342 [vpnuser] Peer Connection Initiated with [AF_INET]198.91.178.106:65342
Oct 22 20:31:32 openvpn[37365]: MULTI_sva: pool returned IPv4=10.0.8.6, IPv6=(Not enabled)
Oct 22 20:31:34 openvpn[37365]: vpnuser/198.91.178.106:65342 send_push_reply(): safe_cap=940
-
Switch to dynamic view and try to connect to your machines. See if there are blocks coming from your tunnel IP range.
Post your firewall rule from the openvpn tab.
** Sorry… just saw you already posted the pic of your rules **
-
What's the private IP of the computer you are using to connect to openvpn?
Is it OUTSIDE the network that pfsense is in?
-
Okay, back to this with fresh eyes.
kejianshi, the client computer I'm connecting to OpenVPN with is tethered through a mobile phone.
IP addresses:
Client computer: 192.168.43.149 (behind a NAT, of course. It appears to route out through 192.168.43.149 --> 192.168.43.1 --> 172.25.83.33)
LAN: 192.168.10.10/23
WAN: 207.128.128.226/27
OPT1: not assigned
Tunnel: 10.0.8.0/24
-
marvosa, here's a screenshot of the dynamic view while the VPN tunnel was established and ping and RDP connections attempted. Nothing was being blocked on the OpenVPN interface.
-
perhaps I'm asking another silly question.
Is the client a windows machine?
If so, when you installed, did you run the installer as admin?
After you installed, are you running the client as admin?
Why is the local network 192.168.10.0/23 instead of /24?
-
Yes, on a Windows machine (currently XP, but I have been trying Windows 7 as well). I have to admit, I don't always remember to run OpenVPN GUI as administrator, but I did so on installation and first run and have done so again just now to confirm. No difference when running as local administrator.
-
and why /23 instead of a /24?
-
Oops, sorry. Missed that part. When our LAN was set up many years ago, we anticipated the possibility of needing more than 255 IP addresses. Our IP range runs from 192.168.10.1 - 192.168.11.255. We use the 192.168.10.1-192.168.10.255 range for machines with static IPs and/or DHCP reservations and the 192.168.11.1-192.168.11.255 range for dynamic IPs: workstations, laptops, BYOD, etc.
I can ping 192.168.10.10, which is the LAN IP of the pfSense box, but I cannot ping 192.168.10.6 which is the Active Directory & DNS server.
-
The "why" doesn't really matter. It's a routed tunnel. As long as he follows the "rules" and knows his LAN network range is 192.168.10.1 - 192.168.11.254 and doesn't overlap he's fine.
Have you tried a simple reboot of PFsense? Sometimes that fixes things believe it or not.
One last thing I thought of, in the case that everything looks correct in your config, etc.: make sure the machines/devices on your LAN are using PFsense as the default gateway or you won't be able to communicate with them. I.e., verify your DHCP server is configured to hand out PFsense as the gateway, which you've stated is 192.168.10.10.
-
bbrooking, I'm guessing it was a typo, but you know that 192.168.11.255 is the broadcast and is not usable right?
-
Ah ha! You may have hit on it there, Marvosa. The machines are NOT using pfSense as their default gateway. This is me experimenting with pfSense to see if it can be a replacement for the current default gateway.
Does that mean I could set some machines on the LAN with pfSense as the default gateway for the purpose of experimentation? I'm not in a position (particularly in the middle of the day with a LAN full of users) to move all machines to a different default gateway.
I will experiment and report back. Much thanks.
(Yes, sorry. 255 would be the broadcast address. Let's call that a typo rather than a brain fart.)
-
Yes, statically set some with PFsense as the gateway and you should be able to ping them.
-
I understand that as long as the subnets are correct it should work.
I also know that unless there is a good reason to complicate the plumbing simple is better.
Since I have never had 1 single problem with openvpn when it's set up very simply, I'd advise it.
No firewalls on the machines you are trying to "ping"?
Do they accept ICMP? It's not necessarily default that they would.
-
Okay, I've confirmed from several remote computers that this does indeed solve my problem. The LAN PCs do indeed need to have the pfSense/OpenVPN box as their default gateway for this to work. I guess the reason I wasn't looking in that direction is that our current VPN solution is not the default gateway.
Thanks very much marvosa and kejianshi for your great assistance. I appreciate it very much.
Now, I'm off to start making this firewall a little less basic with some firewall rules and whatnot. I'm going to call this one solved and I'm going to write the solution in big black letters for everyone to read.
LAN computers must have the pfSense/OpenVPN box as their default gateway.
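The following is an added example, not code from the thread or from pfSense, that models the routing failure marvosa identified and the solution stated above. It uses the addresses posted in the thread (LAN 192.168.10.0/23, pfSense at 192.168.10.10, tunnel 10.0.8.0/24, client pool address 10.0.8.6, client-side LAN 192.168.43.0/24); the LAN hosts' route tables and the old default gateway address 192.168.10.1 are constructed assumptions. It resolves the next hop a LAN host would use for the VPN client's tunnel address, so you can see that with the old gateway the reply never reaches the OpenVPN box (the ping to 192.168.10.6 times out even though nothing is blocked), and it also carries out kejianshi's overlap check on the three subnets and marvosa's usable-range point for the /23.

```python
"""Model why a LAN host must route VPN-client traffic to the pfSense/OpenVPN box.

Added example for the thread above; addresses are the ones posted there, the
route tables and OLD_GATEWAY_IP are constructed assumptions for illustration.
"""
import ipaddress
from itertools import combinations

# Values taken from the thread
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.10.10")
LAN_NET = ipaddress.ip_network("192.168.10.0/23")
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")
VPN_CLIENT_IP = ipaddress.ip_address("10.0.8.6")      # pool address seen in the OpenVPN log
CLIENT_SIDE_LAN = ipaddress.ip_network("192.168.43.0/24")
# Constructed assumption: the LAN's existing (non-pfSense) default gateway
OLD_GATEWAY_IP = ipaddress.ip_address("192.168.10.1")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.

    Returns (network, gateway); a gateway of None means the destination is on-link.
    Returns None when no route matches (a host with no default route).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def reply_reaches_vpn_server(routes, client_ip=VPN_CLIENT_IP):
    """True only if the host hands packets for the tunnel address to pfSense.

    Any other next hop (the old gateway, or no route at all) means the reply to
    the VPN client is lost, which is why the ping and RDP attempts timed out
    while the pfSense firewall log showed nothing blocked.
    """
    match = next_hop(routes, client_ip)
    return match is not None and match[1] == PFSENSE_LAN_IP


def lan_host_routes(default_gw, extra=()):
    """Constructed route table for a LAN host: on-link /23 plus a default route.

    `extra` lets you add more specific routes, e.g. one for TUNNEL_NET.
    """
    routes = [(LAN_NET, None), (DEFAULT_ROUTE, ipaddress.ip_address(default_gw))]
    routes.extend(extra)
    return routes


def overlapping(nets):
    """Pairs of networks that overlap, as strings (empty list means the plan is sane)."""
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def usable_range(net):
    """First and last host address; for the /23 that is .10.1 to .11.254 (.11.255 is broadcast)."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for label, gw in (("old gateway", OLD_GATEWAY_IP), ("pfSense", PFSENSE_LAN_IP)):
        routes = lan_host_routes(gw)
        net, hop = next_hop(routes, VPN_CLIENT_IP)
        print(f"default gateway = {label:11s} -> reply to {VPN_CLIENT_IP} goes via {hop} "
              f"({'reaches OpenVPN' if reply_reaches_vpn_server(routes) else 'lost'})")
    print("overlaps:", overlapping([LAN_NET, TUNNEL_NET, CLIENT_SIDE_LAN]))
    print("usable LAN range:", usable_range(LAN_NET))
```

Running the script shows the asymmetric path: the VPN client's packet arrives at 192.168.10.6 via pfSense, but the host's reply follows its own default route to the old gateway, which has no idea where 10.0.8.0/24 lives. The model also makes the general rule visible, which goes slightly beyond the thread's wording: what matters is the host's route for the tunnel subnet, so a more specific route for 10.0.8.0/24 pointing at 192.168.10.10 would satisfy the check as well, but changing the default gateway, as done in the thread, is the simpler fix.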
-
Glad it's working.