(Solved) OpenVPN connects but cannot ping the internal network



  • Hello, OpenVPN connects but cannot ping the internal network.

    My internal network is 192.168.0.0/24.
    The tunnel network for OpenVPN: 172.16.0.0/24.

    I have already redone the OpenVPN setup but do not know where I am going wrong.




    Thanks.



  • The first thing I would do is disable the software firewall on the machine you're trying to connect to, so we can rule that out.

    Second, make sure you're running the openvpn client as admin.

    Third, post your server1.conf, so we can look at your config.



  • Thank you for your help marvosa,

    1. The firewall is disabled and it still does not connect.
    2. My user is an administrator.
    3. Server2.conf follows. Server1.conf is a server-to-server VPN.

    My Server2.Conf (/var/etc/openvpn/server2.conf)

    
    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 123.123.123.123
    tls-server
    server 172.16.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    lport 1234
    management /var/etc/openvpn/server2.sock unix
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    push "dhcp-option DNS 192.168.0.231"
    push "dhcp-option WINS 192.168.0.231"
    route 192.168.0.0 255.255.255.0


    Thanks.



    • Remove "route 192.168.0.0 255.255.255.0" from your advanced config. That is actually telling pfSense to route your LAN through the tunnel.

    • Uncheck "Force all client generated traffic through the tunnel.", enter "192.168.0.0/24" in the "IPv4 Local Network/s" field, re-check "Force all client generated traffic through the tunnel.", save.

    • I'd remove the other two push directives from your advanced config and add that IP to "DNS Servers" and "WINS Servers" in the GUI and let pfSense auto-generate those lines.

    • "My user is administrator" can be interpreted a couple of ways, so I'll just say it… you have to explicitly run the client as administrator, i.e. right-click, "Run as administrator", or the client will not have permission to add routes.

    At this point, assuming you didn't manually add anything on the client side, you should be good to go.

    After you've got it working, you should consider moving your LAN scope off the 192.168.0.0/24 network; it's too common and will cause you problems sooner or later.



  • marvosa, hello. I did everything you said and it did not work. Until 10 days ago it was running normally and nothing had been updated.

    What I noticed is that when the client connects to OpenVPN, the connection drops: web sites and Skype go down, and it does not even ping the 192.168.0.0/24 network.

    Thanks for the help; if you can help me further I would be grateful.



  • Reboot pfSense, then repost your server2.conf.

    Sometimes after certain changes pfSense needs a reboot to get things working, for some reason.



  • Thanks again marvosa. It still does not connect; I rebooted pfSense as requested.

    
    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 123.123.123.123
    tls-server
    server 172.16.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    lport 1234
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.0.231"
    push "dhcp-option NTP 192.168.0.231"
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    
    

    Thanks.



  • Ok, I would do 2 things:

    • Re-verify that your DNS server is indeed at 192.168.0.231, has network connectivity, and that the software firewall is off.

    • Verify that the machines on your LAN (including the DNS server) are using pfSense as the default gateway.



  • marvosa, thanks for the help.

    It works now. I just changed the IP to 172.16.1.0 and it started to ping the very second I did.

    It seems that pfSense does not accept a second virtual IP in the same range.

    Thanks for your help.
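    As an added illustration, not code from the thread, pfSense or OpenVPN, here is a small Python linter for the two misconfigurations this thread turns on: marvosa's point that a server-side `route` for the LAN tells the gateway to send its own LAN into the tunnel (clients need `push "route ..."` instead, or `redirect-gateway`), and the final finding that two server instances cannot share the same tunnel network. The sample configs are constructed from the thread; server1's tunnel network is an assumption, since the thread only shows server2. The BF-CBC check is an editor's caveat not raised in the thread.

```python
"""Hypothetical OpenVPN server config linter written for this page.

Not pfSense or OpenVPN code. Sample configs are constructed from the
thread; SERVER1's tunnel network is an assumption.
"""
import ipaddress
import shlex


def parse_config(text):
    """Parse OpenVPN config text into a list of (directive, args).

    '#' and ';' comment lines are dropped; shlex keeps a quoted push payload
    such as push "route 192.168.0.0 255.255.255.0" as one argument.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def tunnel_network(directives):
    """The 'server <net> <mask>' tunnel network, or None if absent."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return _net(args[0], args[1])
    return None


def _pushed(directives, keyword):
    """Word lists following push "<keyword> ..." directives."""
    out = []
    for name, args in directives:
        if name == "push" and args:
            words = args[0].split()
            if words and words[0] == keyword:
                out.append(words[1:])
    return out


def lint_server(text, lan_cidr):
    """Return findings for one server config guarding the LAN lan_cidr."""
    lan = ipaddress.IPv4Network(lan_cidr)
    d = parse_config(text)
    findings = []
    tun = tunnel_network(d)
    if tun is None:
        findings.append("no 'server' directive, so no tunnel network")
    elif tun.overlaps(lan):
        findings.append(f"tunnel {tun} overlaps LAN {lan}")
    # A server-side 'route <LAN>' makes the gateway send its own LAN into the tunnel.
    for name, args in d:
        if name == "route" and len(args) >= 2 and _net(args[0], args[1]).overlaps(lan):
            findings.append(f"server-side 'route {args[0]} {args[1]}' points the LAN into "
                            "the tunnel; clients need push \"route ...\" instead")
    # Clients only reach the LAN if it is pushed as a route or all traffic is redirected.
    client_routes = [_net(w[0], w[1]) for w in _pushed(d, "route") if len(w) >= 2]
    if not _pushed(d, "redirect-gateway") and not any(lan.subnet_of(r) for r in client_routes):
        findings.append(f"clients receive no route to {lan}: add push \"route ...\" or redirect-gateway")
    # Editor's caveat, not from the thread: BF-CBC is a deprecated 64-bit block cipher.
    for name, args in d:
        if name == "cipher" and args and args[0].upper() == "BF-CBC":
            findings.append("cipher BF-CBC is deprecated (64-bit blocks); prefer AES-256-GCM")
    return findings


def lint_overlap(configs):
    """Flag server instances whose tunnel networks overlap; configs is {name: text}."""
    nets = {n: tunnel_network(parse_config(t)) for n, t in configs.items()}
    names = sorted(n for n in nets if nets[n] is not None)
    return [f"{a} ({nets[a]}) and {b} ({nets[b]}) share tunnel address space"
            for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


# Constructed: the assumed site-to-site instance (server1.conf is not shown in the thread).
SERVER1 = "dev ovpns1\nproto udp\nserver 172.16.0.0 255.255.255.0\n"

# The first server2.conf posted in the thread, reduced to the relevant lines.
SERVER2_BEFORE = """
cipher BF-CBC
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.231"
route 192.168.0.0 255.255.255.0
"""

# The state the thread ends in (tunnel moved to 172.16.1.0/24, LAN pushed to clients),
# with the cipher changed to AES-256-GCM as an editor's hardening step.
SERVER2_AFTER = """
cipher AES-256-GCM
server 172.16.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.231"
"""

if __name__ == "__main__":
    both = {"server1": SERVER1, "server2": SERVER2_BEFORE}
    for f in lint_server(SERVER2_BEFORE, "192.168.0.0/24") + lint_overlap(both):
        print("BEFORE:", f)
    both["server2"] = SERVER2_AFTER
    print("AFTER:", lint_server(SERVER2_AFTER, "192.168.0.0/24") + lint_overlap(both))
```

    Run against the thread's first config, the linter reports the stray server-side `route` and the BF-CBC cipher, and the overlap check reports that server1 and server2 both claim 172.16.0.0/24; against the end state it reports nothing. On pfSense the `server`, `push "route"` and `redirect-gateway` lines are generated from the GUI fields marvosa names, so the linter is a way to read what the GUI produced, not a substitute for it.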



  • killing two birds with one stone?

    Smart…