Netgate Discussion Forum

    HOW TO Communicate openvpn client to LAN host (LAN IP's without gateway)

      jinm0388

      Hi Everyone,

      I need your help to solve this problem. OpenVPN clients can't access LAN IPs without gateway.

      WAN         : 192.168.100.10/28 gateway:192.168.100.1
      LAN         : 172.16.10.1 255.255.254.0
      OpenVPN Tun : 10.10.8.0/24

      I have an external machine on my network using (WAN IP 192.168.100.14/28 gateway:192.168.100.1) and (LAN IP 172.16.10.20 255.255.254.0 no gateway).

      I am able to access all LAN IPs with a gateway (172.16.10.1) through OpenVPN, but I can't reach those machines without a gateway.

      I only need to access all local IPs using OpenVPN without using Virtual IPs; that's why I manually set a public IP on my external machine.

      Do I need to add some routes on my OpenVPN Server?

      I will really appreciate your help. Thank you

        phil.davis

        I guess this is a test network, because the WAN subnet is private address space. And I am not totally sure where the external client is that makes the OpenVPN connection to the pfSense OpenVPN server at 192.168.100.10 - so if you need more help please post a network diagram.

        Anyway, for any device on LAN to talk back to clients that are off the LAN (like back to your OpenVPN client) they must have a gateway set, or at least a static route to the OpenVPN tunnel, that points to the pfSense LAN IP 172.16.10.1

        If it is some cheap AP, print server or whatever that has no place to set a gateway, then you would need to do manual outbound NAT on pfSense LAN for traffic from the OpenVPN tunnel - that way the OpenVPN client will appear as if it has the pfSense LAN IP when it talks to LAN devices.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          jinm0388

          I already set that. I used public IP 192.xx.xx IPs as an example, but the LAN net (172.16.10.0/23) and tunnel net (10.10.8.0/24) are actually my real networks.

          ![Net Diag.png](/public/imported_attachments/1/Net Diag.png)
          ![VPN Server settings.png](/public/imported_attachments/1/VPN Server settings.png)

            Derelict LAYER 8 Netgate

            First, let me assume that the gateway on WS 172.16.10.10 is supposed to be 172.16.10.1, not 172.16.10.10

            The reason your OpenVPN client can access 172.16.10.10 is because WS default gateway is the pfSense that has a route to the OpenVPN remote access network 10.10.8.0/24.

            Server 192.168.100.14 has a default gateway of 192.168.100.1 which has no idea how to route to 10.10.8.0/24.

            You either need to add a route for 10.10.8.0/24 to External Server, or WAN modem.

            Personally, I would put External Server behind pfSense in almost all cases.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              jinm0388

              @Derelict:

              > First, let me assume that the gateway on WS 172.16.10.10 is supposed to be 172.16.10.1, not 172.16.10.10
              >
              > The reason your OpenVPN client can access 172.16.10.10 is because WS default gateway is the pfSense that has a route to the OpenVPN remote access network 10.10.8.0/24.
              >
              > Server 192.168.100.14 has a default gateway of 192.168.100.1 which has no idea how to route to 10.10.8.0/24.
              >
              > You either need to add a route for 10.10.8.0/24 to External Server, or WAN modem.
              >
              > Personally, I would put External Server behind pfSense in almost all cases.

              Apologies for that, image updated (172.16.10.1). Putting External Server behind pfSense is my plan B.
              Btw, I've successfully accessed my External Server (WAN IP 192.168.100.14/28 gateway:192.168.100.1) and (LAN IP 172.16.10.20 255.255.254.0 no gateway) using PPTP VPN even without a gateway on my setup (image attached).

              Or can OpenVPN set up using TAP via bridging help me?

              Thanks a lot!!

              ![PPTP set up.png](/public/imported_attachments/1/PPTP set up.png)

                Derelict LAYER 8 Netgate

                Yeah.  That PPTP tunnel probably gets you to pfSense with a route to 10.10.8.0/24.  This really looks like a simple routing problem.  Your outside server has no idea how to get to 10.10.8.0/24 so it sends the traffic to the default gateway, which also has no idea how to get to 10.10.8.0/24.

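The return-path lookups discussed in the replies above, as an added example that is not part of any poster's message: each host's routing table is modelled from the addresses given in the thread, and a longest-prefix match shows where a reply to an OpenVPN client is sent. The client address 10.10.8.2, the table names and the "LAN-only device" table are assumptions made for illustration.

```python
import ipaddress

PFSENSE_LAN = "172.16.10.1"   # pfSense LAN IP, from the thread
TUNNEL_NET = "10.10.8.0/24"   # OpenVPN tunnel network, from the thread
VPN_CLIENT = "10.10.8.2"      # constructed client address inside the tunnel network

# Routing tables as (prefix, next_hop); next_hop None means directly connected.
WORKSTATION = [("172.16.10.0/23", None), ("0.0.0.0/0", PFSENSE_LAN)]
EXTERNAL_SERVER = [("192.168.100.0/28", None), ("172.16.10.0/23", None),
                   ("0.0.0.0/0", "192.168.100.1")]
EXTERNAL_SERVER_FIXED = EXTERNAL_SERVER + [(TUNNEL_NET, PFSENSE_LAN)]
LAN_ONLY_DEVICE = [("172.16.10.0/23", None)]  # hypothetical device with no gateway

def lookup(routes, dst):
    """Return the next hop chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return "unreachable"
    _, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop if hop is not None else "on-link"

def reply_returns_via_pfsense(routes, src_seen_by_host=VPN_CLIENT):
    """True if the host's reply goes to pfSense, which knows the tunnel route.

    src_seen_by_host is the source address the host sees: the client's tunnel
    address normally, or the pfSense LAN IP when outbound NAT is applied.
    """
    hop = lookup(routes, src_seen_by_host)
    if src_seen_by_host == PFSENSE_LAN:
        return hop == "on-link"          # reply is delivered straight to pfSense
    return hop == PFSENSE_LAN

if __name__ == "__main__":
    cases = {
        "workstation (gateway = pfSense)": (WORKSTATION, VPN_CLIENT),
        "external server (default gw = modem)": (EXTERNAL_SERVER, VPN_CLIENT),
        "external server + static route": (EXTERNAL_SERVER_FIXED, VPN_CLIENT),
        "LAN-only device, no NAT": (LAN_ONLY_DEVICE, VPN_CLIENT),
        "LAN-only device, outbound NAT": (LAN_ONLY_DEVICE, PFSENSE_LAN),
    }
    for name, (table, src) in cases.items():
        print(f"{name}: next hop {lookup(table, src)}, "
              f"returns via pfSense: {reply_returns_via_pfsense(table, src)}")
```

With outbound NAT, LAN devices see and log the pfSense LAN IP instead of the client's tunnel address, so per-client attribution has to come from the pfSense and OpenVPN logs.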
                  jinm0388

                  PPTP is faster and easy but less secure, and for some reason it is not working for some broadband device users here, maybe because it uses some shared IP.

                  L2TP is good but is giving me a hard time to set it up properly. IPSec works well too, particularly for site-to-site using a tunnel, but in client mode like OpenVPN I heard that it's not working on some devices/OSes.

                  I think my plan is not possible for now, after your interesting feedback regarding my concern.

                  I will put my external server behind pfSense and use a Virtual IP to solve this while finding some way to make it work.

                  Thanks again Derelict

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.