HOW TO Communicate openvpn client to LAN host (LAN IP's without gateway)
-
Hi Everyone,
I need your help to solve this problem. OpenVPN clients can't access LAN IPs without gateway.
WAN : 192.168.100.10/28 gateway:192.168.100.1
LAN : 172.16.10.1 255.255.254.0
OpenVPN Tun : 10.10.8.0/24I have external machine on my network using (WAN IP 192.168.100.14/28 gateway:192.168.100.1) and (LAN ip 172.16.10.20 255.255.254.0 no gateway)
I can able to access all LAN IP's with gateway (172.16.10.1) thru OpenVPN , but for those machine without gateway I can't reach them.
I need only to access all local IP using openvpn without using Virtual IP's that's why I manually set an public IP on my external machine
Do I need to add some routes on my OpenVPN Server?
I will really appreciate your help. Thank you
-
I guess this is a test network, because the WAN subnet is private address space. And I am not totally sure where the external client is that makes the OpenVPN connection to the pfSense OpenVPN server at 192.168.100.10 - so if you need more help please post a network diagram.
Anyway, for any device on LAN to talk back to clients that are off the LAN (like back to your OpenVPN client) they must have a gateway set, or at least a static route to the OpenVPN tunnel, that points to the pfSense LAN IP 172.16.10.1
If it is some cheap AP, print server or whatever that has no place to set a gateway, then you would need to do manual outbound NAT on pfSense LAN for traffic the OpenVPN tunnel - that way the OpenVPN client will appear as if it has the pfSense LAN IP when it talks to LAN devices.
-
I already set that. I used public IP 192.xx.xx IP's as an example, but the lan net (172.16.10.0/23) and tunnel net(10.10.8.0/24) are actually my real networks
-
First, let me assume that the gateway on WS 172.16.10.10 is supposed to be 172.16.10.1, not 172.16.10.10
The reason your OpenVPN client can access 172.16.10.10 is because WS default gateway is the pfSense that has a route to the OpenVPN remote access network 10.10.8.0/24.
Server 192.168.100.14 has a default gateway of 192.168.100.1 which has no idea how to route to 10.10.8.0/24.
You either need to add a route for 10.10.8.0/24 to External Server, or WAN modem.
Personally, I would put External Server behind pfSense in almost all cases.
-
First, let me assume that the gateway on WS 172.16.10.10 is supposed to be 172.16.10.1, not 172.16.10.10
The reason your OpenVPN client can access 172.16.10.10 is because WS default gateway is the pfSense that has a route to the OpenVPN remote access network 10.10.8.0/24.
Server 192.168.100.14 has a default gateway of 192.168.100.1 which has no idea how to route to 10.10.8.0/24.
You either need to add a route for 10.10.8.0/24 to External Server, or WAN modem.
Personally, I would put External Server behind pfSense in almost all cases.
Apologize for that, image updated (172.16.10.1). Putting External Server behind pfSense is my plan B.
Btw Ive successfully accessed my External Server (WAN IP 192.168.100.14/28 gateway:192.168.100.1) and (LAN ip 172.16.10.20 255.255.254.0 no gateway) using PPTP VPN even without gateway on my setup (image attached).Or can OpenVPN set up using TAP via bridged can help me ?
Thanks a lot!!
-
Yeah. That PPTP tunnel probably gets you to pfSense with a route to 10.10.8.0/24. This really looks like a simple routing problem. Your outside server has no idea how to get to 10.10.8.0/24 so it sends the traffic to the default gateway, which also has no idea how to get to 10.10.8.0/24.
-
PPTP is faster and easy but less secure and for some reason it is not working on some broadband device users here, maybe because it uses some shared IP.
L2TP is good but giving me a hard time to it set properly, IPSec works well too particular on site-to-site using tunnel, but using client mode like openvpn I heard that its not working on some device/OS.
I think my plan is not possible to work for now after your interesting feedback regarding on my concern.
Putting my external server behind pfsense and use Virtual IP to solve this while finding some way to work it.
Thanks again Derelict
