A Little Help on Reaching LAN on openVPN



  • Hi, new here to the forums and have been working on pfSense for the past week. I have the pfSense installed on my ESXi 5.1 host and normal routing duties are working great. However I am trying to get VPN working with openVPN, and so far I got it to where I can connect to the VPN from outside the network, and I can ping the pfSense configurator from the tunnel.

    Only thing now is, I can't seem to reach any of the PCs or servers on the home LAN. I've set the local LAN subnet when I went through the configuration, so I am wondering if there's something I am missing or something within the firewall I need to add/adjust?

    I almost got this... once I can figure out how to reach my LAN, I'll be golden. I can connect to the VPN with my Android tablet and laptop, so that's good.

    What else do I need to check? I still get a little confused on the rule to pass traffic from the LAN to the VPN, and whether that rule has to be set on each interface.


  • LAYER 8 Netgate

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Firewall rules are processed when a session is started coming INTO an interface.  This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface.  If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface.

    You do not need to worry about traffic getting back to the computer that initiated the connection.  pfSense is a stateful firewall.  It all happens as if by magic.

    For connections from LAN to VPN the rules go on LAN.  For connections from VPN to LAN the rules generally go on the OpenVPN tab.
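The evaluation model described in the reply above (rules matched on the interface a session enters, then reply traffic allowed by state), as an added illustration that is not part of the thread or pfSense's own code. The subnets, hosts and the order of rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example networks (assumptions, not from the thread):
# the home LAN behind pfSense and the OpenVPN tunnel network.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OpenVPN": ipaddress.ip_network("10.8.0.0/24"),
}

@dataclass
class Rule:
    iface: str      # tab the rule lives on: "LAN", "OpenVPN" or "WAN"
    action: str     # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)  # (src, dst) of passed sessions

    def ingress(self, src):
        """Interface a packet arrives on, judged by its source address."""
        for name, net in INTERFACES.items():
            if src in net:
                return name
        return "WAN"

    def packet(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Stateful: anything belonging to an established session is passed
        # without consulting the rules, in either direction.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass (state)"
        # New session: only rules on the ingress interface are consulted,
        # first match wins, and no match means the default deny.
        iface = self.ingress(src)
        for r in self.rules:
            if r.iface == iface and src in r.src and dst in r.dst:
                if r.action == "pass":
                    self.states.add((src, dst))
                return f"{r.action} (rule on {iface})"
        return f"block (no rule on {iface})"

# A LAN-only "allow all" rule, which is the usual default, does not
# let a VPN client start a session towards a LAN host.
fw = Firewall([Rule("LAN", "pass", ANY, ANY)])
first = fw.packet("10.8.0.6", "192.168.1.10")       # block (no rule on OpenVPN)
fw.rules.append(Rule("OpenVPN", "pass", INTERFACES["OpenVPN"], INTERFACES["LAN"]))
second = fw.packet("10.8.0.6", "192.168.1.10")      # pass (rule on OpenVPN)
reply = fw.packet("192.168.1.10", "10.8.0.6")       # pass (state)
```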



  • Do your LAN clients have their gateway set to pfSense?

    Does your OpenVPN client device have a route for the LAN subnet via the tunnel? (The default OpenVPN client for Windows needs to be run "as administrator" to be able to SET the routes.)

    Did you try turning off the Windows firewall (for testing)? It is known to block pings from outside its own subnet.

