OpenVPN pfs2.2 routing problem
-
Hello,
I've configured OpenVPN following this tutorial: https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/ with some modifications. The client can connect to the VPN with no problems but can access/connect to the pfSense host only. I can't reach other servers in the LAN network, nor the defined DNS servers. On the client machine I've checked the routes after connecting to the VPN; they're OK.
Some config details: LAN network: 10.6.148.0/22, tunnel network: 192.168.200.0/24. OpenVPN is configured on the wan_orange interface. Some configs are in the screenshots.
Maybe I must add some NAT Outbound or firewall rules?
Please help. Thanks for any advice.

EDIT:
Server config:

```
dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local XX.XX.XX.XX
tls-server
server 192.168.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'srpopenvpn' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 10.6.148.0 255.255.252.0"
push "dhcp-option DOMAIN XXX.net"
push "dhcp-option DNS 10.6.148.21"
push "dhcp-option DNS 10.6.148.22"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
```

Client config:

```
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote XX.XX.XX.XX 1194 udp
lport 0
verify-x509-name "srpopenvpn" name
auth-user-pass
pkcs12 srppfs01-udp-1194-test.p12
tls-auth srppfs01-udp-1194-test-tls.key 1
ns-cert-type server
comp-lzo adaptive
```

![Firewall LAN.PNG](/public/imported_attachments/1/Firewall LAN.PNG)
![Firewall OpenVPN.PNG](/public/imported_attachments/1/Firewall OpenVPN.PNG)
![Firewall WAN_O.PNG](/public/imported_attachments/1/Firewall WAN_O.PNG)
![Outbound NAT.PNG](/public/imported_attachments/1/Outbound NAT.PNG)
-
That all looks good for connecting, firewall passing and routing from clients in to the LAN devices.
Check the LAN devices (server…) for any firewall there - e.g. many Windows systems will allow access on the local subnet but the firewall stops traffic from other subnets (like the OpenVPN tunnel network).

Also, if you ever want/need to connect out from a LAN device to a client then you will need an ordinary pass rule on LAN with (source LANnet, destination OpenVPN tunnel network) that has no gateway - that will allow that traffic without forcing it out one of your gateways/gateway groups.
-
Config looks OK to me as well. Post a network map. Post the routing table from pfSense. Post the routing table from the client after it's connected… then let's check some of the simple things:

- Make sure the OpenVPN client is run as admin
- How are you trying to access your servers? Are you referring to ICMP? Have you tried disabling the Windows firewall? (ICMP echo is disabled by default)
- Make sure your servers are using pfSense as the default gateway
-
Thank you guys!!! Of course, a simple thing :) All my clients (servers, desktops) have a different gateway because I'm building the pfSense host next to my main UTM. Of course, when I changed the gateway IP address I could then reach that server. And of course pinging is not working on some servers because the host interprets the VPN client as coming from a private network. Some firewall rules must be changed.
Thanks again.
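The "default gateway" diagnosis above, as an added example that is not from the thread: a small Python check that parses a LAN server's `ip route` output and reports whether replies to the tunnel network 192.168.200.0/24 would be forwarded to pfSense. The pfSense LAN address (10.6.148.254) and the UTM address (10.6.148.1) are assumed placeholders; the routing tables are constructed.

```python
import ipaddress
import re

# Tunnel network is from the thread; the pfSense LAN address is an assumption.
TUNNEL_NET = ipaddress.ip_network("192.168.200.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("10.6.148.254")  # assumed placeholder

# Constructed `ip route` output for a LAN server whose default gateway is the
# other UTM (10.6.148.1, placeholder). Reply packets for the tunnel never reach
# pfSense, so the VPN client can only talk to pfSense itself.
ROUTES_BROKEN = """\
default via 10.6.148.1 dev eth0
10.6.148.0/22 dev eth0 proto kernel scope link src 10.6.148.30
"""

# Same host after adding a specific route for the tunnel network via pfSense
# (the thread's fix was to change the default gateway; a host route works too).
ROUTES_FIXED = """\
default via 10.6.148.1 dev eth0
10.6.148.0/22 dev eth0 proto kernel scope link src 10.6.148.30
192.168.200.0/24 via 10.6.148.254 dev eth0
"""

ROUTE_RE = re.compile(r"^(default|\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")


def parse_routes(text):
    """Parse `ip route` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, ipaddress.ip_address(via) if via else None, dev))
    return routes


def next_hop_for(routes, target):
    """Longest-prefix match: the route a reply to `target` would take."""
    best = None
    for net, via, dev in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def return_path_ok(route_text, tunnel_net=TUNNEL_NET, pfsense=PFSENSE_LAN_IP):
    """True if replies to tunnel addresses are handed to pfSense, not another gateway."""
    hit = next_hop_for(parse_routes(route_text), tunnel_net[1])
    return hit is not None and hit[1] == pfsense
```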