Netgate Discussion Forum
    OpenVPN pfs2.2 routing problem

Fresco:

      Hello,
I've configured OpenVPN with this tutorial: https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/ with some modifications. The client can connect to the VPN with no problems but can access/connect to the pfSense host only. I can't reach other servers in the LAN network, nor the defined DNS server. On the client machine I've checked the routes after connecting to the VPN - they're OK.
Some config details: LAN network: 10.6.148.0/22, tunnel network: 192.168.200.0/24. OpenVPN is configured on the wan_orange interface. Some configs are in the screenshots.
Maybe I must add some Outbound NAT or firewall rules?
Please help. Thanks for the advice.

      EDIT:

Server config:

      dev ovpns1
      verb 4
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local XX.XX.XX.XX
      tls-server
      server 192.168.200.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'srpopenvpn' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 10
      push "route 10.6.148.0 255.255.252.0"
      push "dhcp-option DOMAIN XXX.net"
      push "dhcp-option DNS 10.6.148.21"
      push "dhcp-option DNS 10.6.148.22"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo adaptive
      persist-remote-ip
      float

Client config:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote XX.XX.XX.XX 1194 udp
      lport 0
      verify-x509-name "srpopenvpn" name
      auth-user-pass
      pkcs12 srppfs01-udp-1194-test.p12
      tls-auth srppfs01-udp-1194-test-tls.key 1
      ns-cert-type server
      comp-lzo adaptive

Screenshots attached: Firewall LAN, Firewall OpenVPN, Firewall WAN_O, Outbound NAT.

phil.davis:

        That all looks good for connecting, firewall passing and routing from clients in to the LAN devices.
        Check the LAN devices (server…) for any firewall there - e.g. many Windows systems will allow access on the local subnet but the firewall stops traffic from other subnets (like the OpenVPN tunnel network).

        Also, if you ever want/need to connect out from a LAN device to a client then you will need an ordinary pass rule on LAN with (source LANnet, destination OpenVPN tunnel network) that has no gateway - that will allow that traffic without forcing it out one of your gateways/gateway groups.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

marvosa:

Config looks OK to me as well. Post a network map. Post the routing table from pfSense. Post the routing table from the client after it's connected… then let's check some of the simple things:

• Make sure the OpenVPN client is run as admin

• How are you trying to access your servers? Are you referring to ICMP? Have you tried disabling the Windows firewall? (ICMP echo is disabled by default)

• Make sure your servers are using pfSense as the default gateway

Fresco:

Thank you guys !!! Of course, a simple thing :) All my clients (servers, desktops) have a different gateway because I'm building the pfSense host next to my main UTM. Of course, when I changed the gateway IP address I can now reach that server. And of course pinging is not working on some servers because the host sees the VPN clients as coming from a private network. Some firewall rules must be changed.
Thanks again.
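The thread's diagnosis, written up as an added example (not code from the thread or from pfSense): a small model of the reply path from a LAN server back to an OpenVPN client, covering the three things that decided this case, the server's default gateway, a host firewall that only trusts the local subnet, and the Outbound NAT alternative the original poster asked about. The pfSense LAN address 10.6.148.1, the client address and the 10.6.148.254 gateway are assumed sample values; the page gives only the two networks.

```python
"""Return-path check for the thread's topology (added example, not from the thread).

Tunnel 192.168.200.0/24 and LAN 10.6.148.0/22 come from the post; the
pfSense LAN address 10.6.148.1 is an assumption. Forward traffic from a
VPN client always reaches the LAN because pfSense owns both networks; the
question is whether the server's reply ever gets back to the tunnel.
"""
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("192.168.200.0/24")
LAN_NET = ip_network("10.6.148.0/22")
PFSENSE_LAN_IP = ip_address("10.6.148.1")  # assumption: pfSense LAN address


def reply_path(client_ip, server_ip, server_gateway,
               outbound_nat_on_lan=False, host_fw_local_subnet_only=False):
    """Return (reachable, reason) for the reply server_ip -> client_ip.

    outbound_nat_on_lan: pfSense has an Outbound NAT rule on LAN that
        rewrites sources in TUNNEL_NET to PFSENSE_LAN_IP (the alternative
        to repointing every server's default gateway).
    host_fw_local_subnet_only: the server's own firewall (e.g. Windows)
        accepts traffic only from its local subnet.
    Assumes the server has no static route for TUNNEL_NET.
    """
    client_ip, server_ip, server_gateway = map(
        ip_address, (client_ip, server_ip, server_gateway))
    if client_ip not in TUNNEL_NET or server_ip not in LAN_NET:
        return False, "addresses outside the modelled tunnel/LAN networks"

    # What source address the server actually sees on the incoming packet.
    src_seen = PFSENSE_LAN_IP if outbound_nat_on_lan else client_ip
    if src_seen in LAN_NET:
        # Reply is on-link; the host firewall and gateway never matter.
        return True, f"reply to {src_seen} stays on the LAN (NAT hides the tunnel)"

    # Off-subnet source: host firewall is consulted before any reply is sent.
    if host_fw_local_subnet_only:
        return False, f"server firewall drops {src_seen} (not on the local subnet)"

    # Off-subnet reply goes to the server's default gateway.
    if server_gateway == PFSENSE_LAN_IP:
        return True, "reply goes to pfSense, which routes it into the tunnel"
    return False, (f"reply goes to {server_gateway}, which has no route "
                   f"back to {TUNNEL_NET}; asymmetric routing")
```

The first failing case (gateway is the main UTM) is the one the original poster hit; the host-firewall case is the one phil.davis and marvosa raised.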

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.