Netgate Discussion Forum
    No access to LAN over OpenVPN

      tsolrm

      I have a pfSense router with DHCP dishing out IP addresses (range 10.10.1.*) to devices on the network with openvpn set up and that gives IPs (10.10.10.*).

      I can connect to VPN and access the pfSense control panel on 10.10.1.1 but I can't access or ping anything on the LAN.

      I suspect it could be the wrong subnet mask, because the VPN client has a subnet mask of 255.255.255.252 and the default gateway is empty but I have no idea how to fix that.

      Any ideas? thanks

        marvosa

        Need more details.  Post your server1.conf.

          tsolrm

          @marvosa:

          Need more details.  Post your server1.conf.

          What I was trying to achieve is access a NAS4Free device through VPN.

          This seems to be a routing problem, because when I created a Static route inside the NAS4Free box to the OpenVPN network pointing it to the pfsense default gateway - instantly I was able to access and ping NAS4Free device.

          But I can't be doing this for every device on the network! Any ideas?

            phil.davis

            Give us a network diagram.
            Is pfSense the default gateway?
            Maybe it is not because you say that adding a static route on the client made it work. If there are multiple routers on your LAN and pfSense is not the default gateway, then there are going to be some hoops to jump through.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              tsolrm

              Where do I set pfsense as the default gateway please? I think it already is

                tsolrm

                When I do ipconfig on the VPN client I get the following:

                Subnet mask 255.255.255.252 and Default gateway as empty.

                My LAN is 10.10.1.1-1-10.10.1.200 the pfsense is 10.10.10.1

                and the VPN is 10.10.11.0/24

                  marvosa

                  There very well may be a routing issue, but we can't help you troubleshoot if you do not provide more details.

                  • Post a network map and your openvpn config (server1.conf)

                  • Verify all the devices/PCs on your LAN are using pfSense as the default gateway

                    tsolrm

                    NAS4Free box is using 10.10.10.1 as the gateway.

                    When I add a static route to the VPN network inside NAS4free - it becomes instantly accessible.

                    Network is Internet modem -> pfsense -> LAN -> two laptops with one of them running NAS4free inside a VM.

                    I can access the NAS4free from any machine on the LAN just fine.

                    Where do I get the server config?

                      marvosa

                      • Diagnostics -> Edit file

                      • Navigate to "/var/etc/openvpn" and post the contents of "server1.conf"

                        tsolrm

                        It seems that the issue was the network mask. They overlapped. I have set VPN to be 192.168.1.* and everything came to life.

                        I still can't do an nslookup on one of the lan devices from the vpn client, can that be achieved?

                        Thank you

                          phil.davis

                          @tsolrm:

                          It seems that the issue was the network mask. They overlapped. I have set VPN to be 192.168.1.* and everything came to life.

                          I still can't do an nslookup on one of the lan devices from the vpn client, can that be achieved?

                          Thank you

                          Get away from 192.168.1.* completely. When the OpenVPN client is at somebody's home, cafe, etc. that has local LAN 192.168.1.0/24 then it is going to get confused having its local LAN and OpenVPN tunnel the same. Use some "random" piece of private IPv4 address space.

                          If you have specified "Provide a DNS server list to clients", given an internal DNS server IP address that should know the names of LAN devices, and have firewall rules that let that traffic through the tunnel, then it should work.
                          Post more details of the settings.

                            tsolrm

                            Which Subnet would you recommend to use?

                              doktornotor

                              Use something "random". Like, 10.156.74.0/24, 192.168.219.0/24 or whatever. Also, 172.16/12 space (172.16.0.0 - 172.31.255.255) seems a whole lot less popular. 192.168.[01].* and 10.0.0.* is where  some 99% of default modem/router configurations sit out there.

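The subnet advice in the two replies above (stay off 192.168.1.*, pick a "random" private range), as an added example that is not part of the original thread: a Python check of a proposed tunnel network against the LAN behind the VPN server and against the default ranges named above. The /24 masks on those default ranges and the 10.10.0.0/16 LAN mask in the first scenario are assumptions for illustration; the thread does not state the masks.

```python
import ipaddress

# Default ranges the thread says most consumer routers sit on
# (192.168.0.*, 192.168.1.*, 10.0.0.*); the /24 masks are an assumption.
COMMON_REMOTE_LANS = ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_tunnel_network(tunnel, local_lans, remote_lans=COMMON_REMOTE_LANS):
    """Return (severity, network, reason) tuples for a proposed tunnel network.

    "error"   = overlaps a LAN behind the VPN server. A LAN host whose own
                subnet covers the tunnel addresses treats VPN clients as
                on-link and never hands its replies to the gateway.
    "warning" = overlaps a range a roaming client is likely to be sitting on.
    """
    tun = ipaddress.ip_network(tunnel)  # ValueError if host bits are set
    findings = []
    if not any(tun.subnet_of(block) for block in RFC1918):
        findings.append(("error", str(tun), "not RFC 1918 private space"))
    for lan in local_lans:
        net = ipaddress.ip_network(lan, strict=False)
        if tun.overlaps(net):
            findings.append(("error", str(net), "overlaps server-side LAN"))
    for lan in remote_lans:
        net = ipaddress.ip_network(lan)
        if tun.overlaps(net):
            findings.append(
                ("warning", str(net), "overlaps common client-side LAN"))
    return findings


if __name__ == "__main__":
    # Constructed scenarios: (tunnel network, LANs behind the VPN server).
    scenarios = [
        ("10.10.11.0/24", ["10.10.0.0/16"]),   # assumed wide LAN mask
        ("192.168.1.0/24", ["10.10.1.0/24"]),  # tunnel on a common default
        ("10.156.74.0/24", ["10.10.1.0/24"]),  # "random" private /24
    ]
    for tunnel, lans in scenarios:
        result = check_tunnel_network(tunnel, lans)
        print(tunnel, "->", result or "no conflicts")
```
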
                                tsolrm

                                Thank you. I have changed that and also pushed the DNS servers to the clients. It seems that I can use nslookup now.

                                  tsolrm

                                  Just one more question in case you have knowledge on the matter.

                                  I have checked the box: Redirect gateway in the OpenVPN server config.

                                  I understand this makes the client use the OpenVPN server bandwidth instead of their own. So basically it's eating up the network's bandwidth when it comes to internet usage.

                                  What if I disable this feature - would I still be able to access the LAN?

                                    doktornotor

                                    Of course, yes… The checkbox is only useful if you want to use OpenVPN as your WAN (i.e., direct all WAN traffic from the client via OpenVPN).

                                      tsolrm

                                      Once unchecked it opens up 'IPv4 Local Network/s'

                                      Do I put the details of my LAN here? And this way only LAN traffic goes through vpn?

                                        doktornotor

                                        Did you consider reading the OpenVPN wiki docs?

                                          tsolrm

                                          I'm really tight for time with this, I'm not doing this for my own amusement and I have a deadline for configuring the entire box. Could you please give me an answer?

                                            phil.davis

                                            @tsolrm:

                                            Once unchecked it opens up 'IPv4 Local Network/s'

                                            Do I put the details of my LAN here? And this way only LAN traffic goes through vpn?

                                            Yes, you need to tell it the subnet(s) that you want to be reached across the OpenVPN - your LAN(s)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.