Cannot connect to LAN from VPN



  • So I have set up OpenVPN on my PFSense server using the wizard and following the instructions. However, I cannot access any LAN computers. I have fought this for way too many hours now. I've read just about every related forum entry and I cannot understand why this is not working. Here are my details. Maybe someone can see something that I am missing.

    I am using PFSense as our gateway, DHCP server, Firewall and OpenVPN server.
    Tunnel Network: 10.0.8.0/24
    Local Network: 10.21.0.0/16
    I am using Windows as my client OS and used the VPN client downloaded from PFSense.

    Like most, I attach to the VPN just fine. I am assigned 10.0.8.6 as my IP and my gateway is 10.0.8.5.
    I can ping and open the web console for PFSense just fine through the VPN.
    I have the standard firewall rules (anything to anything) for the LAN and the OpenVPN.

    I can ping IPs on my LAN using PFSense, but not through the VPN.

    Any help would be appreciated. I'll see if I can upload images.



  • I assume your LAN is 10.21.0.0/16. And you have entered this in the Local Networks field of your OVPN server configuration so that the route gets pushed to the client?

    Another reason could be that the IP you want to access from the client is part of a network range which is configured on one of its interfaces.

    With which IP can you reach your pfSense? The OVPN gateway 10.0.8.5, WAN or LAN IP?



  • So I can get into my PFSense using its LAN IP, which is 10.21.26.254, and I can get in using 10.0.8.1.

    Here is my computer's route table. You can see that it is using 10.0.8.5 as its gateway, which I assume is correct:

    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.120    10
            10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    20
            10.0.8.4  255.255.255.252        On-link          10.0.8.6    276
            10.0.8.6  255.255.255.255        On-link          10.0.8.6    276
            10.0.8.7  255.255.255.255        On-link          10.0.8.6    276
            10.21.0.0      255.255.0.0        10.0.8.5        10.0.8.6    20
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          169.254.0.0      255.255.0.0        On-link    169.254.46.53    261
        169.254.46.53  255.255.255.255        On-link    169.254.46.53    261
      169.254.255.255  255.255.255.255        On-link    169.254.46.53    261
          192.168.1.0    255.255.255.0        On-link    192.168.1.120    266
        192.168.1.120  255.255.255.255        On-link    192.168.1.120    266
        192.168.1.255  255.255.255.255        On-link    192.168.1.120    266
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link          10.0.8.6    276
            224.0.0.0        240.0.0.0        On-link    169.254.46.53    261
            224.0.0.0        240.0.0.0        On-link    192.168.1.120    266
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link          10.0.8.6    276
      255.255.255.255  255.255.255.255        On-link    169.254.46.53    261
      255.255.255.255  255.255.255.255        On-link    192.168.1.120    266



  • Here is the route table on the PFSense




  • Here are my openvpn settings




  • Here is the openvpn firewall rule




  • Here is the LAN rule




  • Post your server1.conf.

    Looking at what you've posted so far, it appears the tunnel is routing and allowing traffic as expected.  I'm betting your packets are making it to their destination, but getting blocked at the endpoint.  A couple things:

    • Verify the device you are trying to ping is using PFsense as the default gateway

    • Assuming you're trying to connect to a Windows machine, remember the Windows Firewall blocks ICMP echo requests by default unless the traffic is sourced from the firewall's local subnet.  On Win 7/8 you have to either disable the Windows Firewall or add an explicit rule allowing ICMP echo from all IPs.  e.g. -> http://www.sysprobs.com/enable-ping-reply-windows-7

      On Server 2008/2012, you can enable this inbound rule -> "File and Printer Sharing (Echo Request - ICMPv4-In)"
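
The two endpoint checks from the reply above, as an added example that is not part of the original thread: it confirms the LAN host's default gateway is pfSense and opens ICMPv4 echo to the OpenVPN tunnel network only, rather than to all IPs. It assumes the NetTCPIP and NetSecurity cmdlets (Windows 8 / Server 2012 and later, so not Win 7 or Server 2008); the addresses are the ones posted in the thread and the rule name is made up for this example.

```powershell
# Run in an elevated PowerShell session on the LAN host that does not answer
# pings from the VPN. Example code, not taken from the thread.

$ExpectedGateway = '10.21.26.254'   # pfSense LAN IP as posted in the thread
$TunnelNetwork   = '10.0.8.0/24'    # OpenVPN tunnel network as posted in the thread
$RuleName        = 'Allow ICMPv4 echo from OpenVPN tunnel'   # hypothetical name

# 1. Replies to 10.0.8.x follow the default route, so it has to point at pfSense.
#    With several default routes, the lowest combined metric is the one in use.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric }

if (-not $defaultRoutes) {
    Write-Warning 'No IPv4 default route: replies to VPN clients have no path back.'
} else {
    $active = $defaultRoutes | Select-Object -First 1
    if ($active.NextHop -eq $ExpectedGateway) {
        Write-Output "Default gateway is pfSense ($ExpectedGateway)."
    } else {
        Write-Warning ("Default gateway is $($active.NextHop), not $ExpectedGateway; " +
                       "replies to $TunnelNetwork will not go back through pfSense.")
    }
}

# 2. Allow echo requests (ICMPv4 type 8) from the tunnel network only.
#    Re-running the script updates the existing rule instead of duplicating it.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True -RemoteAddress $TunnelNetwork
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $TunnelNetwork -Profile Any |
        Out-Null
}

# 3. Show the remote scope that is actually in effect for the rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If the gateway check warns, fix the host's gateway before touching the firewall: an allowed echo request still goes unanswered when the reply leaves by another router.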