Cannot connect to LAN from VPN
-
So I have set up OpenVPN on my PFSense server using the wizard and following the instructions. However, I cannot access any LAN computers. I have fought this for way too many hours now. I've read just about every related forum entry and I cannot understand why this is not working. Here are my details. Maybe someone can see something that I am missing.
I am using PFSense as our gateway, DHCP server, Firewall and OpenVPN server.
Tunnel Network: 10.0.8.0/24
Local Network: 10.21.0.0/16
I am using Windows as my client OS and used the VPN client downloaded from PFSense. Like most, I attach to the VPN just fine. I am assigned 10.0.8.6 as my IP and my gateway is 10.0.8.5.
I can ping and open the web console for PFSense just fine through the VPN.
I have the standard firewall rules (anything to anything) for the LAN and the OpenVPN.
I can ping IPs on my LAN using PFSense, but not through the VPN.
Any help would be appreciated. I'll see if I can upload images.
-
I assume your LAN is 10.21.0.0/16. And you have entered this in the Local Networks field of your OVPN server configuration so that the route gets pushed to the client?
Another reason could be that the IP you want to access from the client is part of a network range which is configured on one of its interfaces.
With which IP can you reach your pfSense? The OVPN gateway 10.0.8.5, WAN or LAN IP?
-
So I can get into my PFSense using its LAN IP, which is 10.21.26.254, and I can get in using 10.0.8.1.
Here is my computer's route table. You can see that it is using 10.0.8.5 as its gateway, which I assume is correct:
Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.120  10
10.0.8.1             255.255.255.255  10.0.8.5     10.0.8.6       20
10.0.8.4             255.255.255.252  On-link      10.0.8.6       276
10.0.8.6             255.255.255.255  On-link      10.0.8.6       276
10.0.8.7             255.255.255.255  On-link      10.0.8.6       276
10.21.0.0            255.255.0.0      10.0.8.5     10.0.8.6       20
127.0.0.0            255.0.0.0        On-link      127.0.0.1      306
127.0.0.1            255.255.255.255  On-link      127.0.0.1      306
127.255.255.255      255.255.255.255  On-link      127.0.0.1      306
169.254.0.0          255.255.0.0      On-link      169.254.46.53  261
169.254.46.53        255.255.255.255  On-link      169.254.46.53  261
169.254.255.255      255.255.255.255  On-link      169.254.46.53  261
192.168.1.0          255.255.255.0    On-link      192.168.1.120  266
192.168.1.120        255.255.255.255  On-link      192.168.1.120  266
192.168.1.255        255.255.255.255  On-link      192.168.1.120  266
224.0.0.0            240.0.0.0        On-link      127.0.0.1      306
224.0.0.0            240.0.0.0        On-link      10.0.8.6       276
224.0.0.0            240.0.0.0        On-link      169.254.46.53  261
224.0.0.0            240.0.0.0        On-link      192.168.1.120  266
255.255.255.255      255.255.255.255  On-link      127.0.0.1      306
255.255.255.255      255.255.255.255  On-link      10.0.8.6       276
255.255.255.255      255.255.255.255  On-link      169.254.46.53  261
255.255.255.255      255.255.255.255  On-link      192.168.1.120  266
-
Here is the route table on the PFSense
-
Here are my openvpn settings
-
Here is the openvpn firewall rule
-
Here is the LAN rule
-
Post your server1.conf.
Looking at what you've posted so far, it appears the tunnel is routing and allowing traffic as expected. I'm betting your packets are making it to their destination, but getting blocked at the endpoint. A couple things:
-
Verify the device you are trying to ping is using PFsense as the default gateway
-
Assuming you're trying to connect to a Windows machine, remember the Windows Firewall blocks ICMP echo requests by default unless the traffic is sourced from the firewall's local subnet. On Win 7/8 you have to either disable the Windows Firewall or add an explicit rule allowing ICMP echo from all IPs, e.g. -> http://www.sysprobs.com/enable-ping-reply-windows-7
On Server 2008/2012, you can enable this inbound rule -> "File and Printer Sharing (Echo Request - ICMPv4-In)"
-
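The two routing checks raised in this thread, as an added example (not code from any poster): a longest-prefix match over the client's posted route table for the forward path, then the same match on a LAN host for the reply back to the VPN client. The LAN host table, its address 10.21.5.10 and the gateway 10.21.0.1 are constructed for illustration.

```python
import ipaddress

# Rows copied from the client route table posted in the thread (subset).
CLIENT_ROUTES = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.120 10
10.0.8.1 255.255.255.255 10.0.8.5 10.0.8.6 20
10.0.8.4 255.255.255.252 On-link 10.0.8.6 276
10.21.0.0 255.255.0.0 10.0.8.5 10.0.8.6 20
192.168.1.0 255.255.255.0 On-link 192.168.1.120 266
"""

# Constructed table for a LAN host (10.21.5.10 and 10.21.0.1 are made up)
# whose default gateway is NOT the pfSense LAN IP 10.21.26.254.
LAN_HOST_ROUTES = """\
0.0.0.0 0.0.0.0 10.21.0.1 10.21.5.10 10
10.21.0.0 255.255.0.0 On-link 10.21.5.10 266
"""

def parse_routes(text):
    """Parse 'route print' IPv4 rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skips the header and blank lines
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:           # not a route row
            continue
    return routes

def pick_route(routes, target):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

if __name__ == "__main__":
    client = parse_routes(CLIENT_ROUTES)
    lan_host = parse_routes(LAN_HOST_ROUTES)
    # Forward path: client -> pfSense LAN IP goes into the tunnel.
    print("forward:", pick_route(client, "10.21.26.254")[1:3])
    # Return path: the echo reply to the VPN client follows the default route.
    print("return: ", pick_route(lan_host, "10.0.8.6")[1:3])
```

If the return-path gateway printed for a LAN host is anything other than the pfSense LAN IP, replies to 10.0.8.0/24 never re-enter the tunnel, even though the client's own table is correct.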