OpenVPN client-server cannot access lan



  • I have built a new pfsense 2.2 (amd64) vm on ESXi 5.0. I followed the below steps.

    I did the initial configuration via the wizard, after configuring the interfaces and IPs via console. I did no other changes.

    I created a CA, Server and local user account (client certs). I installed the OpenVPN client export package.

    I create an OpenVPN server/client config using the wizard, following the guide here - https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration. Tunnel network 10.2.100.0/24 all other things default.

    I am able to connect to the VPN using viscosity on OSX 10.9.5. I am able to ping the pfsense server LAN address, I am able to access the pfsense web configurator. I am unable to access the LAN. I am unable to ping any address on the LAN.

    I have checked the configuration manually to make sure all the configurations that should be there (ie firewall etc) are there.

    I have done the above a couple of times now to make sure there are no mistakes.

    Any ideas on why this would be happening?



  • Post your openvpn config (server1.conf). Post your firewall rules.



  • I pulled the backup xml, changed all (hopefully) identifying details and changed it to txt file so I could upload it.

    config-fw-testing.XXX.com-20150309071146.txt



  • What's your LAN?



  • @tsolrm:

    What's your LAN?

    I am not sure what you mean?

The backup file I posted should allow someone to completely recreate the pfsense box I am having trouble with, except the WAN IP configuration, which I changed before posting.



  • OP, this is what we need:

    1.  Post the contents of your openvpn server config (server1.conf).  i.e.:

    • Diagnostics -> Edit file

    • Navigate to "/var/etc/openvpn"

    • Post the contents of "server1.conf"

    2.  Post screenshots of the firewall rules on your LAN and OpenVPN tab



  • @xerovis:

    @tsolrm:

    What's your LAN?

    I am not sure what you mean?

The backup file I posted should allow someone to completely recreate the pfsense box I am having trouble with, except the WAN IP configuration, which I changed before posting.

    What's your local network subnet? Go into Interfaces -> LAN -> Post your .../** number



  • LAN subnet is 10.1.100.0/24



  • @xerovis:

    LAN subnet is 10.1.100.0/24

    That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255



  • @tsolrm:

    @xerovis:

    LAN subnet is 10.1.100.0/24

    That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255

    Yes and no.  Yes, in a routed tunnel your tunnel network needs to be on a different subnet than your LAN and everything else.  But no, he doesn't have to go to 172.16.0.0/12 because in fact his tunnel network is on an ENTIRELY different subnet:

    Tunnel Network - 10.2.100.0/24
    LAN - 10.1.100.0/24

    So, he's ok there.

    OP, as soon as you post your config and firewall rules we can tell you more.



  • @marvosa:

    OP, this is what we need:

    1.  Post the contents of your openvpn server config (server1.conf).  i.e.:

    • Diagnostics -> Edit file

    • Navigate to "/var/etc/openvpn"

    • Post the contents of "server1.conf"

    2.  Post screenshots of the firewall rules on your LAN and OpenVPN tab

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local XXX.XXX.XXX.XXX
    tls-server
    server 10.2.100.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'test-firewall' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 10.1.100.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet
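As an added illustration (not code from this thread, from pfSense, or from OpenVPN) of the two routing-side points raised above, the tunnel network must not overlap the LAN and the LAN must be pushed as a route, here is a small Python checker run over the relevant lines of the server1.conf posted above together with the OP's LAN subnet; `parse_conf` and `check_conf` are names chosen for this example.

```python
# Added example, not from the thread: check an OpenVPN server config for the two
# routing problems discussed above (tunnel/LAN overlap, missing pushed LAN route).
import ipaddress
import shlex

# Constructed sample: the routing-relevant lines from the posted server1.conf,
# and the LAN subnet the OP reported (10.1.100.0/24).
SAMPLE_CONF = """\
dev-type tun
server 10.2.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 10.1.100.0 255.255.255.0"
topology subnet
"""
LAN = "10.1.100.0/24"


def parse_conf(text):
    """Return (tunnel network or None, list of pushed route networks)."""
    tunnel = None
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)  # keeps the quoted push "route ..." argument whole
        if tokens[0] == "server" and len(tokens) >= 3:
            tunnel = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) >= 2:
            inner = tokens[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return tunnel, routes


def check_conf(text, lan_cidr):
    """Return a list of problems; an empty list means the routing side looks fine."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    tunnel, routes = parse_conf(text)
    problems = []
    if tunnel is None:
        problems.append("no 'server' line: tunnel network not defined")
    elif tunnel.overlaps(lan):
        problems.append(f"tunnel network {tunnel} overlaps LAN {lan}")
    if not any(r == lan or lan.subnet_of(r) for r in routes):
        problems.append(f"LAN {lan} is not pushed to clients (missing push \"route ...\")")
    return problems
```

With the posted config and LAN it reports nothing, which matches the reply above that the routing side is fine and the cause lies elsewhere.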



  • Please find attached screenshots of my firewall rules.

    ![Screen Shot 2015-03-11 at 7.20.40 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 7.20.40 am.png)
    ![Screen Shot 2015-03-11 at 7.20.50 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 7.20.50 am.png)



  • These look like LAN and WAN rules, but there also needs to be similar allow rules on the openvpn tab



  • @kejianshi:

    These look like LAN and WAN rules, but there also needs to be similar allow rules on the openvpn tab

    Crap - Sorry!

    ![Screen Shot 2015-03-11 at 8.24.04 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 8.24.04 am.png)



  • I see no problem with the rules…

    Can you go to OpenVPN: Server, edit the server and post that page here.

I'm a simple-minded guy.  Reading that is easier for me.



  • Your settings look good to me.
    What is it that you cannot ping on LAN?
    Various versions of Windows will respond to ping from devices on their local subnet, but not to ping from another subnet. Make sure to turn off any firewall on the LAN device. Make sure the LAN device has default gateway pfSense LAN IP, so it can answer.



You have an any/any firewall rule on your openvpn tab and your config is nearly identical to my working config, so I suspect your tunnel is working as expected.

Most likely this is a software firewall issue.  If you're pinging a Windows box, by default the Windows firewall will deny ICMP echo requests from IPs sourced outside of its local subnet.  Disable the Windows firewall and test your ping.  If it works (which I suspect it will), and you want to keep the firewall enabled, you need to add a Windows firewall exception that allows ICMP echo requests from all IPs.



I have the same problem. I can connect to the VPN, I can ping the host (for me it's 192.168.5.0/24), but I can't ping anybody on the network :-[



  • @HunorR:

I have the same problem. I can connect to the VPN, I can ping the host (for me it's 192.168.5.0/24), but I can't ping anybody on the network :-[
    Happy to help, but start a new thread, so we can keep everything straight.



I have the same issue here. It used to run flawlessly, but suddenly stopped. I already rebuilt the server, restored the configuration and got stuck on the server. Can ping, open the URL in a browser but cannot reach any of the machines on the LAN side.

