OpenVPN client-server cannot access lan
-
I have built a new pfsense 2.2 (amd64) vm on ESXi 5.0. I followed the below steps.
I did the initial configuration via the wizard, after configuring the interfaces and IPs via console. I did no other changes.
I created a CA, Server and local user account (client certs). I installed the OpenVPN client export package.
I create an OpenVPN server/client config using the wizard, following the guide here - https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#OpenVPN_Server_Configuration. Tunnel network 10.2.100.0/24 all other things default.
I am able to connect to the VPN using viscosity on OSX 10.9.5. I am able to ping the pfsense server LAN address, I am able to access the pfsense web configurator. I am unable to access the LAN. I am unable to ping any address on the LAN.
I have checked the configuration manually to make sure all the configurations that should be there (ie firewall etc) are there.
I have done the above a couple of times now to make sure there are no mistakes.
Any ideas on why this would be happening?
-
Post your openvpn config (server1.conf). Post your firewall rules.
-
I pulled the backup xml, changed all (hopefully) identifying details and changed it to txt file so I could upload it.
-
What's your LAN?
-
What's your LAN?
I am not sure what you mean?
The backup file I posted should allow someone to completely recreate the pfsense box I am having trouble with, except the the WAN IP configuration, which I changed before posting.
-
OP, this is what we need:
1. Post the contents of your openvpn server config (server1.conf). i.e.:
-
Diagnostics -> Edit file
-
Navigate to "/var/etc/openvpn"
-
Post the contents of "server1.conf"
2. Post screenshots of the firewall rules on your LAN and OpenVPN tab
-
-
What's your LAN?
I am not sure what you mean?
The backup file I posted should allow someone to completely recreate the pfsense box I am having trouble with, except the the WAN IP configuration, which I changed before posting.
What's your local network subnet? Go into Interfaces -> LAN -> Post your .../** number
-
LAN subnet is 10.1.100.0/24
-
LAN subnet is 10.1.100.0/24
That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255
-
LAN subnet is 10.1.100.0/24
That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255
Yes and no. Yes, in a routed tunnel your tunnel network needs to be on a different subnet than your LAN and everything else. But no, he doesn't have to go to 172.16.0.0/12 because in fact his tunnel network is on an ENTIRELY different subnet:
Tunnel Network - 10.2.100.0/24
LAN - 10.1.100.0/24So, he's ok there.
OP, as soon as you post your config and firewall rules we can tell you more.
-
OP, this is what we need:
1. Post the contents of your openvpn server config (server1.conf). i.e.:
-
Diagnostics -> Edit file
-
Navigate to "/var/etc/openvpn"
-
Post the contents of "server1.conf"
2. Post screenshots of the firewall rules on your LAN and OpenVPN tab
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.XXX
tls-server
server 10.2.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'test-firewall' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 10.1.100.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
-
-
Please find attached screenshots of my firewall rules.
-
These look like LAN and WAN rules, but there also needs to be similar allow rules on the openvpn tab
-
These look like LAN and WAN rules, but there also needs to be similar allow rules on the openvpn tab
Crap - Sorry!
-
I see no problem with the rules…
Can you go to OpenVPN: Server, edit the server and post that page here.
I'm a simple minded guy. Reading that is easier for me.
-
Your settings look good to me.
What is it that you cannot ping on LAN?
Various versions of Windows will respond to ping from devices on their local subnet, but not to ping from another subnet. Make sure to turn off any firewall on the LAN device. Make sure the LAN device has default gateway pfSense LAN IP, so it can answer.
-
You have an any/any firewall rule on our openvpn tab and your config is nearly identical to my working config, so I suspect your tunnel is working as expected.
Most likely this is a software firewall issue. If you're pinging a windows box, by default the windows firewall will deny ICMP echo requests from IP's sourced outside of it's local subnet. Disable the windows firewall and test your ping. If it works (which I suspect it will), and you want to keep the firewall enabled, you need to add a windows firewall exception that allows ICMP echo requests from all IP's.
-
i have the same problem, i can connect to the vpn, i can ping the host for me it`s 192.168.5.0/24 but i can't ping nobody on the network :-[
-
i have the same problem, i can connect to the vpn, i can ping the host for me it`s 192.168.5.0/24 but i can't ping nobody on the network :-[
[/quote]
Happy to help, but start a new thread, so we can keep everything straight.
-
I have the same issue here. It used to run flawlessly, but suddenly stoped. I already rebuilt the server, restored the configuration and got stucked on the server. Can ping, open the url in a browser but cannot reach any of the machines on the LAN side.