Netgate Discussion Forum

    OpenVPN client-server cannot access lan

      marvosa

      Post your openvpn config (server1.conf). Post your firewall rules.

        xerovis

        I pulled the backup xml, changed all (hopefully) identifying details and changed it to txt file so I could upload it.

        config-fw-testing.XXX.com-20150309071146.txt

          tsolrm

          What's your LAN?

            xerovis

            @tsolrm:

            What's your LAN?

            I am not sure what you mean?

            The backup file I posted should allow someone to completely recreate the pfSense box I am having trouble with, except the WAN IP configuration, which I changed before posting.

              marvosa

              OP, this is what we need:

              1.  Post the contents of your openvpn server config (server1.conf).  i.e.:

              • Diagnostics -> Edit file

              • Navigate to "/var/etc/openvpn"

              • Post the contents of "server1.conf"

              2.  Post screenshots of the firewall rules on your LAN and OpenVPN tab

                tsolrm

                @xerovis:

                @tsolrm:

                What's your LAN?

                I am not sure what you mean?

                The backup file I posted should allow someone to completely recreate the pfSense box I am having trouble with, except the WAN IP configuration, which I changed before posting.

                What's your local network subnet? Go into Interfaces -> LAN -> Post your .../** number

                  xerovis

                  LAN subnet is 10.1.100.0/24

                    tsolrm

                    @xerovis:

                    LAN subnet is 10.1.100.0/24

                    That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255

                      marvosa

                      @tsolrm:

                      @xerovis:

                      LAN subnet is 10.1.100.0/24

                      That would be a problem. Put the VPN clients on an ENTIRELY different subnet, like 172.16.0.0 - 172.31.255.255

                      Yes and no.  Yes, in a routed tunnel your tunnel network needs to be on a different subnet than your LAN and everything else.  But no, he doesn't have to go to 172.16.0.0/12 because in fact his tunnel network is on an ENTIRELY different subnet:

                      Tunnel Network - 10.2.100.0/24
                      LAN - 10.1.100.0/24

                      So, he's ok there.

                      OP, as soon as you post your config and firewall rules we can tell you more.

                        xerovis

                        @marvosa:

                        OP, this is what we need:

                        1.  Post the contents of your openvpn server config (server1.conf).  i.e.:

                        • Diagnostics -> Edit file

                        • Navigate to "/var/etc/openvpn"

                        • Post the contents of "server1.conf"

                        2.  Post screenshots of the firewall rules on your LAN and OpenVPN tab

                        dev ovpns1
                        verb 1
                        dev-type tun
                        tun-ipv6
                        dev-node /dev/tun1
                        writepid /var/run/openvpn_server1.pid
                        #user nobody
                        #group nobody
                        script-security 3
                        daemon
                        keepalive 10 60
                        ping-timer-rem
                        persist-tun
                        persist-key
                        proto udp
                        cipher AES-256-CBC
                        auth SHA1
                        up /usr/local/sbin/ovpn-linkup
                        down /usr/local/sbin/ovpn-linkdown
                        local XXX.XXX.XXX.XXX
                        tls-server
                        server 10.2.100.0 255.255.255.0
                        client-config-dir /var/etc/openvpn-csc
                        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'test-firewall' 1"
                        lport 1194
                        management /var/etc/openvpn/server1.sock unix
                        max-clients 10
                        push "route 10.1.100.0 255.255.255.0"
                        ca /var/etc/openvpn/server1.ca
                        cert /var/etc/openvpn/server1.cert
                        key /var/etc/openvpn/server1.key
                        dh /etc/dh-parameters.2048
                        tls-auth /var/etc/openvpn/server1.tls-auth 0
                        comp-lzo adaptive
                        persist-remote-ip
                        float
                        topology subnet

                        1 Reply Last reply Reply Quote 0
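The subnet reasoning from the posts above (tunnel network distinct from the LAN, LAN route pushed to clients), checked against the routing lines of the posted server1.conf. This is an added example, not part of the original thread; `parse_networks` and `check_routing` are hypothetical helper names, and the sample text is an excerpt constructed from the config above.

```python
import ipaddress
import shlex

# Constructed sample: a few lines taken from the server1.conf posted in the thread.
SAMPLE_CONF = '''\
dev ovpns1
dev-type tun
#user nobody
server 10.2.100.0 255.255.255.0
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'test-firewall' 1"
push "route 10.1.100.0 255.255.255.0"
topology subnet
'''

def parse_networks(conf_text):
    """Return (tunnel_network, [pushed_routes]) from OpenVPN server config text."""
    tunnel, routes = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and commented-out directives
            continue
        tokens = shlex.split(line)           # honours the quoting used by push/tls-verify
        if tokens[0] == "server" and len(tokens) >= 3:
            tunnel = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) == 2:
            inner = tokens[1].split()
            if inner[0] != "route" or len(inner) < 2:
                continue
            mask = inner[2] if len(inner) > 2 else "255.255.255.255"
            try:
                routes.append(ipaddress.ip_network(f"{inner[1]}/{mask}", strict=False))
            except ValueError:               # e.g. a hostname or keyword instead of an IP
                continue
    return tunnel, routes

def check_routing(conf_text, lan_cidr):
    """List config problems that would stop VPN clients from reaching the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    tunnel, routes = parse_networks(conf_text)
    if tunnel is None:
        return ["no 'server' directive: tunnel network unknown"]
    problems = []
    if tunnel.overlaps(lan):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}")
    if not any(lan.subnet_of(r) for r in routes):
        problems.append(f"no pushed route covers LAN {lan}")
    return problems

if __name__ == "__main__":
    print(check_routing(SAMPLE_CONF, "10.1.100.0/24") or "routing config is consistent")
```

An empty result for the posted values means the tunnel network and pushed route are consistent, so the fault has to lie elsewhere (firewall rules or the LAN hosts themselves).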
                          xerovis

                          Please find attached screenshots of my firewall rules.

                          ![Screen Shot 2015-03-11 at 7.20.40 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 7.20.40 am.png)
                          ![Screen Shot 2015-03-11 at 7.20.50 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 7.20.50 am.png)

                            kejianshi

                            These look like LAN and WAN rules, but there also need to be similar allow rules on the OpenVPN tab.

                              xerovis

                              @kejianshi:

                              These look like LAN and WAN rules, but there also need to be similar allow rules on the OpenVPN tab.

                              Crap - Sorry!

                              ![Screen Shot 2015-03-11 at 8.24.04 am.png](/public/imported_attachments/1/Screen Shot 2015-03-11 at 8.24.04 am.png)

                                kejianshi

                                I see no problem with the rules…

                                Can you go to OpenVPN: Server, edit the server and post that page here.

                                I'm a simple minded guy.  Reading that is easier for me.

                                  phil.davis

                                  Your settings look good to me.
                                  What is it that you cannot ping on LAN?
                                  Various versions of Windows will respond to ping from devices on their local subnet, but not to ping from another subnet. Make sure to turn off any firewall on the LAN device. Make sure the LAN device has default gateway pfSense LAN IP, so it can answer.

                                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                    marvosa

                                    You have an any/any firewall rule on your OpenVPN tab and your config is nearly identical to my working config, so I suspect your tunnel is working as expected.

                                    Most likely this is a software firewall issue.  If you're pinging a Windows box, by default the Windows firewall will deny ICMP echo requests from IPs sourced outside of its local subnet.  Disable the Windows firewall and test your ping.  If it works (which I suspect it will), and you want to keep the firewall enabled, you need to add a Windows firewall exception that allows ICMP echo requests from all IPs.

                                      HunorR

                                      I have the same problem: I can connect to the VPN, I can ping the host, for me it's 192.168.5.0/24, but I can't ping anybody on the network :-[

                                        marvosa

                                        @HunorR:

                                        I have the same problem: I can connect to the VPN, I can ping the host, for me it's 192.168.5.0/24, but I can't ping anybody on the network :-[

                                        Happy to help, but start a new thread, so we can keep everything straight.

                                          washimi

                                          I have the same issue here. It used to run flawlessly, but suddenly stopped. I already rebuilt the server, restored the configuration and got stuck on the server. Can ping, open the URL in a browser but cannot reach any of the machines on the LAN side.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.