OpenVPN clients can only access some LAN clients

  • Hi all -

    I'm having an OpenVPN issue that's driving me nuts: I've configured OpenVPN and successfully connected with a client (OpenVPN Client DHCP pool =

    Once connected I can browse to the pfSense webadmin page on its local LAN address (, and I can browse to (HTTP) and ping 2 other hosts on the network ( &, but everything else (A range of devices from Linux hosts to printers) on the same small subnet ( appears to be unreachable - though none of these hosts block ICMP and will respond to pings & accept socket connections when connected directly to the network.

    I've not added any firewall rules other than those generated by the OpenVPN wizard - And certainly nothing that would allow access to just these two hosts!?

    Any advice on what to check next would be greatly appreciated - I've reviewed every setting and am at a total loss.



  • 1.  Do you have a firewall running on those linux machines?

    2.  Are you using IPs or Names to attempt to access these devices?

  • Hi kejianshi -

    No firewalls running on any of them, and I'm using IP addresses.

    Connected to VPN:

    ```text
    neil@ip-172-20-10-2:~$ ping
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=62 time=69.903 ms
    64 bytes from icmp_seq=1 ttl=62 time=125.728 ms
    64 bytes from icmp_seq=2 ttl=62 time=72.278 ms
    --- ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 69.903/89.303/125.728/25.775 ms

    neil@ip-172-20-10-2:~$ ping
    PING ( 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    ```

    Disconnected from VPN, on ethernet on the network:

    ```text
    neil@ip-172-20-10-2:~$ ping
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=1.110 ms
    64 bytes from icmp_seq=1 ttl=64 time=0.592 ms
    64 bytes from icmp_seq=2 ttl=64 time=0.695 ms
    ```



  • Need to see your lan tab firewall rules, openvpn tab firewall rules.
    Also, the VPN server setup page.

    And - shot in the dark…  What network are you on when you are testing the VPN?  And what's the IP address there?

  • Screenshots attached - Thanks again.

    ![Screen Shot 2015-03-12 at 18.36.55.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.36.55.png)
    ![Screen Shot 2015-03-12 at 18.37.28.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.37.28.png)
    ![Screen Shot 2015-03-12 at 18.37.33.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.37.33.png)

  • And where are you testing the openvpn client from?  What sort of internet and what IP?

  • When testing I'm connected via my phone - All other network devices (Ethernet/Wifi) turned off.

    ![Screen Shot 2015-03-12 at 18.40.49.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.40.49.png)
    ![Screen Shot 2015-03-12 at 18.41.03.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.03.png)
    ![Screen Shot 2015-03-12 at 18.41.10.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.10.png)

  • My initial thought is that it's some sort of problem with the scope of the addresses your client device (phone) is using.

    No chance you can try it from some other network?

    (BTW - is the same default setting for a lot of routers - not as bad as

  • IP assigned by mobile hotspot:

    Should add that I'm running the latest 2.2-RELEASE (amd64)
    built on Thu Jan 22 14:03:54 CST 2015
    FreeBSD 10.1-RELEASE-p4

  • I've tried it both on a mobile 3G hotspot and my home broadband - Both with the same results :/

  • I know for sure this problem can be caused if there is a firewall running on the linux servers with a firewall up but an allow rule.

    From the LAN all would work but from openvpn it would not work.

    Can you take another look at that?

  • Hi kejianshi  -

    Have double checked and definitely no firewalls running - In fact one of them ( is a printer that's the most insecure thing on the network - Same ping/TCP socket issues.



  • What's on 192.168.10/24 and what's on

  • Do the devices you cannot reach have pfSense set as their default gateway?

  • The unreachable devices do indeed have set as their default gateway, and their subnet masks are correct at (The same as the reachable devices)

    The plot thickens -

    I've got another machine on the network (No VPN, connected via ethernet) and ssh'd to one of the "unreachable" machines.
    I then connected to the VPN on another machine, and noted its VPN IP (
    I then ran tcpdump on the "unreachable" machine while telnetting to port 22 from the VPN client.

    I can see packets from my VPN Client IP hitting the host, so something is stopping a full TCP handshake from occurring!?


    What next!?

    • Neil

  • The unreachable devices do indeed have set as their default gateway, and their subnet masks are correct at (The same as the reachable devices)

    According to the information in your first post, that should be

  • Reading this, I am confused by the pfSense LAN IP of (/24 ?) and then all the talk of devices 192.168.10.* (/24 or /16 mentioned?)

    Are there 2 LANs (LAN and OPT1 or just a single big LAN ?

    What is the netmask on each device?

    What is the default gateway on each device?

    And what tunnel network is used for the OpenVPN?

  • Hi Phil -

    It's one single big LAN, but I've used DHCP to carve up the address space: for network devices (Wifi access points, configured via DHCP static mappings), for VPN clients (configured via OpenVPN),
    192.168.10.0/24 for permanent devices (PCs, printers, and linux hosts, configured via DHCP static mappings), for "transient" clients (laptops connected over wifi/ethernet).

    The default gateway is on all devices.
    The netmask is on all devices
    The OpenVPN tunnel network

    Thanks again for your help,


  • So you really have LAN - you have just allocated some pieces of that address space for convenience/convention to particular groups of devices. Personally I would not use such a large (all) of the 192.168 space for a single LAN with not so many devices. Also it will almost always cause a conflict with some local subnet that your OpenVPN clients are in when they "dialup".

    I presume you are using OpenVPN "tun" (tunnel) mode here. In that case the tunnel network MUST NOT overlap the LAN network.

    For a start, change the tunnel network to some other private address space - e.g. (pick a "random" subnet in the "10" space). Then things might start to work.

    Then I would move the LAN away from and - best to move it right away from 192.168 - that will minimise conflict with other device default settings at client ends.
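    Why an overlapping tunnel network produces exactly the symptom Neil saw in tcpdump (client SYN arrives, no handshake completes) can be shown with a small routing model. This is an added illustration, not code from the thread; the prefixes and addresses in it are constructed placeholders, since the real ones are not on the page.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed example values (not the thread's real addresses):
    # a single large LAN, a VPN tunnel carved out of it, and a corrected tunnel.
    LAN_PREFIX = "192.168.0.0/16"      # what every LAN host believes is "directly connected"
    BAD_TUNNEL = "192.168.20.0/24"     # tun network inside the LAN prefix (the broken layout)
    GOOD_TUNNEL = "10.44.0.0/24"       # tun network outside the LAN prefix (the fix)

    def tunnel_overlaps_lan(lan: str, tunnel: str) -> bool:
        """True if the OpenVPN tunnel network shares any addresses with the LAN."""
        return ip_network(lan, strict=False).overlaps(ip_network(tunnel, strict=False))

    def reply_path(lan_host_prefix: str, dst: str) -> str:
        """Model how a LAN host (not pfSense) forwards a reply packet to dst.

        A host sends to addresses inside its own connected prefix by ARPing for
        them on the LAN; everything else goes to its default gateway (pfSense).
        """
        if ip_address(dst) in ip_network(lan_host_prefix, strict=False):
            return "arp-on-lan"      # nobody on the LAN answers ARP for a VPN client
        return "via-default-gateway"  # pfSense then routes it back into the tunnel

    def vpn_client_reachable(lan: str, tunnel: str, client_ip: str) -> dict:
        """Walk the SYN / SYN-ACK exchange between a VPN client and a LAN host."""
        assert ip_address(client_ip) in ip_network(tunnel, strict=False)
        path = reply_path(lan, client_ip)  # SYN always arrives: pfSense routes it in
        return {
            "tunnel_overlaps_lan": tunnel_overlaps_lan(lan, tunnel),
            "syn_reaches_host": True,
            "syn_ack_path": path,
            "handshake_completes": path == "via-default-gateway",
        }

    if __name__ == "__main__":
        print(vpn_client_reachable(LAN_PREFIX, BAD_TUNNEL, "192.168.20.6"))
        print(vpn_client_reachable(LAN_PREFIX, GOOD_TUNNEL, "10.44.0.6"))
    ```

    The same check applies before choosing any remote-access subnet: if `tunnel_overlaps_lan` is true, hosts that hold a directly connected route for the LAN prefix will never hand their replies to pfSense.
    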

  • Hi Phil -

    I still don't understand why, but setting the OpenVPN tunnel network to did the trick!

    Thanks everyone for your help - Much appreciated!



  • Unless you are a network supergenius, keep things on /24s just for simplicity until you really have a great understanding of subnets and subnet masks.
