OpenVPN clients can only access some LAN clients

neilsaunders

Hi all -

I'm having an OpenVPN issue that's driving me nuts: I've configured OpenVPN and successfully connected with a client (OpenVPN Client DHCP pool = 192.168.9.0/24)

Once connected I can browse to the pfSense webadmin page on its local LAN address (192.168.1.1), and I can browse to (HTTP) and ping 2 other hosts on the network (192.168.10.10 & 192.168.10.11), but everything else (A range of devices from Linux hosts to printers) on the same small subnet (192.168.10.0/24) appears to be unreachable - though none of these hosts block ICMP and will respond to pings & accept socket connections when connected directly to the network.

I've not added any firewall rules other than those generated by the OpenVPN wizard - And certainly nothing that would allow access to just these two hosts!?

Any advice on what to check next would be greatly appreciated - I've reviewed every setting and am at a total loss.

Thanks,

Neil

kejianshi

1.  Do you have a firewall running on those linux machines?

2.  Are you using IPs or Names to attempt to access these devices?

neilsaunders

Hi kejianshi -

No firewalls running on any of them, and I'm using IP addresses.

Connected to VPN:

neil@ip-172-20-10-2:~$ ping 192.168.10.11
PING 192.168.10.11 (192.168.10.11): 56 data bytes
64 bytes from 192.168.10.11: icmp_seq=0 ttl=62 time=69.903 ms
64 bytes from 192.168.10.11: icmp_seq=1 ttl=62 time=125.728 ms
64 bytes from 192.168.10.11: icmp_seq=2 ttl=62 time=72.278 ms
^C
–- 192.168.10.11 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 69.903/89.303/125.728/25.775 ms

neil@ip-172-20-10-2:~$ ping 192.168.10.12
PING 192.168.10.12 (192.168.10.12): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C

Disconnected from VPN, on ethernet on the network:
neil@ip-172-20-10-2:~$ ping 192.168.10.12
PING 192.168.10.12 (192.168.10.12): 56 data bytes
64 bytes from 192.168.10.12: icmp_seq=0 ttl=64 time=1.110 ms
64 bytes from 192.168.10.12: icmp_seq=1 ttl=64 time=0.592 ms
64 bytes from 192.168.10.12: icmp_seq=2 ttl=64 time=0.695 ms

Thanks,

Neil

kejianshi

Need to see your lan tab firewall rules, openvpn tab firewall rules.
Also, the VPN server setup page.

And - shot in the dark…  What network are you on when you are testing the VPN?  And whats the IP address there?

neilsaunders

Screenshots attached - Thanks again.


kejianshi

And where are you testing the openvpn client from?  What sort of internet and what IP?

neilsaunders

When testing I'm connected via my phone - All other network devices (Ethernet/Wifi) turned off.


kejianshi

My initial thought is that its some sort of problem with the scope of the addresses your client device (phone) is using.

No chance you can try it from some other network?

(BTW - 192.168.10.0/24 is the same default setting for alot of routers - not as bad as 192.168.1.0/24)

neilsaunders

IP assigned by mobile hotspot: 149.254.181.53

Should add that I'm running the latest 2.2-RELEASE (amd64)
built on Thu Jan 22 14:03:54 CST 2015
FreeBSD 10.1-RELEASE-p4

neilsaunders

I've tried it both on a mobile 3G hotspot and my home broadband - Both with the same results :/

kejianshi

I know for sure this problem can be caused if there is a firewall running on the linux servers with a firewall up but a allow 192.168.10.0/24 rule.

From the LAN all would work but from openvpn it would not work.

Can you take another look at that?

neilsaunders

Hi kejianshi  -

Have double checked and definitely no firewalls running - In fact one of them (192.168.10.14) is a printer that's the most insecure thing on the network - Same ping/TCP socket issues.

Ta,

Neil

kejianshi

whats on 192.168.10/24 and whats on 192.168.1.0/24?

Derelict

Do the devices you cannot reach have pfSense set as their default gateway?

neilsaunders

The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

The plot thickens -

I've got another machine on the network (No VPN, connected via ethernet) and ssh'd to one of the "unreachable" machines.
I then connected to the VPN on another machine, and noted it's VPN IP (192.168.9.6)
I then ran tcp dump on the" unreachable" machine and telnetting to port 22 from the VPN client

I can see packets from my VPN Client IP hitting the host, so something is stopping a full TCP handshake from occurring!?

#handscracher

What next!?

• Neil

Derelict

@neilsaunders:

The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

According to the information in your first post, that should be 255.255.255.0.

phil.davis

Reading this, I am confused by the pfSense LAN IP of 192.168.1.1 (/24 ?) and then all the talk of devices 192.168.10.* (/24 or /16 mentioned?)

Are there 2 LANs (LAN 192.168.1.0/24 and OPT1 192.168.10.0/24) or just a single big LAN 192.168.0.0/16 ?

What is the netmask on each device?

What is the default gateway on each device?

And what tunnel network is used for the OpenVPN?

neilsaunders

Hi Phil -

It's one single big LAN, but I've used DHCP to carve up the address space:

192.168.0.0/24 for Network devices (Wifi Access points, configured via DHCP Static mappings)
192.168.9.0/24 for VPN Clients (Configured via OpenVPN)
192.168.10/0/24 for permanent devices (PC's, printers, and linux hosts, configured via DHCP Static mappings)
192.168.100.0/24 for "Transient" clients (Laptops connected over wifi/ethernet)

The default gateway is 192.168.1.1 on all devices.
The netmask is 255.255.0.0 on all devices
The OpenVPN tunnel network 192.168.9.0/24

Thanks again for your help,

Neil

phil.davis

So you really have LAN 192.168.0.0/16 - you have just allocated some pieces of that address space for convenience/convention to particular groups of devices. Personally I would not use such a large (all) of the 192.168 space for a single LAN with not so many devices. Also it will almost always cause a conflict with some local subnet that your OpenVPN clients are in when they "dialup".

I presume you are using OpenVPN "tun" (tunnel) mode here. In that case the tunnel network MUST NOT overlap the LAN network.

For a start, change the tunnel network to some other private address space - e.g. 10.123.45.0/24 (pick a "random" subnet in the "10" space). Then things might start to work.

Then I would move the LAN away from 192.168.0.0/24 and 192.168.1.0/24 - best to move it right away from 192.168 - that will minimise conflict with other device default settings at client ends.

neilsaunders

Hi Phil -

I still don't understand why, but setting the OpenVPN tunnel network to 10.0.8.0/24 did the trick!

Thanks everyone for your help - Much appreciated!

Ta,

Neil