RESOLVED OpenVPN server/client - can connect, cannot access anything on LAN



  • I used the wizard to create a VPN server so I could remotely connect to my home network. I can successfully connect (and hold a connection) to the VPN from my iPhone (OpenVPN app) and my Mac (Viscosity). However, I cannot ping or access anything on the local LAN from the remote client.

    I attached my Firewall rules for LAN and OpenVPN, along with some other screen shots it seems you often request.

    Any help is greatly appreciated!

    server1.conf:

    ```
    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 5
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    ```

    ![Screen Shot 2015-03-15 at 2.57.29 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-15 at 2.57.29 PM.png)
    ![Screen Shot 2015-03-15 at 2.57.39 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-15 at 2.57.39 PM.png)
    ![Screen Shot 2015-03-15 at 2.58.29 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-15 at 2.58.29 PM.png)
    ![Screen Shot 2015-03-15 at 2.58.11 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-15 at 2.58.11 PM.png)



  • Looks like a typical, split tunnel, routed setup to me and should be working.  A few things to check:

    • Verify the OpenVPN client is being run as administrator

    • Verify the client's LAN subnet is not the same as yours (192.168.1.0/24).  If so, one side will have to change.  Long term you will want to change your LAN subnet to something that is not in that popular SOHO range anyway

    • Verify the hosts you are trying to ping are using pfSense as their default gateway

    • Assuming you're pinging Windows hosts, disable the Windows firewall and see if your pings start to respond.  If they do, then you need to add a firewall exception that allows ICMP echo from all IPs.  (The Windows firewall blocks ICMP echo by default from IPs sourced outside of its local subnet)
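    As an added example (not code from the thread), a small Python check for the subnet-overlap item above: it parses the `server` and pushed `route` lines out of an OpenVPN server config in the shape of the posted server1.conf and reports whether the tunnel network, the pushed LAN route, and the client's own local subnet overlap. The config excerpt and the client subnet (172.20.10.0/28, a guess at a phone-hotspot range) are constructed for the demo.

    ```python
    import ipaddress
    import re

    # Constructed excerpt in the shape of the server1.conf posted above; only
    # the directives the check needs are included.
    SERVER_CONF = """\
    dev ovpns1
    proto udp
    #user nobody
    server 10.0.8.0 255.255.255.0
    push "route 192.168.1.0 255.255.255.0"
    lport 1194
    """

    def parse_networks(conf_text):
        """Return (tunnel_net, [pushed route nets]) from an OpenVPN server config.

        Handles 'server <net> <mask>' and 'push "route <net> <mask>"' lines;
        comments and unrelated directives are skipped.
        """
        tunnel, routes = None, []
        for raw in conf_text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            m = re.match(r'^server\s+(\S+)\s+(\S+)$', line)
            if m:
                tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                continue
            m = re.match(r'^push\s+"route\s+(\S+)\s+(\S+)"$', line)
            if m:
                routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        return tunnel, routes

    def find_overlaps(tunnel, routes, client_local_net):
        """Return (name_a, name_b) pairs of networks that overlap.

        A pushed LAN route that overlaps the client's own local subnet is the
        classic split-tunnel failure: the client keeps its local route and
        LAN-bound traffic never enters the tunnel.
        """
        named = [("tunnel", tunnel)]
        named += [(f"route:{r}", r) for r in routes]
        named.append(("client_local", client_local_net))
        return [(a, b) for i, (a, na) in enumerate(named)
                for (b, nb) in named[i + 1:] if na.overlaps(nb)]

    def check_config(conf_text, client_local_cidr):
        """Convenience wrapper: parse the config and check one client subnet."""
        tunnel, routes = parse_networks(conf_text)
        return find_overlaps(tunnel, routes, ipaddress.ip_network(client_local_cidr, strict=False))

    if __name__ == "__main__":
        print(check_config(SERVER_CONF, "172.20.10.0/28"))   # hotspot: no conflict
        print(check_config(SERVER_CONF, "192.168.1.0/24"))   # home-like LAN: conflict
    ```
    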



  • @marvosa:

    Looks like a typical, split tunnel, routed setup to me and should be working.  A few things to check:

    • Verify the OpenVPN client is being run as administrator

    • Verify the client's LAN subnet is not the same as yours (192.168.1.0/24).  If so, one side will have to change.  Long term you will want to change your LAN subnet to something that is not in that popular SOHO range anyway

    • Verify the hosts you are trying to ping are using pfSense as their default gateway

    • Assuming you're pinging Windows hosts, disable the Windows firewall and see if your pings start to respond.  If they do, then you need to add a firewall exception that allows ICMP echo from all IPs.  (The Windows firewall blocks ICMP echo by default from IPs sourced outside of its local subnet)

    Thanks marvosa.

    1. openvpn is being run as an admin (on the Macbook). There is no control over this on iPhone so I assume it's kosher.
    2. confirmed: tunnel network: 10.0.8.0/24, local network: 192.168.1.0/24
    3. how do I confirm this? they are all behind the pfSense box.
    4. I have no windows machines, but I can't even ping 192.168.1.1

    Really banging my head on this one…


  • LAYER 8 Netgate

    Where are you testing from?  What is the subnet there?

    I think we should concentrate on the macbook.  We have more tools available.  Fixing that will probably fix the phone.  There is no requirement to run Viscosity as admin.  It wants elevated privs when installing/upgrading but that's it.

    Not being able to ping 192.168.1.1 from remote is telling.  It eliminates any problems with your LAN hosts.



  • @Derelict:

    Where are you testing from?  What is the subnet there?

    Perhaps this is the issue! I was using my T-Mobile/LTE connection. For the iPhone I was just running the OpenVPN app on LTE. For the Macbook I was connecting to the hotspot.


  • LAYER 8 Netgate

    Doubtful that all those conflict.



  • @Derelict:

    Doubtful that all those conflict.

    Dang. I really want to find the root cause.

    Not being able to ping 192.168.1.1 is the signal. I just don't know enough to figure out how to debug it.


  • LAYER 8 Netgate

    You didn't answer the question.

    Where are you testing from?  What is the subnet there?  This stuff isn't guesswork.  There's a reason it's not working.  You are the only one who has the information necessary to find out why.



  • Subnet on T-Mobile hotspot is: 172.20.10.1
    and
    tunnel network: 10.0.8.0/24, local network: 192.168.1.0/24

    so there shouldn't be an issue.

    edit: removed some unnecessary logging.



  • I solved the problem by brute force trial and error. I just fired up two "ping" requests, one for 192.168.1.1 (pfSense) and one to www.google.com. I changed shit until they both returned something. :)

    I needed to make 2 tweaks:

    1. In Firewall -> NAT -> Outbound I had to add an additional rule for the OpenVPN subnet (which I eventually switched to 192.168.2.0/24 during my trial/error). Note: in the photo below it is the 3rd rule.
    2. I had to change the Gateway from default to WAN_DHCP in the Firewall -> Rules under the OpenVPN tab.

    Photos attached.

    ![Screen Shot 2015-03-16 at 4.31.36 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-16 at 4.31.36 PM.png)
    ![Screen Shot 2015-03-16 at 4.28.53 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-16 at 4.28.53 PM.png)


  • LAYER 8 Netgate

    Those look like changes so the VPN clients can get out to the internet (not sure about the WAN_DHCP on the OpenVPN tab).

    You asked about being able to get to hosts on LAN, not the internet.



  • @Derelict:

    Those look like changes so the VPN clients can get out to the internet (not sure about the WAN_DHCP on the OpenVPN tab).

    You asked about being able to get to hosts on LAN, not the internet.

    Initially I couldn't ping the LAN or the internet. Somewhere along the way the LAN started working, but the internet held out for a while. While I was able to figure out how I enabled the internet (per the above), I have no idea what I did that got the LAN working. It could have been as simple as rebooting the box (instead of just the OpenVPN service).

    Thanks for your help.

