RESOLVED OpenVPN server/client - can connect, cannot access anything on LAN
-
I used the wizard to create a VPN server so I could remotely connect to my home network. I can successfully connect (and hold a connection) to the VPN from my iPhone (OpenVPN app) and my Mac (Viscosity). However, I cannot ping or access anything on the local LAN from the remote client.
I attached my Firewall rules for LAN and OpenVPN, along with some other screen shots it seems you often request.
Any help is greatly appreciated!
server1.conf:
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local x.x.x.x
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
-
Looks like a typical, split tunnel, routed setup to me and should be working. A few things to check:
- Verify the OpenVPN client is being run as administrator.
- Verify the client's LAN subnet is not the same as yours (192.168.1.0/24). If so, one side will have to change. Long term you will want to change your LAN subnet to something that is not in that popular SOHO range anyway.
- Verify the hosts you are trying to ping are using pfSense as their default gateway.
- Assuming you're pinging Windows hosts, disable the Windows firewall and see if your pings start to respond. If they do, then you need to add a firewall exception that allows ICMP echo from all IPs. (The Windows firewall blocks ICMP echo by default from IPs sourced outside of its local subnet.)
-
Thanks marvosa.
1. OpenVPN is being run as an admin (on the MacBook). There is no control over this on iPhone so I assume it's kosher.
2. Confirmed: tunnel network: 10.0.8.0/24, local network: 192.168.1.0/24
3. How do I confirm this? They are all behind the pfSense box.
4. I have no Windows machines, but I can't even ping 192.168.1.1. Really banging my head on this one…
-
Where are you testing from? What is the subnet there?
I think we should concentrate on the macbook. We have more tools available. Fixing that will probably fix the phone. There is no requirement to run Viscosity as admin. It wants elevated privs when installing/upgrading but that's it.
Not being able to ping 192.168.1.1 from remote is telling. It eliminates any problems with your LAN hosts.
-
Perhaps this is the issue! I was using my T-Mobile/LTE connection. For the iPhone I was just running the OpenVPN app on LTE. For the Macbook I was connecting to the hotspot.
-
Doubtful that all those conflict.
-
Dang. I really want to find the root cause.
Not being able to ping 192.168.1.1 is the signal. I just don't know enough to figure out how to debug it.
-
You didn't answer the question.
Where are you testing from? What is the subnet there? This stuff isn't guesswork. There's a reason it's not working. You are the only one who has the information necessary to find out why.
-
Subnet on T-Mobile hotspot is: 172.20.10.1
and
tunnel network: 10.0.8.0/24, local network: 192.168.1.0/24, so there shouldn't be an issue.
edit: removed some unnecessary logging.
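As an added example (not code from the thread or from pfSense), a small Python script that parses the server1.conf posted above and applies marvosa's second check: whether the tunnel network or any pushed route overlaps the remote client's own local subnet. The /28 mask on the hotspot network is an assumption; the thread only gives the address 172.20.10.1.

```python
import ipaddress
import shlex

# Constructed excerpt of the server1.conf posted in this thread: only the two
# lines that define the tunnel network and the pushed LAN route matter here.
SERVER_CONF = """\
server 10.0.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""


def parse_server_conf(text):
    """Return (tunnel_network, [pushed route networks]) from an OpenVPN server config."""
    tunnel, routes = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments and blank lines
        if not line or line.startswith(";"):   # ';' is OpenVPN's other comment marker
            continue
        tokens = shlex.split(line)             # keeps the quoted push argument together
        if tokens[0] == "server" and len(tokens) >= 3:
            tunnel = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) >= 2:
            inner = tokens[1].split()          # e.g. ["route", "192.168.1.0", "255.255.255.0"]
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return tunnel, routes


def find_conflicts(tunnel, routes, client_lan):
    """Return the server-side networks that overlap the remote client's local subnet.

    A hit means the client's directly connected route can shadow the VPN route
    for that prefix, so traffic for the home LAN never enters the tunnel."""
    client = ipaddress.ip_network(client_lan, strict=False)
    return [str(net) for net in [tunnel, *routes]
            if net is not None and net.overlaps(client)]


if __name__ == "__main__":
    tunnel, routes = parse_server_conf(SERVER_CONF)
    # 172.20.10.1 is the hotspot address given in the thread; the /28 mask is an
    # assumption. The second value is the conflicting case marvosa warns about.
    for lan in ("172.20.10.0/28", "192.168.1.0/24"):
        hits = find_conflicts(tunnel, routes, lan)
        print(f"client LAN {lan}: "
              f"{'conflicts with ' + ', '.join(hits) if hits else 'no overlap'}")
```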
-
I solved the problem by brute force trial and error. I just fired up two "ping" requests, one for 192.168.1.1 (pfSense) and one to www.google.com. I changed shit until they both returned something. :)
I needed to make 2 tweaks:
- In Firewall -> NAT -> Outbound I had to add an additional rule for the OpenVPN subnet (which I eventually switched to 192.168.2.0/24 during my trial/error). Note: in the photo below it is the 3rd rule.
- I had to change the Gateway from default to WAN_DHCP in the Firewall -> Rules under the OpenVPN tab.
Photos attached.
-
Those look like changes so the VPN clients can get out to the internet (not sure about the WAN_DHCP on the OpenVPN tab).
You asked about being able to get to hosts on LAN, not the internet.
-
Initially I couldn't ping the LAN or the internet. Somewhere along the way the LAN started working, but the internet held out for a while. While I was able to figure out how I enabled the internet (per the above), I have no idea what I did that got the LAN working. It could have been as simple as rebooting the box (instead of just the OpenVPN service).
Thanks for your help.