Netgate Discussion Forum

    External OpenVPN client can't see LAN devices

    Category: OpenVPN
    17 Posts 7 Posters 5.2k Views
    • Hakker

      I have an issue where external clients can't see the internal network. The connection gets established and I can ping the pfsense box, but the rest of the network is invisible. Being pretty new here with OpenVPN and not the greatest with pfsense yet I'm at a loss on the next step which I'm probably missing here.

      external PC1 (original IP 192.168.1.210)      External PC2 (original IP 192.168.1.211)
      VPN IP 192.168.10.1                           VPN IP 192.168.10.2
              |                                             |
              +--------------------- internet --------------+
                                  |
                pfsense box (also OpenVPN server) (192.168.1.1)
                                  |
                           internal network
              |                   |                   |
      PC1 (192.168.1.11)   PC2 (192.168.1.12)   PC3 (192.168.1.13)

      My /var/etc/openvpn/server1.conf file:

      dev ovpns1
      verb 1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local HIDDEN
      engine cryptodev
      tls-server
      server 192.168.10.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'SomeVPN' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 10
      push "route 192.168.1.0 255.255.255.0"
      push "dhcp-option DNS 192.168.1.1"
      client-to-client
      ca /var/etc/openvpn/server1.ca 
      cert /var/etc/openvpn/server1.cert 
      key /var/etc/openvpn/server1.key 
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      persist-remote-ip
      float
      topology subnet
      
      

      edit1: changed the external addresses from 192.168.10.0/24 to 10.10.10.0/24
      edit2: changed back to the 192.168.10.0/24 range

      • Derelict LAYER 8 Netgate

        I have an issue where external clients can't see the internal network. The connection gets established and I can ping the pfsense box, but the rest of the network is invisible.

        What do you mean by can't see and invisible?

        What address on pfSense is responding to ping?

        Specifics help.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • divsys

          From your config file it looks like you've set up the pfSense Ovpn server in a RoadWarrior style setup where externalPC/PC2 connect individually to the OpenVPN server, is this correct?

          It looks like your tunnel definition for the OVpn server overlaps the subnet of the external PCs.

          Change the tunnel definition (Server 192.168.10.0 255.255.255.0) to something completely unrelated to either subnet eg. "Server 10.10.0.0 255.255.255.0".

          -jfp

          • Hakker

            @divsys:

            From your config file it looks like you've set up the pfSense Ovpn server in a RoadWarrior style setup where externalPC/PC2 connect individually to the OpenVPN server, is this correct?

            It looks like your tunnel definition for the OVpn server overlaps the subnet of the external PCs.

            Change the tunnel definition (Server 192.168.10.0 255.255.255.0) to something completely unrelated to either subnet eg. "Server 10.10.0.0 255.255.255.0".

            Correct, each external client has their own connection as the list is quite small.
            I changed the subnet of the server to 10.10.10.0/24, yet nothing changed; still, any PC in the internal network isn't found.

            @Derelict:

            I have an issue where external clients can't see the internal network. The connection gets established and I can ping the pfsense box, but the rest of the network is invisible.

            What do you mean by can't see and invisible?

            What address on pfSense is responding to ping?

            Specifics help.

            Can't see/invisible is what it is: cannot see the internal network from the external PC, as in not pinging on the internal address, e.g. 192.168.1.11, nor finding it in the Windows network as a PC.
            As for the response of the pfSense, it responds to the internal IP as in 192.168.1.1; the webconfig is accessible as well through the internal IP.

            • Derelict LAYER 8 Netgate

              No.  Pinging is an ICMP echo request.  "can't see/invisible" is arbitrary language that doesn't tell people what you've tried.

              Are you sure the firewalls on the internal PCs allow traffic into them from sources outside their local network?

              • Hakker

                @Derelict:

                No.  Pinging is an ICMP echo request.  "can't see/invisible" is arbitrary language that doesn't tell people what you've tried.

                Are you sure the firewalls on the internal PCs allow traffic into them from sources outside their local network?

                Well, if you have a better way to test if you can see any of the internal PCs, you're welcome to mention it.

                I tried pinging, which according to you will never happen, but when I added an internal PC as an OpenVPN client I could ping it from the external PC with 192.168.1.13. I could also access it through the external PC's explorer as \\internal-pc1 and could see the entire share map. When I disconnected that internal PC's OpenVPN the link was gone and the internal PC was inaccessible again.

                • Derelict LAYER 8 Netgate

                  Dude.  I'm telling you that when you're asking for help on a forum details matter.  Don't take it so personally.

                  Sounds like your setup is pretty convoluted.

                  I'm done even trying to help you.  Good luck.

                  • divsys

                    When you changed the server's tunnel IP did you make sure to update each of the clients as well?

                    Have you made sure the PCs in both subnets don't block ping requests from external subnets (a common gotcha when testing)?

                    Normally when I set up Roadwarriors I use the OpenVPN client export package to install the clients; it's the easiest and most foolproof.
                    How did these get set up?

                    Did you remember to set a rule under "Firewall->Rules->OpenVPN" to allow all?

                    Keep at it, these setups are usually pretty easy once you find the step that was missed.

                    -jfp

                    • phil.davis

                      I do not understand:

                      external PC1 (10.10.10.1)            External PC2 (10.10.10.2)
                      

                      I guess those 10.10.10.* addresses are just the addresses those PCs happen to have on some other network from which they are connecting.
                      The OpenVPN tunnel seems to be:

                      server 192.168.10.0 255.255.255.0
                      

                      which is good.

                      So the OpenVPN external clients should be given tunnel IPs like 192.168.10.6 192.168.10.10 … (usually 4 numbers apart)

                      1. Make sure you have rule/s on OpenVPN permitting traffic from the tunnel subnet to the LAN (or permitting all traffic).
                      2. Make sure the device/s on LAN are actually setup to respond to pings coming from a different network - e.g. Windows firewall is an issue, often it responds to ping from its local subnet but configures itself to NOT respond to ping from a different network.

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      • Hakker

                        @Derelict:

                        Dude.  I'm telling you that when you're asking for help on a forum details matter.  Don't take it so personally.

                        Sounds like your setup is pretty convoluted.

                        I'm done even trying to help you.  Good luck.

                        Uhm, I just asked and tried to give you the details you requested. I didn't take anything personally. All I mentioned was that if you have a better way to test it I would like to know it. What is taking it personally on that? A) I'm not a network admin, I just hobby away, so not everything might be immediately understood, and B) English is not my main language, so some terms I could translate incorrectly.
                        @phil.davis:

                        I do not understand:

                        external PC1 (10.10.10.1)            External PC2 (10.10.10.2)
                        

                        I guess those 10.10.10.* addresses are just the addresses those PCs happen to have on some other network from which they are connecting.
                        The OpenVPN tunnel seems to be:

                        server 192.168.10.0 255.255.255.0
                        

                        which is good.

                        So the OpenVPN external clients should be given tunnel IPs like 192.168.10.6 192.168.10.10 … (usually 4 numbers apart)

                        1. Make sure you have rule/s on OpenVPN permitting traffic from the tunnel subnet to the LAN (or permitting all traffic).
                        2. Make sure the device/s on LAN are actually setup to respond to pings coming from a different network - e.g. Windows firewall is an issue, often it responds to ping from its local subnet but configures itself to NOT respond to ping from a different network.

                        Sorry, I didn't edit it fully. I guess the server deals out 10.10.10.0/24 now, as I changed it to that after a recommendation by divsys. So the code part should be updated as well, which I will do to reflect the situation better.
                        The external's own IP is 192.168.178.0/24; it gets a 10.10.10.0/24 address from the VPN connection.

                        1. The OpenVPN firewall rules have only the line that the OpenVPN Wizard makes, which is an allow-all rule. If that isn't the answer, hopefully you can describe better what you meant.
                        2. Made a Windows firewall rule to allow any data from 192.168.1.0/24 and 10.10.10.0/24, just to test it, as in the screenshot.

                        I hope this is the info you need to be able to help me further.

                        [screenshots: 2015-04-06_120839.png, 2015-04-06_120910.png]

                        • doktornotor Banned

                          Just as a side note: do NOT ever test Windows connectivity from outside with ping. And definitely not with the crappy Windows firewall enabled.

                          • Hakker

                            Well, I first try it with the firewall on, but I also check with the firewall off. My fileserver doesn't have a firewall at all and is also always checked, but if there are ways or a tool that I can use reliably I'm all up for it.

                            • scuzy

                              For what it's worth, I had a similar issue as you and the only way I got it working was deleting the OpenVPN server and reinstalling it with the wizard; then this solved my issues. For some reason the firewall saw there was no rule set for OpenVPN; I had to delete it and re-add it with the wizard.

                              • Hakker

                                Finally had proper time to do some more testing and being at an external place. I get to see this in the status log of the OpenVPN GUI, and well, these are really the first steps in OpenVPN for me, so it might be something simple I just missed.
                                I do have a bridge in pfSense; I don't know if that is of any importance in this case?

                                ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=16]
                                env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
                                ERROR: Windows route add command failed [adaptive]: returned error code 1
                                Initialization Sequence Completed
                                

                                All the Windows PC now sees is an unidentified network, and the client does send packets but doesn't seem to receive any.

                                • doktornotor Banned

                                  You must run that as administrator.

                                  • adrianomiranda

                                    On "External PC", did you run OpenVPN as Administrator? You have to do it.
                                    (sorry for my poor English)

                                    • Hakker

                                      Thank you dr41 and doktornotor, I forgot to do that. That at least resolves the error in the OpenVPN status window.

                                      However, for some reason it still is an unidentified network with no internet or my "home" network access. I have a bridge in my pfSense config, so I was wondering if the VPN server needs to be in the bridge as an enabled device.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.