Can ping but can't connect to any VPN client service
I have had a working routed configuration for 6 (or more) months, like this:
Internet -> Router/Firewall (10.0.0.201/8) -> Ubuntu OpenVPN (eth0: 10.0.0.9/8, tun0:172.16.0.1) -> internal LAN clients (10.0.0.0/8)
I also added appropriate policy routes on my router/firewall so that my LAN clients can reach VPN clients.
Here is the rule:

    starting ip: 172.16.0.0
    ending ip: 172.16.255.255
    starting port: 0
    ending port: 0
    Routing action > gateway: 10.0.0.9 (openvpn eth0 interface)
So traffic generated from the LAN to 172.16.x.x VPN clients goes to my router/firewall, which says that it has to be sent to the eth0 OpenVPN server interface.
Now I'm really surprised that I can correctly ping and traceroute my VPN clients from the LAN, but I can't connect to any of the services that run on the VPN client machines (no remote desktop, no file shares, ...), even with the VPN clients' firewalls off...
What could this be caused by? What am I missing?
Here is my server.conf:

    port 1194
    proto udp
    dev tun
    ca <...>
    cert <...>
    key <...>
    dh <...>
    server 172.16.0.0 255.255.255.0
    client-config-dir ccd
    route 172.16.1.0 255.255.255.0
    route 172.16.2.0 255.255.255.0
    route 172.16.3.0 255.255.255.0
    client-connect clientconnect.sh
    client-disconnect clientdisconnect.sh
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    log-append openvpn.log
    verb 3
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    reneg-sec 36000
    tmp-dir /etc/openvpn/tmp-dir
    client-cert-not-required
    username-as-common-name
    script-security 3 system
    ccd-exclusive
As explained, in the ccd directory I have files like this:

    ...
    push "route 10.0.0.0 255.0.0.0" #internal LAN
When a client connects, the script writes the following iptables rules:

    iptables -A FORWARD -s $ifconfig_pool_remote_ip -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s $ifconfig_pool_remote_ip -j ACCEPT
    iptables -t nat -A POSTROUTING -s $ifconfig_pool_remote_ip -o eth0 -j MASQUERADE #can reach internal LAN
So, VPN clients successfully ping, traceroute and connect to services running on internal LAN machines.
Internal LAN machines can ping and traceroute, but can't connect to any services running on VPN clients.
Where am I wrong?
Any help would be precious.
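As an added example (not the poster's clientconnect.sh / clientdisconnect.sh, and not a diagnosis of the problem above), here is one way to write the per-client connect/disconnect helper so that the FORWARD rules cover both directions explicitly (VPN client to LAN, and LAN to VPN client) and are removed again on disconnect. The rules the question shows only name the VPN client as source, so what the server permits for LAN-initiated connections depends on the default FORWARD policy; listing both directions per client makes that policy auditable. The interface names eth0/tun0 and the use of OpenVPN's script_type and ifconfig_pool_remote_ip variables are assumptions; set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: a combined client-connect / client-disconnect helper for OpenVPN.
# Assumptions (not from the original post): the LAN side is eth0, the tunnel is
# tun0, and OpenVPN exports script_type and ifconfig_pool_remote_ip to the script.
# IPTABLES can be overridden (e.g. IPTABLES=echo) to dry-run the rule set.

IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# vpn_forward_rules <add|del> <client-ip>
# Installs (-A) or removes (-D) the three rules that belong to one VPN client.
# Using the same rule text for add and del keeps connect and disconnect symmetric,
# so a disconnected client leaves no forwarding or NAT entry behind.
vpn_forward_rules() {
    action="$1"
    ip="$2"
    case "$action" in
        add) op="-A" ;;
        del) op="-D" ;;
        *) echo "usage: vpn_forward_rules add|del <client-ip>" >&2; return 2 ;;
    esac

    # VPN client -> LAN: traffic the client initiates towards internal hosts
    "$IPTABLES" "$op" FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$ip" -j ACCEPT
    # LAN -> VPN client: connections that LAN hosts initiate towards this client
    "$IPTABLES" "$op" FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$ip" -j ACCEPT
    # Masquerade only the client's own outbound connections towards the LAN
    "$IPTABLES" -t nat "$op" POSTROUTING -s "$ip" -o "$LAN_IF" -j MASQUERADE
}

# Number of rules this helper manages per client, for checking that a
# disconnect removes exactly as many rules as the connect installed.
vpn_rule_count() {
    echo 3
}

# When OpenVPN runs this file, script_type tells us which hook fired.
# The same file can be named in both client-connect and client-disconnect.
case "${script_type:-}" in
    client-connect)    vpn_forward_rules add "$ifconfig_pool_remote_ip" ;;
    client-disconnect) vpn_forward_rules del "$ifconfig_pool_remote_ip" ;;
esac
```

A stateful "-m state --state RELATED,ESTABLISHED -j ACCEPT" rule is deliberately not repeated per client here; that rule is direction-neutral and belongs once at the top of the FORWARD chain, installed when the server starts rather than on every connect.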
What version of pfSense are you running?