Can ping but can't connect to any VPN client service



  • Hi there,
I have had a working routed configuration for 6 (or more) months, like this:
    Internet -> Router/Firewall (10.0.0.201/8) -> Ubuntu OpenVPN (eth0: 10.0.0.9/8, tun0:172.16.0.1) -> internal LAN clients (10.0.0.0/8)
    I also added appropriate policy routes on my router/firewall so that my LAN clients can reach VPN clients.
    Here is the rule:
    starting ip: 172.16.0.0
    ending ip: 172.16.255.255
    starting port: 0
    ending port: 0
    Routing action > gateway: 10.0.0.9 (openvpn eth0 interface)

    So traffic generated from the LAN to 172.16.x.x VPN clients goes to my router/firewall, which says it has to be sent to the eth0 OpenVPN server interface.

    Now I'm really surprised that I can correctly ping and traceroute my VPN clients from the LAN, but I can't connect to any of the services that run on the VPN client machines (no remote desktop, no file shares, ...), even with the VPN clients' firewalls off...

    What could this be caused by? What am I missing?

    Here is my server.conf:

    port 1194
    proto udp
    dev tun
    ca <...>
    cert <...>
    key <...>
    dh <...>
    server 172.16.0.0 255.255.255.0
    client-config-dir ccd
    route 172.16.1.0 255.255.255.0
    route 172.16.2.0 255.255.255.0
    route 172.16.3.0 255.255.255.0
    client-connect clientconnect.sh
    client-disconnect clientdisconnect.sh
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    log-append  openvpn.log
    verb 3
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    reneg-sec 36000
    tmp-dir /etc/openvpn/tmp-dir
    client-cert-not-required
    username-as-common-name
    script-security 3 system
    ccd-exclusive
    

    As explained, in the ccd directory I have files like this:

    
    ...
    push "route 10.0.0.0 255.0.0.0" #internal LAN
    
    

    When a client connects, the script writes the following iptables rules:

    
    iptables -A FORWARD -s $ifconfig_pool_remote_ip -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s $ifconfig_pool_remote_ip -j ACCEPT
    iptables -t nat -A POSTROUTING -s $ifconfig_pool_remote_ip -o eth0 -j MASQUERADE #can reach internal LAN
    
    

    So, VPN clients successfully ping, traceroute and connect to services running on internal LAN machines.
    Internal LAN machines can ping and traceroute, but can't connect to any services running on VPN clients.

    Where am I wrong?

    Any help would be precious.

    Kind regards
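A tighter form of the connect hook quoted in the post above, written here as an added example (it is not the poster's script or anything else from this thread): the same three rules, but with the client address validated before it reaches a root command line, and with the rules removed again on disconnect so nothing accumulates in the FORWARD and nat tables. `IPT` and `LAN_IF` are assumed names; `script_type` and `ifconfig_pool_remote_ip` are the variables OpenVPN exports to its hooks.

```shell
#!/bin/sh
# Added example, not the poster's script: one hook body usable for both
# client-connect and client-disconnect. IPT (iptables binary) and LAN_IF
# are assumed names so the script can be dry-run with IPT=echo.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"

# Accept only a dotted quad with four octets in 0..255, so a malformed value
# never reaches a root command line (the hook runs under script-security 3).
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
}

# Emit the same rule set the post uses, with -A on connect and -D on
# disconnect, so every rule added for a client is removed when it leaves.
client_rules() {   # $1 = A|D, $2 = client tunnel IP
    "$IPT" -"$1" FORWARD -s "$2" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -"$1" FORWARD -s "$2" -j ACCEPT
    "$IPT" -t nat -"$1" POSTROUTING -s "$2" -o "$LAN_IF" -j MASQUERADE
}

hook_main() {      # $1 = script_type, $2 = client IP (from OpenVPN's env)
    valid_ipv4 "$2" || { echo "refusing bad client ip: $2" >&2; return 1; }
    case "$1" in
        client-connect)    client_rules A "$2" ;;
        client-disconnect) client_rules D "$2" ;;
        *) echo "unexpected script_type: $1" >&2; return 1 ;;
    esac
}

# Only act when OpenVPN invoked us; sourcing the file for a dry run does nothing.
if [ -n "${script_type:-}" ]; then
    hook_main "$script_type" "${ifconfig_pool_remote_ip:-}"
fi
```

Point the same file at both `client-connect` and `client-disconnect` in server.conf; `IPT=echo sh hook.sh` with `script_type` and `ifconfig_pool_remote_ip` set shows the exact rules it would apply.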



  • What version of pfSense are you running?

