Netgate Discussion Forum

    Can ping but can't connect to any VPN client service

    OpenVPN
    2 Posts 2 Posters 890 Views
    peppezic

      Hi there,
      I have had a working routed configuration for 6 (or more) months, like this:
      Internet -> Router/Firewall (10.0.0.201/8) -> Ubuntu OpenVPN (eth0: 10.0.0.9/8, tun0: 172.16.0.1) -> internal LAN clients (10.0.0.0/8)
      I also added appropriate policy routes on my router/firewall so that my LAN clients can reach VPN clients.
      Here is the rule:
      starting ip: 172.16.0.0
      ending ip: 172.16.255.255
      starting port: 0
      ending port: 0
      Routing action > gateway: 10.0.0.9 (openvpn eth0 interface)

      So traffic generated from the LAN to 172.16.x.x VPN clients goes to my router/firewall, which says that it has to be sent to the eth0 OpenVPN server interface.

      Now I'm really surprised that I can correctly ping and traceroute my VPN clients from the LAN, but I can't connect to any of the services that run on the VPN client machines (no remote desktop, no file shares, ...), even with the VPN clients' firewalls off...

      What could this be caused by? What am I missing?

      Here is my server.conf:

      port 1194
      proto udp
      dev tun
      ca <...>
      cert <...>
      key <...>
      dh <...>
      server 172.16.0.0 255.255.255.0
      client-config-dir ccd
      route 172.16.1.0 255.255.255.0
      route 172.16.2.0 255.255.255.0
      route 172.16.3.0 255.255.255.0
      client-connect clientconnect.sh
      client-disconnect clientdisconnect.sh
      keepalive 10 120
      comp-lzo
      persist-key
      persist-tun
      log-append  openvpn.log
      verb 3
      plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
      reneg-sec 36000
      tmp-dir /etc/openvpn/tmp-dir
      client-cert-not-required
      username-as-common-name
      script-security 3 system
      ccd-exclusive

      As explained, in the ccd directory I have files like this:

      ...
      push "route 10.0.0.0 255.0.0.0" #internal LAN

      When a client connects, the script writes the following iptables rules:

      iptables -A FORWARD -s $ifconfig_pool_remote_ip -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -s $ifconfig_pool_remote_ip -j ACCEPT
      iptables -t nat -A POSTROUTING -s $ifconfig_pool_remote_ip -o eth0 -j MASQUERADE #can reach internal LAN


      So, VPN clients successfully ping, traceroute and connect to services running on internal LAN machines.
      Internal LAN machines can ping and traceroute but can't connect to any services running on VPN clients.

      Where am I wrong?

      Any help would be precious.

      Kind regards

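      The client-connect / client-disconnect hook pair from the config above, as an added example (not the poster's scripts): one script body serves both events, so the rules deleted on disconnect are exactly the ones added on connect, and it includes the LAN-to-client FORWARD rule (matching on -d) that the posted rules do not have. Interface names eth0 (LAN) and tun0 (VPN) are assumed; OpenVPN itself exports ifconfig_pool_remote_ip and script_type to these hooks.

```shell
#!/bin/sh
# Added example (not the poster's scripts): one hook body usable for both the
# client-connect and client-disconnect events in the server.conf above.
# OpenVPN exports ifconfig_pool_remote_ip to both hooks and sets script_type
# to the event name. Interface names eth0 (LAN) and tun0 (VPN) are assumed.

# Emit the per-client rules with operation $op (-A on connect, -D on
# disconnect). Because one function produces both, the rules removed on
# disconnect are exactly the ones added on connect.
client_rules() {
    op="$1"; ip="$2"; lan_if="${3:-eth0}"; vpn_if="${4:-tun0}"
    # client -> LAN, as in the posted rules
    echo "iptables $op FORWARD -i $vpn_if -s $ip -o $lan_if -j ACCEPT"
    # LAN -> client: new connections toward the client, not only replies
    # (a global RELATED,ESTABLISHED accept is assumed to exist already)
    echo "iptables $op FORWARD -i $lan_if -o $vpn_if -d $ip -j ACCEPT"
    # hide the client behind the server's LAN address, as posted
    echo "iptables -t nat $op POSTROUTING -s $ip -o $lan_if -j MASQUERADE"
}

# Map the OpenVPN event name to the iptables operation; unknown events fail.
op_for_event() {
    case "$1" in
        client-connect)    printf '%s\n' -A ;;
        client-disconnect) printf '%s\n' -D ;;
        *) return 1 ;;
    esac
}

# Only act when invoked by OpenVPN; running the file by hand or sourcing it
# just defines the functions.
if [ -n "${script_type:-}" ] && [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    op=$(op_for_event "$script_type") || exit 1
    client_rules "$op" "$ifconfig_pool_remote_ip" | while read -r cmd; do
        $cmd || exit 1   # word-split into iptables and its arguments
    done || exit 1
fi
```

      Point both client-connect and client-disconnect in server.conf at this one file; with -D on disconnect no stale per-client rules accumulate in FORWARD or POSTROUTING.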
        divsys

        What version of pfSense are you running?

        -jfp

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.