Unable to reach LAN after successful connection



  • Hello,
      I'm having a bit of trouble getting openVPN working.  So far my client can authenticate successfully and I'm able to ping the tunnel IP address.  I'm able to load the webConfigurator fine.  However, I cannot reach any address on the LAN.

    I believe my problem is LAN is not the gateway for that network.  I need to "push" IP + subnet to the clients, correct?  Alternatively, could I use the DHCP server on that network to assign IP?  Could you provide some examples?  I'm quite new to pfSense and not familiar with the syntax just yet :)

    Thank you,
    Joschi



  • Are you using TCP or UDP?

    Put a image of your server configuration



  • @ega:

    Are you using TCP or UDP?

    Put a image of your server configuration

    I'm using UDP.  Attached is the openVPN server edit page.







  • LAYER 8 Global Moderator

    You're telling the client to use the tunnel as their default gateway.. So no, you don't really need to push any specific routes.

    What network is on the remote side and what is your lan.. A common issue is the remote is 192.168.0.0/24 and you're also on 192.168.0.0/24 on your lan.. Why would the client go down the tunnel, even if default gateway, when to the remote client that network is local.

    Do you want these remote clients to use your tunnel for their internet as well while they are connected to you, or only to access your lan?  If just access lan - then uncheck use default gateway and put in your local network so that will be handed to the client. You can then view that in a route print on the client side.  Make sure they run the openvpn as admin or you can have issues with routes being added, etc.

    Also, what are the firewall rules on your openvpn tab?



  • @Joschide:

    I believe my problem is LAN is not the gateway for that network.

    That will be the problem.
    Since your LAN hosts don't know the subnet of the OpenVPN tunnel they will send their response to the default gateway.

    You can easily resolve this by adding an Outbound NAT rule for VPN tunnel to LAN.
    To do so, you have to switch Outbound NAT to "Hybrid Outbound NAT rule generation" or "Manual Outbound NAT rule generation" at first and save this.
    Then add a rule like:
    Interface=LAN, Source=<your openvpn tunnel network>, Translation=Interface address

    This will translate the VPN packets' source address to the pfSense's LAN address, so the hosts on LAN will send their response to the LAN address and pfSense routes it to the VPN client.



  • Is it possible to give the client a valid IP from the LAN network?  Preferably, I'd want to use the DHCP server on the LAN (it's an SBS box).  I'm able to see the ping request from a firewall on the LAN and it is being blocked because it is coming over as the tunnel network (10.0.8.*)..

    My LAN network is 192.168.16.0/24

    Thank you,
    Joschi


  • LAYER 8 Global Moderator

    you could use TAP vs TUN – but that really is not a very good idea..

    "I'm able to see the ping request from a firewall on the LAN"
    So your traffic is being blocked by the client firewall and not pfsense then?



  • @viragomann:

    You can easily resolve this by adding an Outbound NAT rule for VPN tunnel to LAN.
    To do so, you have to switch Outbound NAT to "Hybrid Outbound NAT rule generation" or "Manual Outbound NAT rule generation" at first and save this.
    Then add a rule like:
    Interface=LAN, Source=<your openvpn tunnel network>, Translation=Interface address

    This will translate the VPN packets' source address to the pfSense's LAN address, so the hosts on LAN will send their response to the LAN address and pfSense routes it to the VPN client.

    I'm able to ping by IP address now.  Thank you.

    I'm not able to ping by FQDN yet.  The client isn't getting the right IP address.  Can I Push the LAN DNS to the client?



  • Yeah. You can check "Provide a DNS server list to clients" in the server config and enter your LAN DNS there. But remember that if you do that the client will only use this DNS server. So ensure that it can resolve everything your clients need.
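    Putting johnpoz's route advice and viragomann's DNS advice into OpenVPN's own server-config syntax, as an added example that is not from this thread (pfSense generates equivalent lines from the GUI fields; the tunnel network 10.0.8.0/24, the LAN 192.168.16.0/24 and the domain domain.local are from the thread, the DNS address 192.168.16.10 is an assumed value):

```conf
# Added example: OpenVPN server-side fragment, not the thread's own config.
# Tunnel network as used in this thread.
server 10.0.8.0 255.255.255.0
topology subnet

# Split tunnel: hand the client only the LAN route (johnpoz's "uncheck use
# default gateway and put in your local network"). The client then reaches
# 192.168.16.0/24 through the tunnel and nothing else, which is the least
# exposure for both sides.
push "route 192.168.16.0 255.255.255.0"

# Full tunnel instead: uncomment to send all client traffic via pfSense
# (the "Redirect gateway" checkbox). Do not combine with the route above.
# push "redirect-gateway def1"

# "Provide a DNS server list to clients": the client uses ONLY this server
# while connected, so it must resolve everything the client needs.
# 192.168.16.10 is an ASSUMED address for the SBS DNS server on the LAN.
push "dhcp-option DNS 192.168.16.10"

# Search domain, so "pcname" resolves without typing pcname.domain.local.
push "dhcp-option DOMAIN domain.local"
```

    A caveat worth knowing before debugging with nslookup: Windows and iOS clients apply pushed dhcp-option values themselves, but OpenVPN on Linux only hands them to an up/down script (for example the distribution's update-resolv-conf or update-systemd-resolved helper); without such a script the Linux client keeps its local stub resolver, which is why nslookup there reports 127.0.1.1 and only answers when the LAN DNS server is named explicitly. The Outbound NAT rule from earlier in the thread hides the tunnel addresses from the LAN; a static route on the LAN's default gateway for 10.0.8.0/24 pointing at pfSense's LAN address achieves the same reachability while keeping the real client source addresses visible in LAN-side firewall and server logs.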



  • @viragomann:

    Yeah. You can check "Provide a DNS server list to clients" in the server config and enter your LAN DNS there. But remember that if you do that the client will only use this DNS server. So ensure that it can resolve everything your clients need.

    Hmm, I already have that set in the client configuration.  I also have Redirect gateway checked.




  • The DNS server is also part of your LAN network, which the outbound NAT rule refers to?

    Do an nslookup at the client to see if the correct DNS server is accessed.



  • @viragomann:

    The DNS server is also part of your LAN network, which the outbound NAT rule refers to?

    Do an nslookup at the client to see if the correct DNS server is accessed.

    Correct, the DNS server (part of SBS) is on the LAN.  nslookup from the client says it's using 127.0.1.1 as server.



  • I specified the DNS server on the lan with nslookup and it worked.  However, I had to specify pcname.domain.local in order for it to work.

    Could it have something to do with the General Setup page?  See attached




  • After some fiddling, I've managed to get it working on my iPhone  ;D  However, both Linux and Windows clients still aren't resolving internal servers properly.  My iPhone is working great.  It can pull up internal servers, check mail, etc..

    What could that be???



  • @Joschide:

    After some fiddling, I've managed to get it working on my iPhone  ;D  However, both Linux and Windows clients still aren't resolving internal servers properly.  My iPhone is working great.  It can pull up internal servers, check mail, etc..

    What could that be???

    I should add I can get around it using IP addresses from the Linux and Windows clients.



  • I had a similar problem: I can get connected but can't access LAN resources. This happened when the connection was made through a NAT; when the device had a public IP, I can reach local resources.

    The solution that worked for me was to set TCP as the protocol for the VPN. The explanation is that some routers can't give appropriate backward traffic for UDP; this is solved using the TCP protocol. It can also be solved by adding a static route in the router (but I didn't do this, I first tried the simplest solution  :))

    I suggest changing the server configuration, exporting a new user and trying again.



  • @ega:

    I had a similar problem: I can get connected but can't access LAN resources. This happened when the connection was made through a NAT; when the device had a public IP, I can reach local resources.

    The solution that worked for me was to set TCP as the protocol for the VPN. The explanation is that some routers can't give appropriate backward traffic for UDP; this is solved using the TCP protocol. It can also be solved by adding a static route in the router (but I didn't do this, I first tried the simplest solution  :))

    I suggest changing the server configuration, exporting a new user and trying again.

    Thank you for your suggestion.  I will try that.


  • LAYER 8 Global Moderator

    "nslookup from the client says it's using 127.0.1.1 as server."

    Your clients said they were using a loopback address as their dns?  Were they running any sort of dns server that forwarded.. That makes no sense at all..



  • @johnpoz:

    "nslookup from the client says it's using 127.0.1.1 as server."

    Your clients said they were using a loopback address as their dns?  Were they running any sort of dns server that forwarded.. That makes no sense at all..

    This is from a Linux client.  I have to specify nslookup someIP dnsIP and it works.

    My windows clients are now working correctly!

