OpenVPN WAN cannot reach LAN



  • Hi,

    Sorry I am sure this question has been asked few times already but I am a total beginner in this "field".

    I created this pfsense on a VMware.

    I setup finally a pfsense with a WAN = 83.x.x.x.x Public IP and a LAN =10.x.x.x.
    The LAN is capable to reach all the network under 10.0.0.0/8 and I am quite happy about it.

    So i created a VPN with the WAN, but once connected (and the VPN works well) I cannot reach LAN network /8, i can ping actually the LAN interface but I cannot reach the rest of the network what i can do from pfsense.

    Do you know what I need to do from pfsense ? a routing ? or something else ?

    my client configuration :

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 83.x.x.x 1194 udp
    lport 0
    verify-x509-name "pfsenseSCA" name
    auth-user-pass
    pkcs12 pfSense-udp-1194-guilhem.p12
    tls-auth pfSense-udp-1194-guilhem-tls.key 1
    ns-cert-type server

    Thanks you !



  • Add a rule to OpenVPN interface to permit access to LAN.



  • Hi,

    Thanks for your reply.

    I have aleady this rule there :

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    delete selected rules add
    icon IPv4 * * * * * * none OpenVPN wizard

    Its not supposed to allow everything ? How should be this new rule ?

    if not here are my rules in other interface :

    LAN

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    delete selected rules add
    pass * * * LAN Address 80 * * Anti-Lockout Rule
    move edit
    add
    icon IPv4 * LAN net * * * * none Default allow LAN to any rule

    WAN :

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    delete selected rules add
    icon IPv4 UDP * * WAN address 1194 (OpenVPN) * none OpenVPN wizard
    move selected rules before this rule edit
    delete add
    icon IPv4 TCP/UDP * * * 80 (HTTP) * none allow 80 to wan



  • The rule is okay, it allow any traffic from OpenVPN.

    Ensure that the pfSense LAN interface IP is the default gateway at your LAN hosts, otherwise you have to add a route for OpenVPN response or use NAT.



  • I cannot change yet the hosts to have my gateway, this is not yet planned.

    But I don't understand why I am able to ping (reach) the others hosts from pfsense (Diagnosis > Ping) but once logged in the OpenVPN I cannot reach them myself from my client.

    So, how could I add a route for OpenVPN response or use NAT, what will be the easier solution ?

    Thanks a lot, sorry for so many questions and how-to…



  • I add few screens, maybe it could help to understand






















  • pfSense is a router sitting between different subnets like WAN, LAN, VPN,etc.
    If you access a LAN host with your VPN client the packet arrives at the host with the source address of the client (which belongs to VPN subnet). The LAN host will respond to the source address, however, since the subnet is unknown, the respond packet is sent to its default gateway.

    The easiest solution in to use NAT, but this has the disadvantage that you are not able to differ the VPN client if you have more than one. The packets will arrive with source address = LAN address of pfSense.
    To set up this go to Firewall > NAT > Outbound, check "Hybrid Outbound NAT rule generation" and click save. Then add a rule by clicking +:
    Interface=LAN
    Source=192.168.99.0/24 <your vpn="" tunnel="" network="">Let Destination at "any" and Translation at "interface address", enter a description an click save.
    That's it.

    If you use routing you have to add a static route to VPN tunnel network at you default gateway or at each host you want to access.</your>



  • viragomann , the NAT as you asked me to do works.

    You are my rockstar!

    Thanks so much !


Log in to reply