OpenVPN WAN cannot reach LAN
-
Hi,
Sorry I am sure this question has been asked few times already but I am a total beginner in this "field".
I created this pfsense on a VMware.
I setup finally a pfsense with a WAN = 83.x.x.x.x Public IP and a LAN =10.x.x.x.
The LAN is capable to reach all the network under 10.0.0.0/8 and I am quite happy about it.So i created a VPN with the WAN, but once connected (and the VPN works well) I cannot reach LAN network /8, i can ping actually the LAN interface but I cannot reach the rest of the network what i can do from pfsense.
Do you know what I need to do from pfsense ? a routing ? or something else ?
my client configuration :
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 83.x.x.x 1194 udp
lport 0
verify-x509-name "pfsenseSCA" name
auth-user-pass
pkcs12 pfSense-udp-1194-guilhem.p12
tls-auth pfSense-udp-1194-guilhem-tls.key 1
ns-cert-type serverThanks you !
-
Add a rule to OpenVPN interface to permit access to LAN.
-
Hi,
Thanks for your reply.
I have aleady this rule there :
ID Proto Source Port Destination Port Gateway Queue Schedule Description
delete selected rules add
icon IPv4 * * * * * * none OpenVPN wizardIts not supposed to allow everything ? How should be this new rule ?
if not here are my rules in other interface :
LAN
ID Proto Source Port Destination Port Gateway Queue Schedule Description
delete selected rules add
pass * * * LAN Address 80 * * Anti-Lockout Rule
move edit
add
icon IPv4 * LAN net * * * * none Default allow LAN to any ruleWAN :
ID Proto Source Port Destination Port Gateway Queue Schedule Description
delete selected rules add
icon IPv4 UDP * * WAN address 1194 (OpenVPN) * none OpenVPN wizard
move selected rules before this rule edit
delete add
icon IPv4 TCP/UDP * * * 80 (HTTP) * none allow 80 to wan
-
The rule is okay, it allow any traffic from OpenVPN.
Ensure that the pfSense LAN interface IP is the default gateway at your LAN hosts, otherwise you have to add a route for OpenVPN response or use NAT.
-
I cannot change yet the hosts to have my gateway, this is not yet planned.
But I don't understand why I am able to ping (reach) the others hosts from pfsense (Diagnosis > Ping) but once logged in the OpenVPN I cannot reach them myself from my client.
So, how could I add a route for OpenVPN response or use NAT, what will be the easier solution ?
Thanks a lot, sorry for so many questions and how-to…
-
I add few screens, maybe it could help to understand
-
pfSense is a router sitting between different subnets like WAN, LAN, VPN,etc.
If you access a LAN host with your VPN client the packet arrives at the host with the source address of the client (which belongs to VPN subnet). The LAN host will respond to the source address, however, since the subnet is unknown, the respond packet is sent to its default gateway.The easiest solution in to use NAT, but this has the disadvantage that you are not able to differ the VPN client if you have more than one. The packets will arrive with source address = LAN address of pfSense.
To set up this go to Firewall > NAT > Outbound, check "Hybrid Outbound NAT rule generation" and click save. Then add a rule by clicking +:
Interface=LAN
Source=192.168.99.0/24 <your vpn="" tunnel="" network="">Let Destination at "any" and Translation at "interface address", enter a description an click save.
That's it.If you use routing you have to add a static route to VPN tunnel network at you default gateway or at each host you want to access.</your>
-
viragomann , the NAT as you asked me to do works.
You are my rockstar!
Thanks so much !