    OpenVPN WAN cannot reach LAN

    OpenVPN
      metalraiden:

      Hi,

      Sorry, I am sure this question has been asked a few times already, but I am a total beginner in this "field".

      I created this pfsense on a VMware.

      I finally set up a pfSense with a WAN = 83.x.x.x.x public IP and a LAN = 10.x.x.x.
      The LAN is able to reach the whole network under 10.0.0.0/8 and I am quite happy about it.

      So I created a VPN on the WAN, but once connected (and the VPN works well) I cannot reach the LAN network /8. I can actually ping the LAN interface, but I cannot reach the rest of the network, which I can do from pfSense.

      Do you know what I need to do from pfSense? A route? Or something else?

      My client configuration:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote 83.x.x.x 1194 udp
      lport 0
      verify-x509-name "pfsenseSCA" name
      auth-user-pass
      pkcs12 pfSense-udp-1194-guilhem.p12
      tls-auth pfSense-udp-1194-guilhem-tls.key 1
      ns-cert-type server

      Thank you!

      viragomann:

        Add a rule on the OpenVPN interface to permit access to the LAN.

          metalraiden:

          Hi,

          Thanks for your reply.

          I already have this rule there:

          ID  Proto   Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
              IPv4 *  *       *     *            *     *        none             OpenVPN wizard

          Isn't it supposed to allow everything? What should this new rule look like?

          If not, here are my rules on the other interfaces:

          LAN:

          ID  Proto   Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
              *       *        *     LAN Address  80    *        *                Anti-Lockout Rule
              IPv4 *  LAN net  *     *            *     *        none             Default allow LAN to any rule

          WAN:

          ID  Proto         Source  Port  Destination  Port            Gateway  Queue  Schedule  Description
              IPv4 UDP      *       *     WAN address  1194 (OpenVPN)  *        none             OpenVPN wizard
              IPv4 TCP/UDP  *       *     *            80 (HTTP)       *        none             allow 80 to wan

            viragomann:

            The rule is okay, it allows any traffic from OpenVPN.

            Ensure that the pfSense LAN interface IP is the default gateway on your LAN hosts; otherwise you have to add a route for the OpenVPN response or use NAT.

              metalraiden:

              I cannot change the hosts to use my gateway yet; this is not planned yet.

              But I don't understand why I am able to ping (reach) the other hosts from pfSense (Diagnostics > Ping), but once logged in to the OpenVPN I cannot reach them myself from my client.

              So, how could I add a route for the OpenVPN response or use NAT? What would be the easier solution?

              Thanks a lot, sorry for so many questions and how-tos…

                metalraiden:

                I added a few screenshots, maybe they could help to understand.
                  viragomann:

                  pfSense is a router sitting between different subnets like WAN, LAN, VPN, etc.
                  If you access a LAN host with your VPN client, the packet arrives at the host with the source address of the client (which belongs to the VPN subnet). The LAN host will respond to the source address; however, since that subnet is unknown to it, the response packet is sent to its default gateway.

                  The easiest solution is to use NAT, but this has the disadvantage that you are not able to differentiate the VPN clients if you have more than one. The packets will arrive with source address = LAN address of pfSense.
                  To set this up, go to Firewall > NAT > Outbound, check "Hybrid Outbound NAT rule generation" and click Save. Then add a rule by clicking +:
                  Interface = LAN
                  Source = 192.168.99.0/24 <your VPN tunnel network>
                  Leave Destination at "any" and Translation at "interface address", enter a description and click Save.
                  That's it.

                  If you use routing, you have to add a static route to the VPN tunnel network at your default gateway or at each host you want to access.

                    metalraiden:
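As an added illustration (not from the thread and not pfSense code), the following Python models the routing decision described above: a LAN host's reply is sent to its default gateway unless a static route for the tunnel network points at pfSense, or outbound NAT rewrites the source to the pfSense LAN address. All addresses are constructed (the thread masks its real ones); 192.168.99.0/24 is the tunnel network from the reply, and the LAN hosts' default gateway is assumed to be a different 10.x router.

```python
import ipaddress

# Constructed addresses (the thread masks its real ones as 83.x.x.x / 10.x.x.x).
PFSENSE_LAN_IP = ipaddress.ip_address("10.0.0.254")   # pfSense LAN interface
LAN_GATEWAY_IP = ipaddress.ip_address("10.0.0.1")     # existing default gateway of the LAN hosts
VPN_NET = ipaddress.ip_network("192.168.99.0/24")     # OpenVPN tunnel network from the reply
VPN_CLIENT_IP = ipaddress.ip_address("192.168.99.6")  # a connected VPN client

# Routing table of a typical LAN host: on-link /8 plus a default route (gateway is not pfSense).
LAN_HOST_ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), None),           # None = directly connected
    (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY_IP),
]

def next_hop(routes, dst):
    """Longest-prefix match; returns the address the host hands the packet to."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    net, gw = best
    return dst if gw is None else gw   # on-link: deliver straight to the destination

def reply_next_hop(host_routes, source_seen_by_host):
    """Where the LAN host sends its reply to a packet whose source it saw as given."""
    return next_hop(host_routes, source_seen_by_host)

def ping_from_pfsense():
    # Diagnostics > Ping: the source is the pfSense LAN IP, which is on-link,
    # so the reply comes straight back. This is why pfSense itself can reach the hosts.
    return reply_next_hop(LAN_HOST_ROUTES, PFSENSE_LAN_IP)

def vpn_client_plain_routing():
    # The symptom: 192.168.99.6 is unknown to the host, so the reply goes to its
    # default gateway, which is not pfSense and never sees the tunnel.
    return reply_next_hop(LAN_HOST_ROUTES, VPN_CLIENT_IP)

def vpn_client_with_static_route():
    # Routing fix: a static route for the tunnel network via pfSense on the host (or its gateway).
    return reply_next_hop(LAN_HOST_ROUTES + [(VPN_NET, PFSENSE_LAN_IP)], VPN_CLIENT_IP)

def vpn_client_with_outbound_nat():
    # NAT fix: hybrid outbound NAT on LAN rewrites the source to the pfSense LAN address,
    # so the host answers on-link; the cost is that every VPN client looks like pfSense.
    return reply_next_hop(LAN_HOST_ROUTES, PFSENSE_LAN_IP)
```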

                    viragomann, the NAT as you asked me to do works.

                    You are my rockstar!

                    Thanks so much!
