VPN clients with no response from LAN due to routing



  • Hi all
    I am using a PFSense firewall in my company and I am facing a problem with OpenVPN. The setup is the following:

    LAN: 10.10.10.0/24
    VPN: 10.10.50.0/24

    The VPN tun server is bound to Active Directory for authentication. VLANs are used.

    Problem:
    VPN does not work for some users

    Details:
    If an user connects everything is fine (address 10.10.50.2 is assigned), if another user connects it doesn't get responses from other networks (has address 10.10.50.3).
    Moreover if the server is restarted and the second user connects first it works because the 10.10.50.2 address is assigned. If this address is used the client works (no matter the login), if other addresses are used it doesn't.

    I see in the routing table that an entry is always present for 10.10.50.2 but not one for 10.10.50.3. The VPN server says it's routing both, but it's not true. The packets arrive in the LAN but do not get routed correctly when going back. Also it's possible to ping the VPN computers from inside the firewall.

    What I already tried:

    • Reconfigure everything with the wizard
    • Check rules
    • Check and change vpn server settings
    • Enable debug logs and inspect, nothing
    • Check system logs, nothing

    At this point I kindly ask for help from users that are far more experienced on networking than me. Thanks a lot : )
    ![Screenshot 2015-12-04 11.02.20.png](/public/imported_attachments/1/Screenshot 2015-12-04 11.02.20.png)
    ![Screenshot 2015-12-04 11.02.20.png_thumb](/public/imported_attachments/1/Screenshot 2015-12-04 11.02.20.png_thumb)



  • Your VPN subnet 10.10.50.0/24 is assigned to a VLAN???

    What is your VPN server config?



  • No, it's not assigned to a VLAN, in fact it's not even assigned to an interface.

    
    - <openvpn-server><vpnid>1</vpnid>
    
    <mode>server_user</mode>
    
    <authmode>Active Directory</authmode>
    
    <protocol>UDP</protocol>
    
    <dev_mode>tun</dev_mode>
    
     <ipaddr><interface>wan</interface>
    
    <local_port>12135</local_port>
    
    -
    
     <custom_options><tls>lol</tls>
    
    <caref>53347d2ac8aag</caref>
    
     <crlref><certref>533675949a8cg</certref>
    
    <dh_length>2048</dh_length>
    
    <cert_depth>1</cert_depth>
    
    <crypto>AES-256-CBC</crypto>
    
    <digest>SHA1</digest>
    
    <engine>none</engine>
    
    <tunnel_network>10.10.50.0/24</tunnel_network>
    
     <tunnel_networkv6><remote_network><remote_networkv6><gwredir><local_network>10.10.10.0/24</local_network>
    
     <local_networkv6><maxclients>8</maxclients>
    
     <compression><passtos><client2client>yes</client2client>
    
    <dynamic_ip>yes</dynamic_ip>
    
    <pool_enable>yes</pool_enable>
    
    <topology_subnet>yes</topology_subnet>
    
     <serverbridge_dhcp><serverbridge_interface>none</serverbridge_interface>
    
     <serverbridge_dhcp_start><serverbridge_dhcp_end><dns_domain>my.lan</dns_domain>
    
    <dns_server1>10.10.10.110</dns_server1>
    
     <dns_server2><dns_server3><dns_server4><push_register_dns>yes</push_register_dns>
    
     <netbios_enable><netbios_ntype>0</netbios_ntype>
    
     <netbios_scope><no_tun_ipv6>yes</no_tun_ipv6>
    
    <verbosity_level>3</verbosity_level></netbios_scope></netbios_enable></dns_server4></dns_server3></dns_server2></serverbridge_dhcp_end></serverbridge_dhcp_start></serverbridge_dhcp></passtos></compression></local_networkv6></gwredir></remote_networkv6></remote_network></tunnel_networkv6></crlref></custom_options></ipaddr></openvpn-server> 
    
    


  • Your routing table shows your VPN subnet 10.10.50.0/24 is assigned to em0_vlan30. So please check your interface configuration or post the output of Status > Interfaces here (as screenshot!).



  • My god, you're right! I assigned the same subnet to the guest network and the VPN! I will check that again, thank you very much.


Log in to reply