Netgate Discussion Forum

    VPN clients with no response from LAN due to routing

    OpenVPN
      Mc128k

      Hi all
      I am using a pfSense firewall in my company and I am facing a problem with OpenVPN. The setup is the following:

      LAN: 10.10.10.0/24
      VPN: 10.10.50.0/24

      The VPN tun server is bound to Active Directory for authentication. VLANs are used.

      Problem:
      VPN does not work for some users

      Details:
      If a user connects, everything is fine (address 10.10.50.2 is assigned); if another user connects, it doesn't get responses from other networks (it has address 10.10.50.3).
      Moreover, if the server is restarted and the second user connects first, it works because the 10.10.50.2 address is assigned. If this address is used, the client works (no matter the login); if other addresses are used, it doesn't.

      I see in the routing table that an entry is always present for 10.10.50.2 but not one for 10.10.50.3. The VPN server says it's routing both, but it's not true. The packets arrive in the LAN but do not get routed correctly when going back. Also it's possible to ping the VPN computers from inside the firewall.

      What I already tried:

      • Reconfigure everything with the wizard
      • Check rules
      • Check and change vpn server settings
      • Enable debug logs and inspect, nothing
      • Check system logs, nothing

      At this point I kindly ask for help from users that are far more experienced on networking than me. Thanks a lot : )
      ![Screenshot 2015-12-04 11.02.20.png](/public/imported_attachments/1/Screenshot 2015-12-04 11.02.20.png)

        viragomann

        Your VPN subnet 10.10.50.0/24 is assigned to a VLAN???

        What is your VPN server config?

          Mc128k

          No, it's not assigned to a VLAN, in fact it's not even assigned to an interface.

          
          ```xml
          <openvpn-server>
            <vpnid>1</vpnid>
            <mode>server_user</mode>
            <authmode>Active Directory</authmode>
            <protocol>UDP</protocol>
            <dev_mode>tun</dev_mode>
            <ipaddr></ipaddr>
            <interface>wan</interface>
            <local_port>12135</local_port>
            <custom_options></custom_options>
            <tls>lol</tls>
            <caref>53347d2ac8aag</caref>
            <crlref></crlref>
            <certref>533675949a8cg</certref>
            <dh_length>2048</dh_length>
            <cert_depth>1</cert_depth>
            <crypto>AES-256-CBC</crypto>
            <digest>SHA1</digest>
            <engine>none</engine>
            <tunnel_network>10.10.50.0/24</tunnel_network>
            <tunnel_networkv6></tunnel_networkv6>
            <remote_network></remote_network>
            <remote_networkv6></remote_networkv6>
            <gwredir></gwredir>
            <local_network>10.10.10.0/24</local_network>
            <local_networkv6></local_networkv6>
            <maxclients>8</maxclients>
            <compression></compression>
            <passtos></passtos>
            <client2client>yes</client2client>
            <dynamic_ip>yes</dynamic_ip>
            <pool_enable>yes</pool_enable>
            <topology_subnet>yes</topology_subnet>
            <serverbridge_dhcp></serverbridge_dhcp>
            <serverbridge_interface>none</serverbridge_interface>
            <serverbridge_dhcp_start></serverbridge_dhcp_start>
            <serverbridge_dhcp_end></serverbridge_dhcp_end>
            <dns_domain>my.lan</dns_domain>
            <dns_server1>10.10.10.110</dns_server1>
            <dns_server2></dns_server2>
            <dns_server3></dns_server3>
            <dns_server4></dns_server4>
            <push_register_dns>yes</push_register_dns>
            <netbios_enable></netbios_enable>
            <netbios_ntype>0</netbios_ntype>
            <netbios_scope></netbios_scope>
            <no_tun_ipv6>yes</no_tun_ipv6>
            <verbosity_level>3</verbosity_level>
          </openvpn-server>
          ```
          
          
            viragomann

            Your routing table shows your VPN subnet 10.10.50.0/24 is assigned to em0_vlan30. So please check your interface configuration or post the output of Status > Interfaces here (as screenshot!).

              Mc128k

              My god, you're right! I assigned the same subnet to the guest network and the VPN! I will check that again, thank you very much.

              1 Reply Last reply Reply Quote 0
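
The root cause found in this thread, an OpenVPN tunnel network that reuses a subnet already assigned to an interface, can be checked for mechanically in a config.xml backup. The following is an added example, not part of the original thread: the sample configuration is constructed, and the guest VLAN address 10.10.50.1/24 on em0_vlan30 is an assumption based on the diagnosis above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's real config.xml: the guest VLAN address
# (10.10.50.1/24 on em0_vlan30) is assumed from the diagnosis in the thread.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>em0</if><ipaddr>10.10.10.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em0_vlan30</if><ipaddr>10.10.50.1</ipaddr><subnet>24</subnet></opt1>
    <wan><if>em1</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <tunnel_network>10.10.50.0/24</tunnel_network>
    </openvpn-server>
  </openvpn>
</pfsense>"""


def interface_networks(root):
    """Yield (name, network) for every interface with a static IPv4 address."""
    for iface in root.findall("./interfaces/*"):
        addr, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        try:
            net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
        except ValueError:
            continue  # dhcp, pppoe, empty or otherwise non-static address
        yield iface.findtext("if") or iface.tag, net


def tunnel_conflicts(config_xml):
    """Return (vpnid, tunnel_network, interface, interface_network) overlaps."""
    root = ET.fromstring(config_xml)
    ifaces = list(interface_networks(root))
    conflicts = []
    for server in root.findall("./openvpn/openvpn-server"):
        raw = (server.findtext("tunnel_network") or "").strip()
        if not raw:
            continue  # bridged (tap) servers may have no tunnel network
        tunnel = ipaddress.ip_network(raw, strict=False)
        for name, net in ifaces:
            if tunnel.overlaps(net):
                conflicts.append((server.findtext("vpnid"), str(tunnel), name, str(net)))
    return conflicts


if __name__ == "__main__":
    print(tunnel_conflicts(SAMPLE_CONFIG))
```

Any tuple returned means the kernel has a connected route for the tunnel subnet on a physical or VLAN interface, so replies to VPN clients can leave through that interface instead of the tunnel.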