Netgate Discussion Forum

OpenVPN works but no access to LAN

    PierreR
    last edited by Dec 15, 2015, 10:51 AM

    Hi all,

    I'm trying to set up OpenVPN on my pfSense box, since I couldn't get IPsec to work, and need some help/advice. I've read all documentation and relevant forum messages, but no success.

    My issue is that I have the VPN working and can log in, but I can't ping/connect to any server in my LAN. I have 1 pfSense server which is the default route on the network. My servers on the private LAN get their addresses by DHCP leases on pfSense. The LAN IP of the pfSense server is 192.168.10.1 and the servers in the LAN are getting addresses like 192.168.10.11, etc. Everything works ok (HAproxy/snort).

    I've set up the OpenVPN server with the wizard (following the pfSense docs).
    My (relevant) setup is:
    Server Mode: Remote Access (SSL/TLS + User Auth)
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    IPv4 Tunnel Network: 192.168.200.0/24
    Redirect Gateway: not checked
    IPv4 Local Network/s: 192.168.10.0/24
    Address Pool: checked
    Topology: checked
    DNS Default Domain: set to same domain name in general setup Domain
    DNS Servers: checked and first server set to 192.168.10.1 (LAN IP pfSense)

    WAN Rules:
    IPv4 UDP * * WAN address 1194 * none

    LAN Rules
    IPv4 * LAN NET * * * * none

    OpenVPN Rules
    IPv4 * * * * * * none

    NAT Outbound (Automatic outbound NAT rule generation)
    WAN  127.0.0.0/8, 192.168.10.0/24, 192.168.200.0/24, 192.168.100.0/24  * * * WAN address * NO

    The client I'm testing with is Windows 10. I've installed the OpenVPN client by using client export, Windows Installer (x64-win6). Installed and ran the client using admin privileges. ipconfig output when connected:

    Ethernet adapter Ethernet 2:
      Connection-specific DNS Suffix  . : pfacto.lcl
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-CB-BB-CB-39
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::b0a2:836e:d869:83fd%30(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.200.2(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : dinsdag 15 december 2015 10:55:38
      Lease Expires . . . . . . . . . . : woensdag 14 december 2016 10:55:38
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 192.168.200.254
      DHCPv6 IAID . . . . . . . . . . . : 503381963
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-B2-31-15-F8-B1-56-CA-D2-EE
      DNS Servers . . . . . . . . . . . : 192.168.10.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.15     10
            127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
          192.168.1.0    255.255.255.0          On-link     192.168.1.15    266
         192.168.1.15  255.255.255.255          On-link     192.168.1.15    266
        192.168.1.255  255.255.255.255          On-link     192.168.1.15    266
         192.168.10.0    255.255.255.0    192.168.200.1    192.168.200.2     20
        192.168.200.0    255.255.255.0          On-link    192.168.200.2    276
        192.168.200.2  255.255.255.255          On-link    192.168.200.2    276
      192.168.200.255  255.255.255.255          On-link    192.168.200.2    276
            224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0          On-link     192.168.1.15    266
            224.0.0.0        240.0.0.0          On-link    192.168.200.2    276
      255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255          On-link     192.168.1.15    266
      255.255.255.255  255.255.255.255          On-link    192.168.200.2    276

    Persistent Routes:
      None

    If I try pinging a server in the LAN (192.168.10.11) on the pfSense box (Diagnostics, ping) and use the OpenVPN as the source address, it fails. Pinging with Default/LAN works fine.

    I've tried all kinds of OpenVPN settings, rebooted, reinstalled the client, but all without success. I'm new to pfSense and out of ideas! Has anybody a suggestion on what could be the problem or what to test? If you need any more information, let me know!

    Many thanks for looking into this!

    Regards,
    Pierre

      divsys
      last edited by Dec 15, 2015, 12:14 PM

      Have you checked the firewall rules on the Win Station and/or Server?

      Very often the Win Firewall will block outside networks.  I often disable it temporarily for testing purposes.  Another good trick is to try and ping a non-Windows device (printer or other device) to bypass the firewall issue.

      The other place to look is log files on the OpenVPN client and under Status->System logs->OpenVPN for any error messages.

      -jfp

        PierreR
        last edited by Dec 15, 2015, 12:22 PM

        Thanks for your reply! Yes, I've checked all firewall rules and have tested with the firewall(s) disabled, no change. The servers in the LAN are all Linux boxes and there's no firewall enabled on the private LAN addresses. I did check the logs and there are no errors or warnings or anything. I do think the source of this behavior is on my pfSense box since I can't ping using "Diagnostics" when using the OpenVPN interface. LAN interface works fine. So it seems that something, some setting or rule, is blocking this on the pfSense box itself.

          divsys
          last edited by Dec 15, 2015, 12:54 PM

          At first glance your settings look OK, but if you could post a full screenshot of your OpenVPN Server, something might pop out.

          Normally when testing a client I will establish a connection and ping (in order):

          The pfSense OpenVPN tunnel endpoint                  - 192.168.200.1
          The client's tunnel endpoint (not really necessary)  - 192.168.200.2
          The pfSense router LAN interface                     - 192.168.10.1
          An external LAN device without firewall (Linux box)  - 192.168.10.200(???)

          Normally this is a pretty foolproof and simple setup especially with the Wizard and Client Export pkg.  Most issues are on the Win side such as firewall and Admin rights install.

          Whoops, just noticed you're running Snort, have you checked the Snort logs to make sure that you're not tripping something there?

          -jfp

            PierreR
            last edited by Dec 15, 2015, 3:18 PM

            Checked the snort logs and nothing there. Tested with snort disabled, same result.
            Ping 192.168.200.1 - success
            Ping 192.168.200.2 - success
            Ping 192.168.10.1 - success
            Ping 192.168.10.15 - failed

            Any additional ideas?

              PierreR
              last edited by Dec 15, 2015, 3:21 PM

              Print screens of OpenVPN pfSense config attached.

              Attachments: General.png, Cryptographic.png, Tunnel.png, Client.png, Advanced.png

                viragomann
                last edited by Dec 15, 2015, 7:40 PM

                Is the pfSense LAN IP the default gateway at 192.168.10.15? If it isn't, you need a route at this host for the VPN subnet, or you do NAT at pfSense.

                  PierreR
                  last edited by Dec 15, 2015, 8:48 PM

                  That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use DHCP server on pfSense, with the default route set, to service the LAN addresses. But, I checked and the default route, although set in DHCP, was not set. After adding the default route to this interface manually the OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP.

                  Thanks all!!!

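Added example, not part of the thread: the return-path check that resolved this topic, written as a small Python script that reads a LAN host's `ip -4 route show` output and reports where a reply to a VPN client (192.168.200.0/24) would be sent. The route listings, the interface name `eth0`, the second router at 192.168.10.254 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route show` outputs for a LAN host (not taken from the thread).
ROUTES_NO_GW = "192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.15\n"
ROUTES_PFSENSE_GW = "default via 192.168.10.1 dev eth0\n" + ROUTES_NO_GW
ROUTES_OTHER_GW = "default via 192.168.10.254 dev eth0\n" + ROUTES_NO_GW  # hypothetical second router
STATIC_VPN_ROUTE = "192.168.200.0/24 via 192.168.10.1 dev eth0\n"


def parse_routes(text):
    """Return [(network, gateway or None)] parsed from `ip -4 route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types not modelled here, e.g. "unreachable ..."
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, gw))
    return routes


def return_path(routes_text, vpn_client, firewall_lan_ip):
    """Classify where this host sends a reply addressed to a VPN client."""
    client = ipaddress.ip_address(vpn_client)
    matches = [(n, g) for n, g in parse_routes(routes_text) if client in n]
    if not matches:
        return "no-route"  # reply cannot be sent; ping from the VPN side times out
    _, gw = max(matches, key=lambda r: r[0].prefixlen)  # longest-prefix match
    if gw is None:
        return "on-link"  # host ARPs for the client on its own segment; reply never reaches the tunnel
    return "via-firewall" if gw == firewall_lan_ip else f"via-other:{gw}"


if __name__ == "__main__":
    cases = {
        "no default gateway (the poster's host)": ROUTES_NO_GW,
        "default gateway is pfSense": ROUTES_PFSENSE_GW,
        "default gateway is another router": ROUTES_OTHER_GW,
        "other router + static route for VPN subnet": ROUTES_OTHER_GW + STATIC_VPN_ROUTE,
    }
    for label, routes in cases.items():
        print(f"{label}: {return_path(routes, '192.168.200.2', '192.168.10.1')}")
```

Only the `via-firewall` result gives the reply a path back into the tunnel; the other results match the symptom in the thread, where 192.168.10.1 answers but the LAN host does not.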
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.