Netgate Discussion Forum

    OpenVPN works but no access to LAN

    8 Posts 3 Posters 18.2k Views
      PierreR

      Hi all,

      I'm trying to set up OpenVPN on my pfSense box, since I couldn't get IPsec to work, and need some help/advice. I've read all documentation and relevant forum messages, but no success.

      My issue is that I have the VPN working and can log in, but I can't ping/connect to any server in my LAN. I have 1 pfSense server which is the default route on the network. My servers on the private LAN get their addresses by DHCP leases on pfSense. The LAN IP of the pfSense server is 192.168.10.1 and the servers in the LAN are getting addresses like 192.168.10.11, etc. Everything works ok (HAproxy/snort).

      I've set up the OpenVPN server with the wizard (following the pfSense docs).
      My (relevant) setup is: Server Mode: Remote Access (SSL/TLS + User Auth)
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      IPv4 Tunnel Network: 192.168.200.0/24
      Redirect Gateway: not checked
      IPv4 Local Network/s: 192.168.10.0/24
      Address Pool: checked
      Topology: checked
      DNS Default Domain: set to same domain name in general setup Domain
      DNS Servers: checked and first server set to 192.168.10.1 (LAN IP pfSense)

      WAN Rules:
      IPv4 UDP * * WAN address 1194 * none

      LAN Rules
      IPv4 * LAN NET * * * * none

      OpenVPN Rules
      IPv4 * * * * * * none

      NAT Outbound (Automatic outbound NAT rule generation)
      WAN 127.0.0.0/8
              192.168.10.0/24
              192.168.200.0/24  * * * WAN address * NO
              192.168.100.0/24

      The client I'm testing with is Windows 10. I've installed the OpenVPN client by using client export, Windows Installer (x64-win6). Installed and ran the client using admin privileges. ipconfig when connected:

      Ethernet adapter Ethernet 2:
        Connection-specific DNS Suffix  . : pfacto.lcl
        Description . . . . . . . . . . . : TAP-Windows Adapter V9
        Physical Address. . . . . . . . . : 00-FF-CB-BB-CB-39
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::b0a2:836e:d869:83fd%30(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.200.2(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Tuesday 15 December 2015 10:55:38
        Lease Expires . . . . . . . . . . : Wednesday 14 December 2016 10:55:38
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.200.254
        DHCPv6 IAID . . . . . . . . . . . : 503381963
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-B2-31-15-F8-B1-56-CA-D2-EE
        DNS Servers . . . . . . . . . . . : 192.168.10.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.15    10
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            192.168.1.0    255.255.255.0        On-link      192.168.1.15    266
          192.168.1.15  255.255.255.255        On-link      192.168.1.15    266
          192.168.1.255  255.255.255.255        On-link      192.168.1.15    266
          192.168.10.0    255.255.255.0    192.168.200.1    192.168.200.2    20
          192.168.200.0    255.255.255.0        On-link    192.168.200.2    276
          192.168.200.2  255.255.255.255        On-link    192.168.200.2    276
        192.168.200.255  255.255.255.255        On-link    192.168.200.2    276
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
              224.0.0.0        240.0.0.0        On-link      192.168.1.15    266
              224.0.0.0        240.0.0.0        On-link    192.168.200.2    276
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        255.255.255.255  255.255.255.255        On-link      192.168.1.15    266
        255.255.255.255  255.255.255.255        On-link    192.168.200.2    276

      Persistent Routes:
        None

      If I try pinging a server in the LAN (192.168.10.11) on the pfSense box (Diagnostics, ping) and use the OpenVPN as the source address, it fails. Pinging with Default/LAN works fine.

      I've tried all kinds of OpenVPN settings, rebooted, reinstalled the client, but all no success. I'm new to pfSense and out of ideas! Has anybody a suggestion on what could be the problem or what to test? If you need any more information, let me know!

      Many thanks for looking into this!

      Regards,
      Pierre

        divsys

        Have you checked the firewall rules on the Win Station and/or Server?

        Very often the Win Firewall will block outside networks.  I often disable it temporarily for testing purposes.  Another good trick is to try and ping a non-Windows device (printer or other device) to bypass the firewall issue.

        The other place to look is log files on the OpenVPN client and under Status->System logs->OpenVPN for any error messages.

        -jfp

          PierreR

          Thanks for your reply! Yes, I've checked all firewall rules and have tested with the firewall(s) disabled, no change. The servers in the LAN are all Linux boxes and there's no firewall enabled on the private LAN addresses. I did check the logs and there are no errors or warnings or anything. I do think the source of this behavior is on my pfSense box since I can't ping using "Diagnostics" when using the OpenVPN interface. LAN interface works fine. So it seems that something, some setting or rule, is blocking this on the pfSense box itself.

            divsys

            At first glance your settings look OK, but if you could post a full screenshot of your OpenVPN Server, something might pop out.

            Normally when testing a client I will establish a connection and ping (in order):

            The pfSense OpenVPN tunnel endpoint                    - 192.168.200.1
            The client's tunnel endpoint (not really necessary )  - 192.168.200.2
            The pfSense router LAN interface                              - 192.168.10.1
            An external LAN device without firewall (Linux box)  - 192.168.10.200(???)

            Normally this is a pretty foolproof and simple setup especially with the Wizard and Client Export pkg.  Most issues are on the Win side such as firewall and Admin rights install.

            Wooops, just noticed you're running Snort, have you checked  the Snort logs to make sure that you're not tripping something there?

            -jfp

              PierreR

              Checked the snort logs and nothing there. Tested with snort disabled, same result.
              Ping 192.168.200.1 - success
              Ping 192.168.200.2 - success
              Ping 192.168.10.1 - success
              Ping 192.168.10.15 - failed

              Any additional ideas?

                PierreR

                Print screens of OpenVPN pfSense config attached.

                General.png
                Cryptographic.png
                Tunnel.png
                Client.png
                Advanced.png

                  viragomann

                  Is the pfSense LAN IP the default gateway on 192.168.10.15? If it isn't, you need a route on this host for the VPN subnet, or you do NAT at pfSense.

                    PierreR
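The symptom in this thread (pfSense's own LAN address answers, a LAN host behind it does not) is a missing return route: the forwarded echo request arrives at the host, but the host has no route back to 192.168.200.x, so the reply is never sent. The script below is an added example, not part of the forum thread or of pfSense; it reproduces the kernel's longest-prefix lookup over two constructed `ip route show` tables (one without a default route, one with pfSense as gateway) and prints the two remedies viragomann names. The addresses 192.168.10.1, 192.168.10.15 and 192.168.200.0/24 are taken from the thread; the interface name eth0 and the table contents are assumed.

```python
"""Check whether a LAN host has a return route for OpenVPN clients.

Added example (not from the thread or from pfSense). The routing tables are
constructed sample `ip route show` output, not captured from the poster's hosts.
"""
import ipaddress

# Constructed table: host got a DHCP lease but no default gateway, which is
# the state the thread ends up diagnosing on 192.168.10.15.
BROKEN_TABLE = """\
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.15
"""

# Constructed table: same host after adding a default route via pfSense.
FIXED_TABLE = """\
default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.15
"""

PFSENSE_LAN = ipaddress.ip_address("192.168.10.1")   # pfSense LAN address
TUNNEL_NET = ipaddress.ip_network("192.168.200.0/24")  # OpenVPN tunnel network


def parse_routes(table: str):
    """Parse `ip route show` lines into (network, gateway-or-None) pairs."""
    routes = []
    for line in table.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        via = None
        if "via" in fields:
            via = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((net, via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does when sending a packet."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if dst in net]
    if not matches:
        return None  # ENETUNREACH: reply is dropped, client sees a timeout
    return max(matches, key=lambda r: r[0].prefixlen)


def return_path_ok(table: str, client_ip: str, pfsense_lan=PFSENSE_LAN):
    """True if the host's reply to a VPN client would be handed to pfSense.

    A route via any other gateway is treated as broken too: that router would
    need its own route for the tunnel network, which the thread does not set up.
    """
    route = lookup(parse_routes(table), client_ip)
    if route is None:
        return False
    _net, via = route
    return via == pfsense_lan


def suggested_fix(client_net=TUNNEL_NET, pfsense_lan=PFSENSE_LAN):
    """The two remedies from the thread: a host route, or outbound NAT on pfSense."""
    return (
        f"ip route add {client_net} via {pfsense_lan}",
        f"pfSense: Firewall > NAT > Outbound (hybrid mode), add a LAN rule "
        f"for source {client_net} translating to the LAN interface address",
    )


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(name, "return path to 192.168.200.2:",
              return_path_ok(table, "192.168.200.2"))
    for fix in suggested_fix():
        print("fix:", fix)
```

On a live Linux host the equivalent one-line check is `ip route get 192.168.200.2`, which either prints the gateway the reply would use or fails with "Network is unreachable". Adding the default route (or a specific route for the tunnel network) keeps addresses intact in your logs; the NAT alternative makes every VPN client appear as the pfSense LAN address on the servers, which is easier to deploy but hides who connected.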

                    That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use the DHCP server on pfSense, with the default route set, to service the LAN addresses. But I checked and the default route, although set in DHCP, was not set. After adding the default route to this interface manually the OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP.

                    Thanks all!!!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.