OpenVPN works but no access to LAN



  • Hi all,

    I'm trying to set up OpenVPN on my pfSense box, since I couldn't get IPsec to work, and need some help/advice. I've read all the documentation and relevant forum messages, but no success.

    My issue is that I have the VPN working and can log in, but I can't ping/connect to any server in my LAN. I have 1 pfSense server which is the default route on the network. My servers on the private LAN get their addresses by DHCP leases on pfSense. The LAN IP of the pfSense server is 192.168.10.1 and the servers in the LAN are getting addresses like 192.168.10.11, etc. Everything works OK (HAProxy/Snort).

    I've set up the OpenVPN server with the wizard (following the pfSense docs).
    My (relevant) setup is: Server Mode: Remote Access (SSL/TLS + User Auth)
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    IPv4 Tunnel Network: 192.168.200.0/24
    Redirect Gateway: not checked
    IPv4 Local Network/s: 192.168.10.0/24
    Address Pool: checked
    Topology: checked
    DNS Default Domain: set to same domain name in general setup Domain
    DNS Servers: checked and first server set to 192.168.10.1 (LAN IP pfSense)

    WAN Rules:
    IPv4 UDP * * WAN address 1194 * none

    LAN Rules
    IPv4 * LAN NET * * * * none

    OpenVPN Rules
    IPv4 * * * * * * none

    NAT Outbound (Automatic outbound NAT rule generation)
    WAN 127.0.0.0/8
            192.168.10.0/24
            192.168.200.0/24  * * * WAN address * NO
            192.168.100.0/24

    The client I'm testing with is Windows 10. I've installed the OpenVPN client by using Client Export, Windows Installer (x64-win6). Installed and ran the client using admin privileges. ipconfig when connected:

    Ethernet adapter Ethernet 2:
      Connection-specific DNS Suffix  . : pfacto.lcl
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-CB-BB-CB-39
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::b0a2:836e:d869:83fd%30(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.200.2(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : dinsdag 15 december 2015 10:55:38
      Lease Expires . . . . . . . . . . : woensdag 14 december 2016 10:55:38
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 192.168.200.254
      DHCPv6 IAID . . . . . . . . . . . : 503381963
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-B2-31-15-F8-B1-56-CA-D2-EE
      DNS Servers . . . . . . . . . . . : 192.168.10.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.15    10
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.1.0    255.255.255.0        On-link      192.168.1.15    266
        192.168.1.15  255.255.255.255        On-link      192.168.1.15    266
        192.168.1.255  255.255.255.255        On-link      192.168.1.15    266
        192.168.10.0    255.255.255.0    192.168.200.1    192.168.200.2    20
        192.168.200.0    255.255.255.0        On-link    192.168.200.2    276
        192.168.200.2  255.255.255.255        On-link    192.168.200.2    276
      192.168.200.255  255.255.255.255        On-link    192.168.200.2    276
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.1.15    266
            224.0.0.0        240.0.0.0        On-link    192.168.200.2    276
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.1.15    266
      255.255.255.255  255.255.255.255        On-link    192.168.200.2    276

    Persistent Routes:
      None

    If I try pinging a server in the LAN (192.168.10.11) on the pfSense box (Diagnostics, ping) and use the OpenVPN as the source address, it fails. Pinging with Default/LAN works fine.

    I've tried all kinds of OpenVPN settings, rebooted, reinstalled the client, but no success. I'm new to pfSense and out of ideas! Does anybody have a suggestion on what could be the problem or what to test? If you need any more information, let me know!

    Many thanks for looking into this!

    Regards,
    Pierre



  • Have you checked the firewall rules on the Win Station and/or Server?

    Very often the Win Firewall will block outside networks.  I often disable it temporarily for testing purposes.  Another good trick is to try and ping a non-Windows device (printer or other device) to bypass the firewall issue.

    The other place to look is log files on the OpenVPN client and under Status->System logs->OpenVPN for any error messages.



  • Thanks for your reply! Yes, I've checked all firewall rules and have tested with the firewall(s) disabled, no change. The servers in the LAN are all Linux boxes and there's no firewall enabled on the private LAN addresses. I did check the logs and there are no errors or warnings or anything. I do think the source of this behavior is on my pfSense box since I can't ping using "Diagnostics" when using the OpenVPN interface. LAN interface works fine. So it seems that something, some setting or rule, is blocking this on the pfSense box itself.



  • At first glance your settings look OK, but if you could post a full screenshot of your OpenVPN Server, something might pop out.

    Normally when testing a client I will establish a connection and ping (in order):

    The pfSense OpenVPN tunnel endpoint                   - 192.168.200.1
    The client's tunnel endpoint (not really necessary)   - 192.168.200.2
    The pfSense router LAN interface                      - 192.168.10.1
    An external LAN device without firewall (Linux box)   - 192.168.10.200(???)

    Normally this is a pretty foolproof and simple setup especially with the Wizard and Client Export pkg.  Most issues are on the Win side such as firewall and Admin rights install.

    Whoops, just noticed you're running Snort, have you checked the Snort logs to make sure that you're not tripping something there?



  • Checked the Snort logs and nothing there. Tested with Snort disabled, same result.
    Ping 192.168.200.1 - success
    Ping 192.168.200.2 - success
    Ping 192.168.10.1 - success
    Ping 192.168.10.15 - failed

    Any additional ideas?



  • Print screens of OpenVPN pfSense config attached.
  • Is the pfSense LAN IP the default gateway at 192.168.10.15? If it isn't, you need a route on this host for the VPN subnet, or you do NAT at pfSense.
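The asymmetric-routing failure described in this thread, as an added worked example (not from any poster): a longest-prefix-match lookup over constructed route tables modelled on the setup above shows why the VPN client can reach pfSense but gets no reply from a LAN host that has no default gateway, and why adding `default via 192.168.10.1` on that host fixes it. The tables and the host address 192.168.10.15 are assumptions taken from the thread, not a capture.

```python
import ipaddress

# Constructed route tables: (destination network, next hop or None for on-link).
# Windows VPN client from the thread: OpenVPN pushed a route for the LAN,
# so the outbound half of the ping always has a path.
VPN_CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("192.168.1.0/24", None),
    ("192.168.10.0/24", "192.168.200.1"),
    ("192.168.200.0/24", None),
]
# pfSense itself is on both networks, which is why 192.168.10.1 answers.
PFSENSE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),  # placeholder WAN gateway
    ("192.168.10.0/24", None),
    ("192.168.200.0/24", None),
]
# LAN host 192.168.10.15 as found: connected route only, no default gateway.
LAN_HOST_BROKEN = [("192.168.10.0/24", None)]
# Same host after "ip route add default via 192.168.10.1".
LAN_HOST_FIXED = [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None if unroutable."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    return best


def round_trip_ok(client_routes, target_routes, client_ip, target_ip):
    """An ICMP echo only succeeds if the request AND the reply can be routed."""
    forward = lookup(client_routes, target_ip)
    reverse = lookup(target_routes, client_ip)
    return forward is not None and reverse is not None


if __name__ == "__main__":
    client = "192.168.200.2"
    for name, table, target in [("pfSense LAN", PFSENSE_ROUTES, "192.168.10.1"),
                                ("LAN host (no gateway)", LAN_HOST_BROKEN, "192.168.10.15"),
                                ("LAN host (gateway set)", LAN_HOST_FIXED, "192.168.10.15")]:
        print(f"{name:24s} reply route: {lookup(table, client)}  "
              f"ping ok: {round_trip_ok(VPN_CLIENT_ROUTES, table, client, target)}")
```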



  • That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use the DHCP server on pfSense, with the default route set, to service the LAN addresses. But I checked, and the default route, although set in DHCP, was not set. After adding the default route to this interface manually, OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP.

    Thanks all!!!
