OpenVPN works but no access to LAN
I'm trying to set up OpenVPN on my pfSense box, since I couldn't get IPsec to work, and need some help/advice. I've read all documentation and relevant forum messages, but no success.
My issue is that I have the VPN working and can log in, but I can't ping/connect to any server in my LAN. I have 1 pfSense server which is the default route on the network. My servers on the private LAN get their addresses by DHCP leases on pfSense. The LAN IP of the pfSense server is 192.168.10.1 and the servers in the LAN are getting addresses like 192.168.10.11, etc. Everything works OK (HAproxy/snort).
I've set up the OpenVPN server with the wizard (following the pfSense docs).
My (relevant) setup is:
Server Mode: Remote Access (SSL/TLS + User Auth)
Device mode: tun
IPv4 Tunnel Network: 192.168.200.0/24
Redirect Gateway: not checked
IPv4 Local Network/s: 192.168.10.0/24
Address Pool: checked
DNS Default Domain: set to same domain name in general setup Domain
DNS Servers: checked and first server set to 192.168.10.1 (LAN IP pfSense)
Firewall rules (Proto / Source / Port / Destination / Port / Gateway / Queue):
IPv4 UDP   *         *   WAN address   1194   *   none
IPv4 *     LAN NET   *   *             *      *   none
IPv4 *     *         *   *             *      *   none
NAT Outbound (Automatic outbound NAT rule generation):
Source             Src port   Destination   Dst port   NAT address   NAT port   Static port
192.168.200.0/24   *          *             *          WAN address   *          NO
The client I'm testing with is Windows 10. I've installed the OpenVPN client by using client export, Windows Installer (x64-win6). Installed and run the client using admin privileges. IPconfig when connected:
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : pfacto.lcl
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-CB-BB-CB-39
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b0a2:836e:d869:83fd%30(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.200.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : dinsdag 15 december 2015 10:55:38
Lease Expires . . . . . . . . . . : woensdag 14 december 2016 10:55:38
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.200.254
DHCPv6 IAID . . . . . . . . . . . : 503381963
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-B2-31-15-F8-B1-56-CA-D2-EE
DNS Servers . . . . . . . . . . . : 192.168.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.15 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.15 266
192.168.1.15 255.255.255.255 On-link 192.168.1.15 266
192.168.1.255 255.255.255.255 On-link 192.168.1.15 266
192.168.10.0 255.255.255.0 192.168.200.1 192.168.200.2 20
192.168.200.0 255.255.255.0 On-link 192.168.200.2 276
192.168.200.2 255.255.255.255 On-link 192.168.200.2 276
192.168.200.255 255.255.255.255 On-link 192.168.200.2 276
126.96.36.199 240.0.0.0 On-link 127.0.0.1 306
188.8.131.52 240.0.0.0 On-link 192.168.1.15 266
184.108.40.206 240.0.0.0 On-link 192.168.200.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.15 266
255.255.255.255 255.255.255.255 On-link 192.168.200.2 276
If I try pinging a server in the LAN (192.168.10.11) on the pfSense box (Diagnostics, ping) and use the OpenVPN as the source address, it fails. Pinging with Default/LAN works fine.
I've tried all kinds of OpenVPN settings, rebooted, reinstalled the client, but all with no success. I'm new to pfSense and out of ideas! Does anybody have a suggestion on what could be the problem or what to test? If you need any more information, let me know!
Many thanks for looking into this!
Have you checked the firewall rules on the Win Station and/or Server?
Very often the Win Firewall will block outside networks. I often disable it temporarily for testing purposes. Another good trick is to try and ping a non-Windows device (printer or other device) to bypass the firewall issue.
The other place to look is log files on the OpenVPN client and under Status->System logs->OpenVPN for any error messages.
Thanks for your reply! Yes, I've checked all firewall rules and have tested with the firewall(s) disabled, no change. The servers in the LAN are all Linux boxes and there's no firewall enabled on the private LAN addresses. I did check the logs and there are no errors or warnings or anything. I do think the source of this behavior is on my pfSense box since I can't ping using "Diagnostics" when using the OpenVPN interface. LAN interface works fine. So it seems that something, some setting or rule, is blocking this on the pfSense box itself.
At first glance your settings look OK, but if you could post a full screenshot of your OpenVPN Server, something might pop out.
Normally when testing a client I will establish a connection and ping (in order):
The pfSense OpenVPN tunnel endpoint - 192.168.200.1
The client's tunnel endpoint (not really necessary ) - 192.168.200.2
The pfSense router LAN interface - 192.168.10.1
An external LAN device without firewall (Linux box) - 192.168.10.200(???)
Normally this is a pretty foolproof and simple setup especially with the Wizard and Client Export pkg. Most issues are on the Win side such as firewall and Admin rights install.
Wooops, just noticed you're running Snort, have you checked the Snort logs to make sure that you're not tripping something there?
Checked the snort logs and nothing there. Tested with snort disabled, same result.
Ping 192.168.200.1 - success
Ping 192.168.200.2 - success
Ping 192.168.10.1 - success
Ping 192.168.10.15 - failed
Any additional ideas?
Print screens of OpenVPN pfSense config attached.
Is the pfSense LAN IP the default gateway at 192.168.10.15? If it isn't, you need a route on this host for the VPN subnet, or you do NAT at pfSense.
That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use the DHCP server on pfSense, with the default route set, to service the LAN addresses. But I checked and the default route, although set in DHCP, was not set. After adding the default route to this interface manually the OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP.
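The root cause found at the end of the thread is asymmetric routing: the Windows client has a route to 192.168.10.0/24 via the tunnel (the `192.168.10.0 ... 192.168.200.1` line in its route table), but the LAN server has no default gateway, so its ICMP reply to 192.168.200.2 has no route and is dropped. The script below is an added example written for this page, not code from the thread or from pfSense; it does a longest-prefix-match lookup over the Windows route table posted above and over two constructed LAN-host route tables (one without and one with the default gateway), and reports whether both directions of a ping have a route. The LAN-host tables, the 192.168.10.11 server address used as the reply source, and the "On-link" notation borrowed from Windows for the Linux host are assumptions made for illustration.

```python
import ipaddress

# IPv4 route table of the Windows client as posted in the thread
# (Network Destination, Netmask, Gateway, Interface, Metric); host/broadcast
# and multicast entries omitted because they do not affect the lookups below.
WINDOWS_CLIENT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.15 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.15 266
192.168.10.0 255.255.255.0 192.168.200.1 192.168.200.2 20
192.168.200.0 255.255.255.0 On-link 192.168.200.2 276
"""

# Constructed: a LAN server that received an address from DHCP but no default
# gateway, the situation discovered in the last post. Same column layout.
LAN_HOST_NO_GATEWAY = """\
192.168.10.0 255.255.255.0 On-link 192.168.10.11 100
"""

# Constructed: the same server after the default route via pfSense was added.
LAN_HOST_WITH_GATEWAY = """\
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.11 100
192.168.10.0 255.255.255.0 On-link 192.168.10.11 100
"""


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or blank lines
        dest, mask, gateway, interface, metric = parts
        routes.append({
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": None if gateway == "On-link" else ipaddress.IPv4Address(gateway),
            "interface": ipaddress.IPv4Address(interface),
            "metric": int(metric),
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match; lowest metric wins ties. None when no route exists."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def describe(route):
    """Human-readable next hop for a lookup result."""
    if route is None:
        return "no route"
    if route["gateway"] is None:
        return f"on-link via {route['interface']}"
    return f"via gateway {route['gateway']} out {route['interface']}"


def ping_path_ok(client_routes, server_routes, client_ip, server_ip):
    """A ping only succeeds if the request AND the reply each have a route."""
    forward = lookup(client_routes, server_ip)
    reverse = lookup(server_routes, client_ip)
    return forward is not None and reverse is not None


if __name__ == "__main__":
    client = parse_routes(WINDOWS_CLIENT_ROUTES)
    broken = parse_routes(LAN_HOST_NO_GATEWAY)
    fixed = parse_routes(LAN_HOST_WITH_GATEWAY)
    print("client -> 192.168.10.11:", describe(lookup(client, "192.168.10.11")))
    print("server (no gateway) -> 192.168.200.2:", describe(lookup(broken, "192.168.200.2")))
    print("server (with gateway) -> 192.168.200.2:", describe(lookup(fixed, "192.168.200.2")))
    print("ping works without gateway:", ping_path_ok(client, broken, "192.168.200.2", "192.168.10.11"))
    print("ping works with gateway:   ", ping_path_ok(client, fixed, "192.168.200.2", "192.168.10.11"))
```

This also explains the Diagnostics ping observation earlier in the thread: pinging with the LAN interface as source (192.168.10.1) works because the server's own /24 covers the reply, while pinging with the OpenVPN interface as source (192.168.200.1) fails for exactly the same missing-route reason. The same check applies to the alternative the reply mentions, outbound NAT on the OpenVPN interface, which makes replies target a 192.168.10.x address instead.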