OpenVPN client able to connect but no LAN access?



  • Hoping someone here can help me out with this.  I have configured an OpenVPN server and am able to connect from a VPN client successfully, in that the client receives the expected IP address and is able to access the WAN via the VPN connection (confirmed by checking the external IP of the VPN client).  The VPN client is also able to access the pfSense gateway (192.168.xxx.1).  However, no other LAN addresses (192.168.xxx.yyy) are reachable via the VPN connection. Can I fix this?  And if so, how?



  • Is the pfSense box running the VPN server the default gateway of your LAN hosts?
    If it isn't, you'll need to add a route for VPN traffic or do NAT at pfSense.

    Also consider that software firewalls running on LAN hosts may block access from vpn.



  • Yes, the pfSense box is the default gateway for the LAN that I am connecting TO (not from).

    I am very new to this - not sure which rules might need to be configured to allow LAN access to IP addresses other than the gateway when connected via VPN - any help would be appreciated.



  • Since you have access to the internet via VPN, I assume you have an any-to-any rule at the OpenVPN interface. So access to LAN hosts should also be permitted by this rule.



  • Actually, I have no applicable rules at the openvpn interface at all.  (there is a rule there which applies to the openvpn client running on the pfSense box (connected to PIA as a client).  But no rules related to the open vpn clients connecting TO the pfSense box).  Which rules need to be there, if any?



  • The rule depends on what you want to permit VPN clients to access. If you want internet access and internal subnets, add an allow-any rule with source = VPN server tunnel network.



  • I added a rule to the tab for the VPN tunnel (not the "openVPN" tab, but the tab with the tunnel I created) that passes all IPV4 traffic (source any, destination any).  Now the VPN client cannot connect to anything via the VPN (no internet, no LAN).  Clearly I am doing something wrong here, but I am not sure what!



  • And as soon as I disable that rule, traffic flows again.



  • Replying to myself again (in case I need to refer back to this)…

    Adding a rule to the "OpenVPN" tab that passes all traffic with source of [IP address range assigned to VPN clients] allows the outside clients to access internal LAN addresses and the internet via the VPN (desired behavior).  I hope this does not result in any unexpected security holes though… Was this the right way to do this?



  • I do this in the Openvpn server tunnel settings. Specify my Local Network/s and check Allow communication between clients connected to this server.



  • I already had that box checked, and still had the problems I outlined.

    I have also noticed that when a client computer connects via VPN, even after the connection is indicated as having occurred successfully, it takes a very long time (1-2 minutes or more) before the client computer is able to get any traffic flowing through the VPN. I am not sure what is causing that either, but I suspect it may be related.



  • Hello! I'm new to the forum but am having a very similar problem as the OP.  I can connect to pfSense via OpenVPN, and can ping the pfSense local IP, however I cannot ping anything else on the local network.  I've found that if I set a device's (Windows PC) primary gateway to pfSense then I can ping that device, but nothing else.  Is there a way to be able to access network devices that do not have pfSense set up as their primary gateway?  We have another gateway that does filtering and just want pfSense to be a VPN gateway into the network for road warriors.  Thanks, and hopefully any responses to this will help the OP as well.



  • pfsensory, so you run an OpenVPN server and client on one pfSense. So pfSense handles firewall rules by just one virtual VPN interface for both server and client.
    To separate them you should add a particular interface for each. Go to Firewall > Interfaces > assign and at "Available network ports" select the server or client for "network port" (ovpns1, ovpnc1) and hit "+".
    Then click the new interface to configure it, check enable and give it a name, no further settings.
    Now you can assign different firewall rules to each, the server and the client. You also have to set up outbound NAT rules for both.



  • @viragomann:

    pfsensory, so you run an OpenVPN server and client on one pfSense. So pfSense handles firewall rules by just one virtual VPN interface for both server and client.
    To separate them you should add a particular interface for each. Go to Firewall > Interfaces > assign and at "Available network ports" select the server or client for "network port" (ovpns1, ovpnc1) and hit "+".
    Then click the new interface to configure it, check enable and give it a name, no further settings.

    Yes, I run both a server and a client on 1 pfSense device.  I already have an interface for each assigned to network ports:  They are called VPNserver and VPNclient.

    @viragomann:

    Now you can assign different firewall rules to each, the server and the client. You also have to set up outbound NAT rules for both.

    This is where I am not sure what I am doing is correct (being a complete newb at this), and I would really value some specific guidance (i.e. step by step instructions).

    Under firewall rules, I have tabs for (apart from Floating, WAN, LAN): VPNserver , VPNclient , and OpenVPN (interface for Open VPN in general I guess). What specific rules go under which specific tabs?  And which rules do I need under NAT?

    I am guessing this seems pretty basic to most other people, but being completely new at this and trying to set up what seems (for me) to be a fairly complicated arrangement, I am worried that if I put the wrong rule in the wrong place, I am going to open up a security hole to the outside.  So your guidance is very much appreciated!



  • You just need to set the appropriate rule like on other interfaces. Those are firewall basics:
    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    Yes, the OpenVPN tab is for both server and client. You'll need no rule at this tab.
    You also need no rule on the client's interface, unless you want to permit access from outside over the client's public IP.
    But as I understood your post, you use the client just to access the internet via PIA. So you will have a firewall rule at the LAN interface which directs traffic over the VPN.

    On the VPN server's tab you add a rule to allow your VPN clients to access your internal PCs. If you want you can add an allow any-to-any rule here. This will only permit the VPN client to access any host inside your LAN and other subnets as well as the internet, but it will permit nothing coming in through your pfSense VPN client connection.

    You will also have to add outbound NAT rules for VPN. For your client you will already have one, as you said it's already working. But since you now have a particular VPN client interface, ensure its interface is set correctly.
    If you want to access the internet from your VPN clients connected to your server, you will also need an outbound NAT rule for this with interface = WAN, source = VPN server tunnel network, destination = any and NAT address = interface address.

    For better understanding you should post screenshots of the rules you actually have. Firewall and outbound NAT rules.



  • What I decided to do was revert my pfSense box to a backup (before I started messing around with this), and redo everything again.  Now everything is working great.

    One question though - I am using a tun connection, which is working fine for my purposes except for one issue.  I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN.  However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other.  Is there some way I can get these to connect?

    And one more question - this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?



  • @pfsensory:

    I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN.  However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other.  Is there some way I can get these to connect?

    You want to sync files between VPN server and client side, or between two clients?
    A drawing would be helpful for understanding your aims.

    @pfsensory:

    this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?

    The interfaces are not created by the wizard and are not essential in any circumstances.
    However, if you set up a PIA client, a client interface will be needed.



  • I want the computer connecting to my LAN via VPN (let's call it "external computer") to be able to sync with other computers on my LAN (not the pfSense box) (let's call these "internal computers").

    external computer 10.0.xxx.yyy
        |
        |
    modem (WAN address)
        |
        |
    pfSense (LAN 192.168.aaa.0/24) (OpenVPN server)
        |
        |
    internal computer 192.168.aaa.bbb

    As for my prior post, I was only referring to setting up the VPN server.  I still have VPN client running as well (as a client of PIA Open VPN).  Connections coming into my pfSense OpenVPN server are not to be routed out the PIA gateway - they get routed out from my ISP gateway.



  • Somehow my problem getting Syncthing clients seems to have fixed itself, with no apparent intervention on my part.  A strange (but welcome) development.



  • Are you talking about redirecting all traffic intended for local networks to the VPN?  The source local networks are conflicting with your host (pfSense) local networks.

    Your external computer (10.0.xxx.yyy) is connected via a LAN (192.168.1.xxxx) of a router -> Internet -> modem -> pfSense (OpenVPN Server) -> internal computer (LAN 192.168.1.xxxx)

    What I did was adding: push "route 192.168.1.0 255.255.255.0"  at the Advanced Configuration of OpenVPN Server
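    As an added example (not from this thread and not pfSense's own generated file), the OpenVPN server directives that correspond to the GUI settings discussed above: "Local Network/s" becomes the pushed route that the post above adds by hand, and "Allow communication between clients connected to this server" becomes client-to-client. The tunnel network 10.0.8.0/24 is assumed; the LAN 192.168.107.0/24 is the one pfsensory mentioned.

```conf
# Constructed example of the server-side directives behind the pfSense GUI options.
# Assumed tunnel network: 10.0.8.0/24. LAN taken from the thread: 192.168.107.0/24.
dev tun
server 10.0.8.0 255.255.255.0            # tunnel network; each client gets a 10.0.8.x address

# "Local Network/s" in the pfSense server settings: tells the client which
# destinations to send into the tunnel. Without it a client only reaches the
# tunnel endpoint itself, which is the symptom the OP describes.
push "route 192.168.107.0 255.255.255.0"

# "Allow communication between clients connected to this server"
client-to-client

# Only if VPN clients should reach the internet through pfSense (the OP's case).
# This is what makes the client's external IP become the pfSense WAN address and
# is why an outbound NAT rule (interface WAN, source = tunnel network) is needed.
push "redirect-gateway def1"
```

    Pushing the route only gets packets from the client to the LAN; the LAN host still needs a return path to 10.0.8.0/24, which is why viragomann asked whether pfSense is the LAN hosts' default gateway (otherwise a static route on the other gateway or outbound NAT on LAN is required).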



  • I don't think it was an IP address conflict, because the LAN addresses on my pfSense use an unusual address that is not likely to be used on other networks (192.168.107.0/24).

    At any rate, syncthing has kept working over the VPN since my last post, so problem apparently solved.



  • @pfsensory:

    What I decided to do was revert my pfSense box to a backup (before I started messing around with this), and redo everything again.  Now everything is working great.

    One question though - I am using a tun connection, which is working fine for my purposes except for one issue.  I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN.  However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other.  Is there some way I can get these to connect?

    And one more question - this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?

    Hello.
    We have a similar setup running both an OpenVPN server and a PIA client, and I was hoping you could share your settings as I can't get them to work together… That would be greatly appreciated, as it seems I'm not getting any support from anywhere for such a common thing.

