Cannot access devices on LAN from VPN client
-
Hi,
I have probably overlooked something, because i've followed the simple guide on the wiki and I have searched the forum for an answer, but i can't get this to work. I can make the VPN connection, but i cannot access anything on the LAN from the client.
Server config:
dev ovpns1 verb 1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA512 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh local ##.##.###.### (My IP assigned by my ISP) engine cryptodev tls-server server 10.0.1.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc username-as-common-name auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database'tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'DieguezVPNServer' 1 " lport 1194 management /var/etc/openvpn/server1.sock unix push "route 192.168.1.0 255.255.255.0" ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.4096 tls-auth /var/etc/openvpn/server1.tls-auth 0 comp-lzo adaptive persist-remote-ip float topology subnetClient config:
dev tun persist-tun persist-key cipher AES-256-CBC auth SHA512 tls-client client resolv-retry infinite remote ##.##.###.### 1194 udp lport 0 verify-x509-name "DieguezVPNServer" name auth-user-pass pkcs12 pfSense-udp-1194-JohnDoe.p12 tls-auth pfSense-udp-1194-JohnDoe-tls.key 1 ns-cert-type server comp-lzo adaptiveI've added screenshots of the firewall and NAT rules
-
After adding```
route 192.168.1.0 255.255.255.0 -
Obviously you have a second internal subnet 192.168.2.0/24.
If you want to access this you will have to add a route for it also. But the subnets which you want to add a route over vpn to should be entered in the server config at "local networks". So the routes are pushed to the clients by the server when a connection is established. -
Hi, thanks for your suggestion.
However, I don't need the second internal subnet, I only need LAN on 192.168.1.0/24. That one is already entered in the server config (see attached screenshot).
-
Is there a default gateway configured at the devices you cannot access?
If not, access will only be possible if you nat the VPN clients. -
ipconfig /all on the client gives me this:
Ethernet adapter Ethernet 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : TAP-Windows Adapter V9 Physical Address. . . . . . . . . : ##-##-##-##-##-## DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 10.0.1.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : zondag 14 februari 2016 15:21:32 Lease Expires . . . . . . . . . . : maandag 13 februari 2017 15:21:32 Default Gateway . . . . . . . . . : DHCP Server . . . . . . . . . . . : 10.0.1.254 NetBIOS over Tcpip. . . . . . . . : Enabled Wireless LAN adapter Wi-Fi: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205 Physical Address. . . . . . . . . : ##-##-##-##-##-## DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : ####::####:####:####:####%2(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.1.157(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : zondag 14 februari 2016 15:21:09 Lease Expires . . . . . . . . . . : zondag 14 februari 2016 16:21:08 Default Gateway . . . . . . . . . : 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.1.1 DHCPv6 IAID . . . . . . . . . . . : ######## DHCPv6 Client DUID. . . . . . . . : ##-##-##-##-##-##-##-##-##-##-##-##-##-## DNS Servers . . . . . . . . . . . : 192.168.1.1 NetBIOS over Tcpip. . . . . . . . : EnabledFew (noob) observations:
- No gateway for TUN
- DHCP server IP for TUN I don't regognize
- IPv4 DHCP obtained IP address for LAN is not in the defined DHCP range of the LAN DHCP server.
- The gateway defined for LAN is the pfsense box, which i can access (GUI and ping) from the client
-
That's okay. Since you haven't set the VPN as default route, there should not be a default gateway for the TAP device.
But, the problem I can see, thanks you've posted your whole client network settings, is that your LAN behind the VPN server uses the same network address range as your wireless LAN your client resides. That won't work. You should change one of these networks to another IP range.
-
From what I can tell, your server1.conf is incomplete and missing the directives that will give you access to your LAN. Did you intentionally truncate your config? If not, that would be why nothing's working.
-
From what I can tell, your server1.conf is incomplete and missing the directives that will give you access to your LAN. Did you intentionally truncate your config? If not, that would be why nothing's working.
Ah yes correct. Copy-paste error I think. I've updated the original post, thanks.
-
That's okay. Since you haven't set the VPN as default route, there should not be a default gateway for the TAP device.
But, the problem I can see, thanks you've posted your whole client network settings, is that your LAN behind the VPN server uses the same network address range as your wireless LAN your client resides. That won't work. You should change one of these networks to another IP range.
Isn't the wireless LANs IP assigned when i connect to the VPN? I connected via my 4G phone connection, which is of course not in a private network and i also tried from the office, which is also in another network range. So i'm not sure what you are suggesting actually ???
-
Any other ideas anyone?
-
It's already been said, but your tunnel network is the same as the LAN on the remote end and the LAN on your end is the same as the wireless subnet on the remote end. That is not going to work reliably. In a routed solution, all of the subnets on both ends have to be unique.
-
First order of business, make sure everything you want to connect to is using PFsense as the default gateway.
-
Second, change the subnets on whichever side is easiest to change. Also, I would stay away from 192.168.1.1/24 on either side… it's too common and will break your routing at some point
So, provided you have the firewalll rules in place to allow the traffic, once your subnets are unique and you modify the server-side openvpn config accordingly, I don't see anything would prevent traffic from getting to it's destination at that point.
-
-
Agreeing with everything suggested so far (especially - get off of 192.168.1.x ).
One other potential issue - check the devices you're attempting to access don't have firewall(s)/filtering enabled that prevents access from the OpenVPN tunnel (10.0.1.0/24).Happens very often with the Windoze builtin firewall, but I've seen similar issues with managed switches and other servers.
Worth a look
-
-
Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.
Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.
Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.
-
Every time a packet has to leave pfSense, there has to be a route directing it. With OpenVPN this means a pfSense route directing traffic into OpenVPN and an OpenVPN iroute directing traffic to a particular tunnel.
Every time a packet enters pfSense, there has to be a firewall rule permitting it. With OpenVPN traffic entering pfSense is permitted by rules on the OpenVPN tab or the OpenVPN assigned interface.
Go hop by hop from the source of the connection to the destination until you find where one of those things is missing and fix it.
I've posted all screenshots and config files, as far as I can see, everything mentioned above is in there. Everything in there is correct, right? Or not? I have no other firewall or gateway in place, and I CAN connect to 192.168.1.1 which is the pfsense box. So I would think I should be able to reach the other devices in that subnet too. I also see nothing blocking in the firewall logs.
I just can't wrap my head around this somehow… -
If it was all there it would be working. Look again, hop by hop.
AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.
-
If it was all there it would be working. Look again, hop by hop.
Apparently I'm overlooking something, you see something I don't. That's why I came here ;)
AND CHECK THE LOCAL FIREWALLS ON THE HOSTS YOU CANNOT CONNECT TO. CHECK AGAIN.
I have no firewall on my phone, no firewall on the NAS, switch, APs, RPIs, etc., etc. Can't connect to any of them :o
-
You said up there (quoted below) you could get to your NAS, so which is it?
You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.
I also suspect that:
to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs mamagement interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)
Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.
This is not extremely difficult but there is some complexity to get everything working.
-
You said up there (quoted below) you could get to your NAS, so which is it?
Yeah, that seemed to work just once :(
You seem to be completely ignoring everyone saying you should run away from 192.168.1.0/24 and anything in 10.0.0.0/8 and that you need to renumber your networks to make all this work.
I've tested it from a totally different subnet, 100.96.xxx.xxx so how can that be the issue here?
I will change that, and all the devices configured in my network when i'm sure everything else works, since i have to reconfigure a lot then (shares on all client devices, static IPs for quite some devices, virtual appliances, etc.)I also suspect that:
to the client config, i got access to the pfSense GUI, to my FreeNAS GUI, shares and jails, but not to my switch management or APs mamagement interfaces. I can't even ping them. They are all in the same subnet and VLAN (VLANs managed on the switch)
Your switch management and your "AP"s don't have pfSense as the default gateway as viragomann suggested a few posts ago.
Good point there. My Access Points indeed don't have a default gateway configered. Heck, i found out it's not even possible to do so on them ???
Somehow i left the default gateway field in the switch empty facepalm
However, the NAS was configured correctly, but i still couldn't access that.Now, what I did found out was this: Even though you set the "IPv4 Local Network/s" field correctly, the route to that network is not (always) pushed to the client. In the client export tab (if you have installed the package), you have to ad an entry for the route in the "Additional configuration options" field. My suggestion would be to make it default, if the route is configured in the OpenVPN server.
I did add this maually in the client settings of the laptop earlier, but i was connected via the phone's "Personal Wifi Hotspot", which turned out to be in the 192.1.1.0/24 subnet (despite android documentation telling its in the 192.168.43.xxx range). When i tested with my phone only earlier (on network 100.96.xxx.xxx), i hadn't updated the config file to push the route yet.
Now that i updated all of the above, i can access at least my pfSense box, NAS and Switch management, so from my phone everything seems to work fine now ;D
Now i can change my whole network's subnet… The joy...
