How to reach another network from my OpenVPN connection



  • Hi!

    I have a LAN on a remote location: 192.168.30.0/24

    On the same network I've installed XenServer and an additional (virtual, inside XenServer) pfSense with two subnets. So for this second pfSense:

    WAN: 192.168.30.105
    LAN: 192.168.40.0/24 (dhcp-enabled)
    OPT: 192.168.50.0/24 (dhcp-enabled)

    My OpenVPN can connect to both pfSenses at 192.168.30.1 and 192.168.30.105 and reach both web UIs.

    Now, I want to reach a specific host: 192.168.50.100 (a web page, port 80)

    I found the route command on my windows PC.
    I added routes similar to the one for the OpenVPN interface I have, so the entries look like:

    
         192.168.30.0    255.255.255.0         10.0.8.1         10.0.8.2     20
         192.168.40.0    255.255.255.0         10.0.8.1         10.0.8.2     40
         192.168.50.0    255.255.255.0         10.0.8.1         10.0.8.2     40
    
    

    (I'm not sure about the metric value "40". I typed 20 but my PC set it to 40 anyway.)

    But I can't reach any of the 192.168.40 or 50 networks.

    Neither can pfSense at 192.168.30.1 (tried pinging), so I'm thinking I need to add two routes there as well.
    My guess is System - Routing - Static routes.

    And enter the 2 networks 192.168.40.0/24 and 192.168.50.0/24 with 192.168.30.105 as gateway.

    However the help page is warning me (https://doc.pfsense.org/index.php/Static_Routes):

    Routes do not need to be added for networks which are directly connected to any interface of the firewall, and doing so may cause problems.

    Never add static routes for networks reachable via OpenVPN

    I guess this doesn't apply in this case. But I'm worried I'll mess something up. I really don't want my vpn to go down.

    Am I on the right track?
    Can I add the 2 routes in pfSense and it will start working, without breaking anything? (I think I also have to do a port forward of port 80 on my virtual pfSense at 192.168.30.105.)



  • The routes for your networks are already set by OpenVPN. There are no more routes necessary to access your LAN hosts.

    Are there firewall rules in place on the OpenVPN tab which allow access to your networks?

    And, I don't know if this is the cause, but why have you set the check at Topology in the server config?? If you have no particular reason, uncheck it.



  • @viragomann:

    The routes for your networks are already set by OpenVPN. There are no more routes necessary to access your LAN hosts.

    Are there firewall rules in place on the OpenVPN tab which allow access to your networks?

    And, I don't know if this is the cause, but why have you set the check at Topology in the server config?? If you have no particular reason, uncheck it.

    Thank you viragomann for your reply.

    I think I might have been a bit undescriptive. I can't draw nice network maps like some people; it doesn't come out well whenever I try :/

    I can reach the LAN fine on my VPN-connection. I want to reach another network.

    I have 3 routers on the physical network.

    Random router I can not get rid of: 192.168.1.1
    pfSense#1: 192.168.1.2 (DMZ'd) with 2 subnets: 192.168.20.0/24 and 192.168.30.0/24 (this physical machine has 3 NICs)
    OpenVPN terminates on 192.168.30.0/24, and accessing hosts on this network works fine, including pfSense#2.

    Then I have pfSense#2 at 192.168.30.105 with 2 additional subnets: 192.168.40.0/24 and 192.168.50.0/24 (this physical machine only has 1 NIC. This is my XenServer. pfSense#2 is virtual, as are its subnets).

    All of the subnets have internet access.

    Now I want to reach a web site on 192.168.50.100 over my VPN, from my vpnIP 10.0.8.2

    I went ahead and added a route on my local PC:

    
    route ADD 192.168.50.0 MASK 255.255.255.0 10.0.8.1 METRIC 20 IF 14
    
    

    Then I added a gateway on pfsense#1 with IP 192.168.30.105 with interface OPT1

    Then I added a static route:

    
    Network          Gateway                              Interface  Description
    192.168.50.0/24  virtualpfSense_50 - 192.168.30.105   OPT1       route to 192.168.50.0
    
    

    Now I think I kind of reached my destination. I could see my attempt to reach the desired host being blocked by the firewall on pfSense#2 in my firewall system log.
    So I added a rule from the firewall by choosing "Easy rule. Pass this traffic".

    I think the traffic is passed. I can see attempts to access port 8080 on the host being blocked, but not port 80.

    I'm still stuck though, because my browser still tells me:

    This site can’t be reached

    The connection was reset.

    Also tried to port forward 80. No luck

    
    Interface  Proto  Src addr  Src ports  Dest addr    Dest ports  NAT IP          NAT ports
    WAN        TCP    *         *          WAN address  80 (HTTP)   192.168.50.100  80 (HTTP)
    
    

    EDIT:
    Found a packet capture utility under Diagnostics (very cool!)
    Downloaded it and exported the following from Wireshark:

    
          1 0.000000    10.0.8.2              192.168.50.100        TCP      66     52185→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
          2 0.000206    192.168.50.100        10.0.8.2              TCP      66     80→52185 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
          3 0.001687    10.0.8.2              192.168.50.100        TCP      66     52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
          4 0.001747    192.168.50.100        10.0.8.2              TCP      66     80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
          5 0.032244    10.0.8.2              192.168.50.100        TCP      60     52185→80 [ACK] Seq=1 Ack=1 Win=66048 Len=0
          6 0.038007    10.0.8.2              192.168.50.100        HTTP     479    GET / HTTP/1.1 
          7 0.038069    192.168.50.100        10.0.8.2              TCP      54     80→52185 [ACK] Seq=1 Ack=426 Win=65856 Len=0
          8 0.042431    192.168.50.100        10.0.8.2              HTTP     339    HTTP/1.1 302 FOUND  (text/html) (text/html)
          9 0.339956    10.0.8.2              192.168.50.100        HTTP     479    [TCP Retransmission] GET / HTTP/1.1 
         10 0.340037    192.168.50.100        10.0.8.2              TCP      54     [TCP Dup ACK 7#1] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
         11 0.937677    10.0.8.2              192.168.50.100        HTTP     479    [TCP Retransmission] GET / HTTP/1.1 
         12 0.937750    192.168.50.100        10.0.8.2              TCP      54     [TCP Dup ACK 7#2] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
         13 2.137039    10.0.8.2              192.168.50.100        HTTP     479    [TCP Retransmission] GET / HTTP/1.1 
         14 2.137121    192.168.50.100        10.0.8.2              TCP      54     [TCP Dup ACK 7#3] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
         15 3.000946    10.0.8.2              192.168.50.100        TCP      66     [TCP Spurious Retransmission] 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
         16 3.001026    192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         17 3.055443    192.168.50.100        10.0.8.2              HTTP     339    [TCP Retransmission] HTTP/1.1 302 FOUND  (text/html) (text/html)
         18 4.540066    10.0.8.2              192.168.50.100        HTTP     479    [TCP Retransmission] GET / HTTP/1.1 
         19 4.540147    192.168.50.100        10.0.8.2              TCP      54     [TCP Dup ACK 7#4] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
         20 6.034321    192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         21 9.001611    10.0.8.2              192.168.50.100        TCP      62     [TCP Spurious Retransmission] 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 SACK_PERM=1
         22 9.001692    192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         23 9.272365    192.168.50.100        10.0.8.2              HTTP     339    [TCP Retransmission] HTTP/1.1 302 FOUND  (text/html) (text/html)
         24 9.340771    10.0.8.2              192.168.50.100        HTTP     479    [TCP Retransmission] GET / HTTP/1.1 
         25 9.340838    192.168.50.100        10.0.8.2              TCP      54     [TCP Dup ACK 7#5] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
         26 12.047404   192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         27 15.047443   192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         28 18.074502   192.168.50.100        10.0.8.2              TCP      66     [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
         29 18.934130   10.0.8.2              192.168.50.100        TCP      60     52185→80 [RST, ACK] Seq=426 Ack=1 Win=0 Len=0
    
    

    Does this tell anyone anything?

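    Reading a capture like the one above, as an added example that is not part of the thread: the script parses Wireshark's packet-list summary lines and, for each TCP flow, compares what each side put on the wire with what the other side acknowledged. It assumes the relative sequence numbers Wireshark prints by default, and its sample input is a hand-retyped subset of the frames from the post (a constructed sample, not the full listing).

```python
"""Spot one-way segment loss in a Wireshark packet-list export (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a hand-retyped subset of the frames from the capture in the post
# above; frame numbers are kept so the lines can be compared with the full listing.
SAMPLE = """\
 1 0.000000  10.0.8.2        192.168.50.100  TCP   66  52185→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
 2 0.000206  192.168.50.100  10.0.8.2        TCP   66  80→52185 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
 3 0.001687  10.0.8.2        192.168.50.100  TCP   66  52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
 4 0.001747  192.168.50.100  10.0.8.2        TCP   66  80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
 5 0.032244  10.0.8.2        192.168.50.100  TCP   60  52185→80 [ACK] Seq=1 Ack=1 Win=66048 Len=0
 6 0.038007  10.0.8.2        192.168.50.100  HTTP  479 GET / HTTP/1.1
 7 0.038069  192.168.50.100  10.0.8.2        TCP   54  80→52185 [ACK] Seq=1 Ack=426 Win=65856 Len=0
 8 0.042431  192.168.50.100  10.0.8.2        HTTP  339 HTTP/1.1 302 FOUND  (text/html)
10 0.340037  192.168.50.100  10.0.8.2        TCP   54  [TCP Dup ACK 7#1] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
12 0.937750  192.168.50.100  10.0.8.2        TCP   54  [TCP Dup ACK 7#2] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
16 3.001026  192.168.50.100  10.0.8.2        TCP   66  [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
20 6.034321  192.168.50.100  10.0.8.2        TCP   66  [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
29 18.934130 10.0.8.2        192.168.50.100  TCP   60  52185→80 [RST, ACK] Seq=426 Ack=1 Win=0 Len=0
"""

LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+(?:TCP|HTTP)\s+\d+\s+(.*)$")
PORTS = re.compile(r"(\d+)\s*(?:→|->)\s*(\d+)\s+\[([^\]]+)\]")  # e.g. "80→52185 [SYN, ACK]"
KV = re.compile(r"\b(Seq|Ack|Len)=(\d+)")
RETRANS = re.compile(r"\[TCP (?:Spurious )?Retransmission\]|\[TCP Dup ACK")


@dataclass
class Side:
    next_seq: int = 0   # highest relative sequence number this side has put on the wire
    max_ack: int = 0    # highest Ack this side has sent, i.e. peer bytes it really received
    retrans: int = 0    # retransmissions / duplicate ACKs flagged by Wireshark
    rst: bool = False


def parse_capture(text):
    """{(client_ip, client_port, server_ip, server_port): {"c2s": Side, "s2c": Side}}"""
    flows = defaultdict(lambda: {"c2s": Side(), "s2c": Side()})
    for raw in text.splitlines():
        m = LINE.match(raw)
        p = PORTS.search(m.group(3)) if m else None
        if not p:
            continue  # HTTP-dissected frames show no ports/Seq/Len; later ACKs reveal the bytes
        src, dst, info = m.group(1), m.group(2), m.group(3)
        sport, dport, flags = int(p.group(1)), int(p.group(2)), p.group(3)
        kv = {k: int(v) for k, v in KV.findall(info)}
        if sport < dport:  # convention: the lower port belongs to the server
            key, direction = (dst, dport, src, sport), "s2c"
        else:
            key, direction = (src, sport, dst, dport), "c2s"
        side = flows[key][direction]
        # Wireshark prints relative numbers; a SYN consumes one sequence number.
        side.next_seq = max(side.next_seq, kv.get("Seq", 0) + kv.get("Len", 0) + int("SYN" in flags))
        side.max_ack = max(side.max_ack, kv.get("Ack", 0))
        side.retrans += int(bool(RETRANS.search(info)))
        side.rst = side.rst or "RST" in flags
    return dict(flows)


def diagnose(text):
    """One finding per flow: bytes each side sent that the peer never acknowledged."""
    findings = []
    for (cip, cport, sip, sport), sides in sorted(parse_capture(text).items()):
        c, s = sides["c2s"], sides["s2c"]
        unacked_c2s = max(0, c.next_seq - s.max_ack)  # client bytes the server never ACKed
        unacked_s2c = max(0, s.next_seq - c.max_ack)  # server bytes the client never ACKed
        if unacked_s2c and not unacked_c2s:
            verdict = "server->client segments leave the capture point but are never ACKed: loss toward the client"
        elif unacked_c2s and not unacked_s2c:
            verdict = "client->server segments are never ACKed: loss toward the server"
        elif unacked_c2s:
            verdict = "nothing is ACKed in either direction: dead path or blocked flow"
        else:
            verdict = "all data acknowledged in both directions"
        findings.append({
            "flow": f"{cip}:{cport} -> {sip}:{sport}",
            "unacked_c2s": unacked_c2s, "unacked_s2c": unacked_s2c,
            "retrans_c2s": c.retrans, "retrans_s2c": s.retrans,
            "client_reset": c.rst, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

    On this data the client's 425-byte GET is fully acknowledged by the server (Ack=426), while the server's 285-byte 302 response and the second flow's SYN-ACK are never acknowledged by the client, so the loss is in the server-to-client direction somewhere after the point where the capture was taken. The natural next check is a capture on the client's own VPN adapter with Wireshark's TCP checksum validation enabled: segments that appear in an upstream capture but never arrive at the client, or arrive with bad checksums, point at the path between the two capture points rather than at routing or firewall rules.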


  • @Damned:

    I went ahead an added a route on my local PC:

    
    route ADD 192.168.50.0 MASK 255.255.255.0 10.0.8.1 METRIC 20 IF 14
    
    

    The correct way is to add the subnet you want to reach over the VPN in the VPN server settings at "IPv4 Local network(s)". It will then be pushed to the client when the VPN connection is established.

    @Damned:

    EDIT:
    Found a packet capture utility under Diagnostics (very cool!)
    Downloaded it and exported the following from Wireshark:

    
          [packet capture quoted in full above]
    

    Does this tell anyone anything?

    On which interface was this taken? On pfSense2, take a packet capture on the WAN interface.

    Is pfSense 1 the upstream gateway of pfSense 2, or is there another way to the internet?



  • @viragomann:

    On which interface was this taken? On pfSense2, take a packet capture on the WAN interface.

    Is pfSense 1 the upstream gateway of pfSense 2, or is there another way to the internet?

    This is from pfSense2 (192.168.30.105) on the WAN interface with a filter for host address 192.168.50.100.

    I think pfSense#1 is the upstream gateway of pfSense2, yes. I'm not familiar with the term.

    Basically it goes:

    Internet -> Router#1 ->(DMZ)pfSense#1 -> pfSense#2

    EDIT: Corrected wrongly typed IP for pfsense#2



  • @Damned:

    @viragomann:

    On which interface was this taken? On pfSense2, take a packet capture on the WAN interface.

    Is pfSense 1 the upstream gateway of pfSense 2, or is there another way to the internet?

    This is from pfSense2 (192.168.30.105) on the WAN interface with a filter for host address 192.168.50.100.

    I think pfSense#1 is the upstream gateway of pfSense2, yes. I'm not familiar with the term.

    So you should also see this if you take a packet capture on pfSense 1 on DMZ and OpenVPN, right?



  • @viragomann:

    @Damned:

    @viragomann:

    On which interface was this taken? On pfSense2, take a packet capture on the WAN interface.

    Is pfSense 1 the upstream gateway of pfSense 2, or is there another way to the internet?

    This is from pfSense2 (192.168.30.105) on the WAN interface with a filter for host address 192.168.50.100.

    I think pfSense#1 is the upstream gateway of pfSense2, yes. I'm not familiar with the term.

    So you should also see this if you take a packet capture on pfSense 1 on DMZ and OpenVPN, right?

    Yes, I should. The capture is from the WAN side of pfSense2.

    It has interfaces:

    
     WAN		manual	192.168.30.105
     LAN		manual	192.168.40.1
     OPT1		manual	192.168.50.1
    
    

    And pfsense1 looks like:

    
     WAN     1000baseT <full-duplex>                               192.168.1.2
     LAN     100baseTX <full-duplex>                               192.168.20.1
     OPT1    1000baseT <full-duplex,flowcontrol,rxpause,txpause>   192.168.30.1
    

    EDIT:
    The packet capture looks exactly the same when run on pfSense#1 (192.168.30.1) on the OpenVPN interface.

    EDIT#2:

    I'm starting to believe it is either a pfSense2 issue, or a XenServer issue.

    In XenServer I've simply created 2 VLANs, 1 and 2.

    My previous statement that the VMs under pfSense2 have internet access only seems to be half true.
    Pinging works fine. I get decent latency, I think ~10ms to hosts in my country and ~150ms to pfsense.org, with no packet loss.

    Tried accessing a host over SSH. I can see in the host's auth.log that I'm trying to connect; then my SSH client on my PC just disconnects. Something about a socket, afraid I can't remember the exact message.

    However, when I tried a wget, it got stuck waiting for the HTTP response. I had to cancel it.
    Tried a netinstall of Debian; it took forever. Eventually it said it could not reach the mirror.

    Went ahead and did a netinstall on the same network as the XenServer host (pfSense1): no issues at all. wget works fine, getting 27MB/s.

    Guess I'll have to search around for XenServer VLAN performance a bit…

    EDIT#3:
    Well this looks like it!
    https://forum.pfsense.org/index.php?topic=85797.0

    I'll give it a try next time I can.

