First OpenVPN Setup - Can Get Connected But No Traffic to LAN
-
Hello all,
I'm attempting to set up my first OpenVPN server on pfSense to allow "road warriors" to connect to our office network. Currently I am using a test environment using our office LAN as the "WAN" on pfSense.
I followed the OpenVPN guide from the docs/Wiki (https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server). I installed OpenVPN using the Client Export Windows Installers package. Here are my network details:
"WAN" Network (really my office LAN): 192.168.1.0/24
OpenVPN Tunnel Network: 10.255.255.0/24
OpenVPN Local Network: 10.0.0.0/24

Using a PC on my office LAN (IP 192.168.1.50), I can successfully connect the OpenVPN Client and it says I have a virtual IP address of 10.255.255.2. I am able to access the pfSense login page by going to 10.255.255.1 in a web browser. When I attempt to access an IP camera at 10.0.0.101, the page times out (Chrome gives a "The connection was reset." error). I suspect it is related to firewall configuration, but I am not seeing any blocked entries in the log so I'm not positive.
I used the default firewall rules created by the OpenVPN wizard (allow from any to WAN address port 1194 under the WAN Firewall Rules, and allow to/from any on the OpenVPN Firewall Rules).
I do have 2 IPSec VPNs enabled for site-to-site VPNs along with a firewall rule under the IPSec Rules to allow from any to 10.0.0.101. During my testing of the OpenVPN, the IPSec VPNs have remained disconnected. Not sure if that would affect anything but just wanted to throw it out there just in case.
-
Is the pfSense LAN address set as default gateway at the hosts you want to reach, the cam here?
-
Yep, the cam is set to be configured via DHCP, and has the following info:
IP: 10.0.0.101
Subnet: 255.255.255.0
GW: 10.0.0.1

I have also attempted to ping the pfSense at 10.0.0.1 with no success. Ping 10.255.255.1 does work fine though.
-
The ping to the LAN address could only be prohibited by a firewall rule.
If your rule at the OpenVPN interface is okay, as you say, check the route at the client side (route print) and post the output, please.
Consider that OpenSSL must be run with admin privileges at the client host to get the route set.
-
Yes, sounds like your office computer did not run the OpenVPN client software with admin rights.
Also, the .255 namespace can be funny on some networks. Safer to use .254 (for you, that would be 10.254.254.0/24)
-
That was it - changing it to 10.254.254.0/24 worked!
Thank you all!
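The two checks suggested in the thread, that the client actually received a route for the OpenVPN "Local Network" and that the three networks involved do not overlap, as an added diagnostic script (not from the original posts or from pfSense). The `route print` text below is a constructed sample of a Windows client's IPv4 route table after a successful connection; the network values are the ones from this thread.

```python
import ipaddress

# Constructed sample of the IPv4 section of Windows `route print` output
# on the client after OpenVPN has added the pushed route to 10.0.0.0/24.
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0    255.255.255.0     10.254.254.1     10.254.254.2    281
     10.254.254.0    255.255.255.0          On-link     10.254.254.2    281
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
===========================================================================
"""


def parse_route_print(text):
    """Return (destination_network, gateway, interface_ip) tuples for every
    data row in the Active Routes table; header and separator lines are
    skipped because they do not parse as 'destination/netmask' pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            iface = ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        routes.append((net, parts[2], iface))
    return routes


def route_to_lan(routes, lan_cidr, tunnel_cidr):
    """True if some route covers the remote LAN and leaves via an interface
    address inside the tunnel network, i.e. OpenVPN managed to install the
    pushed route (it cannot without admin rights on Windows)."""
    lan = ipaddress.ip_network(lan_cidr)
    tunnel = ipaddress.ip_network(tunnel_cidr)
    return any(lan.subnet_of(net) and iface in tunnel for net, _, iface in routes)


def overlapping(*cidrs):
    """Return every pair of the given networks that overlap; an overlap
    between tunnel, remote LAN and client LAN makes the client prefer a
    directly connected route and traffic never enters the VPN."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]
```

Run `route print` on the connected client, paste the output into `parse_route_print`, and call `route_to_lan` with the Local Network and Tunnel Network from the pfSense OpenVPN server settings; a `False` result means the route was never installed and the LAN side cannot be reached regardless of firewall rules.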