
Author Topic: OpenVPN: connecting to LAN subnet  (Read 3356 times)


Offline KM

OpenVPN: connecting to LAN subnet
« on: July 04, 2012, 04:33:01 pm »
Hey Folks,

I have built an ESXi box and am running pfSense as a virtual machine (among others). I followed many guides on setting up OpenVPN and I can connect remotely. However, I cannot reach any LAN resources other than the pfSense router itself. The LAN is on the 10.0.0.0/24 subnet and the OpenVPN connections are on the 10.0.10.0/24 subnet. From a remotely connected client I can ping 10.0.0.1 (pfSense) with an IP of 10.0.10.6 but I can't ping any of my other servers on the 10.0.0.0 subnet.

Is there anything I should check?
Thanks.

Offline Nachtfalke

Re: OpenVPN: connecting to LAN subnet
« Reply #1 on: July 04, 2012, 04:36:19 pm »
The OpenVPN server needs to push the route of the LAN subnet to the client.

Code:
push "route 10.0.0.0 255.255.255.0";
The firewall rule on the OpenVPN tab must be set up correctly.

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #2 on: July 04, 2012, 05:04:52 pm »
I have the push "route 10.0.0.0 255.255.255.0" created on the server, although I think this is already created through the wizard. There is also a pass firewall rule under the OpenVPN tab, which was also created with the wizard.

Actually, when I connect the remote client without the "push route...." there are no errors on the OpenVPN client dialog, but when I add it, it says "route addition failed... : the object already exists" and connects successfully. This is why I assumed that pfSense created that route automatically.

Offline Nachtfalke

Re: OpenVPN: connecting to LAN subnet
« Reply #3 on: July 04, 2012, 05:20:12 pm »
Didn't use the wizard for that so I had to manually add these routes in my environment.
If the route exists and the firewall rule allows the traffic then there is another problem.

Check the firewall on the destination host on LAN subnet - better disable the firewall for testing.

Do you run the OpenVPN client on a Windows 7 machine? If yes - run it "As administrator". But you probably did that because it added the route.

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #4 on: July 04, 2012, 05:22:52 pm »
Here is a copy of my route table. I'm not sure if this is right or not.

IPv4
Destination        Gateway        Netif
default            142.177.*.*    em0
10.0.0.0/24        link#2         em1
10.0.0.1           link#2         lo0
10.0.10.0/24       10.0.10.2      ovpns1
10.0.10.1          link#8         lo0
10.0.10.2          link#8         ovpns1
127.0.0.1          link#4         lo0
142.177.*.*/22     link#1         em0
142.177.*.*        link#1         lo0
« Last Edit: July 04, 2012, 05:31:50 pm by KM »

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #5 on: July 04, 2012, 06:46:37 pm »
While playing around I found something interesting. As I mentioned, pfSense is running as a VM inside an ESXi host. From the VPN connected computer (10.0.10.6) I can ping 10.0.0.1 which is pfSense, but I can also ping 10.0.0.2, which is the ESXi host, but none of the machines past that. I just thought this was odd.

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #6 on: July 04, 2012, 07:06:37 pm »
Some more interesting things:
On a hunch I decided to add a route from one of the devices on the 10.0.0.0 subnet to the 10.0.10.0 subnet to see if that would help. Previously a ping from 10.0.10.6 to 10.0.0.5 (for example) resulted in a request timeout and a ping from 10.0.0.9 to 10.0.10.6 resulted in a destination unreachable reply.

So, on my 10.0.0.9 machine I opened a command prompt with the following command: route ADD 10.0.10.0 MASK 255.255.255.0 10.0.0.1 METRIC 266
To my surprise this allowed pings to pass both ways. I'll keep you updated, but I'm not really sure why this would make a difference given the routes already present on the machines.

Offline marvosa

Re: OpenVPN: connecting to LAN subnet
« Reply #7 on: July 05, 2012, 12:47:34 am »
Post server config and post client routing table once connected.

A screen shot of the firewall rule from openvpn tab would also be helpful.
« Last Edit: July 05, 2012, 12:52:55 am by marvosa »

Offline Nachtfalke

Re: OpenVPN: connecting to LAN subnet
« Reply #8 on: July 05, 2012, 05:42:26 am »
@KM:
As marvosa said, please post the client routing table. On Windows you can find this with "netstat -rn"

Offline Metu69salemi

Re: OpenVPN: connecting to LAN subnet
« Reply #9 on: July 05, 2012, 06:11:54 am »
or with
Code:
route print

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #10 on: July 05, 2012, 08:42:24 am »
This is after a reboot of the machine. The route is gone because I didn't add it as persistent. The default gateway is set as 10.0.0.1 on this machine in the adapter config settings.

>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.9    266
         10.0.0.0        255.0.0.0         On-link          10.0.0.9    266
         10.0.0.9  255.255.255.255         On-link          10.0.0.9    266
   10.255.255.255  255.255.255.255         On-link          10.0.0.9    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.0.9    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.0.9    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.0.0.1  Default
===========================================================================

Offline KM

Re: OpenVPN: connecting to LAN subnet
« Reply #11 on: July 05, 2012, 08:47:10 am »
This is after OpenVPN client is connected:


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.9    266
         10.0.0.0        255.0.0.0         On-link          10.0.0.9    266
         10.0.0.0    255.255.255.0        10.0.10.5        10.0.10.6     30
         10.0.0.9  255.255.255.255         On-link          10.0.0.9    266
        10.0.10.1  255.255.255.255        10.0.10.5        10.0.10.6     30
        10.0.10.4  255.255.255.252         On-link         10.0.10.6    286
        10.0.10.6  255.255.255.255         On-link         10.0.10.6    286
        10.0.10.7  255.255.255.255         On-link         10.0.10.6    286
   10.255.255.255  255.255.255.255         On-link          10.0.0.9    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.10.6    286
        224.0.0.0        240.0.0.0         On-link          10.0.0.9    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.10.6    286
  255.255.255.255  255.255.255.255         On-link          10.0.0.9    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.0.0.1  Default
===========================================================================

Offline marvosa

Re: OpenVPN: connecting to LAN subnet
« Reply #12 on: July 06, 2012, 08:18:49 am »
Please post your tunnel settings.  Are you routed or bridged?

Offline phil.davis

Re: OpenVPN: connecting to LAN subnet
« Reply #13 on: July 06, 2012, 09:45:34 am »
This line looks like a problem:
Code:
10.0.0.0        255.0.0.0         On-link          10.0.0.9    266
Your 10.0.0.9 interface (on your server, if I understood the descriptions correctly) is thinking that it is sitting on a 10.0.0.0/8 network. So when it replies to any 10.n.n.n addresses, it will think it can reach them directly on its local LAN. It should be in the 10.0.0.0/24 network. Then it will send packets for 10.0.10.0/24 network addresses to the router.
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
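
The diagnosis in the last reply can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses `route print` rows and applies longest-prefix matching to show where the LAN host sends its reply to the VPN client 10.0.10.6. `THREAD_TABLE` uses rows copied from the thread; `FIXED_TABLE` is a constructed table that assumes the adapter mask has been changed to 255.255.255.0.

```python
import ipaddress

# Rows copied from the LAN host's `route print` output in the thread.
THREAD_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.9    266
         10.0.0.0        255.0.0.0         On-link          10.0.0.9    266
         10.0.0.9  255.255.255.255         On-link          10.0.0.9    266
"""

# Constructed (assumption): the same host with its mask set to /24.
FIXED_TABLE = THREAD_TABLE.replace("255.0.0.0", "255.255.255.0")


def parse_routes(text):
    """Return (network, gateway, interface, metric) for each active-route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or persistent-route row
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not an address row
    return routes


def next_hop(routes, dst):
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1]


if __name__ == "__main__":
    for name, table in (("thread", THREAD_TABLE), ("fixed", FIXED_TABLE)):
        hop = next_hop(parse_routes(table), "10.0.10.6")
        print(f"{name}: reply to 10.0.10.6 goes via {hop}")
```

With the /8 mask the reply is treated as on-link, so the host tries to reach 10.0.10.6 directly on the LAN and the packet never reaches pfSense; with the /24 mask it falls through to the default gateway 10.0.0.1.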