
Author Topic: OpenVPN cannot browse lan  (Read 2261 times)


mewhalen
OpenVPN cannot browse lan
« on: October 02, 2012, 01:16:55 pm »
I configured what I believe to be a correct VPN solution.  The client connects fine, however from my client I cannot ping or browse my LAN.  Here is my client config:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194   
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca nvc_ca.crt
cert NVC.crt
key NVC.key
comp-lzo
pull
verb 3

Server config:
Remote access SSL/TLS
UDP
tun
wan
1194
Cryptographic Settings_____________
nvc_ca
nvc
1024
BF-CBC (128)
no hardware crypto
One(client+server)
Tunnel Settings_________________
tunnel 10.0.8.0/24
Bridge(none)
local 10.0.0.0/8
Compress tunnel packets using the LZO algorithm.
Client Settings_____________
Provide a virtual adapter IP address to clients (see Tunnel Network)

Any guidance would be greatly appreciated.

Eric

Nachtfalke
Re: OpenVPN cannot browse lan
« Reply #1 on: October 02, 2012, 01:24:36 pm »
You must set the correct firewall rules for your client on the FIREWALL -> OpenVPN tab.
Best way: create one "allow any to any" rule in the firewall.

Your hosts on the LAN behind pfsense must allow traffic (firewall) from the OpenVPN network.
Best way: Disable firewall on the destination host for testing.
Test if you can do RDP if ping does not work.

mewhalen
Re: OpenVPN cannot browse lan
« Reply #2 on: October 02, 2012, 02:45:50 pm »
I confirmed my firewall rules:
OpenVPN Interface
Action - pass
disabled - false
interface - openvpn
protocol - any
source - any
destination - any

WAN interface (Static2)
action - pass
disabled - false
interface - Static2
protocol - udp
source - any
destination - any
destination port - 1194

I can ping the pfSense box from the client, but I cannot ping or browse the LAN.

Thanks.

johnpoz
Re: OpenVPN cannot browse lan
« Reply #3 on: October 02, 2012, 03:12:19 pm »
And where do you push the route to your LAN?  And your tunnel is part of your LAN network. Why in the world would you set your LAN to 10.0.0.0/8?  Or, in your client, tell it the default route is down the tunnel:

redirect-gateway def1

Here is the config from my server, from /var/etc/openvpn/server1.conf:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.13.xx.xx
tls-server
server 10.0.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 443
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option NTP 192.168.1.40"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float

Only thing that needs to be hidden is my public IP there.

Here is the client:
dev tun
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 24.13.xx.xx 443
#tls-remote pfsense-openvpn
pkcs12 pfsense-TCP-443.p12
tls-auth pfsense-TCP-443-tls.key 1
remote-cert-tls server
comp-lzo
verb 3

Notice in the server where I push the route.

I can access anything on my LAN without any issues, and can even resolve hosts by name because I push my local DNS to my clients.

D:\>ping i5-w7.local.lan

Pinging i5-w7.local.lan [192.168.1.100] with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=127ms TTL=127
Reply from 192.168.1.100: bytes=32 time=118ms TTL=127

I use TCP 443 because UDP 1194 is rarely open outbound at a remote location, and if there is internet, 443 is going to be open.  I also bounce this access off my HTTP proxy at work, because they don't allow direct internet access.
« Last Edit: October 02, 2012, 03:16:19 pm by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

marvosa
Re: OpenVPN cannot browse lan
« Reply #4 on: October 02, 2012, 10:45:51 pm »
Here's one issue:

Quote:
Tunnel Settings_________________
tunnel 10.0.8.0/24
Bridge(none)
local 10.0.0.0/8
Compress tunnel packets using the LZO algorithm.

Your tunnel needs to be outside of your LAN.
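The two points raised in this thread, that the server must push a route to the LAN (johnpoz's reply #3) and that the tunnel network must not overlap the LAN (reply #3 and marvosa's reply #4), can be checked mechanically before a client ever connects. The script below is an added example written for this page, not code from any poster or from pfSense; it uses only the Python standard library and the network values already quoted in the thread, and it assumes that LAN hosts use the pfSense box as their default gateway and that the first client lands on the .6 address of the tunnel network (OpenVPN's default net30 layout):

```python
import ipaddress

# Constructed sample values copied from the thread: the original poster's
# tunnel network and "Local network" field, and johnpoz's working pair.
POSTER_TUNNEL = "10.0.8.0/24"
POSTER_LOCAL = ["10.0.0.0/8"]
WORKING_TUNNEL = "10.0.200.0/24"
WORKING_LOCAL = ["192.168.1.0/24"]


def find_overlaps(tunnel_cidr, local_cidrs):
    """Return the local networks that overlap the tunnel network (empty = OK)."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    return [
        str(ipaddress.ip_network(c, strict=False))
        for c in local_cidrs
        if tunnel.overlaps(ipaddress.ip_network(c, strict=False))
    ]


def push_route_lines(local_cidrs):
    """Server-side route pushes for each local network, in server.conf syntax.

    pfSense derives these from the "Local network" field; without a pushed
    route the client has no path to the LAN even though the tunnel is up.
    """
    lines = []
    for c in local_cidrs:
        net = ipaddress.ip_network(c, strict=False)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def lan_host_reply_path(client_tunnel_ip, lan_cidr):
    """How a LAN host sends its reply to a VPN client at client_tunnel_ip.

    Assumes (hypothetical topology) that the host uses pfSense as its default
    gateway. A destination inside the host's own subnet is resolved with ARP on
    the wire, where no tunnel client ever answers, so the reply is lost and the
    client sees no ping response even though its packet reached the LAN.
    """
    ip = ipaddress.ip_address(client_tunnel_ip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return "on-link (ARP, unanswered)" if ip in lan else "via default gateway"


def diagnose(tunnel_cidr, local_cidrs):
    """Collect human-readable findings for one server configuration."""
    findings = []
    # Assumed: first client gets the .6 address (OpenVPN net30 default).
    first_client = str(ipaddress.ip_network(tunnel_cidr, strict=False)[6])
    for local in find_overlaps(tunnel_cidr, local_cidrs):
        findings.append(
            f"tunnel {tunnel_cidr} overlaps local network {local}: hosts there "
            f"treat client {first_client} as {lan_host_reply_path(first_client, local)} "
            "instead of routing back through pfSense; pick a tunnel network "
            "outside every LAN"
        )
    if not findings:
        findings.append(
            "tunnel and local networks are disjoint; server should push: "
            + "; ".join(push_route_lines(local_cidrs))
        )
    return findings


if __name__ == "__main__":
    for label, tunnel, local in (("poster", POSTER_TUNNEL, POSTER_LOCAL),
                                 ("johnpoz", WORKING_TUNNEL, WORKING_LOCAL)):
        print(f"[{label}]")
        for line in diagnose(tunnel, local):
            print("  " + line)
```

Run against the poster's values it reports the overlap and explains why the LAN hosts' replies never come back; run against johnpoz's values it reports a clean configuration and prints the same `push "route 192.168.1.0 255.255.255.0"` line that appears in his server1.conf.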