OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: MrCCL on July 29, 2016, 10:03:12 pm

Title: OpenVPN: VPN clients no access to LAN network
Post by: MrCCL on July 29, 2016, 10:03:12 pm
I've followed the guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html) "Setup SSL VPN Road Warrior" but my VPN client doesn't have access to the LAN network.
Well, it does have access to the router's LAN interface, which is on the LAN network of course.

I did have the exact same problem using OpenVPN on OpenWRT...to make it work I had to create a so called "Source NAT" rule.
Do I need something similar in OPNsense?

Can someone confirm that using the above guide will work in regards to access to the LAN network or do I need some additional configuration? I'm surprised to see the guide does not enable "topology subnet"...I thought that was necessary to get LAN network access.

The VPN client does get a route to the LAN network from the VPN server.
 
Route table from VPN client (Win 7):
Code:
Network Destination        Netmask          Gateway       Interface  Metric
         10.0.0.0    255.255.255.0      192.168.2.1      192.168.2.2     20
         10.0.1.0    255.255.255.0         On-link          10.0.1.2    266
         10.0.1.2  255.255.255.255         On-link          10.0.1.2    266
       10.0.1.255  255.255.255.255         On-link          10.0.1.2    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
      192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
    192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.1.2    266
        224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.1.2    266
  255.255.255.255  255.255.255.255         On-link       192.168.2.2    276

My networks:
Code:
Local LAN network:    10.0.0.0/24       (router's LAN 10.0.0.15)
VPN network:          192.168.2.0/24    (router's TUN 192.168.2.1 / VPN client 192.168.2.2)
WAN network:          10.0.1.0/24       (router's WAN 10.0.1.1 / VPN client 10.0.1.2)
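As an added triage script (not part of the original post), run on the VPN client once the tunnel is up, the following checks exactly what the route table above suggests: whether the LAN network is routed via the tunnel gateway, and whether the router's LAN interface answers while a LAN host does not. The router addresses are the ones given in the post; the LAN host 10.0.0.50 is a made-up target. It uses only route.exe and Test-Connection, so it works on Windows 7.

```powershell
# Added example, not from the forum thread. Addresses below come from the
# post except $LanHost, which is a hypothetical LAN machine to reach.
$RouterLan = '10.0.0.15'     # OPNsense LAN address (from the post)
$RouterTun = '192.168.2.1'   # OPNsense tunnel address (from the post)
$LanHost   = '10.0.0.50'     # hypothetical LAN host
$LanNet    = '10.0.0.0'      # LAN network the server pushes as a route

# 1. Does the client hold a route for the LAN network via the tunnel gateway?
$routeLine = route print -4 | Select-String -Pattern "^\s*$([regex]::Escape($LanNet))\s"
if (-not $routeLine) {
    Write-Warning "No route for $LanNet - check the server's 'Local Network' setting."
} elseif ($routeLine -notmatch [regex]::Escape($RouterTun)) {
    Write-Warning "Route for $LanNet exists but does not use $RouterTun as gateway:`n$routeLine"
} else {
    Write-Host "OK: $LanNet is routed via $RouterTun"
}

# 2. Reachability ladder: tunnel end, router LAN interface, LAN host.
$probe = [ordered]@{
    'router tunnel IP' = $RouterTun
    'router LAN IP'    = $RouterLan
    'LAN host'         = $LanHost
}
$result = @{}
foreach ($k in $probe.Keys) {
    $result[$k] = Test-Connection -ComputerName $probe[$k] -Count 2 -Quiet
    $state = if ($result[$k]) { 'reply' } else { 'no reply' }
    Write-Host ("{0,-18} {1,-14} {2}" -f $k, $probe[$k], $state)
}

# 3. Interpretation: the router answers on its LAN interface but the host does
#    not, so routing and OpenVPN are fine. Suspect the host's own firewall
#    (rules scoped to 'LocalSubnet' do not match 192.168.2.x) before adding NAT.
if ($result['router LAN IP'] -and -not $result['LAN host']) {
    Write-Host "Routing OK; check the host firewall scope on $LanHost for the VPN subnet."
}
```

The ladder matters because each rung isolates a layer: no reply from the tunnel IP points at OpenVPN itself, no reply from the router's LAN IP points at routing or OPNsense firewall rules, and no reply only from the LAN host points at that host.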
Title: Re: OpenVPN: VPN clients no access to LAN network
Post by: MrCCL on July 30, 2016, 08:44:57 am
One solution seems to be to create an outbound NAT rule...see attachment.

But I have some strange behaviour in regards to pinging from both sides.
If I first ping from VPN client to a host on LAN network (it works), then I cannot ping from LAN network to VPN client. Only if I wait some time.
And when I ping from LAN to VPN (and it works), then I cannot ping from VPN to LAN, until I wait some time.
But no matter what, I can access the network share on the LAN network from VPN all the time.
How can I optimize this?
Title: Re: OpenVPN: VPN clients no access to LAN network
Post by: joer on August 10, 2016, 02:38:26 pm
This sounds a bit similar to the issue I'm having, though I'm trying to do a site-site connection.  Client-side the network can see and ping everything server side, but server side can't see or ping anything client side.

The weird thing is that I can't even ping the virtual/tunnel addresses from the server side.  Ill stick it on its own thread, but I'll also keep watching yours!
Title: Re: OpenVPN: VPN clients no access to LAN network
Post by: MrCCL on August 19, 2016, 09:52:30 am
Okay....sometimes it helps to think "out-of-box" and use what's left of your brain!
Everything works perfectly out-of-the-box....why I had problems was because I forgot I only allowed my local LAN client to answer ping and SMB-share packets from the local subnet in the Windows firewall.
And when I ping from the VPN client, which is located on another subnet, it didn't get any reply.

Dammit! I wasted a lot of time because I thought it was related to the OpenVPN configuration :-(
Forget everything I wrote in this thread :-P
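The root cause in the last post is a Windows Firewall rule scope of "Local subnet", which does not match traffic arriving from the 192.168.2.0/24 tunnel. As an added example (not from the thread or from OPNsense), the following script, run elevated on the LAN host, lists the inbound echo-request and SMB rules with their current remote-address scope and widens it to the VPN subnet only, rather than to Any. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and the tunnel subnet from the post.

```powershell
# Added example, not from the forum thread. Assumes the NetSecurity module
# (Windows 8+), an elevated shell, and the VPN subnet given in the post.
$VpnSubnet = '192.168.2.0/24'

# Inbound rules in the "File and Printer Sharing" group that carry ICMPv4
# echo requests or SMB (TCP/445): the two things the poster could not reach.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'ICMPv4') -or ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -eq 445)
    }

# Show the current remote-address scope per rule; 'LocalSubnet' here is
# exactly the restriction that dropped the VPN client's packets.
$rules | ForEach-Object {
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name    = $_.DisplayName
        Enabled = $_.Enabled
        Profile = $_.Profile
        Remote  = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# Widen the scope: keep what is there and add only the VPN subnet.
foreach ($r in $rules) {
    $current = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($current -contains 'Any') { continue }          # already unrestricted
    if ($current -notcontains $VpnSubnet) {
        $r | Set-NetFirewallRule -RemoteAddress ($current + $VpnSubnet)
    }
}
```

On Windows 7, which lacks these cmdlets, the same change is the Scope tab of the rule in "Windows Firewall with Advanced Security", or `netsh advfirewall firewall set rule name="<rule name>" new remoteip=localsubnet,192.168.2.0/24`. Keeping the scope to the tunnel subnet instead of Any preserves the original intent of the rule: only hosts that were admitted through OpenVPN can reach ping and SMB on this machine.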