OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: BlackDex on September 08, 2016, 02:19:11 pm

Title: OpenVPN and access to LAN
Post by: BlackDex on September 08, 2016, 02:19:11 pm
Hello there,

I'm trying to set up an OpenVPN server with OPNsense.
While that seems to work (I can connect, etc.), I have trouble reaching the network on the LAN port.

OPNsense is running on qemu/kvm with bridged interfaces. One interface is connected to the public internet (WAN), and the other is connected to the LAN network on the host.

Host: Ubuntu (14.04) with KVM/QEMU
 - br0: WAN public internet
 - br3: LAN - 172.18.10.10

Guest: OPNsense 16.7.3
 - WAN: bridged on br0
 - LAN: bridged on br3 - 172.18.10.11
 - VPN: 10.220.0.0/27

WAN is working. I can connect to the VPN from the outside world, no problem. If I allow ICMP on the WAN, I can ping the WAN.

During the VPN connection I'm able to ping the static LAN IP on the OPNsense system, which is 172.18.10.11.
If I try to ping 172.18.10.10, which is connected to the hypervisor, I get no response. That is the same for other systems on that same network 172.18.10.x.

I know that this is because the requests go to the 172.18.10.x network from the VPN network and the host on 172.18.10.10 doesn't know how to return the packet.

So, I created a NAT rule for outbound.
This has the following settings.
Interface: LAN
Source: 10.220.0.0/27
NAT Address: interface address

After applying this rule I'm able to ping that host! BUT, when I try to SSH to it, it doesn't work.
What am I doing wrong?

What I want is to have an OpenVPN connection so that I can reach the local LAN from outside.

Thx in advance.

BlackDex.
Title: Re: OpenVPN and access to LAN
Post by: djGrrr on September 10, 2016, 03:28:44 pm
Do you have a firewall rule allowing traffic from your VPN range on the OpenVPN rules tab?
Title: Re: OpenVPN and access to LAN
Post by: Zeitkind on September 11, 2016, 03:07:23 am
Does your VPN client know the route to the remote LAN? If it is not set to route all traffic through the VPN, you must push the route via the server and use dev tun.
See https://openvpn.net/index.php/open-source/documentation/howto.html#scope
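
The routing questions raised in this thread, modelled as an added example that is not part of any post: a longest-prefix lookup shows where the LAN host sends its reply with and without the outbound NAT rule, and whether the client sends LAN traffic into the tunnel. The /24 LAN mask, the host's default route via br0, the client address 10.220.0.2, the interface labels and all function names are assumptions; the static-route case goes beyond what the thread tried.

```python
import ipaddress as ip

# Constructed model of the thread's topology. The /24 mask and the host's
# default route via br0 are assumptions; the thread states neither.
VPN_NET = ip.ip_network("10.220.0.0/27")
LAN_NET = ip.ip_network("172.18.10.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")
OPNSENSE_LAN = ip.ip_address("172.18.10.11")
LAN_HOST = ip.ip_address("172.18.10.10")
VPN_CLIENT = ip.ip_address("10.220.0.2")  # constructed client address

HOST_ROUTES = [(LAN_NET, "br3 on-link"), (DEFAULT, "br0 default")]
STATIC_ROUTE = (VPN_NET, f"via {OPNSENSE_LAN}")  # alternative to NAT


def lookup(routes, dst):
    """Longest-prefix match: return the next-hop label for dst, or None."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_after_nat(src, outbound_nat):
    """Outbound NAT on LAN rewrites VPN sources to the LAN interface address."""
    return OPNSENSE_LAN if outbound_nat and src in VPN_NET else src


def reply_reaches_opnsense(host_routes, outbound_nat):
    """True if the LAN host's reply is sent back towards OPNsense."""
    seen_src = source_after_nat(VPN_CLIENT, outbound_nat)
    return lookup(host_routes, seen_src) in ("br3 on-link", f"via {OPNSENSE_LAN}")


def client_next_hop(pushed_route):
    """Where the VPN client sends traffic for the LAN host."""
    routes = [(VPN_NET, "tun0"), (DEFAULT, "client default gw")]
    if pushed_route:
        routes.append((LAN_NET, "tun0"))  # what a pushed LAN route installs
    return lookup(routes, LAN_HOST)


if __name__ == "__main__":
    print("no NAT, no route :", reply_reaches_opnsense(HOST_ROUTES, False))
    print("outbound NAT     :", reply_reaches_opnsense(HOST_ROUTES, True))
    print("static route     :", reply_reaches_opnsense(HOST_ROUTES + [STATIC_ROUTE], False))
    print("client, no push  :", client_next_hop(False))
    print("client, pushed   :", client_next_hop(True))
```

The model covers only the routing decision per hop; firewall rules on the OpenVPN tab, as asked about in the first reply, are a separate check.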