OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: nle on March 28, 2018, 08:43:34 pm

Title: [Solved] OpenVPN problem (can only ping some devices on LAN)
Post by: nle on March 28, 2018, 08:43:34 pm
Hi, I'm new here and to OPNsense. I have OPNsense installed on a Dell R210 II and am trying to set up an OpenVPN server, but am facing some issues.

Problem:
I can only ping some of my LAN devices from my VPN client.

- I can connect fine to the VPN from outside, but I can only ping 10.0.0.1 (OPNsense), 10.0.0.2 (router 1) and 10.0.0.3 (router 3). I cannot ping e.g. VMs that are located on 10.0.0.5X (static IPs) or e.g. my laptop 10.0.0.110 (DHCP)
- But since I can ping 10.0.0.2 and 10.0.0.3 shouldn't I be able to ping all other devices as well?
- From OPNsense cli I can ping all devices, both the VPN client and all local devices.
- I've read around and tested quite a bit of configuration changes, but I can't seem to figure this out.

Setup/Facts:
- OPNsense 18.1.5-amd64
- LAN ports 1 to 3 bridged as the LAN interface (i.e. a switch)
- 1 x port WAN
- 2 x old routers as switches (connected to two of the three LAN ports mentioned above. Both running Tomato firmware with DNS server off and static IP set) [not gotten around to buying a proper switch]

Network:
- Opnsense IP: 10.0.0.1/16
- VPN network: 10.0.8.0/24
- OpenVPN default firewall rule is enabled

Code: (OpenVPN server config)
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
local <removed public ip>
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/2
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server2'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls '<removed>' 1"
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 5
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option DNS 10.0.0.1"
duplicate-cn
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /usr/local/etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float

Any input on this would be appreciated!

EDIT:
Code: (Output from nmap on VPN client)
nmap -sP 10.0.0.0/16

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-28 22:06 CEST
Nmap scan report for 10.0.0.1
Host is up (0.11s latency).
Nmap scan report for 10.0.0.2
Host is up (0.048s latency).
Nmap scan report for 10.0.0.3
Host is up (0.040s latency).
Nmap scan report for 10.0.8.1
Host is up (0.045s latency).
Nmap scan report for 10.0.8.6
Host is up (0.094s latency).

Title: Re: OpenVPN problem (can only ping some devices on LAN)
Post by: kanstin on March 29, 2018, 02:02:30 am
My guess is you need to add a firewall rule for your openvpn interface to allow traffic through.

Wait, I see now that you have a firewall rule.

When you say your OPNsense IP is 10.0.0.1/16, is the 16 the netmask? Because that network would overlap 10.0.8.0/24.
Title: Re: OpenVPN problem (can only ping some devices on LAN)
Post by: elektroinside on March 29, 2018, 07:00:32 am
Yep, agree, you should definitely not overlap the two networks. Why not assign something like 10.10.0.0/24 for the OpenVPN network? Also make sure the local firewalls of your LAN clients allow ping requests coming from other subnets.
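Added example (not from the thread and not OPNsense or OpenVPN code): a small Python check, using only the standard library's ipaddress module and the addresses quoted in this thread, that shows the overlap kanstin and elektroinside point to and what it does to a LAN host's reply path. A host whose connected subnet is 10.0.0.0/16 treats any 10.0.8.x address as on-link, so it ARPs for the VPN client on the LAN instead of sending the reply to OPNsense, and the ping never comes back. The function names, the 10.0.0.110/16 host interface and the candidate list are assumptions for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values from the thread (constructed test input for this example).
LAN = "10.0.0.0/16"          # OPNsense LAN: 10.0.0.1/16
VPN_ORIGINAL = "10.0.8.0/24" # tunnel network that did not work
VPN_FIXED = "10.10.0.0/24"   # tunnel network that solved it
GATEWAY = "10.0.0.1"


def parse_push_route(line: str):
    """Turn an OpenVPN 'route NET MASK' directive into an ip_network."""
    parts = line.strip().strip('"').split()
    if len(parts) != 3 or parts[0] != "route":
        raise ValueError(f"not a route directive: {line!r}")
    return ip_network(f"{parts[1]}/{parts[2]}", strict=False)


def overlaps(net_a: str, net_b: str) -> bool:
    """True if the two networks share at least one address."""
    return ip_network(net_a, strict=False).overlaps(ip_network(net_b, strict=False))


def reply_path(host_iface: str, peer: str, gateway: str) -> str:
    """How a LAN host configured with `host_iface` (e.g. '10.0.0.110/16')
    would deliver a packet to `peer`: directly on the LAN segment, or to
    the gateway. Only the gateway path can reach a VPN client."""
    if ip_address(peer) in ip_interface(host_iface).network:
        return "on-link"
    return f"via {gateway}"


def suggest_tunnel(lan: str, candidates) -> str:
    """Return the first candidate tunnel network that does not overlap the LAN."""
    for cand in candidates:
        if not overlaps(lan, cand):
            return cand
    raise ValueError("every candidate overlaps the LAN")


def diagnose(lan: str, vpn: str, host_iface: str, client_ip: str, gateway: str) -> dict:
    """Summarise whether a LAN host's replies to a VPN client can reach the tunnel."""
    return {
        "overlap": overlaps(lan, vpn),
        "reply_path": reply_path(host_iface, client_ip, gateway),
        "reachable": reply_path(host_iface, client_ip, gateway) != "on-link",
    }


if __name__ == "__main__":
    pushed = parse_push_route('push "route 10.0.0.0 255.255.0.0"'.split(" ", 1)[1])
    print("pushed LAN route:", pushed)
    # 10.0.8.6 is the VPN client address seen in the nmap output above.
    print("original:", diagnose(LAN, VPN_ORIGINAL, "10.0.0.110/16", "10.0.8.6", GATEWAY))
    # With 10.10.0.0/24 the client gets e.g. 10.10.0.6 (assumed address).
    print("fixed:   ", diagnose(LAN, VPN_FIXED, "10.0.0.110/16", "10.10.0.6", GATEWAY))
    print("suggest: ", suggest_tunnel(LAN, ["10.0.8.0/24", "10.0.100.0/24", "10.10.0.0/24"]))
```

Run it to see the original tunnel flagged as overlapping with the laptop's reply going "on-link", and the 10.10.0.0/24 tunnel going "via 10.0.0.1". The same check is worth running whenever a new LAN or management range (such as the 10.0.100.x range mentioned later in the thread) is carved out of a large /16, since it too must stay clear of the tunnel network.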
Title: Re: OpenVPN problem (can only ping some devices on LAN)
Post by: nle on March 29, 2018, 09:36:15 am
Thanks a lot! The overlapping networks were the issue; assigning 10.10.0.0/24 to the VPN solved it.

I have 10.0.0.0/16 on my local network. Probably not "best practice", but I wanted to use 10.0.100.X for my iDRAC management (and this is only a small "homelab" type of thing, so I'm not running out of IPs any time soon).

Again, thanks for the help! I'll probably be back with more questions at some point.

I'm pretty new to all this, so any input/advice is appreciated (VPN related or not) :)
Title: Re: OpenVPN problem (can only ping some devices on LAN)
Post by: elektroinside on March 29, 2018, 09:39:06 am
You're welcome, glad it worked :)