Virtual private networks / OpenVPN can ping LAN, but no TCP response
« on: March 28, 2024, 11:05:58 pm »
I'm trying to migrate from pfSense to OPNsense and set up a VPN for our off-site staff to be able to access internal servers on our LAN, but after many days of googling and reading all kinds of suggestions I'm about to throw in the towel.
The weird part is that VPN users can ping LAN servers and I can ping them from the server. But TCP connections fail.
WAN: 10.0.0.20
LAN: 192.168.29.0/24
OpenVPN1: 192.168.28.0/24
OpenVPN2: 192.168.31.0/24 (not used yet)
Code:
derlhurgoyf@192.168.28.2:~$ ip a
[...]
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 192.168.28.2/24 brd 192.168.28.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::65b3:1efb:8f61:eb5b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
derlhurgoyf@192.168.28.2:~$ ping -c2 192.168.29.5
PING 192.168.29.5 (192.168.29.5) 56(84) bytes of data.
64 bytes from 192.168.29.5: icmp_seq=1 ttl=63 time=35.4 ms
64 bytes from 192.168.29.5: icmp_seq=2 ttl=63 time=35.3 ms
--- 192.168.29.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 35.340/35.371/35.402/0.031 ms
derlhurgoyf@192.168.28.2:~$ tracepath -n 192.168.29.5
1?: [LOCALHOST] pmtu 1500
1: 192.168.28.1 34.940ms
1: 192.168.28.1 34.396ms
2: 192.168.29.5 35.217ms reached
Resume: pmtu 1500 hops 2 back 2
derlhurgoyf@192.168.28.2:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.11.1      0.0.0.0         UG    100    0        0 enxe8ea6a8ee20e
10.10.11.0      0.0.0.0         255.255.255.0   U     100    0        0 enxe8ea6a8ee20e
10.10.11.1      0.0.0.0         255.255.255.255 UH    50     0        0 enxe8ea6a8ee20e
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enxe8ea6a8ee20e
190.95.11.92    10.10.11.1      255.255.255.255 UGH   50     0        0 enxe8ea6a8ee20e
192.168.28.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
192.168.29.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0
192.168.31.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0
and from the LAN server it looks like this:
Code:
derlhurgoyf@192.168.29.5:~# ip a
[...]
7: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:cc:53:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.11/24 brd 192.168.29.255 scope global dynamic enp7s0
       valid_lft 6497sec preferred_lft 6497sec
    inet6 fe80::5054:ff:fecc:5356/64 scope link
       valid_lft forever preferred_lft forever
derlhurgoyf@192.168.29.5:~# ping -c2 192.168.28.2
PING 192.168.28.2 (192.168.28.2) 56(84) bytes of data.
64 bytes from 192.168.28.2: icmp_seq=1 ttl=63 time=35.5 ms
64 bytes from 192.168.28.2: icmp_seq=2 ttl=63 time=35.2 ms
--- 192.168.28.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 35.214/35.346/35.479/0.132 ms
derlhurgoyf@192.168.29.5:~# tracepath -n 192.168.28.2
1?: [LOCALHOST] pmtu 1500
1: 192.168.29.1 0.709ms
1: 192.168.29.1 0.580ms
2: no reply
I think some NAT rule might be missing, but I couldn't figure it out.
All possibly conflicting firewall rules have been resolved until no more blocking appeared.
What am I missing?
Edit: added VPN config. Firewall rules are all pass. NAT tried out many different ways but no luck.
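The post only tests the path with ping, which says nothing about whether a TCP SYN and its SYN-ACK both make it across the tunnel. The following is an added diagnostic for the VPN client (not code from the original post or from OPNsense): it classifies a connect attempt as open, refused (a RST came back, so the path and firewall state work and only the listener is missing) or timeout (the SYN or its reply is silently dropped, which a small ICMP echo often survives). The LAN host address and ports are placeholders taken from the post's addressing plan.

```python
"""Added diagnostic, not from the original post: run on the VPN client to tell a
silently dropped TCP path apart from a missing listener on a host that answers ping."""
import errno
import socket

LAN_SERVER = "192.168.29.5"   # placeholder: the OP's LAN host
PORTS = (22, 80, 443)         # placeholder: services expected on that host

def tcp_probe(host, port, timeout=3.0):
    """Classify a TCP handshake attempt: 'open', 'refused' (a RST came back, so
    the SYN and its reply both crossed the path: routing, NAT and state are fine),
    'timeout' (SYN or SYN-ACK silently dropped: asymmetric routing or a stateful
    firewall losing the return path, which small ICMP echoes often survive) or
    'unreachable' (the client kernel has no route at all)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def probe_all(host=LAN_SERVER, ports=PORTS, timeout=3.0):
    return {p: tcp_probe(host, p, timeout) for p in ports}

def diagnose(results):
    """Map per-port outcomes to the next thing worth checking."""
    seen = set(results.values())
    if seen & {"open", "refused"}:
        return "tcp-path-ok"        # look at the listener and the host firewall
    if "timeout" in seen:
        return "tcp-path-dropped"   # tcpdump on tun0 and on the LAN host's NIC
    return "no-route"               # fix the client's routing table first

def loopback_self_check():
    # Offline sanity check: probe an open, then a closed, port on 127.0.0.1.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    opened = tcp_probe("127.0.0.1", port)
    srv.close()
    return opened, tcp_probe("127.0.0.1", port)
```

Run `diagnose(probe_all())` from the 192.168.28.2 client; a result of tcp-path-dropped while ping succeeds points at the return path (state tracking or routing) rather than at the service.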