Can't reach OpenVPN clients from LAN

Started by danb35, August 22, 2020, 11:54:52 AM

tl;dr: Clients on my LAN can't connect to OpenVPN clients through OPNsense, but OpenVPN clients can reach hosts on my LAN.  I can reach OpenVPN clients (i.e., ping them) from OPNsense itself.  This started around the time I configured multi-WAN failover and upgraded to 20.7.1.

Networks:

LAN: 192.168.1.0/24
OpenVPN: 192.168.3.0/24
WAN: static IP
WAN2: 192.168.5.something (assigned by DHCP, but in that subnet)

I'm running an OpenVPN server on my OPNsense box, primarily for the sake of two remote hosts that need to be able to access services on my LAN.  At the same time, some devices on my LAN need to be able to access one of those remote hosts.

This all worked well for quite a while--on pfSense before I moved to OPNsense, then it worked under 20.1.8 and 20.1.9, and when I upgraded to 20.7 it continued to work.  Around a week ago, though, following my fourth multi-hour Internet outage in several weeks, I set up multi-WAN failover with a cellular modem (following the instructions at https://docs.opnsense.org/manual/how-tos/multiwan.html), and I also updated to 20.7.1.  And since about that time (I can't say for certain if the problem started with one or the other of these changes, but it started about the time I made them), clients on my LAN aren't able to reach the remote host via the VPN.

Specifically, the remote host is at 192.168.3.100.  If I ping that IP from my OPNsense box itself, it reaches it just fine.  But if I ping it from anywhere else on my LAN, I just get timeouts.  My Google-fu is apparently weak here; I get lots of hits about routing from VPN clients to the LAN (which already works), but nothing about routing from the LAN to those clients.  Any ideas on where to start looking?  Settings attached if they help.  I tried adding the "IPv4 remote network" as you see in those settings, but it didn't help--I'm getting the same results.


Since the VPN client can access internal resources:
Are you sure the firewall on the VPN client allows connections from the main LAN?
And AFAIK OpenVPN recommends switching to "topology subnet".

Thanks for the reply.  Yes, 192.168.1.0/24 is defined as a local, trusted network on the client system.  I'll try setting topology subnet and see what that does.

Did you manage to solve your issue? I've the same problem in a customer setup.

What puzzles me is that in my own office I can ping from LAN to OpenVPN clients. Our config is much simpler, though. The non-working one has VLANs and dual WAN, even though it should not matter. The routes are configured correctly (all automatic, no custom ones), OpenVPN server setup is the same, firewall the same, NAT the same. I don't know where to look. If I traceroute from LAN to OpenVPN's .2 IP, the packet goes to OPNsense's default gateway instead of the OpenVPN gateway.
YetOpen S.r.l.
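The post above observes that a traceroute from the LAN goes to OPNsense's default gateway rather than the OpenVPN gateway. On a multi-WAN box one thing worth checking is whether a LAN pass rule that has a gateway (or gateway group) assigned, which pf renders as a route-to option in `pfctl -sr` output, is matched before any plain pass rule for the VPN subnet, because route-to overrides the kernel routing table that a ping from OPNsense itself would use. The following is an added example, not code from the thread or from OPNsense: it emulates pf's rule evaluation (first match wins for rules marked quick, otherwise last match) over constructed sample lines written in `pfctl -sr` style. The interface names igb0/igb1, the gateway 203.0.113.1, the rule labels and the rule order are assumptions made for the example.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the style of `pfctl -sr` on OPNsense; not taken
# from the thread. Interface names, gateway address and labels are assumptions.
# igb1 is the LAN interface, igb0 the primary WAN.
RULES_GATEWAY_FIRST = [
    'pass in quick on igb1 route-to (igb0 203.0.113.1) inet from 192.168.1.0/24 '
    'to any flags S/SA keep state label "LAN to WAN failover group"',
    'pass in quick on igb1 inet from 192.168.1.0/24 to 192.168.3.0/24 '
    'flags S/SA keep state label "LAN to OpenVPN clients"',
]
# Same two rules with the VPN-subnet rule placed above the gateway rule.
RULES_LOCAL_FIRST = list(reversed(RULES_GATEWAY_FIRST))

# action, direction, optional log/quick, interface, optional route-to, af,
# optional proto, then the from/to tokens. Enough of pf's grammar for the
# sample lines; a real ruleset parser would need more.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:log\s+)?(?P<quick>quick\s+)?'
    r'on\s+(?P<iface>\S+)\s+'
    r'(?:route-to\s+\((?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\)\s+)?'
    r'inet\s+(?:proto\s+\S+\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
)


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    route_to: Optional[str]  # "iface gateway" when policy routed, else None
    label: str


def _net(token: str) -> ipaddress.IPv4Network:
    """Map a pf address token ('any', host or CIDR) to a network object."""
    return ipaddress.ip_network('0.0.0.0/0' if token == 'any' else token, strict=False)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f'unparsed rule: {line}')
    label_m = re.search(r'label "([^"]*)"', line)
    route_to = f"{m['rt_if']} {m['rt_gw']}" if m['rt_if'] else None
    return Rule(m['action'], m['dir'], bool(m['quick']), m['iface'],
                _net(m['src']), _net(m['dst']), route_to,
                label_m.group(1) if label_m else '')


def first_match(rules: List[Rule], iface: str, direction: str,
                src: str, dst: str) -> Optional[Rule]:
    """Emulate pf evaluation: a matching 'quick' rule ends evaluation at once,
    otherwise the last matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for r in rules:
        if r.iface == iface and r.direction == direction and s in r.src and d in r.dst:
            if r.quick:
                return r
            winner = r
    return winner


def check_policy_routing(lines: List[str], iface: str, src: str,
                         dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (label, route_to) of the rule handling a packet entering `iface`.
    A non-None route_to means pf hands the packet to that gateway and the
    kernel route for the destination (e.g. the OpenVPN tun route) is bypassed."""
    r = first_match([parse_rule(l) for l in lines], iface, 'in', src, dst)
    return (r.label, r.route_to) if r else (None, None)


if __name__ == '__main__':
    for name, rules in (('gateway rule first', RULES_GATEWAY_FIRST),
                        ('VPN-subnet rule first', RULES_LOCAL_FIRST)):
        label, rt = check_policy_routing(rules, 'igb1', '192.168.1.50', '192.168.3.100')
        print(f'{name}: matched "{label}", route-to={rt}')
```

With the gateway rule on top, a LAN host's packet for 192.168.3.100 is handed to the WAN gateway, which is consistent with a traceroute that shows the default gateway as the next hop; with the VPN-subnet rule above it, the packet follows the kernel route. The same evaluation can be run against real `pfctl -sr` output from the box, keeping in mind that the regex covers only the rule shapes in the sample.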

Quote: "Did you manage to solve your issue?"
No, I gave up on OPNsense and went back to pfSense.  It's working perfectly there.

The same issue here with version 21.1.5. Does anybody have a solution in the meantime? Do I have to switch to pfSense?