OpenVPN, can't reach LAN

[bastimm]

Hello,

since some weeks I am trying to connect my new OpnSense via OpenVPN.
OpenVPN-connection works fine, but I only can reach WebGUI via OpenVPN.

Internal traffic to my LAN is not possible also my Firewall rules are open/allowed and firewall-log is all green

OpnSense IP: 10.10.10.99
my internal Network: 10.10.0.0/16

current OpenVPN config:
protocol:UDP
DeviceMode: tun
LocalPort 1194
IPv4 Tunnel network:
- 10.10.102.0/24

IPv4 LocalNetzwerk:
- 10.10.0.0/16


I can connect to my OpenVPN but only have access to WebGui/Opensense.
All other connections via Web/ssh/ping to 10.10.0.0/16 are blocked or not possible.
But I can't find a solution/rule which blocks the traffic.

perhaps somebody can help to find my error,
thanks in advance!!!

[zerwes]

10.10.102.0/24 is part of 10.10.0.0/16 ...
devices in your LAN in the network 10.10.0.0/16 think they can reach 10.10.102.0/24 directly, thus they do not send the packages to the opn box.
your vpn network should be outside the lan network.
or you setup a route on each device setting the opn boy as gateway for the 10.10.102.0/24 network ...

[bastimm]

just changed my "IPv4 Tunnel Network" => 192.168.102.0/24

But same effect as before.

From OpenVPN I can ping/reach WebGUI (10.10.10.99) but all other internal IPs are not reachable (e.g. ping/ssh => 10.10.10.130)
Firewall log is still empty, btw. no red entries to this interfaces....

[zerwes]

try setting the tunnel network in
    VPN: OpenVPN: Client Specific Overrides

[bastimm]

I don't use clients.
I only have "Road-Warrior" Setup like here:
https://www.thomas-krenn.com/de/wiki/OPNsense_OpenVPN_f%C3%BCr_Road_Warrior_einrichten

At the moment I only can see incoming traffic to OpenVPN/WAN in my Firewall-Live-View.

Since changing the IPv4-Tunnel Network to 192.168.102.0/24 the WebGui is also not reachable via OpenVPN.

[bastimm]

Did a full reset and completly new install of OpnSense.....

OpenVPN login works.
But I cant reach internal network and also the Gui

Firewall is still all green and no rule seems to block, but I can't ping/reach the 10.10.0.0/16 Network.
OpenVPN Network is 192.168.103.0/24.
All other settings are the same as before....

[Patrick M. Hausen]

Did you add any firewall rule for your OpenVPN imterface? The default is to block everything, even if the connection succeeds.

[bastimm]

Yes, firewall is for testing "open" to all on OpenVPN, WAN, LAN,....

[Patrick M. Hausen]

Could you show us the rule on OpenVPN, please?

[zerwes]

and the routing table on both sides could help ...
IMHO you always should assure:
 1. the connection is up and established
 2. routing is as expected i.e traffic will know the right way
 3. firewall is not blocking legitimate traffic

[bastimm]

Hi,
first thanks for your help!

My Firewall rules are all "allowed" for testing, see attachments.

[bastimm]

Wan1 Settings, see attachment

[bastimm]

And my next post with OpenVPN Settings.

And last attachment is with a Live-Log-View from firewall, where I can see connections from OpenVPN to a TestServer (Port 81) (192.168.101.6 => 10.10.10.1:81).
But I can't reach this server via Ping/ssh/web from OpenVPN.