OpenVPN can ping LAN, but no TCP response

Started by derlhurgoyf, March 28, 2024, 11:05:58 PM

March 28, 2024, 11:05:58 PM Last Edit: March 29, 2024, 03:14:14 AM by derlhurgoyf
I'm trying to migrate from pfSense to OPNsense and set up a VPN for our off-site staff to be able to access internal servers on our LAN, but after many days of googling and reading all kinds of suggestions I'm about to throw in the towel.

The weird part is that VPN users can ping LAN servers and I can ping them from the server. But TCP connections fail.

WAN: 10.0.0.20
LAN: 192.168.29.0/24
OpenVPN1: 192.168.28.0/24
OpenVPN2: 192.168.31.0/24 (not used yet)


derlhurgoyf@192.168.28.2:~$ ip a
[...]
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 192.168.28.2/24 brd 192.168.28.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::65b3:1efb:8f61:eb5b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

derlhurgoyf@192.168.28.2:~$ ping -c2 192.168.29.5
PING 192.168.29.5 (192.168.29.5) 56(84) bytes of data.
64 bytes from 192.168.29.5: icmp_seq=1 ttl=63 time=35.4 ms
64 bytes from 192.168.29.5: icmp_seq=2 ttl=63 time=35.3 ms
--- 192.168.29.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 35.340/35.371/35.402/0.031 ms

derlhurgoyf@192.168.28.2:~$ tracepath -n 192.168.29.5
1?: [LOCALHOST]                      pmtu 1500
1:  192.168.28.1                                         34.940ms
1:  192.168.28.1                                         34.396ms
2:  192.168.29.5                                         35.217ms reached
     Resume: pmtu 1500 hops 2 back 2

derlhurgoyf@192.168.28.2:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.11.1      0.0.0.0         UG    100    0        0 enxe8ea6a8ee20e
10.10.11.0      0.0.0.0         255.255.255.0   U     100    0        0 enxe8ea6a8ee20e
10.10.11.1      0.0.0.0         255.255.255.255 UH    50     0        0 enxe8ea6a8ee20e
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enxe8ea6a8ee20e
190.95.11.92    10.10.11.1      255.255.255.255 UGH   50     0        0 enxe8ea6a8ee20e
192.168.28.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
192.168.29.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0
192.168.31.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0


and from the LAN server it looks like this:

derlhurgoyf@192.168.29.5:~# ip a
[...]
7: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:cc:53:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.11/24 brd 192.168.29.255 scope global dynamic enp7s0
       valid_lft 6497sec preferred_lft 6497sec
    inet6 fe80::5054:ff:fecc:5356/64 scope link
       valid_lft forever preferred_lft forever

derlhurgoyf@192.168.29.5:~# ping -c2 192.168.28.2
PING 192.168.28.2 (192.168.28.2) 56(84) bytes of data.
64 bytes from 192.168.28.2: icmp_seq=1 ttl=63 time=35.5 ms
64 bytes from 192.168.28.2: icmp_seq=2 ttl=63 time=35.2 ms

--- 192.168.28.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 35.214/35.346/35.479/0.132 ms

derlhurgoyf@192.168.29.5:~# tracepath -n 192.168.28.2
1?: [LOCALHOST]                      pmtu 1500
1:  192.168.29.1                                          0.709ms
1:  192.168.29.1                                          0.580ms
2:  no reply


I think some NAT rule might be missing, but I couldn't figure it out.
All possibly conflicting firewall rules have been resolved until no more blocking appeared.

What am I missing?

Edit: added VPN config. Firewall rules are all pass. NAT tried many different ways, but no luck.
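As an added example (not part of the original post), the client's `route -n` table from the post can be parsed and queried with a longest-prefix-match lookup to confirm which interface and gateway each destination discussed in the thread actually uses; the table text below is a constructed copy of the output shown above.

```python
import ipaddress

# Constructed copy of the VPN client's `route -n` output from the post.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.11.1      0.0.0.0         UG    100    0        0 enxe8ea6a8ee20e
10.10.11.0      0.0.0.0         255.255.255.0   U     100    0        0 enxe8ea6a8ee20e
10.10.11.1      0.0.0.0         255.255.255.255 UH    50     0        0 enxe8ea6a8ee20e
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enxe8ea6a8ee20e
190.95.11.92    10.10.11.1      255.255.255.255 UGH   50     0        0 enxe8ea6a8ee20e
192.168.28.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
192.168.29.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0
192.168.31.0    192.168.28.1    255.255.255.0   UG    50     0        0 tun0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts (IPv4 only)."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True          # header row; entries follow
            continue
        if not in_table or not line.strip():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": None if gw == "0.0.0.0" else gw,  # None = directly connected
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("192.168.29.5", "192.168.28.1", "192.168.31.10", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {r['iface']:16} via {r['gateway'] or 'link'}")
```

For the LAN host 192.168.29.5 the lookup returns tun0 via 192.168.28.1, which matches the first hop shown by the client's tracepath; the same check can be run on the LAN server's table to compare the return path.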