[SOLVED] OpenVPN can't ping LAN

[Groveld]

I have a problem with my setup, where i can connect to my VPN and have a fully functioning internet connection trough it, BUT cannot ping anything other than my OPNsense box on my LAN...
i have setup my firewall so that it allows all traffic from and to all interfaces (LAN, DMZ, OPENVPN).
vpn didn't work at first, i had to provide an dns server even when i only access ip adresses directly, this is only tru for the opnsense box since i can't ping anything other than that on the lan network.
when i check my client's config, i see the remote network in the routing table.
is this some sort of rookie mistake where ik overlooked something simple? or is it more like a bug?
for now internet is working for me, but i would like to use it as a real vpn, not just as a secure tunnel to the internet
many thanks in advance!

[neo243]

add this under advanced in the openvpn server tab in the opnsense

push "route 192.168.xx.0 255.255.255.0";
for every network you want to access throw the vpn

[Groveld]

I will try this, but doesn't  the "IPv4 Local Network/s" entry the exact same thing?

[Groveld]

It didn't work, now i can't even ping my OPNsense box...
here is a screenshot of the settings of my VPN:

[neo243]

the "IPv4 Local Network/s" entry should do this but it didn't work for me so i set this under advanced and it worked mhh:/. I just checked all your settings everything is equal except the DNS Server, i didn't need one so i didn't set it up.

Can you post your FW settings?

[Groveld]

Some screenshots of my firewall rules...

[neo243]

yup also ok MHH :/

[franco]

When you run OpenVPN on 443 on WAN, which port runs the GUI?

If you move OpenVPN to LAN and use NAT forwarding from 443:WAN to 443:LAN does that help? I can imagine that traffic from WAN is blocked into LAN, because that's what you want.

[Groveld]

OPNsense GUI runs on port 80 and i disabled https access.
if you see my previous post, i included my firewall rules. doesn't the automagicly created vpn rule take care of the wan-lan issue? or is it only to access the opnvpn service itself? if so, where do i create the extra rule?

[franco]

No, it doesn't as it is a routing issue between LAN and the other internal subnet, only that it is on WAN. Even so, you are blocking private networks on WAN, that may be another thing to switch of and try (also further proof that VPN shouldn't terminate in WAN, spoofing happens and this private range block ought to stop it).

[franco]

You can disable blocking under "Interfaces: WAN: Block private networks" (needs a filter apply)

[Groveld]

"Interfaces: WAN: Block private networks" doesn't change anything, i can still only ping the OPNsense box.

[franco]

Hmm, you'll probably have no trouble pinging 8.8.8.8 through the VPN? I still see a potential routing table issue with your VPN traffic trying to reach LAN being blackholed by the default route.

[slackadelic]

Under Topology, check that box, save the config and reconnect with your client.

Those push statements won't help much, you can probably remove them, but leave them for now for testing.  I'm pretty sure that once you check the Topology it'll work.  If you don't check this it creates an isolated /30 network that will only allow the client to see OPNsense and nothing else.

[Groveld]

i can ping all WAN adresses, on the LAN interface only the OPNsense box (10.25.1.254).
my NAS, which is on 10.25.1.1 can still not be resolved.
the "topology" option didn't work either for me...