Topic: Can't reach OpenVPN clients from LAN (Read 6445 times)
danb35
Newbie
Posts: 34
Karma: 8
Can't reach OpenVPN clients from LAN
« on: August 22, 2020, 11:54:52 am »
tl;dr: Clients on my LAN can't connect to OpenVPN clients through OPNsense, but OpenVPN clients can reach hosts on my LAN. I can reach OpenVPN clients (i.e., ping them) from OPNsense itself. This started around the time I configured multi-WAN failover and upgraded to 20.7.1.
Networks:
LAN: 192.168.1.0/24
OpenVPN: 192.168.3.0/24
WAN: static IP
WAN2: 192.168.5.something (assigned by DHCP, but in that subnet)
I'm running an OpenVPN server on my OPNsense box, primarily for the sake of two remote hosts that need to be able to access services on my LAN. At the same time, some devices on my LAN need to be able to access one of those remote hosts.
This all worked well for quite a while--on pfSense before I moved to OPNsense, then it worked under 20.1.8 and 20.1.9, and when I upgraded to 20.7 it continued to work. Around a week ago, though, following my fourth multi-hour Internet outage in several weeks, I set up multi-WAN failover with a cellular modem (following the instructions at https://docs.opnsense.org/manual/how-tos/multiwan.html), and I also updated to 20.7.1. And since about that time (I can't say for certain if the problem started with one or the other of these changes, but it started about the time I made them), clients on my LAN aren't able to reach the remote host via the VPN.
Specifically, the remote host is at 192.168.3.100. If I ping that IP from my OPNsense box itself, it reaches it just fine. But if I ping it from anywhere else on my LAN, I just get timeouts. My Google-fu is apparently weak here; I get lots of hits about routing from VPN clients to the LAN (which already works), but nothing about routing from the LAN to those clients. Any ideas on where to start looking? Settings attached if they help. I tried adding the "IPv4 remote network" as you see in those settings, but it didn't help--I'm getting the same results.
Fright
Hero Member
Posts: 1777
Karma: 164
Re: Can't reach OpenVPN clients from LAN
« Reply #1 on: August 22, 2020, 03:48:58 pm »
Since the VPN client can access internal resources, are you sure the firewall on the VPN client allows connections from the main LAN?
And AFAIK OpenVPN recommends switching to "topology subnet".
danb35
Newbie
Posts: 34
Karma: 8
Re: Can't reach OpenVPN clients from LAN
« Reply #2 on: August 22, 2020, 04:57:18 pm »
Thanks for the reply. Yes, 192.168.1.0/24 is defined as a local, trusted network on the client system. I'll try setting topology subnet and see what that does.
maxxer
Newbie
Posts: 28
Karma: 1
Re: Can't reach OpenVPN clients from LAN
« Reply #3 on: October 07, 2020, 11:04:34 pm »
Did you manage to solve your issue? I've the same problem in a customer setup.
What puzzles me is that in my own office I can ping from LAN to OpenVPN clients. Our config is much simpler, though. The non-working one has VLANs and dual WAN, even though it should not matter. The routes are configured correctly (all automatic, no custom ones), OpenVPN server setup is the same, firewall the same, NAT the same. I don't know where to look. If I traceroute from LAN to OpenVPN's .2 IP the packet goes to OPNsense default gw instead of the OpenVPN gw.
YetOpen S.r.l.
danb35
Newbie
Posts: 34
Karma: 8
Re: Can't reach OpenVPN clients from LAN
« Reply #4 on: October 07, 2020, 11:07:00 pm »
Quote
Did you manage to solve your issue?
No, I gave up on OPNsense and went back to pfSense. It's working perfectly there.
rseifried
Newbie
Posts: 1
Karma: 0
Re: Can't reach OpenVPN clients from LAN
« Reply #5 on: May 15, 2021, 04:43:30 pm »
The same issue here with version 21.1.5. Did anybody have the solution in the meantime? Do I have to switch to pfsense?