OpenVPN client can only reach router

Started by jmcgee, December 08, 2020, 12:44:49 AM

I am setting up OpenVPN with an Android client to start. From the Android I can connect to the OpenVPN server. I can reach the router's web page at 192.168.1.1

Is this a problem with my IP numbers?

What do you have as "Local network" in your OpenVPN server config?

And do you have firewall rule on the OpenVPN tab to allow traffic from the VPN?
"The S in IoT stands for Security!" :)

I don't see local network in VPN|Servers.  Just tunnel network.


Why do you provide screenshots of DHCP?

Please send a screenshot of your VPN server config:
VPN: OpenVPN: Servers

There is a row with IPv4 local network.

Here are 3 screenshots that cover VPN: Server

Is this OPNsense the main router/gateway for the network 192.168.1.0/24? Usually this should work if your client is able to reach 192.168.1.1. Do you have a firewall rule to allow traffic coming in via the OpenVPN interface? You checked "redirect gateway", so all traffic from the client is flowing through your OPNsense, even the WAN traffic. You'll need a NAT rule to allow outgoing traffic from OpenVPN clients.

Did you follow those guides? https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Quote from: Gauss23 on December 09, 2020, 08:43:18 AM
Is this OPNsense the main router/gateway for the network 192.168.1.0/24? Usually this should work if your client is able to reach 192.168.1.1.

Yes, this sits between my computers and the Charter modem. Not sure that answered the question, but the OPNsense router is accepting the OpenVPN clients and theoretically connecting them to all the devices on the router inside the LAN, and to the WAN as well.


Quote
Do you have a firewall rule to allow traffic coming in via the OpenVPN interface? You checked "redirect gateway", so all traffic from the client is flowing through your OPNsense, even the WAN traffic. You'll need a NAT rule to allow outgoing traffic from OpenVPN clients.



Quote
Did you follow those guides? https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I tried, but got hung up on the Google Authenticator part. Ended up using
https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/


Why are you only allowing TCP traffic from the OpenVPN clients? ICMP (ping) and all UDP-based services will be blocked.
It's always a good idea to have a look at the live view in Firewall: Log Files: Live View to see what's blocked.
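The three checks raised in the thread so far (a route into the tunnel for the destination, a pass rule on the OpenVPN interface that is not limited to TCP, and outbound NAT on WAN once "redirect gateway" is pushed) are small enough to model as a packet-fate evaluator. This is an added example, not OPNsense's own pf rule engine; the interface names `openvpn` and `wan`, the tunnel network 10.0.0.0/24 and the LAN 192.168.1.0/24 are taken from the thread, and the first-match, default-deny evaluation is a simplification of how OPNsense applies rules per interface.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the settings discussed in the thread: the OpenVPN server's
# Tunnel network / Local network / Redirect Gateway options, the pass rule on the
# "openvpn" interface, and outbound NAT on "wan". Example code, not OPNsense logic.


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class VpnServer:
    tunnel_network: str             # VPN: OpenVPN: Servers -> Tunnel network
    local_networks: tuple = ()      # IPv4 Local network -> routes pushed to the client
    redirect_gateway: bool = False  # Redirect Gateway -> push "redirect-gateway def1"

    def pushed_routes(self):
        routes = [net(n) for n in self.local_networks]
        if self.redirect_gateway:
            routes.append(net("0.0.0.0/0"))   # everything goes through the tunnel
        return routes


@dataclass
class FwRule:               # Firewall: Rules: OpenVPN
    interface: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # CIDR; "0.0.0.0/0" means any
    dst: str
    action: str = "pass"


@dataclass
class NatRule:              # Firewall: NAT: Outbound
    interface: str
    src: str


def firewall_decision(rules, iface, proto, src, dst):
    """pf-style evaluation on one interface: top-down, first match wins, and an
    interface with no matching rule blocks the packet (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.interface != iface or r.proto not in ("any", proto):
            continue
        if s in net(r.src) and d in net(r.dst):
            return r.action
    return "block"


def evaluate(server, fw_rules, nat_rules, lan, client_ip, dst, proto):
    """Explain the fate of one packet a connected client sends towards dst."""
    d = ipaddress.ip_address(dst)
    if not any(d in r for r in server.pushed_routes()):
        return "not routed into tunnel: no Local network covers the destination and redirect-gateway is off"
    if firewall_decision(fw_rules, "openvpn", proto, client_ip, dst) != "pass":
        return f"blocked on openvpn interface: no pass rule matches proto {proto}"
    if d not in net(lan):
        # Internet-bound traffic: the tunnel network must be NATed on WAN, or replies
        # come back to an address the upstream cannot route.
        nated = any(r.interface == "wan" and ipaddress.ip_address(client_ip) in net(r.src)
                    for r in nat_rules)
        if not nated:
            return "no outbound NAT on wan for the tunnel network"
    return "pass"


# Scenarios built from the thread: redirect gateway enabled, rule first TCP-only, then "any".
SERVER = VpnServer("10.0.0.0/24", redirect_gateway=True)
LAN = "192.168.1.0/24"
CLIENT = "10.0.0.2"
TCP_ONLY = [FwRule("openvpn", "tcp", "10.0.0.0/24", "0.0.0.0/0")]
ANY_PROTO = [FwRule("openvpn", "any", "10.0.0.0/24", "0.0.0.0/0")]
NAT_WAN = [NatRule("wan", "10.0.0.0/24")]

if __name__ == "__main__":
    for rules, nat, dst, proto in [
        (TCP_ONLY, NAT_WAN, "192.168.1.50", "icmp"),   # ping to LAN host with TCP-only rule
        (TCP_ONLY, NAT_WAN, "192.168.1.50", "tcp"),    # SSH/web to LAN host with TCP-only rule
        (ANY_PROTO, [], "1.1.1.1", "udp"),             # DNS to the internet, no outbound NAT
        (ANY_PROTO, NAT_WAN, "1.1.1.1", "udp"),        # same, with NAT
    ]:
        print(f"{proto:4} -> {dst:13}: {evaluate(SERVER, rules, nat, LAN, CLIENT, dst, proto)}")
```

The model only covers the three checks the replies above name; a "pass" here means the packet leaves OPNsense towards the LAN host, and says nothing about what that host does with it.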

December 13, 2020, 06:02:24 PM #8 Last Edit: December 13, 2020, 06:12:07 PM by jmcgee
Quote from: Gauss23 on December 09, 2020, 11:54:21 PM
Why are you only allowing TCP traffic from the OpenVPN clients? ICMP (ping) and all UDP-based services will be blocked.
It's always a good idea to have a look at the live view in Firewall: Log Files: Live View to see what's blocked.

Thank you for your help. I am making progress. Changed the protocol on the OpenVPN firewall rule to "any", and I can get out onto the internet from the OpenVPN server now.

But I cannot access any internal IP addresses (web traffic or SSH). The firewall live view is all green.
What could be blocking that?
Attached are screenshots of the OpenVPN server config.

Can I provide anymore info to help solve this issue?

December 22, 2020, 09:30:52 AM #10 Last Edit: December 22, 2020, 09:36:28 AM by chemlud
You have set "Enforce local group" to "(none)".

The documentation says

"The option Enforce local group can be used to constraint access to only users in a specific (set of) group(s)"

https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Maybe have a look at this option...

I don't understand why your config has no option for "local network(s)".
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I am still battling this. Using the OpenVPN Connect app on Android. I can connect, browse the internet, hit the IP of the OPNsense router, but cannot connect to anything inside the LAN.

Please try the option "Topology" in the OpenVPN server. Read the help by clicking on the "i".

Thanks, I tried the topology option. No changes.
Here is the VPN server log:
2021-01-24T07:38:15   openvpn[75895]   Jack/172.58.109.231:59321 AEAD Decrypt error: bad packet ID (may be a replay): [ #397 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings   
2021-01-24T07:37:55   openvpn[75895]   Jack/172.58.109.231:59321 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 [Jack] Peer Connection Initiated with [AF_INET]172.58.109.231:59321   
2021-01-24T07:37:55   openvpn[57323]   user 'Jack' authenticated using 'Local Database'   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_SSO=openurl   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_PROTO=2   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_TCPNL=1   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_NCP=2   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_PLAT=android   
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_VER=3.git:released:662eae9a:Release   
2021-01-24T02:41:19   openvpn[75895]   TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.84:46424   
2021-01-24T00:07:50   openvpn[75895]   Initialization Sequence Completed   
2021-01-24T00:07:50   openvpn[75895]   UDPv4 link remote: [AF_UNSPEC]   
2021-01-24T00:07:50   openvpn[75895]   UDPv4 link local (bound): [AF_INET]35.134.112.112:1194   
2021-01-24T00:07:50   openvpn[75895]   Could not determine IPv4/IPv6 protocol. Using AF_INET   
2021-01-24T00:07:50   openvpn[75895]   ERROR: FreeBSD route add command failed: external program exited with error status: 1   
2021-01-24T00:07:50   openvpn[75895]   /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1621 10.0.0.1 255.255.255.0 init   
2021-01-24T00:07:50   openvpn[75895]   /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up   
2021-01-24T00:07:50   openvpn[75895]   TUN/TAP device /dev/tun1 opened

Looks like your crypto settings don't match between client and server. How did you create the client config?
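The server log posted above is short enough to read by hand, but it contains three different kinds of events worth telling apart when this comes up on a busier server: the normal session for user Jack (authentication, address-pool assignment, peer connection), the replay warning from Jack's own address, and the "cannot locate HMAC" rejection, which came from 185.200.118.84, an address that never completed a session. What follows is an added example, not OpenVPN or OPNsense code: a classifier over the posted lines (quoted from the thread and trimmed to a subset) that tallies event types and separates HMAC rejections from unknown sources from problems on established sessions.

```python
import re
from collections import Counter

# Server log lines as posted in the thread (quoted verbatim, trimmed to a subset).
# The parser around them is an added example; it is not OPNsense or OpenVPN code.
SAMPLE_LOG = """\
2021-01-24T07:38:15   openvpn[75895]   Jack/172.58.109.231:59321 AEAD Decrypt error: bad packet ID (may be a replay): [ #397 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2021-01-24T07:37:55   openvpn[75895]   Jack/172.58.109.231:59321 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 [Jack] Peer Connection Initiated with [AF_INET]172.58.109.231:59321
2021-01-24T07:37:55   openvpn[57323]   user 'Jack' authenticated using 'Local Database'
2021-01-24T07:37:55   openvpn[75895]   172.58.109.231:59321 peer info: IV_PLAT=android
2021-01-24T02:41:19   openvpn[75895]   TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.84:46424
2021-01-24T00:07:50   openvpn[75895]   Initialization Sequence Completed
2021-01-24T00:07:50   openvpn[75895]   ERROR: FreeBSD route add command failed: external program exited with error status: 1
"""

# "<timestamp>   openvpn[<pid>]   <message>" with the trailing whitespace the forum kept.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+openvpn\[(?P<pid>\d+)\]\s+(?P<msg>.*?)\s*$")

# (event kind, pattern) pairs matched against the message; first hit wins.
PATTERNS = [
    ("auth_ok", re.compile(r"user '(?P<user>[^']+)' authenticated using '(?P<method>[^']+)'")),
    ("pool_assign", re.compile(r"^(?P<cn>[^/\s]+)/[\d.]+:\d+ MULTI_sva: pool returned IPv4=(?P<ip>[\d.]+)")),
    ("session_up", re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET\](?P<ip>[\d.]+):\d+")),
    ("replay_warning", re.compile(r"^(?P<cn>[^/\s]+)/(?P<ip>[\d.]+):\d+ AEAD Decrypt error: bad packet ID")),
    ("hmac_reject", re.compile(r"cannot locate HMAC in incoming packet from \[AF_INET\](?P<ip>[\d.]+):\d+")),
    ("route_error", re.compile(r"route add command failed")),
    ("server_up", re.compile(r"Initialization Sequence Completed")),
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not an openvpn log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "pid": int(m["pid"]), "kind": "other", "msg": m["msg"]}
    for kind, pat in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())   # cn / ip / user / method where present
            break
    return event


def summarize(log_text):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])      # the forum post lists newest first
    counts = Counter(e["kind"] for e in events)
    clients = {e["cn"]: e["ip"] for e in events if e["kind"] == "session_up"}
    pool = {e["cn"]: e["ip"] for e in events if e["kind"] == "pool_assign"}
    known_ips = set(clients.values())
    # Packets without a locatable HMAC from an address that never completed a session
    # were dropped by the control-channel HMAC check before any TLS handshake; they are
    # a different problem from errors on an established session.
    unknown_hmac = sorted({e["ip"] for e in events
                           if e["kind"] == "hmac_reject" and e["ip"] not in known_ips})
    replay_from = sorted({e["cn"] for e in events if e["kind"] == "replay_warning"})
    return {
        "counts": dict(counts),
        "clients": clients,
        "pool": pool,
        "unknown_hmac_sources": unknown_hmac,
        "replay_warnings_from": replay_from,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against the posted log this yields one completed session for Jack from 172.58.109.231 with pool address 10.0.0.2, one replay warning on that session, one HMAC rejection from an address with no session, and the route add error from server startup; the patterns are keyed to the wording OpenVPN uses in the lines above and will need extending for other message types.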