[SOLVED] OPENVPN client connect but can't surf internal LAN

Started by brokenby2703, February 11, 2016, 11:34:05 AM

February 11, 2016, 11:34:05 AM Last Edit: February 15, 2016, 09:35:38 PM by brokenby2703
I can connect using Viscosity but I can't surf any internal devices (NAS, printer, etc.).

First of all, the LAN is 192.168.0.x/24, while when I'm connected I get 10.0.0.6, because this is what I used as suggested in the how-to at this link: https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/

I repeated the how-to 3 times, step by step, but I can't surf internal clients.
I have double-checked that the Firewall NAT/Rules automatic rules option was ticked.

I'm stuck.
Thanks for helping.
P.

What is the subnet you are connecting from?

Once the tunnel is up, can you ping the OPNsense firewall LAN interface on 192.168.0.0/24?

Bart...

First of all, thanks for your time.
Second, sorry I didn't provide any further information about it, but to avoid filling up the message with not useful information I preferred to leave it out and provide it when required.

Hope this can help:

1) Firewall has 2 ethernet cards: LAN and WAN
2) WAN is PPPoE ADSL with user ID/password
3) Firewall acts as DHCP server on the LAN
4) LAN IP: 192.168.0.x/24 (255.255.255.0)
5) WAN IP is static: 188.--.--.--
6) NAS on the LAN has fixed IP: 192.168.0.11
7) Asterisk on LAN has fixed IP: 192.168.0.6
8) Aficio Ricoh network printer IP: 192.168.0.8
9) PCs etc. have dynamic IPs on the LAN: 192.168.0.x (with x starting from .100)
10) In the VPN server parameters I set up:
- TUNNEL NETWORK : 192.168.1.0/24
- LOCAL NETWORK : 192.168.0.0/24
- INTER CLIENT COMMUNICATION : Allowed
- Everything else as per the link I have provided.

Now, when I connect my laptop to the LAN (DHCP) I get an address like 192.168.0.102, and I can ping and connect to all devices including printer/NAS etc.
From the OPNsense firewall I can ping all devices including my laptop.

I disconnect from the LAN.
To be sure, I log off and re-login (it's a MacBook Pro / OS X Mavericks).
I switch ON the WiFi.
I switch ON my 4G router (LTE).
I get a local address: 192.168.1.100
I'm now connected on the 4G Vodafone network separately.

I switch ON the Viscosity client.
I have previously imported the configuration file I exported from OPNsense (OpenVPN client export).
I connect successfully to the OPNsense VPN server.
I get IP 192.168.1.100
But I can't connect to any device; I can't ping them either.
When, for example, I try to log in at the NAS admin page (192.168.0.11:5000, it's a Synology), I can see in the Viscosity client window peaks of generated traffic, but the page fails to load after a while.

I have repeated all the OpenVPN setup operations 4/5 times.
Each time I carefully deleted all the certificates, users, etc. and rebooted the firewall to be sure that (although not needed) no old config was loaded.

I tried also to do it following YouTube videos (pfSense OpenVPN) but same result: connect, get IP 192.168.1.100, but no surfing internal devices, no ping at all.

I tried one last thing:
10) In the VPN server parameters I changed the setup to:
- TUNNEL NETWORK : 192.168.0.0/24
- LOCAL NETWORK : 192.168.0.0/24
both the same as my LAN.

I got a strange IP when I connected with Viscosity: 192.168.0.33 (out of the DHCP range and very unusual).
But again I can't ping, and I can't surf either.

Thanks for help.
Sorry if I have given information that wasn't required.
If anything is missing, please let me know; I will try to provide it although I'm a newbie.
(Previously using M0n0.ch since 2007 but never VPN before.)

P.

Hi, that's a lot of info ;-)

The tunnel subnet must be different from the LAN to allow the firewall to operate as a router on Layer-3. Your 'last try' configuration with the tunnel subnet the same as the LAN subnet won't work, I'm afraid.

Can you post the output from the command below from a terminal window on the Mac?

1. while connected to the LAN
2. while connected to 4G
3. while connected to 4G with the tunnel up

        netstat -rn -f inet

Thanks,

Bart...

P.S. I have had good results with Tunnelblick for OpenVPN on OS X, but I haven't used it with OPNsense

Thanks a lot for your prompt reply.

I knew that setting up the tunnel subnet the same as the LAN (192.168.0.0) wasn't going to work, but I just gave it a try.

Here are the 3 screenshots:
- LAN
- 4G
- 4G + Tunnel


Quote from: bartjsmit on February 13, 2016, 06:16:49 PM
What is the subnet you are connecting from?

Once the tunnel is up, can you ping the OPNsense firewall LAN interface on 192.168.0.0/24?

Bart...

I forgot to reply to this.
Yes, when I'm connected on 4G+tunnel, I can ping the firewall.
See screenshots.
But I can't connect to any of the internal devices; I can only ping the firewall.


Your default gateway does not change - it remains constant at 192.168.0.1.

If your Vodafone 4G router is issuing you a DHCP lease with an IP address of 192.168.1.100 then there are two possibilities:

1. The Vodafone does not issue a DHCP option 3 (default gateway) as part of its lease
2. The IP address of the Vodafone router is also 192.168.0.1

I would expect the Vodafone to have an IP in the same class C subnet as the DHCP scope, e.g. 192.168.1.1.

Is the Vodafone router configurable? Try setting its subnet to something like 172.20.20.0/24 with its IP as 172.20.20.1.

Bart...
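The diagnosis above comes down to one question that the `netstat -rn -f inet` output Bart asked for can answer before the tunnel is even brought up: does the network the laptop is sitting on overlap with the networks the OpenVPN server will route through the tunnel? The following is an added example, not code from this thread or from OPNsense. It parses macOS routing-table text and compares the uplink's directly connected subnet and default gateway against the server's tunnel network and pushed local network. The two routing tables inside it are constructed to mirror the situation in the thread (a 4G router at 192.168.0.1 on 192.168.0.0/24, then moved to 192.168.2.0/24 as in the fix), not real captures, and the VPN networks are the values given in the thread (tunnel 192.168.1.0/24, local 192.168.0.0/24).

```python
"""Pre-flight check: does my current LAN collide with what the OpenVPN server
will route through the tunnel?  Input is the text of `netstat -rn -f inet`
on macOS, whose Destination column abbreviates networks ("192.168.0/24",
"127", "default").  Added example; routing tables below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample 1: on the 4G router before the fix.  The router's LAN is
# 192.168.0.0/24 with the router at 192.168.0.1, the same subnet as the
# OPNsense LAN, so a pushed 192.168.0.0/24 route has nowhere useful to go.
NETSTAT_4G_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.0.1        UGSc           14        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3       21     lo0
192.168.0/24       link#4             UCS             2        0     en0
192.168.0.1        0:11:22:33:44:55   UHLWIir        13       52     en0   1180
192.168.0.104      127.0.0.1          UHS             0        0     lo0
"""

# Constructed sample 2: after moving the 4G router's LAN to 192.168.2.0/24.
NETSTAT_4G_AFTER = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc           14        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3       21     lo0
192.168.2/24       link#4             UCS             2        0     en0
192.168.2.1        0:11:22:33:44:55   UHLWIir        13       52     en0   1180
192.168.2.104      127.0.0.1          UHS             0        0     lo0
"""

# From the OPNsense OpenVPN server settings quoted in the thread.
VPN_NETWORKS = {
    "tunnel network": ipaddress.ip_network("192.168.1.0/24"),
    "local network": ipaddress.ip_network("192.168.0.0/24"),
}


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next hop, "link#N" for connected networks, a MAC for ARP entries
    flags: str
    iface: str


def to_network(dest: str) -> ipaddress.IPv4Network:
    """Expand macOS netstat's abbreviated destination into a full network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        # "127" means 127.0.0.0/8; a full four-octet address is a /32 host route
        prefix = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_routes(netstat_text: str) -> List[Route]:
    """Parse the IPv4 table: Destination Gateway Flags Refs Use Netif [Expire]."""
    routes, in_table = [], False
    for line in netstat_text.splitlines():
        cols = line.split()
        if cols and cols[0] == "Destination":
            in_table = True
            continue
        if not in_table or len(cols) < 6:
            continue
        routes.append(Route(to_network(cols[0]), cols[1], cols[2], cols[5]))
    return routes


def check_overlaps(netstat_text: str, vpn_networks: Dict[str, ipaddress.IPv4Network]) -> dict:
    """Report VPN networks that collide with the uplink's connected networks,
    and whether the default gateway itself falls inside a pushed route."""
    routes = parse_routes(netstat_text)
    default = next((r for r in routes if r.network.prefixlen == 0), None)
    if default is None:
        raise ValueError("no default route: the VPN server is unreachable anyway")
    gateway = ipaddress.ip_address(default.gateway)
    # Directly connected networks on the uplink show "link#N" as gateway
    local_nets = [r.network for r in routes
                  if r.iface == default.iface and r.gateway.startswith("link#")]
    conflicts = [(name, str(net), str(local))
                 for name, net in vpn_networks.items()
                 for local in local_nets if net.overlaps(local)]
    hidden = [name for name, net in vpn_networks.items() if gateway in net]
    return {"uplink": default.iface, "default_gateway": str(gateway),
            "local_networks": [str(n) for n in local_nets],
            "conflicts": conflicts, "gateway_inside_vpn_route": hidden}


if __name__ == "__main__":
    for label, table in (("before", NETSTAT_4G_BEFORE), ("after", NETSTAT_4G_AFTER)):
        result = check_overlaps(table, VPN_NETWORKS)
        print(label, "COLLISION" if result["conflicts"] else "ok", result)
```

Run it with the real output of `netstat -rn -f inet` taken on the remote network before connecting, and with the tunnel and local networks from the server's settings. A hit in `conflicts` means the kernel already has an on-link route for that subnet and the pushed route will not carry the traffic; a hit in `gateway_inside_vpn_route` means the route to the VPN server's own next hop would be captured by the tunnel. Either way the fix is what Bart suggested: renumber one side, ideally the home LAN to something hotspots rarely use.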

YOU ARE MY HERO !!!!

THANK YOU THANK YOU THANK YOU!

I changed the LAN IP of the Vodafone router to 192.168.2.1 (instead of 192.168.0.1) and it worked.

Thank you so much.
I'm a newbie but if there is anything I can help you with, I will be here.

Paolo

Good stuff Paolo!  8)

You may want to consider changing the subnet of your internal LAN to avoid having this problem with public hotspots. Many of those use 192.168.0.0/24 or 192.168.1.0/24.

If you're only ever going to connect through your own 4G router, then that is not an issue.

Bart...