Can connect to OpenVPN, but cannot reach any LAN clients

Started by blazte, January 17, 2022, 05:12:03 PM

Hi.

I have followed this guide "Setup SSL VPN Road Warrior" and can connect, but cannot reach any LAN clients.

LAN network: 10.1.1.0/24
VPN network: 10.4.4.0/24
Client network: 192.168.1.0/24

The client can connect to the VPN and ping the FW at 10.1.1.1 and 10.4.4.1, but cannot ping any LAN clients.

Any suggestion will be appreciated.

Screenshot is attached.

Version OPNsense 21.7.7-amd64

Is OPNsense the default gateway for your LAN clients?

Are you pushing the redirect-gateway option to your OpenVPN clients?

OPNsense is the default gateway (10.1.1.1) for my LAN clients.

redirect-gateway is not pushed.

Here is my .ovpn file:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote X 1194 udp
lport 0
verify-x509-name X
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
X
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
X
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
X
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
X
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Do you have the 'redirect gateway' box ticked on the OpenVPN server tunnel settings?

Also try this on the client side:

redirect-gateway def1

Bart...

Redirect gateway is unchecked.

I have tried adding "redirect-gateway def1" to the .ovpn file, and after this I get my gateway's public IP, but I still cannot reach any LAN clients.

Do some packet traces on your VPN and LAN interfaces and confirm that packets pass from one to the other, and whether you see reply packets from your LAN clients.

Are you testing by IP address?

Bart...

Yes, I am testing by IP address.

I did a Packet Capture on all interfaces and could see the ping request.

I found out that I could ping Linux/Android LAN clients, but all Windows LAN clients were still unreachable.

After I added a Windows Firewall rule that allowed my VPN network scope (10.4.4.1-10.4.4.254), it worked.

I have used OpenVPN Server on different OSes like Ubuntu, OpenWRT and Synology, but I have never experienced needing to add a Windows Firewall rule on Windows clients to allow connections from the VPN network.

Thanks anyway for your time.
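The behaviour in the last post has a well-known cause: the built-in inbound ICMPv4 echo rule in the Windows "File and Printer Sharing" group is scoped to RemoteAddress = LocalSubnet on the Private profile, so a ping from a tunnel address (10.4.4.x) that is not on the LAN (10.1.1.0/24) is dropped even though the packet arrives, which is exactly what the packet capture showed. The following is an added PowerShell example, not code from the thread or from OPNsense, that inspects that scope and adds a rule limited to the VPN subnet rather than opening the host to everything. It assumes the thread's VPN subnet 10.4.4.0/24 and an elevated PowerShell session; the rule name is an assumption chosen here.

```powershell
# Added example (not from the thread): show why pings from the OpenVPN tunnel
# subnet are dropped on a Windows LAN client, and allow them with a narrow rule.
# Assumptions: VPN tunnel subnet 10.4.4.0/24 (from the thread); the rule name
# below is chosen here. Run in an elevated PowerShell on the Windows LAN client.

$VpnSubnet = '10.4.4.0/24'
$RuleName  = 'Allow ICMPv4 echo from OpenVPN clients (10.4.4.0/24)'

# 1. Inspect the scope of the built-in inbound ICMPv4 echo rules. On the Private
#    profile their RemoteAddress is "LocalSubnet", which 10.4.4.x does not match,
#    so the echo request is silently dropped even though it reaches the host.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.DisplayName -like '*ICMPv4*' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Add an inbound rule that permits only ICMPv4 echo requests (type 8) and only
#    from the VPN subnet. The thread's author allowed the whole VPN scope for all
#    traffic; limiting protocol and remote address keeps the exposure to what the
#    VPN actually needs. Add further per-port rules for real services rather than
#    a single "any protocol" rule.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $VpnSubnet `
        -Profile Domain, Private `
        -Action Allow `
        -Description 'ICMPv4 echo request from OpenVPN road-warrior tunnel subnet' | Out-Null
}

# 3. Verify the new rule's remote-address scope, then ping from a VPN client.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

Linux and Android hosts typically answer ICMP echo from any source by default, which is why they were reachable in the thread without any change; the OpenVPN and OPNsense configuration was already correct once the capture showed the request arriving at the Windows host.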