OpenVPN: VPN clients no access to LAN network

Started by MrCCL, July 29, 2016, 10:03:12 PM

I've followed the guide "Setup SSL VPN Road Warrior" but my VPN client doesn't have access to the LAN network.
Well, it does have access to the router's LAN interface, which is on the LAN network of course.

I did have the exact same problem using OpenVPN on OpenWRT...to make it work I had to create a so called "Source NAT" rule.
Do I need something similar in OPNsense?

Can someone confirm that using the above guide will work in regards to access to the LAN network, or do I need some additional configuration? I'm surprised to see the guide does not enable "topology subnet"...I thought that was necessary to get LAN network access.

The VPN client does get a route to the LAN network from the VPN server.

Route table from VPN client (Win 7):

Network Destination        Netmask          Gateway       Interface  Metric
         10.0.0.0    255.255.255.0      192.168.2.1      192.168.2.2     20
         10.0.1.0    255.255.255.0         On-link          10.0.1.2    266
         10.0.1.2  255.255.255.255         On-link          10.0.1.2    266
       10.0.1.255  255.255.255.255         On-link          10.0.1.2    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
      192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
    192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.1.2    266
        224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.1.2    266
  255.255.255.255  255.255.255.255         On-link       192.168.2.2    276


My networks:

Local LAN network:    10.0.0.0/24       (router's LAN 10.0.0.15)
VPN network:          192.168.2.0/24    (router's TUN 192.168.2.1 / VPN client 192.168.2.2)
WAN network:          10.0.1.0/24       (router's WAN 10.0.1.1 / VPN client 10.0.1.2)


July 30, 2016, 08:44:57 AM #1 Last Edit: July 30, 2016, 05:38:16 PM by MrCCL
One solution seems to be to create an outbound NAT rule...see attachment.

But I have some strange behaviour in regards to pinging from both sides.
If I first ping from the VPN client to a host on the LAN network (it works), then I cannot ping from the LAN network to the VPN client. Only if I wait some time.
And when I ping from LAN to VPN (and it works), then I cannot ping from VPN to LAN, until I wait some time.
But no matter what, I can access the network share on the LAN network from VPN all the time.
How can I optimize this?

This sounds a bit similar to the issue I'm having, though I'm trying to do a site-site connection.  Client-side the network can see and ping everything server side, but server side can't see or ping anything client side.

The weird thing is that I can't even ping the virtual/tunnel addresses from the server side. I'll stick it on its own thread, but I'll also keep watching yours!

Okay....sometimes it helps to think "out-of-box" and use what's left of your brain!
Everything works perfectly out-of-the-box....why I had problems was because I forgot I only allowed my local LAN client to answer ping and SMB-share packets from the local subnet in the Windows firewall.
And when I ping from the VPN client, which is located on another subnet, it didn't get any reply.

Dammit! I wasted a lot of time because I thought it was related to the OpenVPN configuration :-(
Forget everything I wrote in this thread :-P
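Two points in this thread are worth checking mechanically before touching the OpenVPN config: whether the client's route table actually sends LAN-bound traffic into the tunnel (the table in the first post), and whether the LAN host's firewall scope even admits a peer from the VPN subnet (the final post). The script below is an added example, not code from the thread or from OPNsense. It parses a Windows `route print` style table (the lines are copied from the first post), does a longest-prefix lookup with Windows' lowest-metric tie-break, and models the Windows Firewall "Local subnet" remote-address scope. The host and peer addresses passed to the scope check are constructed for illustration.

```python
"""Added example (not from the forum thread): parse a Windows `route print`
table, resolve which route a packet takes, and check whether a peer falls
inside a host firewall's "Local subnet" scope.
Route lines are copied from the first post; other addresses are constructed."""
import ipaddress
import re

# Constructed input: the IPv4 route table from the first post (trimmed).
ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
         10.0.0.0    255.255.255.0      192.168.2.1      192.168.2.2     20
         10.0.1.0    255.255.255.0         On-link          10.0.1.2    266
         10.0.1.2  255.255.255.255         On-link          10.0.1.2    266
       10.0.1.255  255.255.255.255         On-link          10.0.1.2    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
      192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
"""

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples.
    gateway is None for On-link routes (directly connected)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not IPV4.match(parts[0]):
            continue  # header, blank or unrelated line
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None  # no matching route and no default route in the table
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, dst):
    """Return (next_hop, interface) as strings, or None if unroutable."""
    r = lookup(routes, dst)
    if r is None:
        return None
    _net, gateway, iface, _metric = r
    hop = str(gateway) if gateway is not None else "on-link"
    return hop, str(iface)


def in_local_subnet_scope(host_addr, host_prefixlen, peer):
    """Model the Windows Firewall 'Local subnet' remote-address scope: a rule
    with that scope only matches peers on the host interface's own subnet."""
    host_net = ipaddress.IPv4Network(f"{host_addr}/{host_prefixlen}", strict=False)
    return ipaddress.IPv4Address(peer) in host_net


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # A LAN host behind the router: pushed route sends it via the tunnel gateway.
    print("10.0.0.20 ->", next_hop(routes, "10.0.0.20"))
    # Constructed LAN host 10.0.0.20/24 receiving a ping from the VPN client.
    print("peer 192.168.2.2 in LocalSubnet scope:",
          in_local_subnet_scope("10.0.0.20", 24, "192.168.2.2"))
```

Run as a script it shows that the client routes 10.0.0.x traffic through 192.168.2.1 on the tunnel interface, so routing is not the blocker; and that a LAN host firewall rule scoped to "Local subnet" will never match 192.168.2.2, which is exactly the symptom in the last post. Widening such a rule to include the VPN subnet (or scoping it to the specific tunnel range rather than "Any") is the fix that keeps least privilege.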