No LAN Access over OpenVPN after using Wiki How-To

[daniel329]

Hi all,
I'm new to OPNSense but I'm getting the hang of it. Really an impressive piece of software.

I followed the Wiki guide located here to set up an OpenVPN Server.

After completing it I am able to make a connection but I can't access anything on the LAN and my IP Address still shows the IP address of the network my device is currently connected to. It doesn't change to the IP address of my home server.

When I ping devices on the network (MacOS Terminal) I get the response: "Request timeout for icmp_seq 0"

I've attached screenshots of my configs. Please let me know if you need anything else. Appreciate any help!

[daniel329]

One more screenshot

[marjohn56]

Confused.. what do you mean 'It doesn't change to the IP address of my home server'?

The server sits on your LAN, you are connecting from the WAN to the LAN using VPN, the server on the LAN will not change address... as I said, confused.

[daniel329]

Whoops sorry that was worded poorly. When I connect to my home via VPN my device should assume the IP address of my home internet connection. It doesn’t.

[marjohn56]

No it shouldn't, you should be able to connect to anything on your LAN, but that's done by routing. For example, say your LAN is 192.168.1.0/24. Use the wizard to create an OpenVPN INSTANCE with a subnet of 192.168.3.0/24.What that means is that any device connecting on the VPN will get an address 192.168.3.×, the Opnsense OpenVPN wizard will create a route automatically.

[daniel329]

Right - but my device should be located behind the IP address of my home internet connection. I understand this is how VPNs obscure your IP Address so services like NetFlix can be accessed. Right now my IP address is staying the same. This is wrong no?

[marjohn56]

It will be. If you  look at it as if you have two LAN segments. One is your normal LAN, the other is the VPN 'LAN'.

What happens is, that your OpenVPN client connects to your WAN, any request that the client sends to the Internet will be routed via the VPN, that is provided you have set the client to force all traffic through the VPN connection - Thus as far as the target system is concerned, i.e. Netfix etc, that request is seen coming from your the WAN address of the VPN server. The only catch with this is that it does not work with Sky U.K. for thier 'Q' systems. If you don't use it I won't explain why.

[daniel329]

Correct. But that's the problem. Right now when I connect to my VPN (successful connection through Viscosity) my WAN IP does not change to the WAN IP of the VPN Server. It stays the same as the point I am connecting from. I also can't access any devices on the network I am connecting to.

[marjohn56]

It will stay the same as the WAN IP your connecting from, For example, say I'm in a hotel, Wifi gives me a local address of 10.10.10.123, my home VPN network, as explained earlier is 192.168.3.0. My Laptop WAN address, even when connected will stay at 10.10.10.123, only the VPN endpoint in the software will show an address in the 192.168.3.* range. If my WAN address changed, no  traffic would be able to route through the hotel network.


What is your LAN net range, and what is your VPN net range?

[daniel329]

LAN IP is 192.168.1.1/24 and VPN is 10.0.0.0/24

[daniel329]

It will stay the same as the WAN IP your connecting from, For example, say I'm in a hotel, Wifi gives me a local address of 10.10.10.123, my home VPN network, as explained earlier is 192.168.3.0. My Laptop WAN address, even when connected will stay at 10.10.10.123, only the VPN endpoint in the software will show an address in the 192.168.3.* range. If my WAN address changed, no  traffic would be able to route through the hotel network.


What is your LAN net range, and what is your VPN net range?

I think what confuses me about this is if I use a service, say Private Internet Access, the WAN IP address of my device is obscured so sites think it's coming from a different location than it is. I guess this isn't the case with OpenVPN? When I run an IP check on various sites it hasn't changed when connecting through my VPN.

[marjohn56]

No, your right it won't OpenVPN is a tunnel between your device out in the field and your home network. If you get a VPN connection, then sites will see your address as your home WAN address, that's providing you have set the VPN to route ALL traffic through the VPN tunnel. If you want to mask your address, then use something like Tunnel Bear.

[daniel329]

Right. But regardless I’m still unable to access anything on the network. If I set viscosity to force all traffic through the VPN (so I can watch Netflix abroad) I lose access to the internet completely.

[marjohn56]

If you get a connection, check your VPN logs, here's mine from a connection from my mobile phone, BTW I use the official OpenVPN client, it's free and it works.


openvpn[53611]: martin/89.194.161.62:43857 MULTI_sva: pool returned IPv4=192.168.4.6, IPv6=(Not enabled)


The 89.*.*.* address is my mobile phone WAN address, the 192.168.4.6 is the VPN endpoint address of the same phone.

[marjohn56]

OK, so it's likely there's an issue with the firewall entries.


Did you use the wizard to create the VPN?