VPN LAN pfSense – How to Access pfSense LAN Through OpenVPN


I'm trying to access a LAN through OpenVPN.

My current setup is that I have one machine (Linux (old)) that can successfully connect to OpenVPN running on a pfSense (2.3.2) machine. Behind the pfSense machine is a LAN with a third machine attached.

The subnet used for OpenVPN clients is 10.0.8.0/24. The client I'm testing with has the IP 10.0.8.3.

The subnet used for the LAN is X.Y.Z.0/24. The machine that's on the LAN has the IP X.Y.Z.12, and it can ping its gateway, X.Y.Z.254.

So, I'd like the machine that's connected to pfSense over OpenVPN to be able to talk to the machine that's on the LAN. In the pfSense configuration for the OpenVPN server, there is an option "IPv4 Local network(s)", which implies that the VPN clients should have access to the specified subnets. I put X.Y.Z.0/24 for that option. I also added a firewall rule that allows all traffic from hosts on 10.0.8.0/24 to hosts on X.Y.Z.0/24.

The last bit of configuration I did is I manually added routing rules on the OpenVPN client, since they are not added successfully by the OpenVPN client (likely due to a version mismatch?). Following are the current (relevant) routing rules on the OpenVPN client:

$ ip route
10.0.8.1 dev tun0  scope link
X.Y.Z.0/24 via 10.0.8.1 dev tun0
10.0.8.0/24 via 10.0.8.1 dev tun0

10.0.8.1 is the gateway that the OpenVPN connection command outputs on the client, although I am unable to ping it. When multiple OpenVPN clients are connected, they can ping each other.

pfSense can ping both the OpenVPN client and the machine on the LAN.

With this configuration, I expect that trying to ping X.Y.Z.12 from my connected OpenVPN client should yield a response, but any attempt to connect fails. Trying traceroute X.Y.Z.12 outputs only stars.

I suspect that either I need to tell pfSense how to route traffic between 10.0.8.0/24 and X.Y.Z.0/24, such as with a bridge or a NAT, or that my routing table is incorrect. It's possible that there's something obvious I'm missing since I'm not very familiar with networking stuff.

Is there an error in my configuration, or is there an additional step I need to take to access the LAN from an OpenVPN client?

Best Answer

You're going down the correct path, you need a route for your local LAN. But you need a route back from your LAN machine. At the moment it only has a default route of X.Y.Z.254, so it sends all its traffic not on the local LAN there. There's 2 options:

  1. Add a route on your gateway router, if it's a half-decent after-market router you should be able to add a route to 10.0.8.0/24 pointing at your pfSense box. So any traffic going there will be directed out the OpenVPN route.
  2. If you can't add the route then for every device you will need to add a static route to the VPN clients so it knows that subnet exists through the pfSense box.

For Windows:

route add 10.0.8.0 mask 255.255.255.0 X.Y.Z.pfsense -p

^^ replace the IP on your LAN with that of the pfSense box, the -p flag is to permanently add it to the routing table

For Linux:

ip route add 10.0.8.0/24 via X.Y.Z.pfsense

^^ to persistently add it varies per Linux distro
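As an added illustration of the return-route problem the answer describes (this is not code from the question or the answer), the Python script below models the hosts involved with longest-prefix-match routing tables and traces the ping request and its reply hop by hop. All addresses are constructed: 192.0.2.0/24 stands in for the asker's X.Y.Z.0/24, 192.0.2.1 for the pfSense LAN address ("X.Y.Z.pfsense"), and 203.0.113.1 for the gateway router's upstream link; the pfSense firewall rule is not modelled. It shows the request arriving at the LAN host while the reply is forwarded to the default gateway and lost, and how either of the two fixes (a route on the gateway, or a route on the LAN host) restores the return path.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (not from the original question).
VPN_NET = "10.0.8.0/24"
LAN_NET = "192.0.2.0/24"       # stands in for X.Y.Z.0/24
VPN_CLIENT = "10.0.8.3"
VPN_SERVER = "10.0.8.1"        # pfSense tun0 address
PFSENSE_LAN = "192.0.2.1"      # stands in for X.Y.Z.pfsense
LAN_HOST = "192.0.2.12"
GATEWAY = "192.0.2.254"
UPSTREAM = "203.0.113.1"       # gateway router's WAN next hop

# A route is (prefix, next hop); next hop None means directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]


class Node:
    def __init__(self, name: str, addrs: List[str],
                 routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes: List[Route] = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match, as a kernel routing table does it."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(fix: str = "none") -> List[Node]:
    """fix: 'none', 'gateway_route' (option 1) or 'host_route' (option 2)."""
    gateway_routes = [(LAN_NET, None), ("0.0.0.0/0", UPSTREAM)]
    host_routes = [(LAN_NET, None), ("0.0.0.0/0", GATEWAY)]
    if fix == "gateway_route":
        gateway_routes.append((VPN_NET, PFSENSE_LAN))   # route on the router
    elif fix == "host_route":
        host_routes.append((VPN_NET, PFSENSE_LAN))      # ip route add ... via pfSense
    return [
        # The asker's client table: tun0 link route plus the two manual routes.
        Node("vpn-client", [VPN_CLIENT],
             [(VPN_SERVER + "/32", None), (LAN_NET, VPN_SERVER), (VPN_NET, VPN_SERVER)]),
        Node("pfsense", [VPN_SERVER, PFSENSE_LAN],
             [(VPN_NET, None), (LAN_NET, None), ("0.0.0.0/0", GATEWAY)]),
        Node("lan-host", [LAN_HOST], host_routes),
        Node("gateway", [GATEWAY], gateway_routes),
        # Upstream has no route for the private VPN subnet, so it drops.
        Node("upstream", [UPSTREAM], []),
    ]


def trace(nodes: List[Node], src: str, dst: str,
          max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow a packet from src to dst; return (status, list of nodes visited)."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    dst_ip = ipaddress.ip_address(dst)
    node = by_addr[ipaddress.ip_address(src)]
    path = [node.name]
    for _ in range(max_hops):
        if dst_ip in node.addrs:
            return "delivered", path
        route = node.lookup(dst_ip)
        if route is None:
            return f"dropped at {node.name}: no route to {dst}", path
        _, next_hop = route
        next_ip = dst_ip if next_hop is None else ipaddress.ip_address(next_hop)
        nxt = by_addr.get(next_ip)
        if nxt is None:
            return f"dropped at {node.name}: next hop {next_ip} unreachable", path
        node = nxt
        path.append(node.name)
    return "ttl exceeded (routing loop)", path


def round_trip(fix: str = "none") -> Dict[str, Tuple[str, List[str]]]:
    """Ping request from the VPN client to the LAN host, and the reply back."""
    nodes = build_topology(fix)
    return {
        "request": trace(nodes, VPN_CLIENT, LAN_HOST),
        "reply": trace(nodes, LAN_HOST, VPN_CLIENT),
    }


if __name__ == "__main__":
    for fix in ("none", "gateway_route", "host_route"):
        result = round_trip(fix)
        print(f"fix={fix}")
        for direction, (status, path) in result.items():
            print(f"  {direction:7s} {' -> '.join(path):45s} {status}")
```

With no fix the request reaches lan-host but the reply goes lan-host -> gateway -> upstream and is dropped there, which is exactly the "stars only" traceroute the asker sees. With the route on the gateway the reply travels lan-host -> gateway -> pfsense -> vpn-client; with the route on the host it goes lan-host -> pfsense -> vpn-client directly.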