Ubuntu – Can’t connect to Ubuntu server on LAN from pfSense VPN

networking, openvpn, pfsense, Ubuntu

Quick summary

pfSense server is connected to the WAN and LAN. This box also has an OpenVPN server running.

  • The LAN clients use 192.168.20.0/24
  • OpenVPN clients use 192.168.30.0/24

On the LAN I have two servers, one running Ubuntu (15.10) and one running OS X (10.11 with Server).

  • OS X server is at 192.168.20.10 (static DHCP assignment)
  • Ubuntu server is at 192.168.20.12 (static DHCP assignment)

Problem

When connected via the VPN, I can ping, traceroute and generally access the OS X server fine. However, the Ubuntu server just times out (no ping, and the traceroute stops at 192.168.30.1).

I've confirmed this problem using both ping and traceroute tools from pfSense as well. I can hit both servers with a LAN source, but only OS X with an OpenVPN source.

This led me to believe it's an issue with Ubuntu, so I temporarily disabled UFW and enabled IP forwarding. Didn't fix it (not that I expected either of those to work, but I'm grasping at straws at this point).

More details about the VPN setup

Tunnel settings

  • IPv4 Tunnel Network = 192.168.30.0/24
  • Redirect Gateway = TRUE
  • IPv4 Local network(s) = 192.168.20.0/24
  • Type-of-Service = FALSE
  • Duplicate Connection = FALSE

Client settings

  • Dynamic IP = FALSE
  • DNS Default Domain = TRUE, internal
  • DNS Server enable = TRUE, 192.168.20.1 (pfSense address, which is running the DHCP server and DNSMasq)

Conclusion

The part I can't wrap my head around is why it works for one server, but not the other. I suspect something is wrong with the Ubuntu setup, but I can't put my finger on what. Any thoughts on what I'm missing here, or where I should be looking?

Update 1

I've also made sure that unbound on the pfSense box explicitly allows DNS traffic between 192.168.30.0/24 and 192.168.20.0/24. I've also confirmed the firewall and gateway rules allow traffic between these two subnets. Still can't access the Ubuntu server from the VPN either directly by IP or via a domain lookup. However, both methods work for the OS X box.

Update 2

I've found that I can ping the OpenVPN gateway 192.168.30.1 from OS X; however, it times out from Ubuntu. I suspect this means there's something wrong with the routing table on the Ubuntu side, because it doesn't appear to be communicating with the VPN subnet the way OS X is.

Update 3

After more hours than I care to admit, I found the solution. I was missing the bloody route to the VPN subnet (I assume OS X just falls back to the main gateway when in doubt or something, which is why I didn't have to add a route there).

So, this fixed everything from the Ubuntu server side.

sudo ip route add 192.168.30.0/24 via 192.168.20.1

Once that was fixed, everything worked like a charm. Many thanks to this issue as well for pointing me the right direction.
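The routing-table side of this, as an added example that is not part of the original post: a small POSIX shell/awk longest-prefix lookup run over constructed `ip route` listings. The tables below are assumptions written for the example, not output captured from the poster's machines. The "before" table for the Ubuntu host deliberately has no default route and no route to 192.168.30.0/24 (the post only says the VPN route was missing; the absence of a default route is this example's assumption), while the OS X table is given a default route via pfSense and is written in `ip route` syntax purely so the same lookup can read it. The lookup shows why replies to a VPN client have no next hop on one host and do on the other, and prints the exact `ip route add` command the post used when a table does not cover the VPN subnet.

```shell
#!/bin/sh
# Longest-prefix route lookup over an `ip route` listing read from stdin.
# Prints the next hop for DEST ("on-link <dev>" for a connected route),
# or UNREACHABLE if no line covers it. Pure POSIX sh + awk, no root needed.
route_lookup() {
    awk -v dest="$1" '
    function ip2int(s,    a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # Prefix length of the first field: "default" is /0, a bare host is /32.
    function plen(cidr,    p) {
        if (cidr == "default") return 0
        return (split(cidr, p, "/") == 2) ? p[2] + 0 : 32
    }
    # 1 if the integer address ip lies inside the prefix cidr.
    function covers(cidr, ip,    p, net, len, shift) {
        if (cidr == "default") return 1
        len = plen(cidr); split(cidr, p, "/"); net = ip2int(p[1])
        if (len == 0) return 1
        shift = 2 ^ (32 - len)               # integer division drops the host bits
        return int(net / shift) == int(ip / shift)
    }
    BEGIN { d = ip2int(dest); best = -1; hop = "" }
    NF == 0 { next }
    {
        if (!covers($1, d)) next
        if (plen($1) > best) {               # keep the most specific match
            best = plen($1); hop = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "via") { hop = $(i + 1); break }
                if ($i == "dev") hop = "on-link " $(i + 1)
            }
        }
    }
    END { print ((best < 0) ? "UNREACHABLE" : hop) }
    '
}

# next_hop_for TABLE DEST
next_hop_for() { printf '%s\n' "$1" | route_lookup "$2"; }

# vpn_route_fix TABLE VPN_CLIENT_IP VPN_SUBNET LAN_GATEWAY
# Prints the route command a host needs if its table cannot reach the VPN client.
vpn_route_fix() {
    hop=$(next_hop_for "$1" "$2")
    if [ "$hop" = "UNREACHABLE" ]; then
        echo "sudo ip route add $3 via $4"
    else
        echo "ok: $2 reachable via $hop"
    fi
}

# Constructed (assumed) table for the Ubuntu server before the fix:
# only the connected LAN route, no default route, nothing for 192.168.30.0/24.
UBUNTU_BEFORE='192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.12'

# Same host after `sudo ip route add 192.168.30.0/24 via 192.168.20.1`.
UBUNTU_AFTER="$UBUNTU_BEFORE
192.168.30.0/24 via 192.168.20.1 dev eth0"

# Constructed table for the OS X box, in ip-route syntax for the lookup:
# its default route via pfSense already covers the VPN subnet.
OSX_TABLE='default via 192.168.20.1 dev en0
192.168.20.0/24 dev en0 scope link src 192.168.20.10'

# Stand-alone demonstration: a VPN client at 192.168.30.5 (constructed).
echo "Ubuntu before: $(vpn_route_fix "$UBUNTU_BEFORE" 192.168.30.5 192.168.30.0/24 192.168.20.1)"
echo "Ubuntu after:  $(vpn_route_fix "$UBUNTU_AFTER"  192.168.30.5 192.168.30.0/24 192.168.20.1)"
echo "OS X:          $(vpn_route_fix "$OSX_TABLE"     192.168.30.5 192.168.30.0/24 192.168.20.1)"
```

On a real host the one-line equivalent of this lookup is `ip route get 192.168.30.1`, which either prints the next hop or reports that the network is unreachable. Note that a route added with `ip route add` is gone after a reboot; on an ifupdown-based Ubuntu such as 15.10 the usual way to keep it is a `post-up ip route add 192.168.30.0/24 via 192.168.20.1` line in the eth0 stanza of /etc/network/interfaces (or, simpler still, give the host a default route via 192.168.20.1 if it should have one).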

Best Answer

Make sure that your rules permit it. You probably have a rule either on the incoming (WAN) or outgoing (LAN) interface that restricts the traffic.