Client can connect to tunnel, but no LAN access

Moderators: TinCanTech

vanarathion
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 28, 2022 6:56 pm

Post by vanarathion » Fri Jan 28, 2022 10:55 pm

Hello all, first time poster. I've seen several topics similar to mine on this forum, however nothing has helped me.

I'm trying to get OpenVPN working in a virtual environment (as a proof of concept for a production environment). I also have a real lab set up for testing as well. Both labs are giving me the same symptoms now. The frustrating thing is that both of these labs worked once (I was able to ping a box on the LAN from the client), and then I've never been able to get it to work again.

This is my setup:

2 Windows 10 VMs (CLIENT and WINDOWS)
2 pfSense firewalls (FIREWALL and FW02, pfSense version 2.5.2-RELEASE)
All networks are /24.

CLIENT - 192.168.100.40
FW02 - LAN: 192.168.100.20 / WAN: 192.168.175.200

FIREWALL - LAN: 192.168.146.10 / WAN 192.168.175.100
WINDOWS - 192.168.146.40

Goal: Install/run OpenVPN GUI on CLIENT and be able to ping WINDOWS.

The test that I run is that I connect to the VPN on CLIENT (using GUI as my users will be doing), and then run a cmd prompt and try to ping WINDOWS (192.168.146.40). The end goal is that my users can turn on the VPN and enter an IP/DNS in their Chrome browser and be able to access the GUI for something like a NAS on the 192.168.146.0/24 network.

With OpenVPN connected, from CLIENT I can successfully ping the FIREWALL WAN/LAN, and the VPN tunnel gateway (in my case, 192.168.123.1).
The networking between all the devices is (I believe) correct. Both firewalls can ping each other's WAN, and my Windows boxes can ping their own firewall's WAN and LAN. (While the OpenVPN is connected, I did notice CLIENT can't ping FW02's WAN.)

Also, I will note that I am using the Wizard in pfSense to set up the server, and then go back in and change my setting to "User Auth-only" instead of "SSL/TLS + User Auth". I can post pics of the server settings as well if needed. I am also using the "openvpn-client-export" (v1.6_2) package in pfSense to run the .exe on the CLIENT to install/config OpenVPN. My certificate authority and certificates are just made by me (self-signed?), I just made them in pfSense, not using GoDaddy/LetsEncrypt/etc.

OpenVPN config file on CLIENT:

CLIENT config

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 192.168.175.100 5698 tcp4
auth-user-pass
ca FIREWALL-TCP4-5698-ca.crt
tls-auth FIREWALL-TCP4-5698-tls.key 1
remote-cert-tls server




Log from CLIENT (right click in tray and hit View log):
CLIENT log
2022-01-28 13:59:55 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
2022-01-28 13:59:55 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-28 13:59:55 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
2022-01-28 13:59:58 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 Attempting to establish TCP connection with [AF_INET]192.168.175.100:5698 [nonblock]
2022-01-28 13:59:58 TCP connection established with [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 TCPv4_CLIENT link local: (not bound)
2022-01-28 13:59:58 TCPv4_CLIENT link remote: [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 [VPNcertSERV] Peer Connection Initiated with [AF_INET]192.168.175.100:5698
2022-01-28 13:59:58 open_tun
2022-01-28 13:59:58 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-01-28 13:59:58 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.123.0/192.168.123.2/255.255.255.0 [SUCCEEDED]
2022-01-28 13:59:58 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.123.2/255.255.255.0 on interface {5713925F-46BF-4277-9015-0AA440B6E486} [DHCP-serv: 192.168.123.254, lease-time: 31536000]
2022-01-28 13:59:58 Successful ARP Flush on interface [16] {5713925F-46BF-4277-9015-0AA440B6E486}
2022-01-28 13:59:58 IPv4 MTU set to 1500 on interface 16 using service
2022-01-28 14:00:03 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-28 14:00:03 Initialization Sequence Completed


Log from the FIREWALL for the most recent connection:
FIREWALL log
Jan 28 07:59:57 openvpn 45186 VPNuser/192.168.175.200:55830 MULTI_sva: pool returned IPv4=192.168.123.2, IPv6=(Not enabled)
Jan 28 07:59:57 openvpn 13252 user 'VPNuser' authenticated
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 [VPNuser] Peer Connection Initiated with [AF_INET]192.168.175.200:55830
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_GUI_VER=OpenVPN_GUI_11
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_TCPNL=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_COMP_STUBv2=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_COMP_STUB=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZO=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZ4v2=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_LZ4=1
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_NCP=2
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_PROTO=6
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_PLAT=win
Jan 28 07:59:56 openvpn 45186 192.168.175.200:55830 peer info: IV_VER=2.5.2
Jan 28 07:59:56 openvpn 45186 TCP connection established with [AF_INET]192.168.175.200:55830
Jan 28 07:59:39 openvpn 45186 VPNuser/192.168.175.200:47254 Connection reset, restarting [-1]


And the FIREWALL OpenVPN config (/var/etc/openvpn/server1/config.ovpn):
FIREWALL config
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.175.100
tls-server
server 192.168.123.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 5698
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPNcertSERV' 1"
lport 5698
management /var/etc/openvpn/server1/sock unix
max-clients 3
push "redirect-gateway def1"
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet



When I go to Status > OpenVPN in pfSense, here is the established connection:


Common Name: VPNuser VPNuser
Real Address: 192.168.175.200:55830
Virtual Address: 192.168.123.2
Connected Since: XXXXXXXXXXXXXXX
Bytes Sent: 16 KiB
Bytes Received: 22KiB
Cipher: AES-256-GCM
And on that same page, I click "Show Routing Table":


Common Name: VPNuser
Real Address: 192.168.175.200:55830
Target Network: 192.168.123.2
Last Used: XXXXXXXXXXXXXXXXXX
I also noticed that when I revealed the routing table above, it also displays this: "An IP address followed by C indicates a host currently connected through the VPN." So this doesn't seem right, I think I should see a C? I am clearly on the VPN tunnel, seeing as I can ping the tunnel gateway IP, but this seems to think I am not connected?

Thank you to anyone who attempts to help!! Have been banging my head on this. :lol:

Edit: Getting my config/log tags to work

Edit: Based on https://openvpn.net/community-resources ... er-subnet/, I tried changing the PUSH statement in the FIREWALL config to "route 192.168.146.0 255.255.255.0", but this did not seem to work, my test pinging to WINDOWS still failed.

Perhaps I need to do this? https://openvpn.net/community-resources ... ux-server/

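Added example, not part of the thread and not pfSense or OpenVPN code: a small Python linter that reads the server config and client log as posted above and works through the first questions of the client-LAN-access sequence. It reports the tunnel subnet and whether the client really got an address from that pool, whether the client is told how to reach the target LAN at all (a pushed "route" for that LAN, or "redirect-gateway", which sends everything except the client's own subnet and the VPN server address into the tunnel, so it also accounts for CLIENT losing FW02's WAN address while connected), and which server-side items are left to check once client routing is known to be fine. It also flags what "verify-client-cert none" means for the exported client bundle. TARGET_LAN, the trimmed SERVER_CONFIG and CLIENT_LOG strings, and the keys of the lint() report are the example's own choices; it parses text only and makes no network calls.

```python
"""Lint an OpenVPN 2.5 tun server config + Windows client log for LAN reachability."""
import ipaddress
import re
import shlex

# Constructed sample input: the server config from the post, trimmed to the
# directives the checks below look at (values unchanged).
SERVER_CONFIG = """\
dev ovpns1
dev-type tun
proto tcp4-server
local 192.168.175.100
tls-server
server 192.168.123.0 255.255.255.0
verify-client-cert none
username-as-common-name
lport 5698
push "redirect-gateway def1"
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
topology subnet
"""

# Constructed sample input: the routing-relevant lines of the client log.
CLIENT_LOG = """\
2022-01-28 13:59:58 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.123.0/192.168.123.2/255.255.255.0 [SUCCEEDED]
2022-01-28 14:00:03 Initialization Sequence Completed
"""

TARGET_LAN = ipaddress.IPv4Network("192.168.146.0/24")  # the poster's WINDOWS network


def parse_config(text):
    """Return [(option, [args])]; push "route a b" becomes ('push', ['route', 'a', 'b'])."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)
        if words[0] == "push" and len(words) == 2:
            words = ["push"] + shlex.split(words[1])  # unwrap the quoted pushed option
        opts.append((words[0], words[1:]))
    return opts


def tunnel_subnet(opts):
    """The pool handed to clients, from the 'server network netmask' directive."""
    for name, args in opts:
        if name == "server" and len(args) >= 2:
            return ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
    raise ValueError("no 'server' directive: not a tun server config")


def pushed_routes(opts):
    routes = []
    for name, args in opts:
        if name == "push" and args[:1] == ["route"] and len(args) >= 2:
            mask = args[2] if len(args) >= 3 else "255.255.255.255"
            routes.append(ipaddress.IPv4Network(f"{args[1]}/{mask}", strict=False))
    return routes


def redirects_gateway(opts):
    return any(n == "push" and a[:1] == ["redirect-gateway"] for n, a in opts)


def client_routing_verdict(opts, lan):
    """How the client will route packets for `lan` once it applies the pushed options."""
    if any(lan.subnet_of(r) for r in pushed_routes(opts)):
        return "route-pushed"
    if redirects_gateway(opts):
        return "redirect-gateway"  # default route into the tunnel covers the LAN too
    return "no-route"


_TUN_LINE = re.compile(r"TUN subnet mode network/local/netmask = (\S+)/(\S+)/(\S+)")


def client_tun_address(log):
    """(address, subnet) the Windows client set on its TAP adapter, or None."""
    m = _TUN_LINE.search(log)
    if not m:
        return None
    net, addr, mask = m.groups()
    return ipaddress.IPv4Address(addr), ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def security_findings(opts):
    names = {n for n, _ in opts}
    findings = []
    if ("verify-client-cert", ["none"]) in opts:
        findings.append("verify-client-cert none: no per-client certificate is checked; the CA "
                        "file, the tls-auth key and one valid password are enough to connect, "
                        "so a lost client bundle is handled by changing passwords, not by revocation")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: anyone who can reach the port can start a TLS handshake")
    return findings


def lint(config_text, log_text, lan):
    opts = parse_config(config_text)
    tun = tunnel_subnet(opts)
    got = client_tun_address(log_text)
    report = {
        "tunnel_subnet": str(tun),
        "client_address": str(got[0]) if got else None,
        "client_in_pool": bool(got and got[0] in tun and got[1] == tun),
        "client_routing": client_routing_verdict(opts, lan),
        "security": security_findings(opts),
        "next_checks": [],
    }
    if report["client_routing"] == "no-route":
        report["next_checks"].append(f'push "route {lan.network_address} {lan.netmask}"')
    else:  # client routing is settled; the remaining suspects are on the server side
        report["next_checks"] += [
            f"firewall rule on the OpenVPN interface allowing {tun} -> {lan}",
            f"hosts in {lan} must route {tun} back via the firewall LAN address, or the firewall must NAT {tun}",
            f"host firewall on the {lan} target must accept traffic from {tun} "
            "(Windows default inbound rules are often scoped to the local subnet)",
        ]
    return report
```

Run lint(SERVER_CONFIG, CLIENT_LOG, TARGET_LAN) on the posted config and the verdict is "redirect-gateway": the client already has a route to 192.168.146.0/24, so swapping the push for a "route" line (as tried in the edit) changes nothing about reachability, and the next items to check are the pfSense rules on the OpenVPN interface, the return path from the LAN, and the Windows host firewall on the target.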
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Client can connect to tunnel, but no LAN access

Post by openvpn_inc » Sat Jan 29, 2022 1:13 am

Hi, it's late and I don't have time to digest all of this, but this might help:

Client LAN Access troubleshooting flowchart

Oh, and you definitely DO NOT want tap/bridging.

hth, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

vanarathion
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 28, 2022 6:56 pm

Re: Client can connect to tunnel, but no LAN access

Post by vanarathion » Mon Jan 31, 2022 2:50 pm

Thank you for the reply rob0! I will step through the flow chart and see how it goes.
