Make a couple of OpenVPN client hosts accessible from the OpenVPN server LAN
Hi everyone, I'm trying to make a couple of OpenVPN client hosts accessible from the OpenVPN server LAN, but I'm missing a rule, of course.
The OpenVPN server is running on a pfSense.
The client is running on a MikroTik.
I'm struggling to set the right rule to reach the bridge interface network of the MikroTik.
Anyway, I can ping the openvpn-out1 IP from pfSense with no issue.
I know that's just a couple of bits of info...
24 Replies
I'm not entirely sure of your network architecture, but you may need to set up a static route between the two.
So, you're saying LAN, meaning it's all locally routed, right? It doesn't go out over the internet?
Not directly connected to the internet... Basically, I think I have to set a rule in pfSense telling it that the traffic destined for that IP must go into the OpenVPN server and should be redirected to the client and then to the final OpenVPN client network... hehe, I'll draw something with some minus signs and a couple of ><, that's better.
I set a couple of static routes in the client, that's the MikroTik.
Yeah, you'll definitely need to draw that out for me, lol. It almost sounds like it's being overcomplicated, but I'm not entirely sure. You may need to do some level of port forwarding. It's been a minute since I've used a pfSense FW, so I don't remember specifically how to do that, but @DirtyJ has one and might be able to help if you can't figure out that specific part.
But by default, it's going to reach out over its known port, so if that's getting blocked, the routing may be fine but the port traffic may be getting blocked.
What port?
So, I just saw that diagram and I think you may be overcomplicating this. What you can do is set up a point-to-point VPN between your two edge firewalls.
Let's say you have site A with a private range of 192.168.0.1/24 and site B with a private range of 192.168.1.1/24. Notice how they're different subnets. That's important, as you're gonna have a bad time if you have two identical LANs.
Both site A and B will negotiate the site-to-site connection and maintain the connection. If you're at site A and you try to connect to 192.168.1.5, it'll hit the edge router, and it will know "alright, I have a point-to-point (p2p) connection with a route over that tunnel to reach 192.168.1.5" and it will forward the traffic. With this setup, the individual clients on your LAN don't need the OpenVPN client because you've got a persistent p2p connection going.
Now, that leads me to OpenVPN. If you're able to, I recommend WireGuard. It's faster and just overall better than OpenVPN.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-psk.html This is technically deprecated, but you can get the general gist of things.
If you're not familiar with certificates, you might wanna go the PSK route.
Everything is already set up... I just cannot ping the LAN2 of the diagram.
From the server, of course.
I'd do a pcap and see where it is failing, tbh. Probably the best way to narrow it down.
source: pinging machine's IP
service/protocol: ICMP
Totally wasn't asleep @weet :P
Can't think of any other obvious things outside of the example you gave. Pcap should get you headed in the right direction.
Would you configure a static route in my pfSense in order to forward the packets to the OpenVPN server interface? I still haven't succeeded in doing that. But for me it's pretty obvious that the PCs in the LAN behind the pfSense have the pfSense as gateway and then reach the internet through the router.
I think you'd need to, yeah.
I know I need to on FortiGates. I have to make a static route that says "if you're trying to reach x network, go out over this interface".
I added `push route "LANipofclient subnetmask"` in the custom options of my pfSense OpenVPN server, then I opened Wireshark after installing npcap and pinged some host on the client network. It seems the client is trying to send back an ICMP packet.
Ahh, so it's at least reaching it. You need to have the same rules in reverse, basically, so maybe that's where the problem lies?
I wish you had some FortiGates, they're so much easier, in my experience
And they look cool
It says "Destination unreachable (port unreachable)".
You may need to allow the ICMP protocol through in the firewall(s)
But also ICMP doesn't run over any ports
I also see a packet from the external IP of the client trying to reach the host I used for pinging.
Shouldn't that work inside the tunnel, so that I don't need any other firewall rule?
In that case I read "network unreachable".
Should I configure any firewall on the client side? I found a nice diagram about OpenVPN flow.
Probably so, yeah
Any news? I'm ready for some serious tests.
I'm still confused, news on what? And what tests?
You should see the entire conversation here, am I right?
Yes, I see it, but I'm confused as to what news you're waiting for.
I think I'm missing some routes.
I mean, sure, probably, but it's kind of hard to help here when I can't see your configuration, lol. Your routes should basically say "if you're trying to get to this subnet, go over this interface".
We must do some tests to troubleshoot the issue... for example: I'm on the private LAN behind my OpenVPN server, which is on my pfSense... I want to ping from the LAN the network my MikroTik is giving to the clients on the other side...
I can do it the other way instead... without any issue.
We have to check the routing options... because pfSense must know, if a host is trying to reach the network of the client on the other side, that it should reach it through the OpenVPN server virtual adapter...
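As an added example that is not part of the thread, here are the OpenVPN server-side directives that make a subnet sitting behind one client reachable from the server LAN. The addressing is assumed (server LAN 192.168.0.0/24, client-side LAN 192.168.1.0/24, tunnel 10.8.0.0/24, client certificate CN `mikrotik-site-b`); the pfSense field names in the comments are where the pfSense GUI generates each directive. Note the division of labour: `push "route ..."` only hands the client a route toward the server LAN, while `route` installs the kernel route on the server and `iroute` tells the OpenVPN process which connected client owns that subnet. Without the `iroute`, the server has a kernel route into the tun interface but the OpenVPN daemon does not know which client to forward the packet to and drops it.

```conf
# Added example (not from the thread): server-side OpenVPN routing for a LAN behind one client.
# Assumed addressing: server LAN 192.168.0.0/24, client-side LAN 192.168.1.0/24,
# tunnel 10.8.0.0/24, client certificate CN "mikrotik-site-b".

# --- server.conf (pfSense: VPN > OpenVPN > Servers) ---
server 10.8.0.0 255.255.255.0            # tunnel network (pfSense: "IPv4 Tunnel Network")
push "route 192.168.0.0 255.255.255.0"   # clients learn the route to the server LAN
                                         # (pfSense: "IPv4 Local network(s)")
route 192.168.1.0 255.255.255.0          # kernel route on the server: client LAN via the tun interface
                                         # (pfSense: "IPv4 Remote network(s)")
client-config-dir ccd                    # enable per-client overrides
                                         # (pfSense: VPN > OpenVPN > Client Specific Overrides)

# --- ccd/mikrotik-site-b (one file per client, named after the client certificate CN) ---
iroute 192.168.1.0 255.255.255.0         # internal route: this client owns 192.168.1.0/24
                                         # (pfSense override: "IPv4 Remote Network(s)")
```

With both `route` and `iroute` in place, a LAN host pinging 192.168.1.x is routed by pfSense into the OpenVPN interface and the daemon forwards it to the MikroTik; the reply comes back through the same tunnel and matches the existing firewall state, so no extra rule is needed on the pfSense side for server-initiated traffic (traffic initiated from the client side does need an allow rule on the pfSense OpenVPN interface tab). On the RouterOS side the corresponding pieces are a static route to 192.168.0.0/24 via the OpenVPN client interface (the thread says these are already set) and a firewall filter rule permitting forwarded traffic from that interface to the bridge; if those are missing, the capture will show exactly the "network unreachable" or "port unreachable" replies described above.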