Can connect to OpenVPN from the web, can't access home LAN.

Joey S

Dabbler
Joined
Nov 29, 2015
Messages
16
I set up OpenVPN following this guide: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/

I am able to connect to the VPN from my iphone, but I cannot access any of the hosts on my home local network. I tried to ping some of the IPs on my home LAN but got no response. I bet I screwed something up in one of the config files but I can't figure out what. I've compared everything to the guide many times and just can't seem to find what I did wrong. Can anyone look at my config and offer any help?

I'll try to post all relevant info.
On my home network:
FreeNAS box: 10.0.0.38/24
Gateway: 10.0.0.1
OpenVPN Jail: 10.0.0.5/24

Here is my openvpn.conf file:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.5 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nogroup
user nobody
comp-lzo
persist-key
persist-tun
verb 3


Here is /usr/local/etc/ipfw.rules from within the openvpn jail:
Code:
#!/bin/sh

# Find the jail's epair interface (the side facing the home LAN)
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
# NAT traffic from the VPN client subnet (10.8.0.0/24) to the jail's LAN address
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename the cloned tun interface to tun0 so "dev tun" in openvpn.conf attaches to it
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


Here is /etc/rc.conf from within the openvpn jail:
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


ipfw list from within the openvpn jail:
Code:
00100 nat 1 ip from 10.8.0.0/24 to any out via epair3b
00200 nat 1 ip from any to any in via epair3b
65535 allow ip from any to any


sockstat -4 -l from within the openvpn jail:
Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
nobody   openvpn    25284 6  udp4   *:10011               *:*
root     syslogd    25252 7  udp4   *:514                 *:*


work-vpn.ovpn file:
Code:
client
dev tun
proto udp6
remote <myurl> 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <cert>.crt
key <key>.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3


And finally a screenshot from my phone:
 
Joined
Apr 9, 2015
Messages
1,258
The simple answer here is to change the VPN server location's IP address range to something other than 10.0.0.0/24.

The long answer is:

I am going to make a couple of guesses here. First off, you're on Comcast at the VPN server location and you're also going to someplace that has Comcast to check the connection. Both places have a 10.0.0.x IP address range.

You need to change your VPN server location's IP address range to something OTHER than a default range that every other location uses. So set your home range to a 10.x.x.x range other than 10.0.0.x, a 172.16.x.x or a 192.168.x.x range: https://en.wikipedia.org/wiki/Private_network

What is happening is that the server you are trying to connect to is a 10.0.0.x number and your remote device has a 10.0.0.x IP address. Even though you are connected to a VPN, the device sees your current local network as the one it should be searching and fails to send traffic for a 10.0.0.x network over the connection. If you pick a different network IP address set like 10.2.8.x with a VPN of 10.8.0.0 and are on a 10.0.0.x network in the remote location, any traffic that needs to go to the 10.2.8.x range will be passed over the VPN while any traffic that should be on the 10.0.0.x range will stay on the local network.

By the way, the most common default networks are 192.168.0.1 and 192.168.1.1, and Comcast started using 10.0.0.0. I know this as my father is out that way and I have to try and walk him through changing his net over so VPN connections will not come up with issues if I am traveling and need to look at something.
 

Joey S

Dabbler
Joined
Nov 29, 2015
Messages
16
@nightshade00013

Thanks for your reply. I did what you suggested. First I changed the IP range for my gateway/router, I updated the openvpn.conf, I updated the jails' IP addresses, and I changed the port forwarding on the router. Unfortunately that did not resolve the issue. I was still able to connect to the VPN using my iPhone, but I could not access any of the stuff on my local network.

I don't believe that the IP address issue you were referring to was the problem. When I had originally tested the configuration, before making these recent changes, my iPhone was on AT&T's cellular network. I verified the IP address of the phone and it was something completely different from the 10.x.x.x range.
 

Joey S

Dabbler
Joined
Nov 29, 2015
Messages
16
Do I have to regenerate the certificates after making changes to the IP addresses and config file?
 
Joined
Apr 9, 2015
Messages
1,258
Do I have to regenerate the certificates after making changes to the IP addresses and config file?
Shouldn't have to. The certificates for the OpenVPN connection are not IP dependent. What port do you have forwarded from your router to the jail?
 
Joined
Apr 9, 2015
Messages
1,258
I'm drawing a blank tonight. I can't see anything wrong right now, the IP address was my best guess at the time from the description.
 

alexisph

Cadet
Joined
Aug 1, 2014
Messages
6
Change this:

route 10.0.0.5 255.255.255.0 10.8.0.1

to this:

route 10.0.0.0 255.255.255.0 10.8.0.1
 
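The two failure modes raised in this thread, a `route` directive given a host address (10.0.0.5) instead of the network address (10.0.0.0), and a pushed LAN route that overlaps the client's own subnet so the client never sends that traffic over the tunnel, can both be caught by a small config audit. The following is an added example, not code from the original posts or from the OpenVPN project; the sample config inside it is constructed from the server config above, and the client LAN is passed in as an assumed value.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the openvpn.conf from the first post,
# including the route line the thread identifies as wrong.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.5 255.255.255.0 10.8.0.1
"""

def parse_routes(conf):
    """Return (pushed, local) lists of (network, mask) tuples from an openvpn.conf."""
    pushed, local = [], []
    for line in conf.splitlines():
        # drop comments and the quotes around push arguments
        line = line.split("#", 1)[0].replace('"', "").strip()
        m = re.match(r"^(push\s+)?route\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        (pushed if m.group(1) else local).append((m.group(2), m.group(3)))
    return pushed, local

def check_route(net, mask):
    """Return the corrected 'network mask' if host bits are set, else None."""
    try:
        ipaddress.ip_network(f"{net}/{mask}")  # strict: rejects host bits
        return None
    except ValueError:
        fixed = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return f"{fixed.network_address} {fixed.netmask}"

def overlapping_routes(pushed, client_lan):
    """Pushed routes that overlap the client's local LAN; that traffic stays local."""
    lan = ipaddress.ip_network(client_lan)
    return [f"{n} {m}" for n, m in pushed
            if ipaddress.ip_network(f"{n}/{m}", strict=False).overlaps(lan)]

def audit(conf, client_lan):
    """Findings for both issues from the thread, as human-readable strings."""
    pushed, local = parse_routes(conf)
    findings = []
    for net, mask in pushed + local:
        fixed = check_route(net, mask)
        if fixed:
            findings.append(f"route {net} {mask}: host bits set, use 'route {fixed}'")
    for r in overlapping_routes(pushed, client_lan):
        findings.append(f"pushed route {r} overlaps client LAN {client_lan}; renumber the home LAN")
    return findings
```

Run `audit(SERVER_CONF, "10.0.0.0/24")` to see both findings; with a client on 192.168.1.0/24 only the malformed route line is reported.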

jailnoob

Cadet
Joined
May 25, 2019
Messages
1
It seems your configurations are correct. Try to reboot your jail and server.
That worked for me after I tried so many other ways to make it.
Reboot whatever you can reboot!!!
 