OpenVPN - Can't access computers on the LAN side of the VPN server, unless their firewalls are completely off

Hello everybody,

First of all, I would like to apologize for the confusing topic; I had some trouble making it short and insightful…

On a certain LAN subnet that has several computers that I wish to access remotely, there is one computer running OpenVPN as a server (Tun, On Windows).

LAN subnet: 10.0.0.0 (the gateway router, separate from the VPN, is on 10.0.0.138).
VPN range: 10.8.0.0/24 (OpenVPN Server is on 10.8.0.1).

I have followed the “Extending the scope” part of OpenVPN’s How-to. I’m pushing “route 10.0.0.0 255.255.255.0” to the clients, IP forwarding is enabled on the VPN server windows machine and I’ve added a static route to my router. I’ve also disabled the firewall for the interface that Ovpn is using. I can access that VPN server, I can ping the gateway and in general, things seem to be working just fine.

The problem applies to computers running Windows Firewall (I’m guessing it will happen with other firewalls too), for example, the one at 10.0.0.10, which I’m trying to access for RD and for file sharing. When the firewall on that computer is completely disabled (which is not a good practice), I can access it through the VPN without any issues. However, when I enable the firewall, I lose the ability to reach it. I tried allowing incoming connections through specific ports (RD and SMB ports, for example) from the desired scope (10.8.0.1/24), which didn’t fix the issue. In addition, I also tried simply allowing all traffic from that scope to flow, but that didn’t work either. The thing that confuses me the most is that, from my understanding, allowing all traffic from that scope to enter (which doesn’t work) is almost like turning off the firewall completely (which does work), so I just don’t get where the issue is.

I have taken a look at Wireshark while the firewall was turned on, with the rule that allows all traffic from 10.8.0.0/24 to flow, and it does show incoming requests, but as far as I understand, they get rejected, redirected, etc. I will admit that I’m having some problems understanding everything that Wireshark throws at me (It’s a hobby…)

I’m also linking 2 screenshots of Wireshark ping updates (Sorry for the confusion, when I took those screenshots, my VPN range was changed to 10.8.0.0):
This one is running on the target of the ping, with its firewall enabled, with a general rule of allowing traffic from VPN subnet: https://imgur.com/RMRddko
This one is running on the computer running the VPN server: https://imgur.com/dlS6Tu9

I have a feeling it is a routing issue, but I just can’t figure out what or where.

OpenVPN Server config:

dev-node "Obelisk"
topology subnet
server 192.168.5.0 255.255.255.0
port 49361
proto udp4
dev tun
tls-server
tls-crypt "C:\Program Files\OpenVPN\config\ta.key" 0
ca …
cert …
key …
dh …
keepalive 10 120
cipher AES-256-GCM
auth SHA256
push "route 10.0.0.0 255.255.255.0"
persist-key
persist-tun
verb 3

I’m not a professional of any sort, but I am trying to learn and to do my googling for solutions before posting.
I’ll be more than happy to provide any more info necessary.

Thank you so much!
Noam.

By default Windows blocks non-local subnets; it can be turned off, but I so rarely use Windows that I don’t recall where.

Hey Tom, thank you for replying so quickly!

Shouldn’t adding the VPN subnet to the firewall for any program and any port, on all computers involved, remove that block?

I’ll update, as I managed to sort it out (Kinda).
Adding both the VPN subnet (10.8.0.0/24) and the LAN subnet (10.0.0.0/24) together to the “Remote IP Address” worked. Now I totally understand why the VPN subnet needs to be added, but I don’t understand why the LAN subnet does. If anybody has an explanation… I’ll be more than grateful.

Another weird issue that has appeared after fixing the first problem is the inability to Remote Desktop (using IP, not hostname) into any computer WITHOUT pinging it first. The first few ping attempts will time out, but after a successful one, I can immediately RDP (and do other stuff as well) without any problem. It needs to be done every few minutes. Energy saving options are turned off for the NIC and the computer is not going to sleep or anything of this sort. Any ideas?

Wireshark screenshot of the computer that I’m trying to connect to after an RD connection attempt:

Thanks again!

Strange, that is not an issue that I have come across before.

It’s indeed strange. Not that I mind pinging the computer in advance, it’s not exactly a difficult task, but it’s definitely not normal.

If I understand your topology correctly, the working configuration makes sense. The subnet 10.8.0.0/24 is the tunnel, which is basically acting as the gateway for the subnet 10.0.0.0/24 to access the remote machine. Therefore 10.0.0.0/24 would have to be permitted by the firewall.

As for the need to ping before RDP, I would guess that this is a keep-alive issue, and RDP is timing out before the tunnel can be re-established, which is why pinging first works. You would have to check your logs to confirm.
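The rule scope described earlier in the thread (both the tunnel subnet and the LAN subnet in "Remote IP Address") can be written out and verified from PowerShell instead of the firewall GUI. This is an added example, not something posted in the thread; the rule names, the port numbers (3389 for RDP, 445 for SMB) and the use of a dedicated ICMP echo rule are my assumptions, and the subnets are the ones given above. It runs on a LAN host such as 10.0.0.10, in an elevated PowerShell session.

```powershell
# Added example (not from the thread): inbound Windows Firewall rules scoped to the
# VPN tunnel subnet and the LAN subnet, rather than "any program, any port".
# Rule names and port numbers below are assumptions, not values from the thread.

# Scope is written as network addresses (10.8.0.0/24), not a host address (10.8.0.1/24).
$Scope = @('10.8.0.0/24', '10.0.0.0/24')

# RDP over TCP 3389, only from the two subnets
New-NetFirewallRule -DisplayName 'VPN-LAN RDP' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $Scope -Action Allow -Profile Any

# SMB over TCP 445, only from the two subnets
New-NetFirewallRule -DisplayName 'VPN-LAN SMB' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $Scope -Action Allow -Profile Any

# ICMPv4 echo request (type 8), so a ping from the tunnel is answered by the firewall
New-NetFirewallRule -DisplayName 'VPN-LAN ICMP echo' -Direction Inbound -Protocol ICMPv4 `
    -IcmpType 8 -RemoteAddress $Scope -Action Allow -Profile Any

# Verify the address scope that was actually stored on each rule; a rule whose
# RemoteAddress shows only one of the two subnets is the first thing to suspect.
Get-NetFirewallRule -DisplayName 'VPN-LAN *' | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
}
```

From a connected VPN client, `Test-NetConnection -ComputerName 10.0.0.10 -Port 3389` then reports `TcpTestSucceeded : True` if the rule matches the source address the packets actually arrive with; if it fails while the rule looks right, capture on the target as the thread does and compare the source address in the capture with the stored scope.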

Thanks! It makes sense.

About the RDP issue: I’ve checked the log and there doesn’t seem to be any timing-out/disconnection issue. Moreover, I don’t actually lose the VPN tunnel connection, as I can communicate freely with other devices (the VPN server itself at 10.8.0.1, the remote gateway at 10.0.0.138), but not with other computers. I might have understood you wrong, but I do believe that there isn’t a keep-alive issue, even though recent studies show that I have a tendency to be wrong :joy:.

The thing with the ping is even stranger, as I can start RD almost as soon as I hit “Enter”, even before a first reply is received. As a matter of fact, even if the first response is a time out, it will still do the trick and I’ll be able to connect.

I was advised by Senior Google to check ARP table on the remote gateway and on the device acting as the VPN server, and they both seem to be ok.

The mystery continues…

In another exciting turn of events, I was forced to switch to a “lovely” Checkpoint 600 Firewall/router (not up to me).
I have applied all the necessary settings, including routing the VPN traffic, port forwarding and everything else, yet this time I can’t access/get a reply from any machine on the VPN LAN (I’ve turned off their firewalls, just so I can eliminate one cause), other than the VPN itself and the remote Checkpoint gateway. I have been at it for hours, and I just can’t figure out why it is happening.

When I ping a remote machine, Wireshark on that machine shows that it got the ping request and replied perfectly. Wireshark on the computer acting as the VPN server shows a “No response found” for every ping request originating from the VPN client and directed at the computer on the VPN LAN (the same goes when I monitor the tun interface).

There doesn’t seem to be any block or rule on the router firewall that prevents traffic from flowing between the VPN subnet and the LAN subnet.

What am I missing this time?
As always, I highly appreciate your help.
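The symptom in the last post (the LAN host answers the echo request, but the VPN server never sees the reply) is what a missing or wrong return path looks like from the server's side, so the first thing worth confirming is the state of the pieces set up at the start of the thread: IP forwarding on the server's interfaces and the route to the tunnel subnet. This is an added, read-only check script, not something posted in the thread; it runs on the Windows machine hosting the OpenVPN server. The tunnel subnet, gateway and target addresses are the ones given above; the interface aliases are whatever the server reports, and the reply from the target must be captured on the target or on the gateway, which this script cannot do.

```powershell
# Added example (not from the thread): read-only checks on the Windows host running
# the OpenVPN server. Addresses come from the thread; nothing here changes state.

$TunnelNet  = '10.8.0.0/24'   # VPN range pushed to clients
$LanGateway = '10.0.0.138'    # LAN gateway/router (now the Checkpoint)
$Target     = '10.0.0.10'     # a LAN host behind the server

# 1. Forwarding must be Enabled on every IPv4 interface the traffic crosses:
#    the TAP/tun adapter (tunnel side) and the physical adapter (LAN side).
Write-Host '== IPv4 forwarding per interface =='
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding, ConnectionState |
    Format-Table -AutoSize

# 2. The server's own routing table must carry the tunnel subnet on the tun adapter;
#    if OpenVPN is not running, this route is absent and nothing can come back.
Write-Host "== Route for $TunnelNet =="
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $TunnelNet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize

# 3. The server must reach both the gateway and the target directly on the LAN
#    (one hop). Anything more means the server is sending LAN traffic via the gateway.
Write-Host '== Path to gateway and target from the server =='
foreach ($host in @($LanGateway, $Target)) {
    $t = Test-NetConnection -ComputerName $host -TraceRoute -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $host
        PingOK    = $t.PingSucceeded
        Hops      = ($t.TraceRoute -join ' -> ')
    }
}

# 4. The server's own firewall profile on the LAN adapter: a Public profile with a
#    default inbound block applies to replies that are forwarded back into the tunnel.
Write-Host '== Network category and firewall profiles =='
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize
Get-NetFirewallProfile  | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
```

The part this script cannot see is the route on the Checkpoint itself: the LAN host sends its reply to its default gateway, so the gateway needs a route for 10.8.0.0/24 pointing at the VPN server's LAN address, exactly as the earlier router had. A capture on the server's LAN adapter (not the tun adapter) while pinging from a client shows directly whether the reply ever arrives from the gateway.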