Jeff C
Hello everyone,

First of all thank you for the great information on this forum. I'm a bit stuck with why my OpenVPN client is unable to use the network.

- I'm able to connect to the VPN and get an address, DNS, route to LAN, etc.
- I can SSH to the ClearOS server,
- I can ping any of the ClearOS server's IPs (External, LAN & VPN),
- DNS will resolve LAN hostnames to IP addresses,

However I cannot ping anything on the LAN or access file shares. (I can run ping -c 3 server1 and it will come back with PING server1.company.local (192.168.10.6) and fail to ping). It seems to be an issue with the firewall not allowing the traffic through, but I have no idea how to fix it.

Can anyone give me any pointers on where I would check if the firewall is blocking this or how to proceed from here?

Thanks.
In OpenVPN
Thursday, January 18 2018, 05:42 PM
Responses (9)
  • Accepted Answer

    Thursday, January 18 2018, 09:13 PM - #Permalink
    When you are connecting, what is the subnet of the LAN that you are connecting from?
  • Accepted Answer

    Thursday, January 18 2018, 11:12 PM - #Permalink
    I am changing my response. I guess I did not read your question well enough. Is there VPN server side configuration you can post on here?
  • Accepted Answer

    Jeff C
    Friday, February 02 2018, 11:35 AM - #Permalink
    Hi Guys,

    Thanks for the replies and my apologies for the slow reply, it's been a busy period with a horribly executed Exchange roll out going in, don't ask...

    Trent, I've done nothing more than select the OpenVPN package and OpenLDAP so it would work. I've added one user and allowed OpenVPN to configure itself. Client side I think the only change I made was to use TCP instead of UDP.

    Nick, I'm connecting to 192.168.10.x server side and connecting from 10.10.25.x client side. This is intended as a replacement for a WatchGuard OVPN which has poor performance. If I connect to that VPN I can browse fine, this one connects but I cannot ping beyond the ClearOS box so it's definitely the server somehow.

    I'm happy to post firewall rules and such if someone can help me find them, things are just different enough from CentOS I'm struggling.

    Thanks.
  • Accepted Answer

    Friday, February 02 2018, 12:10 PM - #Permalink
    Hi Jeff,
    Please can you post the output to:
    iptables -nvL
    iptables -nvL -t nat
    cat /etc/openvpn/clients-tcp.conf
    Please put the output between "code" tags - the piece of paper icon with a <> on it.

    Is there any particular reason for switching to TCP? UDP is generally preferred.

    [edit]
    Please also check the LAN device firewalls? The Windoze firewall often blocks traffic like incoming pings (and, I think, fileshares) if they come from outside the LAN subnet. Perhaps ping an Android device as a test.
    [/edit]
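An added example, not part of the original thread: pings to the ClearOS box's own addresses are judged by the INPUT chain, while pings to LAN hosts are routed and judged by FORWARD, so the FORWARD section of the requested `iptables -nvL` output is the part to read. The sketch below walks one chain first-match for a VPN-to-LAN packet; the sample ruleset is constructed (not ClearOS's actual rules), and the interface names `tun0`/`eth1` and the client address 10.8.0.6 are assumptions.

```python
import ipaddress

# Constructed `iptables -nvL FORWARD` output (not from the thread, not ClearOS's
# real ruleset); interface names tun0/eth1 are assumptions.
SAMPLE = """\
Chain FORWARD (policy DROP 12 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 28560 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   *       192.168.10.0/24      0.0.0.0/0
"""
# Constructed rule that would admit VPN clients to the LAN.
VPN_RULE = "    0     0 ACCEPT     all  --  tun+   *       10.8.0.0/24          192.168.10.0/24\n"

def parse_chain(text):
    """Return (policy, rules) for one chain of `iptables -nvL` output."""
    lines = [l for l in text.splitlines() if l.strip()]
    policy = lines[0].split("policy ")[1].split()[0].rstrip(")")
    keys = ("target", "proto", "opt", "in", "out", "src", "dst")
    rules = []
    for line in lines[2:]:  # skip the chain line and the column header
        f = line.split()
        rule = dict(zip(keys, f[2:9]))
        rule["extra"] = " ".join(f[9:])  # trailing match text, e.g. "state ..."
        rules.append(rule)
    return policy, rules

def iface_ok(pattern, iface):
    """'*' matches any interface; a trailing '+' is a prefix wildcard (tun+)."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern in ("*", iface)

def verdict(text, in_if, out_if, src, dst, proto="icmp", new=True):
    """First-match verdict for one forwarded packet.

    Only state/ctstate matches are evaluated from the trailing match text;
    a returned user-chain name means that chain must be inspected next."""
    policy, rules = parse_chain(text)
    for r in rules:
        if r["proto"] not in ("all", proto) or r["target"] == "LOG":
            continue
        wanted = "NEW" if new else "ESTABLISHED"
        if "state" in r["extra"] and wanted not in r["extra"]:
            continue  # e.g. RELATED,ESTABLISHED never matches a flow's first packet
        if (iface_ok(r["in"], in_if) and iface_ok(r["out"], out_if)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])):
            return r["target"]
    return policy  # no rule matched: the chain policy decides
```

With the constructed sample, the first ping packet from the VPN client falls through to the DROP policy even though replies from the LAN would be accepted, which is the same symptom as a tunnel that connects but cannot reach anything behind the server.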
  • Accepted Answer

    Friday, February 02 2018, 09:05 PM - #Permalink
    Jeff C wrote:

    Hi Guys,

    Thanks for the replies and my apologies for the slow reply, it's been a busy period with a horribly executed Exchange roll out going in, don't ask...

    Trent, I've done nothing more than select the OpenVPN package and OpenLDAP so it would work. I've added one user and allowed OpenVPN to configure itself. Client side I think the only change I made was to use TCP instead of UDP.

    Nick, I'm connecting to 192.168.10.x server side and connecting from 10.10.25.x client side. This is intended as a replacement for a WatchGuard OVPN which has poor performance. If I connect to that VPN I can browse fine, this one connects but I cannot ping beyond the ClearOS box so it's definitely the server somehow.

    I'm happy to post firewall rules and such if someone can help me find them, things are just different enough from CentOS I'm struggling.

    Thanks.


    You may want to enable "client-to-client" on the OpenVPN server side. When that is enabled, OpenVPN takes care of communication between the clients. When it is not enabled (no option included), the packets are sent to the IP layer, which is where you could be experiencing firewall/IP tables issues.
  • Accepted Answer

    Friday, February 02 2018, 09:16 PM - #Permalink
    I believe client-to-client only allows one OpenVPN client to communicate with another - normally they are isolated from each other. It should not affect clients talking to LAN devices
  • Accepted Answer

    Friday, February 02 2018, 09:28 PM - #Permalink
    Nick Howitt wrote:

    I believe client-to-client only allows one OpenVPN client to communicate with another - normally they are isolated from each other. It should not affect clients talking to LAN devices



    As I mentioned, the client-to-client option tells OpenVPN to handle communication between clients itself. Otherwise communication is performed through the IP layer, and that is where you start to have issues with IP Tables and the firewall. It is much easier to enable client-to-client than to fiddle around with IP Tables and the firewall.
  • Accepted Answer

    Wednesday, July 04 2018, 02:11 PM - #Permalink
    Hi team,
    Is it possible to configure OpenVPN with access to the LAN without modification via SSH, SCP, or manually adding records to iptables?
    Or is the user friendly interface only for monitoring?
  • Accepted Answer

    Wednesday, July 04 2018, 02:39 PM - #Permalink
    Welcome to the forums. Next time, please can you start your own thread as your questions are different.

    If you use ClearOS as the OpenVPN server, then anyone connecting will have full access to your LAN but note:
    • Your LAN has to be on a different subnet to the remote user's local LAN so best avoid 192.168.0.0/24 and 192.168.1.0/24.
    • The remote users will get IP addresses in the 10.8.0.0/24 subnet. Windows machines on your LAN will not see them as being on the local LAN so if you need to access those windows devices you *may* need to adjust their local firewall. It may also be possible to NAT the incoming traffic instead but that is not the normal way of working.
    • Win10 PCs may have a problem with DNS resolution of your LAN devices if you use the same internal and external domain names. There are workarounds.
    • The only firewall adjustment you need in ClearOS is to the Incoming Firewall and can be done through the webconfig.


    For the moment there is no solution out of the box for monitoring OpenVPN connections. I use OpenVPN Monitor and it works reasonably. It could do with an update as it uses a GeoIP database which is no longer maintained (but it still works).

    [edit]
    As a new user your first couple of posts are moderated so don't appear immediately. I'll clean up your duplicate posts.
    [/edit]