Problem with connection from local network to VPN client

Hi, just like the thread name says, I have a problem with connections from my LAN to a VPN client.

Description:

LAN: 192.168.100.0
VPN client address: 192.168.100.100

I can access my LAN from the VPN client.
I can't access the VPN client from my LAN.

Any ideas? The strange thing is that for a moment this worked: I was able to connect to my client from the LAN and even from another subnet at a site-to-site location. I changed nothing, but now there is no traffic from the LAN to the VPN client.

Either change the address space for VPN clients so it doesn't overlap with the local subnet, or enable proxy-arp on your LAN bridge.

I did that a few days ago (with proxy ARP on the interfaces and masquerade), but then the clients were unable to access the local servers, so I went back to the previous settings, i.e. the same subnet. But I think the same thing happened there: for some time it was okay, but after a couple of hours the clients lost access to the local network.

If you use the same subnet for VPN users → you need proxy ARP.
If you use a different subnet → you don't need proxy ARP.

You don't need masquerade (apart from the default one for the WAN port) in either case.

So let's stay with the same-subnet scenario. When I use proxy-arp on the bridge interface it changes nothing, but if I add a masquerade rule without addresses or interfaces I can connect to my VPN client from the LAN… I suppose a general masquerade rule without specific information is not preferred?

Sure. This way every device sees incoming connections as originating from the router's IP.

Everything should work without masquerade.

What kind of VPN client device is that?

Or if I use the VPN client address as dst in the masquerade rule.

The client with address 192.168.100.100 that we want to connect to is a Windows server with the OpenVPN client installed. I just want to access it via RDP from our local network, .100.0, or even from the second subnet, where we are connected site-to-site. Now, with masquerade dst 192.168.100.100, it is possible. But I want to configure this in the best way :stuck_out_tongue:

As I said, I'm trying to use proxy-arp on the bridge, but this changes nothing.

I guess the problem could be that, unlike phones and other personal devices, when establishing the VPN connection your client uses a proper peer-to-peer connection with a /32 netmask.
So it doesn't have a route to the whole /24 subnet, only to your router's address.

Check the routing table on the client, and if that's the case, you need to add the proper route to the whole /24 subnet.
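As an added example (not from any post in this thread), here is how the two scenarios from the earlier reply, same subnet with proxy ARP versus a separate subnet without it and with no extra masquerade, plus the /24 route the client needs per the reply above, look on a MikroTik router. It assumes RouterOS 7.x with the built-in OpenVPN server; the interface, pool, profile and certificate names are assumptions, and the `push-routes` server parameter is assumed to be present in your RouterOS 7 build.

```routeros
# Added example, not from the thread. Assumes MikroTik RouterOS 7.x.
# Assumed names: bridge1 (LAN bridge), ether1-wan, server-cert, ovpn-pool*, ovpn-profile*.

# --- Option A: VPN clients inside the LAN subnet (same-subnet scenario) ---
# Reserve a slice of 192.168.100.0/24 for VPN clients; keep it outside the DHCP range.
/ip pool add name=ovpn-pool ranges=192.168.100.100-192.168.100.119
/ppp profile add name=ovpn-profile local-address=192.168.100.1 remote-address=ovpn-pool
/interface ovpn-server server set enabled=yes default-profile=ovpn-profile certificate=server-cert

# Same subnet needs proxy ARP on the LAN bridge: the router answers ARP for
# 192.168.100.100 on behalf of the VPN client, so LAN hosts send it the frames
# and the router forwards them over the tunnel. No masquerade needed for this.
/interface bridge set bridge1 arp=proxy-arp

# --- Option B: VPN clients in their own subnet (no proxy ARP needed) ---
# LAN hosts reach 192.168.101.x through the router as their default gateway;
# the bridge keeps its normal arp=enabled setting.
/ip pool add name=ovpn-pool2 ranges=192.168.101.2-192.168.101.254
/ppp profile add name=ovpn-profile2 local-address=192.168.101.1 remote-address=ovpn-pool2

# --- Either option: make sure the client has a route to the whole LAN /24 ---
# A p2p OpenVPN client only learns a /32 to the router's tunnel address. Pushing the
# route from the server avoids adding it by hand on the Windows client each time.
/interface ovpn-server server set push-routes="192.168.100.0/24"

# The only NAT rule this setup needs is the usual WAN masquerade.
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade

# Let the OpenVPN port in and let LAN <-> VPN traffic be forwarded.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="OpenVPN"
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=all-ppp action=accept
/ip firewall filter add chain=forward in-interface=all-ppp out-interface=bridge1 action=accept
```

To verify the client side, run `route print` on the Windows server while the tunnel is up: with only a host route (netmask 255.255.255.255) to the router's tunnel address and no 192.168.100.0/255.255.255.0 entry via the TAP/TUN adapter, replies to LAN hosts leave through the server's normal default gateway instead of the tunnel. If route pushing is not available, the manual fallback on the client is `route add 192.168.100.0 mask 255.255.255.0 <router tunnel address>`.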

Hello, I have configured an IKEv2 RoadWarrior IPsec VPN, and everything works well, but when my Win 11 client is connected to the VPN, it takes the correct IP from the pool but does not correctly reach (ping) the subnet.

The roadwarrior client is in the same subnet as the local devices (192.168.88.0/24).

So, I started Wireshark on a local device (192.168.88.248), and when the VPN Win 11 client (192.168.88.240) tries to ping this device, the packet arrives, but the device (192.168.88.248) does not respond, as if the packet was lost in the router. Could it be a NAT exemption problem? Do I have to add a firewall rule? Thanks a lot. Have a good day.