opnsense blocking openvpn [SOLVED]

Started by cake, November 27, 2016, 07:29:02 AM

November 27, 2016, 07:29:02 AM Last Edit: November 28, 2016, 12:20:01 AM by cake
Hello, my setup is very basic. It is also unattended for months at a time. Being back from abroad I noticed something is blocking openvpn clients on the LAN to server(s) on the Internet. Clients will connect to the VPN on the Internet according to (linux terminal) sudo openvpn --config *.ovpn. I don't think it's a DNS problem, because one of my devices uses dnscrypt, and that also does not work. Looking for an obvious setting before I spend half a day or better blindly trying stuff out.

My configs are correct for the openvpn client(s) and server(s); I tested them out on a different network without opnsense in the middle. I'm sure opnsense is blocking it.

You should be able to see what OPNsense blocks from the firewall log.
Maybe something is wrong with your rules on the OpenVPN interface.

November 27, 2016, 09:36:34 AM #2 Last Edit: November 27, 2016, 09:57:42 AM by cake
Quote from: fabian on November 27, 2016, 07:59:38 AM
You should be able to see what OPNsense blocks from the firewall log.
Maybe something is wrong with your rules on the OpenVPN interface.
Thanks, I like the easy rule: pass traffic button in the log area. For troubleshooting I have on both [Rules | Firewall] LAN2 and WAN tabs a * * * * rule that allows every port, source and destination. Rebooted, still blocked in the log, and clicking to make blocked connections with easy rule isn't helping.

I get to "Initialization Sequence Completed" in the openvpn status (fully connected), however no traffic; I can only icmp ping the router with opnsense on it, nothing past it. I was hoping for an obvious setting I overlooked. :-) Also I am receiving the push DNS from the openvpn server.conf --> PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ifconfig 10.8.0.122 10.8.0.121'

bewildered
From the log: "The rule that triggered this action is:

@63 pass out log route-to (em0 192.168.101.1) inet from 192.168.101.183 to ! 192.168.101.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself""

Quote from: cake on November 27, 2016, 09:36:34 AM
from the log-- "The rule that triggered this action is:

@63 pass out log route-to (em0 192.168.101.1) inet from 192.168.101.183 to ! 192.168.101.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

You should look for pass in rules from your OpenVPN Network / Interface. Can you try this rule in the floating tab:
pass in quick inet from your_openvpn_net/netmask to any
to make sure it is not the firewall blocking your traffic. Don't select any interface on the page so the rule is valid for all interfaces.

Kind regards

Fabian Franz

November 27, 2016, 12:14:58 PM #4 Last Edit: November 28, 2016, 12:19:39 AM by cake
Thanks for your help Franz. I have * * * * in the floating tab of the firewall already. It's operator error, since nobody else has any issues.
My VPS log says lzo compression errors, and I set it up to not use lzo and also use the "push lzo no" directive.
I think my VPS provider is poor; every time they restart it, something gets broken it seems. lol

EDIT: It was problem with openvpn MTU size.
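Since the thread ends with an MTU problem but never shows how to measure it, here is an added example (not from the thread or from OPNsense) that bisects the largest ICMP payload that crosses a path with the Don't Fragment bit set and derives the path MTU from it. It assumes a Linux ping (-M do sets DF; on FreeBSD/OPNsense use ping -D instead) and a peer that answers ICMP echo, both of which are assumptions.

```shell
#!/bin/sh
# Added example: discover the path MTU towards a host by bisecting the
# largest ICMP echo payload that passes with DF set, then adding the
# 20-byte IPv4 and 8-byte ICMP headers. A tunnel endpoint (e.g. the
# OpenVPN server's tun address) is the natural HOST to probe.

# probe_df HOST SIZE -> exit 0 if a SIZE-byte payload passes unfragmented.
# Assumes Linux ping; FreeBSD/OPNsense ping uses "-D" instead of "-M do".
# If ICMP is filtered along the path every probe fails and the result is 0.
probe_df() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI
# Binary search over payload sizes; PROBE is a function called as
# "PROBE HOST SIZE" that succeeds when SIZE fits. Relies on the fact that
# if SIZE fits, every smaller size fits too. Prints the largest size that
# passes, or LO if none does.
find_max_payload() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# path_mtu PROBE HOST -> largest payload + 28 bytes of IPv4 + ICMP header.
# 1500 is the usual Ethernet ceiling, so the search stops there.
path_mtu() {
    payload=$(find_max_payload "$1" "$2" 0 1500)
    echo $(( payload + 28 ))
}

# Real usage (needs network):  path_mtu probe_df 10.8.0.1
```

If the reported path MTU is below the tunnel's configured MTU, the tunnel must be shrunk to fit; otherwise large packets are silently dropped while small ones (such as the pings in the thread) still get through.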