Problem after 17.1.1 Upgrade

[AndyX90]

Hi Guys,
i have a serious problem with OpenVPN after the upgrade to 17.1.1.
My OPNSense is acting as a OpenVPN-Client for Site2Site which is working normal after the Upgrade.
But the OpenVPN-Server for my "Road-Warrior-Connections" isn't working as it should.
Both are assigned to separate Interfaces.
I can connect to the Server via UDP, authenticate against OTP+Local Users and establish the connection.
But obviously the rules on the assigned interface are failing... (I have no rules on openvpn tab)

For example: I create one rule on (ovpn-server)interface: Proto TCP, Source Any, Dest. Lan Address, Port HTTPS
and i can't access the webinterface from within the VPN.
Server Settings: tun, UDP, topology, tunnel-network: 192.168.x.x/29, conc. connections: 3, pushed 3 routes to local/other networks.
On client side: everything seems ok. got correct ips on vpn-adapter, got correct routes pushed.
Any suggestions?

Thanks in advance.

[AndyX90]

Okay, setting "sysctl net.pf.share_forward=0" solves the problem.
But after every reboot the option reverts to 1. Any solution for that?

[fabian]

create a tuneable which this setting

[franco]

We are circling back to using the default pf/ipfw behaviour with 17.1.2, with an additional GUI firewall setting for using the new behaviour.

That should be permanent enough and accommodate for both kinds of users/use cases.


Cheers,
Franco