OPNsense
  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • OpenVPN CSO only works for "default tunnel network"
Author Topic: OpenVPN CSO only works for "default tunnel network"  (Read 2588 times)

jonakarl
OpenVPN CSO only works for "default tunnel network"
« on: March 23, 2017, 04:23:34 pm »
Hi,

I have multiple VLANs/subnets (one subnet per VLAN); only certified personnel should have access to the mgmt subnets.
I have a problem with CSO where I get no traffic through the firewall to my internal LAN when using a different tunnel network from the one I specify on the server page. I had this working in pfsense but I cannot get it working in opnsense.

Current setup:
I have two openvpn servers, one for admins and one for clients, "user" tunnel network is 10.0.8.0/24 and admin uses 10.0.10.0/24.
I block all outgoing traffic to the admin lans from 10.0.8.0/24 on the openvpn interface.
This works but is cumbersome.

What I would like to have:
1 openvpn server and use CSO to put the admin personnel on a different tunnel network (i.e. 10.0.10.0/24) so I can filter this in the firewall later.

The CSO works to the extent that when I connect with a user that matches the CSO, I get 10.0.10.1 as gateway (strangely also a route to 10.0.8.5). However I cannot ping any IP on the other side of the tunnel (10.0.10.2, my side of the tunnel works).

Any clues on where to start debugging would be helpful since I cannot see anything in the logs. 

djGrrr
Re: OpenVPN CSO only works for "default tunnel network"
« Reply #1 on: March 23, 2017, 05:04:29 pm »
I suspect you are missing an outbound NAT rule for the admin network source, you may need to manually add it.
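The gap djGrrr suspects (a CSO-assigned tunnel network that appears nowhere as an outbound NAT source, and in practice also in no pass rule on the OpenVPN interface) can be checked mechanically against the rule lists. The script below is an added example, not code from this thread or from OPNsense; the rule lists, the common name and the assumption that the override assigns a whole tunnel network are all constructed for illustration.

```python
import ipaddress

# Constructed sample data modelled on the thread: the default tunnel
# network from the server page, one CSO moving admin clients to
# 10.0.10.0/24, and rule lists where only the default tunnel network
# appears as an outbound NAT source and as a pass-rule source on the
# OpenVPN interface.  Nothing here is read from a real OPNsense box;
# "admin-user" is a hypothetical common name.
DEFAULT_TUNNEL = "10.0.8.0/24"
CSO_TUNNELS = {"admin-user": "10.0.10.0/24"}
OUTBOUND_NAT_SOURCES = ["10.0.8.0/24", "192.168.1.0/24"]
OPENVPN_PASS_SOURCES = ["10.0.8.0/24"]


def covered(net, sources):
    """True if `net` lies inside at least one network in `sources`."""
    target = ipaddress.ip_network(net)
    return any(target.subnet_of(ipaddress.ip_network(s)) for s in sources)


def audit_cso(default_tunnel, cso_tunnels, nat_sources, pass_sources):
    """Return {common_name: [problems]} for every CSO tunnel network.

    Flags a CSO network that overlaps the default tunnel network, one
    with no outbound NAT rule using it as source (the gap suggested in
    the reply above), and one matching no pass rule on the OpenVPN
    interface.  An empty list means the CSO network is covered.
    """
    findings = {}
    default = ipaddress.ip_network(default_tunnel)
    for cn, net in cso_tunnels.items():
        problems = []
        if ipaddress.ip_network(net).overlaps(default):
            problems.append("overlaps the default tunnel network")
        if not covered(net, nat_sources):
            problems.append("no outbound NAT rule with this source")
        if not covered(net, pass_sources):
            problems.append("no pass rule on the OpenVPN interface for this source")
        findings[cn] = problems
    return findings


if __name__ == "__main__":
    result = audit_cso(DEFAULT_TUNNEL, CSO_TUNNELS,
                       OUTBOUND_NAT_SOURCES, OPENVPN_PASS_SOURCES)
    for cn, problems in result.items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{cn} ({CSO_TUNNELS[cn]}): {status}")
```

Run against the constructed lists it reports both missing rules for the admin CSO network; point the lists at your own outbound NAT and OpenVPN-interface rules to check a real setup.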

jonakarl
Re: OpenVPN CSO only works for "default tunnel network"
« Reply #2 on: March 30, 2017, 03:13:43 pm »
Quote from: djGrrr on March 23, 2017, 05:04:29 pm
I suspect you are missing an outbound NAT rule for the admin network source, you may need to manually add it.

I thought so too, however I have added a second openvpn server that uses the exact same subnet range and that added an outbound NAT on my WAN interface (that works). So in theory the NAT rules should already be in place (by the second VPN server).

Sorry for the noob questions but I do not fully understand what opnsense does when I run the openvpn wizard. I suspect it adds a "hidden"/virtual interface and adds some firewall/NAT rules, but since I do not know the exact procedure it is very difficult for me to debug this.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved