OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: lello1231 on April 13, 2022, 08:54:33 pm
-
Hello,
I configured a VPN server on OPNsense, LAN network: 192.168.2.0/24, VPN network: 10.10.0.0/24.
VPN clients connect successfully to the server and I can surf the internet via the tunnel with gateway redirection.
However, I have an issue with routing in regards to reaching the LAN network. Firewall rules are attached.
I can see the following in the firewall live view when I try to reach the following box: 192.168.2.100
lan 2022-04-13T21:44:49 10.10.0.6:51945 192.168.2.100:80 tcp let out anything from firewall host itself (direction out)
If I add a static route on my box that to reach 10.10.x.x is via 192.168.2.1, the problem will be fixed. However, obviously I have some misconfiguration somewhere.
Appreciate your help,
-
If I add a static route on my box that to reach 10.10.x.x is via 192.168.2.1
That means the firewall (and VPN endpoint) is not the default gateway on your box :)
Your solution is valid. If the VPN does not connect to your default gateway, you need an explicit route.
Bart...
-
I don't know if this is possible. Is there a way to make VPN traffic appear in the LAN network as local traffic (same subnet IPs)? Basically I want to change the source IP for VPN traffic once on the LAN network.
192.168.2.X instead of 10.10.X.X
-
I don't know if this is possible. Is there a way to make VPN traffic appear in the LAN network as local traffic (same subnet IPs)?
Yes, put an outbound NAT on the OpenVPN interface. Firewall, NAT, Outbound: interface=OpenVPN, source=any, port=*, destination=LAN net, destination port=*, NAT address=LAN address, NAT Port=*
-
I don't know if this is possible. Is there a way to make VPN traffic appear in the LAN network as local traffic (same subnet IPs)?
Yes, put an outbound NAT on the OpenVPN interface. Firewall, NAT, Outbound: interface=OpenVPN, source=any, port=*, destination=LAN net, destination port=*, NAT address=LAN address, NAT Port=*
Hello,
I set the outbound NAT entry as advised,
OpenVPN any * LAN net * LAN address * NO
However, it didn't work. I can still see the source IP as 10.10.0.6 on the LAN network.
lan 2022-04-14T18:41:03 10.10.0.6:49681 192.168.2.100:80 tcp let out anything from firewall host itself
-
Any more ideas, guys?
-
Your next step is a deep dive with packet traces and firewall log analysis. Capture packets at source, on the firewall and at the destination and use Wireshark to see where the connection fails.
Bart...
-
The connection does not fail. On the LAN interface, I can see incoming VPN traffic with source IP 10.10.0.6.
What I wanted is to change the source IP from 10.10.0.6 to any IP address that belongs to the LAN network (192.168.2.x).
I tried your suggestion by putting an outbound NAT on the OpenVPN interface.
Firewall, NAT, Outbound: interface=OpenVPN, source=any, port=*, destination=LAN net, destination port=*, NAT address=LAN address, NAT Port=*
But this rule is not changing the source IP, as you can see in the trace below:
lan 2022-04-13T21:44:49 10.10.0.6:51945 192.168.2.100:80 tcp
Another thing: does the OpenVPN interface need to be created in the interface section for the outbound NAT to work correctly?
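Added example, not from the thread or from OPNsense itself: the pf rules that correspond to the outbound NAT entry discussed above, written out for the two possible interface choices. pf evaluates "nat on" rules for packets leaving the named interface, which is why the placement matters. Interface names ovpns1 (OpenVPN server) and em1 (LAN) are assumptions; the LAN address 192.168.2.1 and the subnets are the ones given in the thread.

```pf
# Entry as described in the thread: interface = OpenVPN.
# A "nat on ovpns1" rule is only consulted for packets exiting the tunnel
# interface, so a VPN client's packet headed for 192.168.2.100 (which exits
# on the LAN interface) is never translated and keeps its 10.10.0.6 source.
nat on ovpns1 inet from any to 192.168.2.0/24 -> 192.168.2.1

# Same translation attached to the interface the packet actually leaves on.
# Traffic from the VPN subnet towards the LAN now appears on the LAN as
# coming from the firewall's LAN address (the "LAN address" NAT target).
nat on em1 inet from 10.10.0.0/24 to 192.168.2.0/24 -> 192.168.2.1
```

In OPNsense the outbound NAT mode must be Hybrid or Manual for a hand-written rule to be generated at all; `pfctl -s nat` shows which NAT rules pf has actually loaded, so a rule missing from that output has not taken effect regardless of what the GUI displays.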