OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: jeremiah on October 19, 2019, 12:29:29 am

Title: New OPNsense user with a few questions...
Post by: jeremiah on October 19, 2019, 12:29:29 am
Hello!

I set up my OPNsense firewall over the weekend and I have it up and running now, it's working great so far but I am having some trouble setting up OpenVPN and I have a few questions re. the firewall.

The docs have been very helpful but I believe the article for the SSL Road Warrior may be a bit outdated as it doesn't seem to have been updated to match the added functionality in the latest releases.

I followed the instructions exactly, and was able to connect to my router with my remote client but I was unable to access the internet or the LAN through the tunnel. Do I need to change the NAT settings as well to get this working or am I missing something that isn't presented in the docs?

In regards to the firewall, I have noticed a bunch of blocked connections from random IP addresses, and from a bit of digging, it seems that they might have something to do with NTP servers, is that something that I should be worried about? Also, the firewall is blocking connections on my LAN but all of the addresses being blocked are IPv6 addresses -- I don't have an internal IPv6 setup, everything I have is basically default.

I would like to get the VPN server set up soon, anyone have suggestions as to what I could be missing? I configured the firewall rules as per the instructions in the docs, and set up the server exactly as it's described in the documentation.

Thanks!
Title: Re: New OPNsense user with a few questions...
Post by: bartjsmit on October 19, 2019, 09:37:11 am
Hi Jeremiah, welcome to OPNsense  :)

I would start with some basic troubleshooting. The three most common impediments to normal traffic flow are firewall rules, routing and DNS.

Start with a ping from your VPN client to the firewall VPN interface. This is normally .1 in the tunnel subnet. Use the client OS ping command line switches to set the source IP to the tunnel address and the local address (-I on Unix, -S on Windows). Do the same with the LAN address of the firewall. If all four work, then routing between the VPN server and the client is fine. If they don't, check for denies in the firewall log and run a packet trace to confirm that the traffic goes the way you expect.

Post your results here if you would like help with their interpretation.

Bart...

Title: Re: New OPNsense user with a few questions...
Post by: jeremiah on October 22, 2019, 10:41:26 pm
Hello Bart!

Thank you for the tips! I was able to get the issue with my VPN resolved and things seem to be working as expected. What I needed to do was enable the 'Redirect Gateway' option in the VPN Server settings, as I wanted all of the traffic generated by my client to travel through the VPN tunnel I set up.

I was also able to resolve my issue with the TOTP logins, I kept putting in the TOTP code sans my password so I kept getting errors when logging in.

After getting the VPN resolved, I have a few new questions.  I would be grateful if you or someone can answer them :) ---


Thanks!!
Title: Re: New OPNsense user with a few questions...
Post by: bartjsmit on October 23, 2019, 07:05:58 pm
Hi Jeremiah,

The equivalent of redirect gateway in IPv6 is:

push "route-ipv6 2000::/3"

This is the publicly routable part of the IPv6 address space. You will also need to assign a /64 subnet to your tunnel on the VPN server page. You can have a private (from fe80::/10) subnet for the tunnel between the firewall and the portable router, but your hotspot needs to dish out routable IPs from your ISP range, and OPNsense needs to know that the hotspot subnet is on the far side of the tunnel. Put it into the 'IPv6 Remote Network' option on the OpenVPN server page. Double check that the hotspot picks up the 2000::/3 route. You may need to add a static route if it doesn't.

VPN clients normally pick up the DNS from the server, but you need to test; https://www.dnsleaktest.com is your friend.

I think there is work being done on DNSCrypt and such like to emulate a Pi Hole. Keep an eye on this forum  ;)

Bart...

Title: Re: New OPNsense user with a few questions...
Post by: jeremiah on October 23, 2019, 08:22:18 pm
Thank you Bart!

I will test out the IPv6 configurations sometime this week/weekend.

Using that tool you linked to, I was able to discover that the DNS on my laptop is contingent on the DNS Windows assigns to the WiFi adapter, which can change based on the AP I'm connected to.

In my browser (Firefox), all of my traffic is resolved using their DoH implementation via their partnership with Cloudflare. In other browsers/programs, the DNS being used was what was picked up from the ISP/AP, in this case it was Level 3. I manually changed the DNS for the AP I'm currently using to Cloudflare. I will test when I'm home to see what that tool says on my home network.

That's good to hear, I will definitely keep an eye on developments here and hold off on buying a raspberry pi!! Might just end up donating the budget for that to OPNsense  :).

edit: I was able to figure something out using this link (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). I added these two options to my OpenVPN config file:

    register-dns
    block-outside-dns

After adding those two options, and enabling the 'DNS Servers' option in the server config on my OPNsense router, I was able to get my OpenVPN client to use the unbound server. On the DNS Leak Test tool, the IP/server that's now shown is the public WAN address on my OPNsense box/VPN server.
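As an added example (not code from the thread, OPNsense or OpenVPN), here is a Python audit of the full-tunnel settings discussed above: it parses a constructed OpenVPN server config, flags a missing redirect-gateway, route-ipv6 2000::/3, tunnel /64 or DNS push, and checks which IPv6 destinations a pushed route actually covers. The directive names are OpenVPN's own; the addresses are made up.

```python
import ipaddress

# Constructed sample server config for the full-tunnel setup in the thread
# (OpenVPN directive names are real; the addresses are made up).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:db8:1::/64
push "redirect-gateway def1"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
"""

def parse_openvpn(text):
    """Return (directive, args) pairs; a pushed option is flattened so
    push "route-ipv6 2000::/3" becomes ('route-ipv6', '2000::/3')."""
    opts = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('push '):
            line = line[5:].strip().strip('"')
        name, _, args = line.partition(' ')
        opts.append((name, args.strip()))
    return opts

def has(opts, name, prefix=''):
    """True if directive `name` is present with args starting with `prefix`."""
    return any(n == name and a.startswith(prefix) for n, a in opts)

def audit_full_tunnel(text):
    """Audit a server config for the gaps the thread ran into: IPv4 or IPv6
    bypassing the tunnel, and DNS staying with the Wi-Fi adapter's resolver."""
    opts = parse_openvpn(text)
    findings = []
    if not has(opts, 'redirect-gateway'):
        findings.append('no redirect-gateway: IPv4 stays outside the tunnel')
    if not has(opts, 'route-ipv6', '2000::/3'):
        findings.append('no route-ipv6 2000::/3: IPv6 bypasses the tunnel')
    if not has(opts, 'server-ipv6'):
        findings.append('no server-ipv6: no tunnel /64 to carry IPv6')
    if not has(opts, 'dhcp-option', 'DNS'):
        findings.append('no pushed DNS: client keeps its Wi-Fi adapter resolver')
    if not has(opts, 'block-outside-dns'):
        findings.append('no block-outside-dns: Windows may still query adapter DNS')
    return findings

def routed_via_tunnel(dst, opts):
    """True if an IPv6 destination falls inside a pushed route-ipv6 prefix."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(a.split()[0])
               for n, a in opts if n == 'route-ipv6')
```

Link-local (fe80::/10) and ULA (fc00::/7) destinations are outside 2000::/3, so they stay off the tunnel even with the route pushed, which is what Bart's description of the private tunnel subnet relies on.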