OPNsense Forum

English Forums => General Discussion => Topic started by: eguun on May 23, 2020, 03:30:20 pm

Title: [Solved] OpenVPN: Single NIC opnsense as client - how to forward VPN traffic
Post by: eguun on May 23, 2020, 03:30:20 pm
Dear Community,

I'm a new joiner to opnsense, but with some experience working with *BSD systems back in 1999-2003.

Could you please help me understand why I can't get opnsense to allow VPN traffic to local LAN?
I can't get the remote LAN to ping devices in the local LAN (the LAN on opnsense).

My setup:
      ------------------------------------------------------------------------------------------
 --- | (192.168.14.20)OPT1 (OPNsense, as OpenVPN client) (192.168.137.137)LAN | --- (192.168.137.0/24)Local
|     ------------------------------------------------------------------------------------------
|
VPN-Tunnel(192.168.14.0/24)
|
|    ----------------------------------------------------------------------------------------------
--- | (192.168.14.254)OVPN-Iface (mikrotik, as OpenVPN server) (192.168.4.254)LAN | - (192.168.4.0/24)Remote
     ----------------------------------------------------------------------------------------------



What I configured
- the OpenVPN server is a mikrotik router
- opnsense (OPNsense 20.1.7 (amd64/OpenSSL)) is a box in my network
- it's a single NIC box - the NIC is configured as LAN
- A virtual nic (ovpnc1) gets created when the VPN configuration is created. I associated this NIC as OPT1
- opnsense establishes the VPN connection OK with the OpenVPN server
- devices in the LAN subnet can ping devices in the remote subnet
- I have added firewall rules to all interfaces (floating, LAN, OpenVPN, OPT1) to permit all to all (example in the attachments)
- I have made all sorts of (failed) attempts at NAT one-to-one as shown below and NAT outbound as shown in the attachments



Found similar threads with no clear solutions:
https://forum.opnsense.org/index.php?topic=6860.0
I tried the one-on-one NAT (see screenshots), but they don't seem to be working

https://forum.opnsense.org/index.php?topic=3050.msg9401#msg9401
I tried the Hybrid NAT (see screenshots), but they don't seem to be working either

https://forum.opnsense.org/index.php?topic=4476.0
https://forum.opnsense.org/index.php?topic=3984.msg20878#msg20878

I don't think "client exception" will work as opnsense is the VPN client.
"client exception" seems to apply when opnsense is the VPN server.


EDIT:
opnsense is meant to replace an OpenWRT router, which was capable (until it fried last week) of moving traffic from the remote LAN to the local LAN, i.e. what I can't manage to do at the moment.
It's really a 1:1 replacement: a single interface of the OpenWRT was used. And the forwarding was pretty easy to implement: I had to check a "masquerading" checkbox next to the interface name.
This gives me confidence that the server side (mikrotik) is OK, and I replicated the OpenVPN setup in opnsense.
I must be close, but I have spent 4 hours on it, and my wife is getting upset.


Happy to provide more insights if need be

Thanks
Title: Re: OpenVPN: Single NIC opnsense as client - how to forward VPN traffic to local LAN
Post by: eguun on May 23, 2020, 07:26:22 pm
We can close the topic

I feel a bit stupid, but it ended up being some firewall rules on the Mikrotik side that prevented the traffic from being forwarded.
So it was absolutely not where I had focused hours of attention, i.e. the opnsense forwarding capabilities.

There goes some time well spent!

I'll mark the topic as solved.
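Since the culprit turned out to be the forward filter on the Mikrotik rather than OPNsense's NAT or routing, a small Python model of the diagram above shows how to narrow down where a ping dies, hop by hop and in both directions. This is an added example, not the poster's or either vendor's code: the addresses follow the diagram, while the routes, the tunnel links and both Mikrotik rule sets (BROKEN and FIXED) are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

TUNNEL = {("mikrotik", "ovpn"): "opnsense", ("opnsense", "ovpnc1"): "mikrotik"}  # tunnel links
def topology(mikrotik_filter):
    """Routers: routes (prefix -> out interface) plus a first-match forward filter of
    (src, dst, action); no match = drop. Routes and rule sets are constructed."""
    return {
        "mikrotik": {"routes": {"192.168.4.0/24": "LAN", "192.168.14.0/24": "ovpn",
                                "192.168.137.0/24": "ovpn"}, "filter": mikrotik_filter},
        "opnsense": {"routes": {"192.168.137.0/24": "LAN", "192.168.14.0/24": "ovpnc1",
                                "192.168.4.0/24": "ovpnc1"},
                     "filter": [("0.0.0.0/0", "0.0.0.0/0", "accept")]},  # OP's permit-all
    }

# Constructed: a Mikrotik forward chain that only lets the remote LAN reach the tunnel net
BROKEN = topology([("192.168.4.0/24", "192.168.14.0/24", "accept")])
# Constructed fix: accept both directions between the two LANs across the tunnel
FIXED = topology([("192.168.4.0/24", "192.168.137.0/24", "accept"),
                  ("192.168.137.0/24", "192.168.4.0/24", "accept")])

def lookup(router, dst):  # longest-prefix match; None when there is no route
    hits = [(ip_network(p), i) for p, i in router["routes"].items() if dst in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
def permitted(router, src, dst):  # first matching rule decides; no match = drop
    for s, d, action in router["filter"]:
        if src in ip_network(s) and dst in ip_network(d):
            return action == "accept"
    return False
def gateway_of(routers, addr):  # router whose directly attached LAN holds addr
    return next(n for n, r in routers.items()
                if any(i == "LAN" and addr in ip_network(p) for p, i in r["routes"].items()))
def trace(routers, src, dst):
    """Walk one packet router by router; returns (delivered, per-hop verdicts)."""
    src, dst = ip_address(src), ip_address(dst)
    name, hops = gateway_of(routers, src), []
    for _ in range(len(routers) + 1):  # hop limit guards against routing loops
        iface = lookup(routers[name], dst)
        if iface is None:
            return False, hops + [(name, "no route")]
        if not permitted(routers[name], src, dst):
            return False, hops + [(name, f"dropped by forward filter (out {iface})")]
        hops.append((name, f"forwarded via {iface}"))
        if (name, iface) not in TUNNEL:
            return True, hops  # delivered on a directly attached LAN
        name = TUNNEL[(name, iface)]
    return False, hops + [(name, "hop limit exceeded")]
def ping(routers, src, dst):  # echo request and its reply must both get through
    req_ok, req = trace(routers, src, dst)
    rep_ok, rep = trace(routers, dst, src) if req_ok else (False, [])
    return {"ok": req_ok and rep_ok, "request": req, "reply": rep}
```

Running ping(BROKEN, "192.168.4.10", "192.168.137.50") reports the request dropped at the Mikrotik before it ever reaches OPNsense, while the same call against FIXED succeeds in both directions.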