Messages - meschmesch

#31
High availability / Re: HA and OpenVPN
September 22, 2023, 02:06:07 PM
yes, sure. But this is already ensured due to all other Interfaces also exposed to the WAN.
#32
High availability / Re: HA and OpenVPN
September 22, 2023, 01:01:23 PM
Thank you. What do you mean by
Quote: "Then use the CARP address of the cluster as the OpenVPN endpoint for your clients."

The clients connect from the internet to the Firewall which has the respective Openvpn port open?
#33
High availability / HA and OpenVPN
September 22, 2023, 12:34:18 PM
Hi,
I have trouble understanding the concept of HA and OpenVPN. I currently use HA for all Interfaces besides OpenVPN, working great. My "normal" implementation for a certain interface is creating a Virtual IP address like 192.168.22.100 for CARP and assigning on the individual machines for the interfaces a static IP like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine.

However, for OpenVPN I have to define the IP upon creating the VPN server. But, upon creating, the only option given to me is to set the IP like "192.168.22.0/24" and the explanation is "This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/TAP interface".

So, I cannot use the same VPN subnet on the first and second machines since they are automatically assigned the same server IP 192.168.22.1. I understand that I would have to set the server IP like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine. That would follow my general logic?

So, how can HA be implemented here? Please note that I'm not interested in seamless VPN operation in case of HA switching the firewalls. It just serves to simplify setup of common firewall rules and VPN servers on the machines.

Thank you!
#34
Use 2FA?
#35
add
block-outside-dns
to your client.ovpn
#36
Hello,
I solved the issue. I have no idea why the old configuration worked. Obviously the New Instances stuff is more picky and not doing stuff in the background the old Server tab did.

Solution: Added outbound nat for the OpenVPN net (I use Manual outbound NAT rule generation). Redirect gateway is set to default.
#37
General Discussion / Re: Unifi Plugin stopped working
September 20, 2023, 12:18:20 PM
I found out that I have the same problem like mentioned here: https://forum.opnsense.org/index.php?topic=34701.0:

I uninstalled the plugin, manually deleted /usr/local/share/java/unifi, reinstalled everything and used an old backup to restore the settings. Now it's working again.
#38
General Discussion / [SOLVED] Unifi Plugin stopped working
September 20, 2023, 09:59:39 AM
Hello,
I realized that (at least) with OPNsense 23.7.4 the Unifi-Plugin stopped working. Reinstall does not help. The error is always "HTTP Status 404 – Not Found".

Can anyone help?
#39
Perhaps add IPv4 route 192.168.0.0/16 to your server?
#40
Virtual private networks / Re: OpenVPN firewall rules
September 19, 2023, 07:19:33 PM
IPv4 local network is about routes pushed to the client. This has nothing to do with firewall rules. The alternative would be to do that same setting on the clients in my opinion. So in case of your configuration a client would manually add a route to 172.16.0.0/16, and access should be given to all your subnets.

In my opinion it would be better to have explicit firewall rules for each vpn server (subnet).
#41
Virtual private networks / Re: OpenVPN Instances
September 19, 2023, 01:58:44 PM
According to the Opnsense blog "The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently." As far as I understood from other discussions, the old way may become completely replaced by the instances in the far future.

You can leave the bind interface empty, no need to modify. The Server IP is set via "Server (IPv4)". This is self explanatory "This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/TAP interface".
#42
Hello,
I have successfully set up a VPN connection using the new instances tab. The Server is listening on TCP6, access to local 192.168.0.0/16 is possible from remote. However, redirect-gateway does not work at all. Neither by ticking any of the options in the server configuration, nor by using the option "redirect-gateway" in the client config.

I would appreciate some guidance how to approach this issue. I used the same server/client configuration with the "old" Server tab, having ticked "redirect-gateway" and this worked without any problems.

Thank you!
#43
General Discussion / Re: NTP Unreach/Pending
September 04, 2023, 02:23:03 PM
Update: under access restrictions is deselected "Disable all except ntpq and ntpdc queries". Now the result is still unreach/pending for the pool, but it seems to work for "content" of the pool, even though I have no idea what ".PZFs." means (and I don't have GPS).

Unreach/Pending 0.de.pool.ntp.org               .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 1.de.pool.ntp.org               .POOL. 16 p - 64 0 0.000 +0.000 0.000
Candidate 213.209.109.45                 10.129.9.96 2 u 28 64 377 18.335 -0.258 3.273
Active Peer 131.188.3.223                  .PZFs. 1 u 29 64 377 17.491 +0.860 2.054
Candidate 49.12.125.53               131.188.3.222 2 u 27 64 377 18.710 +1.093 2.421
Candidate 85.214.127.75               208.90.67.116 3 u 26 64 377 24.587 +0.649 3.101
Candidate 193.203.3.170                             .GPS. 1 u 33 64 377 25.712 -1.734 3.365
Candidate 85.215.93.134               192.53.103.108 2 u 22 64 377 25.651 -0.275 0.987
Candidate 91.107.199.28               36.224.68.195 2 u 32 64 377 19.211 +0.997 1.131
Candidate 81.169.199.94               161.143.24.141 2 u 22 64 377 25.849 +2.366 2.736


All very strange.
#44
Hi,
thanks for the idea. Of course I can add static-challenge "Enter Authenticator Code" 1 at the client which then requests separately password and OTP. But how does the server know how to handle this information? The server has to be somehow instructed how to concatenate the PWD+CODE.
#45
General Discussion / Re: NTP Unreach/Pending
September 01, 2023, 11:59:26 AM
Makes no difference.

Unreach/Pending 1.de.pool.ntp.org .POOL.         16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 192.168.1.1         213.239.234.28 3 u 48m 512 0 1.293 +0.043 0.000