OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: joer on August 10, 2016, 03:23:17 pm

Title: Multi Wan and OpenVPN
Post by: joer on August 10, 2016, 03:23:17 pm
Hi,

Pretty new to firewalls this advanced and struggling a bit!

Struggling with OpenVPN site-to-site and multi-wan, as follows:

Site A has multi-WAN (two lines load balance and one failover) and static IPs on both WANs. OpenVPN is configured to use WAN1 interface (tun, shared key peer to peer).  LAN is on subnet 10.0.0.0/23, server IP 10.0.0.1 and OPNsense box 10.0.0.2.  OpenVPN virtual adapter 10.1.0.1.

Site B has single WAN with dynamic IP and is running the OpenVPN client.  Connection is up and remains solid. LAN is on subnet 10.0.2.0/23, server IP 10.0.2.1 and OPNsense box 10.0.2.2, OpenVPN virtual adapter 10.1.0.2.

OpenVPN is configured to use 10.1.0.0/24 as the tunnel network.

I have two Windows servers, one at each site.  The one on the client side works great.  The Site B server can ping the Site A server and replicate as necessary.  A tracert shows correctly, first hop 10.0.2.2, next hop tunnel exit 10.1.0.1 and finally to 10.0.0.1.  I can ping both sides of the tunnel also (10.1.0.1 and 10.1.0.2).

If I try to ping back at Site B from Site A though, I get nothing.  I can't even ping the local end of the tunnel (10.1.0.1).

I'm thinking there's a NAT rule I have to create on Site A's OPNsense to make sure traffic for the 10.0.2.0/23 network goes through the tunnel and not just out into the abyss over the gateway group, but as I said, new to this sort of thing so not sure how to go about it.

EDIT: Definitely some sort of rule needed, pings from 10.0.0.2 to 10.1.0.2 and 10.0.2.1 are successful (using the OPNsense Ping util). Strangely though the OPNsense Traceroute doesn't work.  Both the pinger and traceroute utils were set to LAN as the local addresses.

Thanks!
Title: Re: Multi Wan and OpenVPN
Post by: franco on August 11, 2016, 10:06:01 am
Where do you policy-route for Multi-WAN (which interface tabs)?

As of 16.7 the policy-route is adhered to by VPNs, so that means in order to skip the policy routing for VPN networks, they need to be added manually *before* the policy route as simple pass rule for the OpenVPN networks so that the policy route doesn't apply.
Cheers,
Franco
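Franco's point rendered as the pf rules OPNsense compiles its firewall rules into (an added illustration, not from this thread or from OPNsense's own generated ruleset): the interface name and WAN gateway addresses are placeholders, while the LAN, tunnel and remote networks are the ones joer described.

```pf
# Constructed example. em0/em1/em2 and the two gateway addresses are
# placeholders, not values taken from this thread.

# 1) Plain pass rule for the OpenVPN networks, placed FIRST and without
#    route-to. pf stops at the first "quick" match, so this traffic follows
#    the kernel routing table, whose routes for 10.1.0.0/24 and 10.0.2.0/23
#    point into the OpenVPN tunnel interface.
pass in quick on em0 inet from 10.0.0.0/23 \
    to { 10.1.0.0/24, 10.0.2.0/23 } keep state

# 2) Multi-WAN policy route (the "LAN to any" rule with the gateway group).
#    If this rule came first it would also match 10.1.0.0/24 and 10.0.2.0/23
#    and push that traffic out a WAN instead of the tunnel, which is the
#    symptom reported above: Site A cannot even reach 10.1.0.1's peer.
pass in quick on em0 inet from 10.0.0.0/23 to any \
    route-to { (em1 203.0.113.1), (em2 198.51.100.1) } round-robin keep state
```

On the firewall itself, `pfctl -sr` prints the loaded rules in evaluation order, so you can confirm the plain pass rule really sits above the route-to rule.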
Title: Re: Multi Wan and OpenVPN
Post by: joer on August 11, 2016, 10:16:55 am
Hi franco,

Not sure what that means (sorry).

I've actually got it working now.  The multi WAN is set up using a gateway group, two FTTC connections at Tier 1 and a 4G LTE connection as a Tier 2 backup.  The default LAN to any rule has the gateway group set.

I think there may be a bug though; I added a new rule above the default LAN to any rule and set any traffic heading to 10.0.2.0/23 to be sent through WAN1, which is where the VPN server listens.  This didn't work.  I found the only configuration that made this rule work was to leave the gateway as 'default' in the rule and then set WAN1 as my default gateway.  This also meant I had to disable 'Allow default gateway switching' in the system settings.

Thanks.