I am setting up OpenVPN with an Android client to start. From the Android I can connect to the OpenVPN server. I can reach the router's web page at 192.168.1.1.
Is this a problem with my IP numbers?
What do you have as "Local network" in your OpenVPN server config?
And do you have a firewall rule on the OpenVPN tab to allow traffic from the VPN?
I don't see local network in VPN|Servers. Just tunnel network.
Why do you provide screenshots of DHCP?
Please send a screenshot of your VPN server config:
VPN: OpenVPN: Servers
There is a row with IPv4 local network.
Here are 3 screenshots that cover VPN: Server.
Is this OPNsense the main router/gateway for the network 192.168.1.0/24? Usually this should work if your client is able to reach 192.168.1.1. Do you have a firewall rule to allow traffic coming in via OpenVPN interface? You checked "redirect gateway" so all traffic from the client is flowing through your OPNsense. Even the WAN traffic. You'll need a NAT rule to allow outgoing traffic from OpenVPN clients.
Did you follow those guides? https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
Quote from: Gauss23 on December 09, 2020, 08:43:18 AM
Is this OPNsense the main router/gateway for the network 192.168.1.0/24? Usually this should work if your client is able to reach 192.168.1.1.
Yes, this sits between my computers and the Charter modem. Not sure that answered the question, but the OPNsense router is accepting the OpenVPN clients and theoretically connecting them to all the devices on the router inside the LAN, and to the WAN as well.
Quote
Do you have a firewall rule to allow traffic coming in via OpenVPN interface? You checked "redirect gateway" so all traffic from the client is flowing through your OPNsense. Even the WAN traffic. You'll need a NAT rule to allow outgoing traffic from OpenVPN clients.
Quote
Did you follow those guides? https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
I tried, but got hung up on the Google Authenticator part. Ended up using
https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/
Why are you only allowing tcp traffic from the OpenVPN clients? Icmp (ping) and all udp based services will be blocked.
It's always a good idea to have a look at the live view in Firewall: Log Files: Live View to see what's blocked.
Quote from: Gauss23 on December 09, 2020, 11:54:21 PM
Why are you only allowing tcp traffic from the OpenVPN clients? Icmp (ping) and all udp based services will be blocked.
It's always a good idea to have a look at the live view in Firewall: Log Files: Live View to see what's blocked.
Thank you for your help. I am making progress. Changed the protocol on the OpenVPN firewall rule to "any" and I can get out onto the internet from the OpenVPN server now.
But I cannot access any internal ip numbers (web traffic or ssh). The firewall live view is all green.
What could be blocking that?
Attached are screenshots of the OpenVPN server config.
Can I provide any more info to help solve this issue?
You have set "Enforce local group" to "(none)".
The documentation says
"The option Enforce local group can be used to constrain access to only users in a specific (set of) group(s)"
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
Maybe have a look at this option...
I don't understand why your config has no option for "local network(s)".
I am still battling this. Using OpenVPN connect app on Android. I can connect, browse internet, hit IP of Opnsense router, but cannot connect anything inside LAN.
Please try the option "Topology" in the OpenVPN server. Read the help by clicking on the "i".
Thanks, I tried the topology option. No changes.
Here is the VPN server log:
2021-01-24T07:38:15 openvpn[75895] Jack/172.58.109.231:59321 AEAD Decrypt error: bad packet ID (may be a replay): [ #397 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2021-01-24T07:37:55 openvpn[75895] Jack/172.58.109.231:59321 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 [Jack] Peer Connection Initiated with [AF_INET]172.58.109.231:59321
2021-01-24T07:37:55 openvpn[57323] user 'Jack' authenticated using 'Local Database'
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_SSO=openurl
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_PROTO=2
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_TCPNL=1
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_NCP=2
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_PLAT=android
2021-01-24T07:37:55 openvpn[75895] 172.58.109.231:59321 peer info: IV_VER=3.git:released:662eae9a:Release
2021-01-24T02:41:19 openvpn[75895] TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.84:46424
2021-01-24T00:07:50 openvpn[75895] Initialization Sequence Completed
2021-01-24T00:07:50 openvpn[75895] UDPv4 link remote: [AF_UNSPEC]
2021-01-24T00:07:50 openvpn[75895] UDPv4 link local (bound): [AF_INET]35.134.112.112:1194
2021-01-24T00:07:50 openvpn[75895] Could not determine IPv4/IPv6 protocol. Using AF_INET
2021-01-24T00:07:50 openvpn[75895] ERROR: FreeBSD route add command failed: external program exited with error status: 1
2021-01-24T00:07:50 openvpn[75895] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1621 10.0.0.1 255.255.255.0 init
2021-01-24T00:07:50 openvpn[75895] /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
2021-01-24T00:07:50 openvpn[75895] TUN/TAP device /dev/tun1 opened
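As an added example (not part of this thread and not OPNsense's own code), here is a small Python log checker for OpenVPN server output in the format posted above. It flags the things a reader of such a log would want to notice: the "route add command failed" error, replay warnings, "cannot locate HMAC" packets from hosts that never completed a handshake (unsolicited traffic rather than a real client), and a tunnel network that overlaps the LAN, which is a common reason a client can reach the gateway but not LAN hosts. The log lines, the IPs (RFC 5737 documentation ranges) and the LAN 192.168.1.0/24 are constructed for the example; the tunnel network is read from the ovpn-linkup line.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample modelled on an OPNsense OpenVPN server log (not the thread's log).
# 203.0.113.5 is the real client; 198.51.100.77 never authenticates.
SAMPLE_LOG = """\
2021-01-24T00:07:50 openvpn[75895] TUN/TAP device /dev/tun1 opened
2021-01-24T00:07:50 openvpn[75895] /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
2021-01-24T00:07:50 openvpn[75895] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1621 10.0.0.1 255.255.255.0 init
2021-01-24T00:07:50 openvpn[75895] ERROR: FreeBSD route add command failed: external program exited with error status: 1
2021-01-24T00:07:50 openvpn[75895] Initialization Sequence Completed
2021-01-24T02:41:19 openvpn[75895] TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.77:46424
2021-01-24T02:41:20 openvpn[75895] TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.77:46425
2021-01-24T07:37:55 openvpn[75895] 203.0.113.5:59321 [Jack] Peer Connection Initiated with [AF_INET]203.0.113.5:59321
2021-01-24T07:37:55 openvpn[75895] Jack/203.0.113.5:59321 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
2021-01-24T07:38:15 openvpn[75895] Jack/203.0.113.5:59321 AEAD Decrypt error: bad packet ID (may be a replay): [ #397 ]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) openvpn\[(?P<pid>\d+)\] (?P<msg>.*)$")
PEER_RE = re.compile(r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
# ovpn-linkup <iface> <tun_mtu> <link_mtu> <local_ip> <netmask> init
LINKUP_RE = re.compile(r"ovpn-linkup \S+ \d+ \d+ (?P<ip>\S+) (?P<mask>\S+) init")


def parse_line(line):
    """Split one log line into timestamp, pid and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tunnel_network_from_log(log_text):
    """Recover the tunnel network from the ovpn-linkup line (e.g. 10.0.0.1/255.255.255.0)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = LINKUP_RE.search(rec["msg"])
        if m:
            return ip_network(f"{m.group('ip')}/{m.group('mask')}", strict=False)
    return None


def analyze(log_text, lan_net):
    """Return a list of (kind, detail) findings for the log against the given LAN network."""
    lan = ip_network(lan_net)
    findings = []
    authenticated = set()       # peers that completed a handshake
    hmac_failures = Counter()   # source IP -> packets with no valid HMAC
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msg = rec["msg"]
        peer = PEER_RE.search(msg)
        if "Peer Connection Initiated" in msg and peer:
            authenticated.add(peer.group("ip"))
        elif "cannot locate HMAC" in msg and peer:
            hmac_failures[peer.group("ip")] += 1
        elif "route add command failed" in msg:
            findings.append(("route_add_failed", msg))
        elif "bad packet ID" in msg:
            findings.append(("replay_warning", msg))
    # HMAC failures from a host that never authenticated are noise from the internet,
    # not a client with mismatched crypto settings.
    for ip, n in hmac_failures.items():
        if ip not in authenticated:
            findings.append(("unauthenticated_hmac_failure",
                             f"{ip}: {n} packet(s) without a valid HMAC"))
    tunnel = tunnel_network_from_log(log_text)
    if tunnel is not None and tunnel.overlaps(lan):
        findings.append(("address_overlap", f"tunnel {tunnel} overlaps LAN {lan}"))
    return findings


def finding_kinds(log_text, lan_net):
    """Sorted set of finding kinds, convenient for a quick check."""
    return sorted({kind for kind, _ in analyze(log_text, lan_net)})


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{kind:30} {detail}")
```

Run it against a pasted log and your real LAN prefix; if "address_overlap" shows up, the tunnel network in VPN: OpenVPN: Servers needs to be changed before any firewall rule will help, and "route_add_failed" is worth checking in System: Routes.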
Looks like your crypto settings don't match between client and server. How did you create the client config?
@jmcgee
can you try to uncheck "redirect gateway" and (input will appear after this) add LAN net address to "IPv4 Local Network"?
@Gauss23
Quote
Looks like your crypto settings don't match between client and server. How did you create the client config?
Quote
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.84:46424
IMHO that's not a real client IP. Port scan from the 185.200.118.0/24 net. I also see activity from this subnet twice a day.
@jmcgee
IMHO it's better to remove private info from logs.
...never use the standard port for openVPN...
Quote from: chemlud on January 24, 2021, 04:54:48 PM
...never use the standard port for openVPN...
Or at least use tls-auth/tls-crypt
Quote from: Fright on January 24, 2021, 04:28:00 PM
@jmcgee
can you try to uncheck "redirect gateway" and (input will appear after this) add LAN net address to "IPv4 Local Network"?
I did. No change.
Do you see packets flowing? Enable logging on the firewall rules in OpenVPN group.
Quote from: Gauss23 on January 24, 2021, 06:17:51 PM
Do you see packets flowing? Enable logging on the firewall rules in OpenVPN group.
I have enabled firewall logging on OpenVPN firewall rule. How do I filter those in log?
Firewall: Log Files: Live View
Quote
and theoretically connected it to all the devices on the router inside the LAN
Sorry, can you describe your LAN? Any other router besides the OPN?
I still think that the issue is on the LAN side (routes, port blocking or similar) if you haven't touched the default/wizard pf rules.
Can you make a Packet Capture on the LAN interface while trying SSH from the VPN client to a (working) LAN host?
Quote from: Fright on January 24, 2021, 08:23:09 PM
Quote
and theoretically connected it to all the devices on the router inside the LAN
Sorry, can you describe your LAN? Any other router besides the OPN?
I still think that the issue is on the LAN side (routes, port blocking or similar) if you haven't touched the default/wizard pf rules.
Can you make a Packet Capture on the LAN interface while trying SSH from the VPN client to a (working) LAN host?
I don't think I can do packet capture.
There is no other router, just a network switch.
Would the TUN/TAP issue be the cause?
https://openvpn.net/faq/why-does-the-app-not-support-tap-style-tunnels/
I had this working on Freshtomato router after putting in appropriate firewall rules. Don't recall what those were.
You can packet capture under Interfaces > Diagnostics
Quote
Would the TUN/TAP issue be the cause
Don't think so, and you are in tun mode as far as I can see.
As @Greenlan said, you can try to capture in Interfaces > Diagnostics.