OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: zombiehoffa on April 17, 2021, 03:04:48 AM

Title: confusion over additional bootp/dhcp options to push static routes
Post by: zombiehoffa on April 17, 2021, 03:04:48 AM
I am really confused as to how to go forward. I have a WAN to my ISP and I setup an OpenVPN client as the primary gateway most of my internal network routes traffic to the web through. I created an OpenVPN server with the intention of connecting to my lan but it goes over the WAN and while I can connect to the vpn, I can't get traffic to return from the lan to the clients connected via the OpenVPN server. I believe I need to use the dhcp option to push a static route so that anything going back to OpenVPN clients from my lan will go via the OpenVPN server.

My lan is 192.168.3.0/24 with the gateway at 192.168.3.1. My OpenVPN server IPv4 tunnel network is 10.0.4.0/24 but it doesn't say what the gateway would be. I believe I need to set a classless static route option but am at a loss what I should put in there. Any help would be greatly appreciated.
Title: Re: confusion over additional bootp/dhcp options to push static routes
Post by: marcquark on April 17, 2021, 08:29:29 AM
Quote from: zombiehoffa on April 17, 2021, 03:04:48 AM
I have a WAN to my ISP and I setup an OpenVPN client as the primary gateway most of my internal network routes traffic to the web through.

That one is hard to understand at least for me. So you have a "normal" WAN Line plus an OpenVPN client and you would like to route all of your LAN internet traffic out through the VPN? It's probably best to do this via policy routing in your LAN firewall rules.

Quote from: zombiehoffa on April 17, 2021, 03:04:48 AM
I created an OpenVPN server with the intention of connecting to my lan but it goes over the WAN

What do you mean by "goes over the WAN"? You want your VPN to be reachable over your normal WAN interface, not through the VPN client interface? Is that it?

Quote from: zombiehoffa on April 17, 2021, 03:04:48 AM
and while I can connect to the vpn, I can't get traffic to return from the lan to the clients connected via the OpenVPN server.

Have you verified that the problem is indeed that packets don't return? Or does it lie earlier in the process, i.e. maybe your client fails to route packets destined for your LAN through the VPN it has connected to?

Quote from: zombiehoffa on April 17, 2021, 03:04:48 AM
I believe I need to use the dhcp option to push a static route so that anything going back to OpenVPN clients from my lan will go via the OpenVPN server.

Why would that be? Your LAN clients typically only know their own subnet, and will forward anything they don't know back to their default gateway. As I understand you, OPNsense is both default gateway and OpenVPN server, so you won't need to tinker with routing at all.

Quote from: zombiehoffa on April 17, 2021, 03:04:48 AM
My lan is 192.168.3.0/24 with the gateway at 192.168.3.1. My OpenVPN server IPv4 tunnel network is 10.0.4.0/24 but it doesn't say what the gateway would be. I believe I need to set a classless static route option but am at a loss what I should put in there. Any help would be greatly appreciated.

So where exactly do you want to set a route now? My first recommendation would be that you connect one client to the VPN (say using a mobile hotspot from your phone) and another one to the LAN. Then ping from one end to another, and use wireshark on both clients, as well as the packet capture diagnostics feature on OPNsense (for the openvpn and LAN interfaces). Then you'll get an overview of where exactly packets are lost.

fwiw, a guess into the blue: If your OpenVPN server does not make itself the default gateway for connected clients, then it needs to announce a route to the LAN subnet to clients. There's a field for that (use the tooltips to find which one it is). So your client will connect and have e.g. 10.0.4.2 on its OpenVPN interface and in its routing table there should be an entry for 192.168.3.0/24 via 10.0.4.1.
Note: I'd generally recommend this so-called split tunnel approach. Don't make your OpenVPN server announce itself as default gateway, it doesn't scale. Unless you explicitly want and need to also route your VPN client's "regular" internet traffic via the VPN, stay with the split tunnelling approach, although it is a little bit more error-prone.
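The following is an added worked example, not code from the thread or from OPNsense/OpenVPN. It covers both the classless static route option the original post asks about and the split-tunnel route marcquark describes: it encodes and decodes an RFC 3442 (DHCP option 121) payload, does a longest-prefix lookup over a LAN host's routing table to show that a 10.0.4.0/24 route via 192.168.3.1 is redundant when OPNsense is already the default gateway, and builds the OpenVPN `push "route ..."` directive for the LAN subnet. Addresses are the thread's own (LAN 192.168.3.0/24, gateway 192.168.3.1, tunnel 10.0.4.0/24); the server tunnel address 10.0.4.1 and the client-side default gateway label are assumptions, and the exact way the OPNsense DHCP page expects the option value entered is not something this example claims to know.

```python
"""Added example (not from the forum thread): RFC 3442 option 121 encoding,
a toy longest-prefix lookup, and the OpenVPN push directive for a split tunnel.
10.0.4.1 as the server's tunnel address is an assumption taken from the reply."""
import ipaddress


def encode_option121(routes):
    """Build the DHCP option 121 payload for a list of (destination_cidr, router).
    Per RFC 3442 each route is: one prefix-length byte, only the significant
    destination octets (ceil(prefixlen / 8) of them), then the 4-byte router."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_option121(payload):
    """Inverse of encode_option121; rejects truncated payloads instead of guessing."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated classless static route option")
        dest = bytes(payload[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        router = bytes(payload[i:i + 4])
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def next_hop(dest_ip, routing_table):
    """Longest-prefix match over {cidr: next_hop}; '0.0.0.0/0' is the default route."""
    ip = ipaddress.IPv4Address(dest_ip)
    best_net, best_gw = None, None
    for cidr, gw in routing_table.items():
        net = ipaddress.IPv4Network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


# Routing table of a normal LAN host as described in the thread (constructed).
LAN_HOST_ROUTES = {"192.168.3.0/24": "on-link", "0.0.0.0/0": "192.168.3.1"}


def lan_host_next_hop(dest_ip, extra_routes=None):
    """Where a LAN host sends a packet, with or without an option-121 route added."""
    table = dict(LAN_HOST_ROUTES)
    table.update(extra_routes or {})
    return next_hop(dest_ip, table)


def openvpn_push_directive(lan_cidr):
    """Server-side directive that announces the LAN subnet to VPN clients (split tunnel)."""
    net = ipaddress.IPv4Network(lan_cidr)
    return f'push "route {net.network_address} {net.netmask}"'


def vpn_client_routes_after_push(lan_cidr="192.168.3.0/24", server_tunnel_ip="10.0.4.1"):
    """Constructed routing table of a split-tunnel client after the push above:
    only the LAN subnet goes via the tunnel; the default route stays local."""
    return {lan_cidr: server_tunnel_ip, "10.0.4.0/24": "on-link",
            "0.0.0.0/0": "client-local-gateway"}


if __name__ == "__main__":
    opt = encode_option121([("10.0.4.0/24", "192.168.3.1")])
    print("option 121 hex:", opt.hex(":"))
    print("LAN host -> 10.0.4.2 without option:", lan_host_next_hop("10.0.4.2"))
    print("LAN host -> 10.0.4.2 with option:   ",
          lan_host_next_hop("10.0.4.2", {"10.0.4.0/24": "192.168.3.1"}))
    print(openvpn_push_directive("192.168.3.0/24"))
```

Both lookups for the LAN host resolve to 192.168.3.1, which is the point of the reply: the LAN side already forwards 10.0.4.0/24 to OPNsense, so the missing piece is on the VPN side, where the server has to announce 192.168.3.0/24 to its clients.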