Hi all,
still somewhat puzzled about the "symbolic" interface assignments in OPNsense.
As soon as I create an OpenVPN server, an interface appears under "Firewall --> Rules" and I can apply rules to the VPN client connections.
The interface does not appear under the global "Interfaces" section. I can make one appear by "Interfaces --> Assignments" and assigning a symbolic name to "ovpns1".
What is this supposed to do? What is the difference between this interface and the one already present in "Firewall --> Rules"?
Thanks!
Patrick
The automatically generated 'Firewall: Rules: OpenVPN' is actually not an interface, but an interface group. Also see this recent discussion about WireGuard (same concept): https://forum.opnsense.org/index.php?topic=22778.0
Cheers
Maurice
For reference:
https://github.com/opnsense/core/blob/45b697f6db341709e4b93ec3d3110823927bf2e1/src/etc/inc/plugins.inc.d/openvpn.inc#L92
https://github.com/opnsense/core/blob/45b697f6db341709e4b93ec3d3110823927bf2e1/src/etc/inc/plugins.inc.d/openvpn.inc#L489
Quote from: Maurice on April 27, 2021, 02:28:42 PM
The automatically generated 'Firewall: Rules: OpenVPN' is actually not an interface, but an interface group.
Understood. So if I have my required "permit" rules on the single interface, I don't need any on the global interface group, right?
Exactly. :)
OK, we tried that, no success.
Created an interface via "Assignments", set it to "enable" but no further configuration.
Added permit all IPv4 to that interface.
Removed same rule from interface group "OpenVPN".
No communication for remote workers.
So we reverted the changes for production for now. I will have to look into this. But thanks for giving me the general outline.
I'm doing exactly this with WireGuard. Assign and enable the wgX interfaces, no further configuration, rules only on the assigned interfaces, no rules on the 'WireGuard' interface group. Works fine.
Maybe something is a little different with OpenVPN. I don't currently have an OpenVPN setup to check, sorry.
Sounds familiar, try the recommended steps here: https://docs.opnsense.org/troubleshooting/openvpn.html
This is related to the historic "reply-to", which is applied to rules on assigned OpenVPN server interfaces by default. That's because corresponding gateways are also auto-created, hence the interfaces are considered WAN-type interfaces. I haven't yet found a situation in which I actually needed said gateways, so I usually just disable them, and then the assigned interfaces work just fine.
Also check out https://github.com/opnsense/core/issues/4485 for further discussions on the subject
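To make the distinction in this thread concrete (group rule vs. rule on an assigned interface, and which assigned interfaces carry an auto-created gateway and therefore get "reply-to" on their rules), here is an added audit script. It is not code from the thread or from the OPNsense project: the XML it parses is a constructed fragment shaped like OPNsense's config.xml, and the element names it relies on (`<gateway_item>`, `<disabled>`, `<disablereplyto>`) are assumptions about that layout rather than something verified against a specific release.

```python
# Added example, not from the thread or from OPNsense. Parses a constructed
# config.xml-style document and reports, per firewall rule, whether it sits on
# an interface group or an assigned interface, and whether pf "reply-to" would
# be applied (assigned interface + enabled gateway + rule did not opt out).
# Element names <gateway_item>, <disabled>, <disablereplyto> are ASSUMPTIONS.
import xml.etree.ElementTree as ET

# CONSTRUCTED sample: opt1 is the assigned OpenVPN server device ovpns1 with an
# auto-style gateway still enabled; opt2 is an assigned WireGuard device whose
# gateway has been disabled, as the post above recommends.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>vtnet0</if><enable>1</enable></wan>
    <lan><if>vtnet1</if><enable>1</enable></lan>
    <opt1><if>ovpns1</if><enable>1</enable><descr>VPNSRV</descr></opt1>
    <opt2><if>wg0</if><enable>1</enable><descr>WG</descr></opt2>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><name>WAN_GW</name><gateway>203.0.113.1</gateway></gateway_item>
    <gateway_item><interface>opt1</interface><name>VPNSRV_VPNV4</name><gateway>dynamic</gateway></gateway_item>
    <gateway_item><interface>opt2</interface><name>WG_GW</name><gateway>dynamic</gateway><disabled>1</disabled></gateway_item>
  </gateways>
  <filter>
    <rule><interface>openvpn</interface><type>pass</type><descr>group pass</descr></rule>
    <rule><interface>opt1</interface><type>pass</type><descr>VPNSRV pass</descr></rule>
    <rule><interface>opt1</interface><type>pass</type><descr>VPNSRV pass, reply-to off</descr><disablereplyto>1</disablereplyto></rule>
    <rule><interface>opt2</interface><type>pass</type><descr>WG pass</descr></rule>
  </filter>
</opnsense>
"""

VPN_DEVICE_PREFIXES = ("ovpns", "ovpnc", "wg")


def parse_config(xml_text):
    """Return (assigned, gateway_ifaces, rules) from a config.xml-style string."""
    root = ET.fromstring(xml_text)
    # Logical name -> physical device, e.g. "opt1" -> "ovpns1". Anything a rule
    # references that is NOT a key here is treated as an interface group.
    assigned = {}
    for iface in root.find("interfaces"):
        assigned[iface.tag] = (iface.findtext("if") or "").strip()
    # Interfaces that still have an enabled gateway entry.
    gateway_ifaces = set()
    for gw in root.findall("gateways/gateway_item"):
        if gw.findtext("disabled") is None:
            gateway_ifaces.add((gw.findtext("interface") or "").strip())
    rules = []
    for rule in root.findall("filter/rule"):
        rules.append({
            "descr": rule.findtext("descr") or "",
            "interface": (rule.findtext("interface") or "").strip(),
            "type": rule.findtext("type") or "",
            "disablereplyto": rule.findtext("disablereplyto") is not None,
        })
    return assigned, gateway_ifaces, rules


def audit_rules(xml_text):
    """Classify each rule and flag where reply-to would be applied."""
    assigned, gateway_ifaces, rules = parse_config(xml_text)
    findings = []
    for r in rules:
        iface = r["interface"]
        kind = "assigned" if iface in assigned else "group"
        reply_to = (kind == "assigned"
                    and iface in gateway_ifaces
                    and not r["disablereplyto"])
        findings.append({
            "descr": r["descr"],
            "interface": iface,
            "device": assigned.get(iface),
            "kind": kind,
            "reply_to": reply_to,
        })
    return findings


def needs_gateway_review(xml_text):
    """Assigned VPN interfaces whose gateway is still enabled, sorted."""
    assigned, gateway_ifaces, _ = parse_config(xml_text)
    return sorted(name for name, dev in assigned.items()
                  if dev.startswith(VPN_DEVICE_PREFIXES) and name in gateway_ifaces)


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_CONFIG):
        print(f"{f['descr']:<28} {f['kind']:<8} {f['interface']:<8} "
              f"{str(f['device']):<8} reply-to={'yes' if f['reply_to'] else 'no'}")
    print("gateway still enabled on assigned VPN interfaces:",
          needs_gateway_review(SAMPLE_CONFIG))
```

Run it as-is to see the four rules classified; with a real export you would point `parse_config` at your own config.xml and check whether the assigned VPN interface your "permit" rules live on still shows up in `needs_gateway_review`, which is exactly the situation the post above describes.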
Thank you very much, guys. Now I see the light. ;)
I always wondered why OPNsense defaults to forcing a gateway instead of relying on the routing table, but I see the use in multi-WAN situations.
There are too many automagic things influencing the firewall rules that cannot be found in the firewall/NAT setting sections of the UI for my tastes. Take the "anti lockout" rule for just one example. Clicking on the little pencil to edit it takes you to a completely different part of the UI. Very confusing.
Yeah, there are many quirks which can only be explained by, well, history. "Reply-to" and "route-to" are good examples. There have been intense discussions whether to disable them by default, but no consensus was reached. "Might affect existing setups" is a very sensitive topic when it comes to proposing changes.
Quote from: pmhausen on April 27, 2021, 11:23:37 PM
There are too many automagic things influencing the firewall rules that cannot be found in the firewall/NAT setting sections of the UI for my tastes.
Agreed, but a lot has already improved in the past few years.
Hi,
a question about it, I understand that:
wireguard and openvpn are interface-groups
= rules are for ALL interfaces of wireguard or openvpn.
But I think the Wireguard interface in rules gets all traffic from LOCAL Net to Wireguard-Tunnel.
But where can I set rules for Traffic from Tunnel to my networks?
Greets
Byte
Quote from: Bytechanger on April 29, 2021, 10:54:57 AM
But where can I set rules for Traffic from Tunnel to my networks?
On the WG interface.
OK so
Quote: But I think the Wireguard interface in rules gets all traffic from LOCAL Net to Wireguard-Tunnel.
this is wrong?
The Wireguard interface/interfaces are traffic TO MY LOCAL Network.
Traffic that goes OUTSIDE the Tunnel, there is only LAN, VLAN1, GUEST interface?
Greets
Byte
I don't really understand what you are asking.
Traffic from VPN clients will come into OPNsense on the WG interface, so you want to set rules there to determine where that traffic should be able to go, whether to local networks or elsewhere.
Suggest you have a look at the OPNsense docs on WG setups that match your use case.