Hello,
I have 3 WAN interfaces. I have created a single openvpn remote access server. Selected the interface as "any".
However, I am only able to connect via ONE specific interface out of the three. I am simply changing the "remote" line in the OpenVPN client config file to test this.
Things that I have verified:
a) Firewall rules on all three interfaces are the same
b) I AM able to successfully connect via each of the WAN interfaces if I just select that specific interface in the OpenVPN server settings instead of "Any"
So the simple question is: why am I not able to connect via any WAN interface when I set the interface to "Any" in the server settings?
In a previous similar post (posted by me), someone gave the following solution:
Quote: "One workaround would be to bind it to localhost and add port forwards from WAN interfaces and port to localhost and port."
And if the above is the only solution, what is the point of having the "Any" option?
Just an FYI, there is a board dedicated to VPN issues. You might have better luck over there. https://forum.opnsense.org/index.php?board=36.0
Can you post screenshots of your WANs? All WANs need an upstream gateway set, and maybe you also need Disable Force Gateway in Firewall : Settings : Advanced.
@mimugmail
Thanks for your reply. I noticed something very strange.
1st -> only one gateway (let's call this WAN1) was set as the upstream gateway (and this was the only one that the OpenVPN was working on)
2nd -> As an experiment, I disabled the WAN1 interface and tried to connect via WAN2 (I set the OpenVPN server to run on the WAN2 interface.) But alas, OpenVPN clients wouldn't connect even though I changed the IP in the client config! They would fail with an error (check network connectivity, failed to negotiate TLS in 60 seconds)
However, when I enabled WAN1's interface again, lo and behold it would work.
So it would seem that the packets were coming IN via WAN2, but going OUT via WAN1 (isn't that bizarre?)
P.S - For the moment I have set the upstream gateway bit for just WAN2 and have changed the openvpn server interface to WAN2 (people need to work remotely.) Maybe tomorrow or day after I can do further testing.
NOTE: every WAN Interface DOES have an "upstream gateway" set (in the interface settings). I just did not check the "upstream gateway" setting in system ->gateway -> single
My assumption WAS -> if a packet is coming in via WAN1, it should go OUT via WAN1, and if it's coming in via WAN2, it should go OUT via WAN2. Am I wrong?
Yes, that's the case. Screenshots, please.
@mimugmail attached
WAN 1 is the one in the middle (offline) as I disabled the interface
Really, no one here is interested in any bit of your gateways :)
Also Interfaces please
I set up my lab with multiwan and for me it works great.
Maybe you added an accept rule for OpenVPN port in floating rules? Then your reply-to rules are not working. You need to add an accept rule in every WAN interface in fw rules, then it works out of the box.
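To make the reply-to point above concrete, here is an added example (not code from the thread or from OPNsense) that audits pass rules for the OpenVPN port in the shape `pfctl -sr` prints them. It flags a floating rule (which pf will match first and which carries no reply-to, so replies leave via the default gateway) and any WAN interface whose rule lacks `reply-to (iface gateway)`. The rule lines, interface names `igb0`..`igb2`, addresses and labels are constructed for the example; run it against real `pfctl -sr` output by feeding that text to `audit_openvpn_rules`.

```python
import re

# Constructed sample in the shape of `pfctl -sr` output (NOT output from the poster's
# firewall; interface names, addresses and labels are made up for illustration).
SAMPLE_RULES = """\
pass in quick on igb0 reply-to (igb0 203.0.113.1) inet proto udp from any to 203.0.113.10 port = 1194 keep state label "WAN1: allow OpenVPN"
pass in quick on igb1 inet proto udp from any to 198.51.100.10 port = 1194 keep state label "WAN2: allow OpenVPN (no reply-to)"
pass in quick on igb2 reply-to (igb2 192.0.2.1) inet proto udp from any to 192.0.2.10 port = 1194 keep state label "WAN3: allow OpenVPN"
pass in quick inet proto udp from any to any port = 1194 keep state label "floating: allow OpenVPN"
"""

# Fields of interest in a pass rule: optional interface, optional reply-to, destination port.
RULE_RE = re.compile(
    r"^pass in quick"
    r"(?: on (?P<iface>\S+))?"
    r"(?: reply-to \((?P<rt_if>\S+) (?P<rt_gw>\S+)\))?"
    r" .*\bport = (?P<port>\S+)"
)


def parse_pass_rules(rules_text, port_names=("1194", "openvpn")):
    """Yield (iface, reply_to_gateway, line) for every pass rule toward the OpenVPN port.
    iface is None for a floating rule; reply_to_gateway is None when the rule has no reply-to.
    pfctl may print the port as a service name ("openvpn") rather than a number, so both
    spellings are accepted."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("port") in port_names:
            yield m.group("iface"), m.group("rt_gw"), line


def reply_to_map(rules_text):
    """Interface -> gateway address that reply-to forces for replies on that interface's rule."""
    return {iface: gw for iface, gw, _ in parse_pass_rules(rules_text) if iface and gw}


def audit_openvpn_rules(rules_text, wan_ifaces=("igb0", "igb1", "igb2")):
    """Return (scope, problem) findings: a floating rule, a WAN without a rule, or a
    WAN whose rule is interface-bound but lacks reply-to (replies then follow the
    default gateway, which is the symptom described in the thread)."""
    findings = []
    per_iface = {}
    for iface, gw, _ in parse_pass_rules(rules_text):
        if iface is None:
            findings.append(("floating",
                             "floating pass rule has no reply-to; replies to clients it matches leave via the default gateway"))
        else:
            per_iface[iface] = gw
    for wan in wan_ifaces:
        if wan not in per_iface:
            findings.append((wan, "no interface-bound pass rule for the OpenVPN port"))
        elif per_iface[wan] is None:
            findings.append((wan, "pass rule is bound to the interface but carries no reply-to"))
    return findings


if __name__ == "__main__":
    for scope, problem in audit_openvpn_rules(SAMPLE_RULES):
        print(f"{scope}: {problem}")
```

On the sample, `igb0` and `igb2` pass, `igb1` is reported for a missing reply-to, and the floating rule is reported because pf evaluates floating rules before interface rules, so an OpenVPN client hitting WAN2 would be matched there and its replies routed out the default gateway (WAN1). An empty result on a real box means every WAN has a reply-to rule and no floating rule shadows them, which is the state the thread ends up recommending.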
Quote from: mimugmail on May 16, 2021, 06:28:17 AM
Really, no one here is interested in any bit of your gateways :)
Lol I know. Employer rules! Can't help it!
Quote
Also Interfaces please
Which view specifically?
Quote from: geek on May 16, 2021, 12:14:58 PM
Quote from: mimugmail on May 16, 2021, 06:28:17 AM
Really, no one here is interested in any bit of your gateways :)
Lol I know. Employer rules! Can't help it!
Quote
Also Interfaces please
Which view specifically?
Quote from: mimugmail on May 16, 2021, 08:02:21 AM
I set up my lab with multiwan and for me it works great.
Maybe you added an accept rule for OpenVPN port in floating rules? Then your reply-to rules are not working. You need to add an accept rule in every WAN interface in fw rules, then it works out of the box.
No, I just have an accept rule to destination "this firewall" on all interfaces
Screenshots of both WAN Interface details, WAN rules (overview), Gateways overview, Firewall:Settings:Advanced
@mimugmail sorry for the late reply.
I've set up an exact system and just replaced the IPs / names.
See screenshots attached.
NOTE: all firewall interface rules are exactly the same (so I attached only 1 screenshot instead of 3)
notes:
OpenVPN interface is currently selected as WAN1
default gateway (currently set to WAN1)
LAN has a rule with a gateway group that switches from WAN1 -> WAN2 -> WAN3 in case of gateway failure
There is also a very weird issue: probably what is causing this:
IF I disable WAN1,
I am unable to ping / access WAN2 and WAN3 from the outside!
(even though I have selected all of them as upstream gateways - not shown in the attachment above)
What I don't understand is, Why would disabling one WAN connection have anything to do with the other?
I don't know whether this is a bug or I have seriously messed something up
After searching through the forums and reading the documentation again, I found there is another setting:
"System : Settings : General, enable default gateway switching"
Are my problems a result of NOT checking this box?
All I want is: traffic coming in via WAN1 should leave via WAN1 GW, traffic coming in via WAN2 must leave via WAN2 GW, and so on.
I was able to fix this problem.
I did three things in total:
0) OpenVPN running on "ANY" interface
1) Made sure "upstream gateway" is selected on all gateways
2) Gave a priority of 255, 254, 253 according to the gateway priority I wanted
3) Most importantly, I checked the option "System : Settings : General, enable default gateway switching"
Now even if I disable one interface, the other interfaces work fine and the OpenVPN client is able to connect to whatever IP I specify in the "remote" line.