Good afternoon!
I went through several OpenVPN setup tutorials and am confident I have almost everything setup correctly (internal CA, server certificate, OpenVPN Server with aforementioned server certificate, user with client certificate). I made a test connection from my phone using the OpenVPN client and importing the .ovpn profile. The connection was successful and I see it under the "Connection Status" tab.
This is where things get a little weird and I'm left with a few questions.
1. I've tried pinging back and forth (from phone to servers, gateway, and vice versa). Looking through the firewall logs, I can see the traffic getting allowed. However, the response is never received. I ran a packet capture and checked it out in Wireshark and it said the same thing. I can see my ping requests going out (from the VPN-ed client to the default gateway, or to a server it should have access to) but the response is never received. And this isn't unique to ping, I can't seem to receive any kind of response. But the traffic is definitely not getting blocked. I also cannot ping the VPN client from the firewall itself or from servers behind the firewall, even though the firewall logs show the traffic being allowed. I've tried pinging the client IP from all the different interfaces.
None of the tutorials I followed did anything with NAT so I'm thinking there may be a routing problem, but I don't know how to solve the problem. And this leads me into my second question...
2. I used the setup wizard to create the OpenVPN server. It did NOT create a new interface under Interfaces. However, looking at the interfaces under Firewall -> Rules, I do see a new one named "OpenVPN". But, if I go back to Interfaces and go to Assignments, I see that there is a new interface that is ready to be created. So I went ahead and added/enabled it. This resulted in a second OpenVPN interface being listed under Firewall -> Rules.
Something tells me that I shouldn't do this, but I feel like the interface needs to be Enabled at the very least. Is there a reason why the Interface wasn't created by OPNsense but it still shows up under Firewall -> Rules?
3. During the setup for the OpenVPN server, it asked for the "IPv4 Tunnel Network" and the "IPv4 Local Network/s". I don't want the clients to have access to my LAN. I had already created a designated DMZ that I would allow them access to instead and put that CIDR into the IPv4 Local Network/s field. However, I don't understand the logic behind the "IPv4 Local Network/s" setting. I'm just going to create firewall rules for the OpenVPN interface to allow it access to where I want it to access. So what's the purpose behind this setting, why is it necessary?
This is likely the return route. Does the server you are pinging have a route to your OpenVPN client? That is only automatic if the server has OPNsense as its default gateway.
If not, set up a static route on the server to the OpenVPN subnet(s) via the firewall. For a road warrior, that is just the subnet of the tunnel, for a site-to-site that also includes the far end subnet(s).
Bart...
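As an added illustration of the return-route check Bart describes (not code from the thread or from OPNsense), the following Python script parses a constructed `ip route` table from a Linux server behind the firewall and does the same longest-prefix lookup the kernel does for a reply packet addressed to a VPN client. The tunnel subnet 10.8.0.0/24, the client address 10.8.0.6 and the firewall LAN address 192.168.1.1 are assumptions chosen for the example; substitute your own. It reports whether replies would leave via the firewall, and if not, the static route that would fix it:

```python
import ipaddress

# Constructed sample: `ip route` output on a server whose default gateway is
# the OPNsense LAN address (assumed 192.168.1.1). Replies to the tunnel
# subnet follow the default route, so they reach the firewall.
ROUTES_VIA_FIREWALL = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: the default gateway is a different router
# (assumed 192.168.1.254), so replies to VPN clients never reach OPNsense.
ROUTES_VIA_OTHER_ROUTER = """\
default via 192.168.1.254 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, next_hop_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def return_path_ok(route_text, client_ip, firewall_ip):
    """Return (ok, explanation): do replies to client_ip go via the firewall?"""
    match = lookup(parse_routes(route_text), client_ip)
    if match is None:
        return False, f"no route at all for {client_ip}"
    net, via, dev = match
    if via == firewall_ip:
        return True, f"replies to {client_ip} go via {via} (matched {net})"
    hop = via if via else f"directly on {dev}"
    return False, f"replies to {client_ip} go {hop} (matched {net}), not via the firewall"


def suggested_static_route(tunnel_net, firewall_ip):
    """The static route Bart's reply suggests adding on the server."""
    return f"ip route add {tunnel_net} via {firewall_ip}"


if __name__ == "__main__":
    for label, table in (("default gw is OPNsense", ROUTES_VIA_FIREWALL),
                         ("default gw is another router", ROUTES_VIA_OTHER_ROUTER)):
        ok, why = return_path_ok(table, "10.8.0.6", "192.168.1.1")
        print(f"{label}: {'OK' if ok else 'BROKEN'} - {why}")
        if not ok:
            print("  fix:", suggested_static_route("10.8.0.0/24", "192.168.1.1"))
```

For a site-to-site tunnel, run the same lookup against an address in the far-end subnet as well as the tunnel subnet, since both need a route back through the firewall.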
OPNsense is the default gateway for every subnet.
I think I've narrowed down what the issue is, looks to be a bug. As I mentioned in my first post, the setup wizard did not create an Interface for OpenVPN. However, if I manually create and enable it myself, and then restart the OpenVPN service (important), pings and other traffic will start working. I validated that this is the issue because the moment I disable the OpenVPN Interface, traffic stops on the clients.
Here's what the Firewall rules section shows for my interfaces; notice I actually have two OpenVPN interfaces: "OpenVPN" (created by the wizard, not actually an Interface), and the Interface I enabled under Interfaces -> Assignments (VPNtestinterface). This looks pretty weird; I can't imagine this is how it is designed to work.
(https://i.imgur.com/pEXUy2m.png)
Can anyone confirm if this is a bug in the wizard? It seems odd that the wizard didn't create an actual Interface for OpenVPN.
Is anyone able to provide guidance?
Perhaps the documentation is just outdated?
Quote from: Psychic49 on February 22, 2022, 02:57:47 PM
Can anyone confirm if this is a bug in the wizard? It seems odd that the wizard didn't create an actual Interface for OpenVPN.
It is not odd, because for historical reasons in pfSense and OPNsense an "openvpn" firewall section is created for all OpenVPN instances, and it was considered "enough".
Assigning a different interface to each OpenVPN instance is a recent and "advanced" feature.
And anyway I am bitten by this behaviour too: the second OpenVPN server is not routed.
If I remember well, this was also the behaviour in pfSense several years ago, but now it is solved there.
Here, even applying the "reply-to" workaround in the firewall routes, I am not able to solve it.