OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: jahlives on September 01, 2022, 09:25:47 AM

Title: OpenVPN server routes not fully learned?
Post by: jahlives on September 01, 2022, 09:25:47 AM
Hello

running latest OPNsense 22.7_4-amd64 and having an issue with routing via an openvpn connection. I set up an openvpn server on opnsense and added the remote network in question (192.168.77.0/24) to the server settings in "IPv4 Remote Networks" and to the correct "Client specific overwrite". When the client connects to the server I can see that the route is learned into the main routing table.

root@OPNsense:~ # route -n get 192.168.77.130
   route to: 192.168.77.130
destination: 192.168.77.0
       mask: 255.255.255.0
    gateway: 10.230.0.2
        fib: 0
  interface: ovpns2
      flags: <UP,GATEWAY,DONE,STATIC>
recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

10.230.0.2 is the vpn ip of the correct client. I can ping it. But if I try to ping an ip in 192.168.77.0/24 there is no response. If I tcpdump on the client I cannot see one packet coming in on the openvpn connection.
If I check the routing table on the server in VPN > Connection Status > Routing table I cannot see the route for that network.

From what I know from other openvpn setups on other opnsense boxes, the route to that network should be displayed there. So it seems to me that openvpn does not learn the route internally.

Any idea how I could solve this / why the route is not displayed in the connection status page?
If more details are needed I'll happily provide them on request :-)

Thanks for any hint

Cheers

tobi
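Added example (not part of the thread): the Connection Status page summarises OpenVPN's own routing table, which is also available as `status 3` output on the management interface. This Python check parses that output and reports client-side subnets the server never learned, which is exactly the mismatch described above (kernel route present, OpenVPN entry absent). The status text and the common name `site-b` are constructed assumptions.

```python
import ipaddress

# Constructed 'status 3' (tab-separated) output mirroring the symptom above:
# the client's tunnel IP 10.230.0.2 is in ROUTING_TABLE, but there is no
# entry for 192.168.77.0/24, so the server will not forward to that subnet
# even though the kernel has a route pointing into ovpns2.
SAMPLE_STATUS = "\n".join([
    "TITLE\tOpenVPN (constructed sample)",
    "TIME\t2022-09-01 09:20:00\t1661937600",
    "HEADER\tCLIENT_LIST\tCommon Name\tReal Address\tVirtual Address",
    "CLIENT_LIST\tsite-b\t203.0.113.10:1194\t10.230.0.2",
    "HEADER\tROUTING_TABLE\tVirtual Address\tCommon Name\tReal Address\tLast Ref",
    "ROUTING_TABLE\t10.230.0.2\tsite-b\t203.0.113.10:1194\t2022-09-01 09:19:00",
    "GLOBAL_STATS\tMax bcast/mcast queue length\t0",
    "END",
])


def parse_routing_table(status_text):
    """Return (network, common_name) pairs from ROUTING_TABLE lines.

    Tunnel IPs become /32 networks; iroute subnets keep their prefix length.
    Non-IP entries (e.g. MAC addresses in tap mode) are skipped.
    """
    routes = []
    for line in status_text.splitlines():
        fields = line.split("\t")
        if fields[0] != "ROUTING_TABLE" or len(fields) < 3:
            continue
        try:
            routes.append((ipaddress.ip_network(fields[1], strict=False), fields[2]))
        except ValueError:
            continue
    return routes


def openvpn_knows_subnet(status_text, subnet, common_name):
    """True if OpenVPN's routing table maps `subnet` to `common_name`."""
    want = ipaddress.ip_network(subnet, strict=False)
    return any(net == want and cn == common_name
               for net, cn in parse_routing_table(status_text))


def missing_client_subnets(status_text, expected):
    """expected: {common_name: [subnet, ...]} as configured in the client
    specific override. Returns the (cn, subnet) pairs the server has not
    learned; traffic for those is dropped inside OpenVPN regardless of the
    kernel routing table, which is what the thread observes."""
    return [(cn, s) for cn, subs in expected.items() for s in subs
            if not openvpn_knows_subnet(status_text, s, cn)]
```

On a live box, feed the function the output of `status 3` from the management socket (or the status file) instead of `SAMPLE_STATUS`.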
Title: Re: OpenVPN server routes not fully learned?
Post by: jahlives on September 02, 2022, 01:00:59 PM
Update:

Seems not to be a firewall rules issue, as I also cannot ping with pfctl -d.
So I think a firewall issue should be off the table :-)

Found out that I can reach the local subnet on the openvpn server side from the local subnet behind the openvpn client. But I cannot reach the local sub behind the client from the sub behind the server (also the server itself cannot reach it, not just clients behind the server). It smells somehow inconsistent but I'm running out of ideas what else to try. Both client and server are opnsenses and are connected via an openvpn site2site setup.
Title: Re: OpenVPN server routes not fully learned?
Post by: jahlives on September 04, 2022, 01:54:56 PM
Maybe a picture of the server-side learned routes would help? (see attachment) Imho it should show the route for 192.168.77.0/24 to that particular client there.
Title: Re: OpenVPN server routes not fully learned?
Post by: jahlives on September 07, 2022, 06:40:37 AM
Changed to WireGuard VPN -> Site2Site works -> me happy :-)