OPNsense Forum

English Forums => General Discussion => Topic started by: ja133 on June 23, 2023, 04:51:05 AM

Title: Connected to VPN, unable to take advantage of rules using VTI gateway
Post by: ja133 on June 23, 2023, 04:51:05 AM
Hello, long time lurker, first post. I moved over from pfSense a few months ago and couldn't be happier!

Anyhow, one small issue. I am hosting my own VPN server with both OpenVPN and WireGuard, and I experience the same issue on both services. I also have a VTI with WireGuard (but I already tried changing it to IPsec and experienced the exact same issue).

Under the firewall rules (both OpenVPN and WG), I created a rule to route a specific alias over the VTI. When trying to access the alias from the VPN, the page tries to load. I get the favicon, but eventually it just times out.

Copy the exact same rule but under the LAN interface, and it works perfectly when accessing from my home network.

Sounds like an MTU issue to me, and I've played around with it but no luck. Any other suggestions?

Thank you

Title: Re: Connected to VPN, unable to take advantage of rules using VTI gateway
Post by: zan on June 23, 2023, 04:37:53 PM
Try clamping the MSS too, e.g. use 1400 for both MTU and MSS.

Title: Re: Connected to VPN, unable to take advantage of rules using VTI gateway
Post by: ja133 on July 07, 2023, 02:08:06 PM
Thank you. After running a packet capture I realized that the issue was unrelated to MTU. I had to create an outbound NAT rule. Source is the WG subnet, destination is the alias I created, and NAT address is the OPT interface address associated with the VPN.
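As an added illustration (not configuration taken from the thread or from OPNsense's generated ruleset), the two rules discussed above look roughly like this when written as raw pf rules: the policy route from the first post, the outbound NAT rule that resolved it, and zan's optional MSS clamp. Interface names, subnets, the VTI peer address and the alias contents are assumed placeholders; the NAT target assumes the "OPT interface" in the last post is the VTI's assigned interface.

```pf
# Assumed names (not from the thread): wg0 is the WireGuard server
# interface for road-warrior clients, wg1 is the VTI to the remote site,
# 10.10.10.0/24 is the client subnet, 172.16.0.1 is the peer address on
# the VTI, and <remote_services> stands in for the OPNsense alias.
wg_server = "wg0"
vti       = "wg1"
wg_subnet = "10.10.10.0/24"
vti_peer  = "172.16.0.1"
table <remote_services> { 192.0.2.10, 192.0.2.11 }   # constructed hosts

# Policy route (the rule the thread placed on the OpenVPN/WG interface):
# client traffic destined for the alias is forced out via the VTI gateway.
pass in quick on $wg_server route-to ($vti $vti_peer) inet \
    proto { tcp, udp, icmp } from $wg_subnet to <remote_services> \
    keep state

# Outbound NAT (the rule that fixed the problem). Without it the packets
# leave the VTI with the VPN client subnet as their source address, so
# the far end must know a return route for 10.10.10.0/24; rewriting the
# source to the VTI interface address lets replies come back over the
# same tunnel regardless of the remote routing table.
nat on $vti inet from $wg_subnet to <remote_services> -> ($vti)

# Optional MSS clamp suggested earlier in the thread, for cases where the
# tunnel-in-tunnel overhead really is the cause of stalled page loads.
scrub on $vti max-mss 1400
```

In the OPNsense GUI the same pieces are the gateway setting on the VPN-interface rule and a manual entry under Firewall: NAT: Outbound with the VTI interface selected; the LAN copy of the rule worked because the LAN subnet already had a return path across the VTI.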