OPNsense Forum

English Forums => General Discussion => Topic started by: jennifer.cruize98 on July 17, 2023, 01:58:22 PM

Title: Traffic between interfaces
Post by: jennifer.cruize98 on July 17, 2023, 01:58:22 PM
My network is as follows:

OpenVPN network OPT1 (10.8.0.1) <--> (10.8.0.2) OpnSense <--> (192.168.2.254) LAN Network

I'm trying to ping/access the 192.168.2.0/24 network from the linux machine on 10.8.0.1. I can ping 10.8.0.2 and 192.168.1.1 (WAN GW) but I can't seem to figure out how to reach the other.

I tried doing a outbound NAT to force anything on 10.8 not going to 10.8 to go to 192.168 by firewall and by GW but no luck.

Title: Re: Traffic between interfaces
Post by: bartjsmit on July 17, 2023, 02:59:51 PM
No need for NAT internally. Do you have a (floating) rule to allow ICMP?

Check for denies in your firewall log - Firewall: Log Files: Live View, filter on source == 10.8.0.1

Bart...
Title: Re: Traffic between interfaces
Post by: jennifer.cruize98 on July 17, 2023, 03:05:06 PM
I created a floating rule to allow ping from any protocol to and from any interface and removed all the NAT rules etc...

Started a ping and I see the successful ping to 10.8.0.2 logged, but I don't see the deny to 192.168.2.254, which confuses me.
Title: Re: Traffic between interfaces
Post by: bartjsmit on July 17, 2023, 03:18:57 PM
Do both endpoints have OPNsense as their DG? If not, you'll need to add a static route on 192.168.2.254 for the return traffic
Title: Re: Traffic between interfaces
Post by: jennifer.cruize98 on July 17, 2023, 03:33:30 PM
By endpoints do you mean the Linux Server and OpnSense firewall?

Regarding adding a route, is the following the correct way, if needed?

I had to manually create the LAN GW since it wasn't auto created.

Thanks bart!
Title: Re: Traffic between interfaces
Post by: bartjsmit on July 17, 2023, 08:38:09 PM
Quote from: jennifer.cruize98 on July 17, 2023, 03:33:30 PM
By endpoints we mean the Linux Server and OpnSense firewall?

Endpoints would be a host on 192.168.2.0/24 and 10.8.0.2

Try some packet traces to see if you can see the packet going out and the reply going back.

Interfaces: Diagnostics: Packet Capture

What is the routing table on 10.8.0.2 like? Does it have an entry for 192.168.2.0/24 via 10.8.0.1 in there?

ip ro sh on most Linux OSes.

Bart...
Title: Re: Traffic between interfaces
Post by: jennifer.cruize98 on July 18, 2023, 01:52:04 PM
192.168.2.0/24 can ping 10.8.0.1 and 10.8.0.2

Looking at the packet capture, I don't see the 192.168.2.0/24 network being mentioned, so my guess is the traffic is never leaving the Linux machine running on 10.8.0.1, which is the OpenVPN network.

On the Linux machine I have:
ip ro sh
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
public_IP/24 dev venet0 proto kernel scope link src public_IP


So this means I need to have a static route added on OpnSense, correct?

Title: Re: Traffic between interfaces
Post by: bartjsmit on July 18, 2023, 09:17:43 PM
You need a static route for 192.168.2.0/24 via 10.8.0.1 on the Linux machine for the packets to enter the tunnel. Otherwise they will go out via its default gateway.

You can confirm with tcpdump -w on the Linux machine. Analyse the file in Wireshark - https://www.wireshark.org/
Title: Re: Traffic between interfaces
Post by: jennifer.cruize98 on July 19, 2023, 02:24:28 PM
Got it. So something like this?

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 venet0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
45.88.168.0     0.0.0.0         255.255.255.0   U     0      0        0 venet0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0


I ran a ping in one window and then ran the following:

tcpdump icmp and src 10.8.0.1 and dst 192.168.2.254
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel


Not sure if I'm going about this the right way.
Title: Re: Traffic between interfaces
Post by: Patrick M. Hausen on July 19, 2023, 02:31:47 PM
Try to add "-n" and "-i <interface>" to the tcpdump command.
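The two points raised in this thread, that the Linux host needs a more specific route for 192.168.2.0/24 so the packets enter the tunnel, and that tcpdump has to be bound to the interface those packets actually leave on, both come down to the kernel's longest-prefix-match routing decision. The following added example (not code from the thread or from OPNsense) replays that decision over the two route tables the poster showed, before and after the 192.168.2.0/24 entry, and derives which interface a capture should listen on. The route entries are constructed from the posted output; the next hop 10.8.0.1 in the added route is copied from the poster's table, and the first post places OPNsense's tunnel address at 10.8.0.2. For a point-to-point tun interface the decisive part of the lookup is the output device.

```python
import ipaddress

# Route tables constructed from the "ip ro sh" / "route -n" output in the thread.
# Each entry: (destination prefix, next hop or None for on-link, output device)
ROUTES_BEFORE = [
    ("0.0.0.0/0", None, "venet0"),        # default dev venet0
    ("10.8.0.0/24", None, "tun0"),        # the OpenVPN tunnel network
    ("45.88.168.0/24", None, "venet0"),   # the host's public /24 as posted
]
# Same table after the static route the poster added (gateway value as posted).
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.2.0/24", "10.8.0.1", "tun0")]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins,
    which is how the Linux FIB picks the output device for a packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None  # no route at all: the kernel would return "network unreachable"
    net, gw, dev = best
    return {"prefix": str(net), "via": gw, "dev": dev}


def capture_sees_traffic(routes, capture_dev, dst):
    """True if a tcpdump bound to capture_dev would see packets this host
    originates towards dst. tcpdump without -i picked venet0 in the thread,
    so a ping routed into tun0 produced "0 packets captured"."""
    route = lookup(routes, dst)
    return route is not None and route["dev"] == capture_dev


def suggested_capture(routes, src, dst):
    """Build the tcpdump invocation for the device the packets really use,
    with -n (no name resolution) and -i <interface> as advised in the thread."""
    route = lookup(routes, dst)
    if route is None:
        return None
    return f"tcpdump -n -i {route['dev']} icmp and src {src} and dst {dst}"


if __name__ == "__main__":
    target = "192.168.2.254"  # OPNsense LAN address from the first post
    for label, table in (("before static route", ROUTES_BEFORE),
                         ("after static route", ROUTES_AFTER)):
        r = lookup(table, target)
        print(f"{label}: {target} -> {r['prefix']} via {r['via']} dev {r['dev']}")
        print("  default tcpdump on venet0 sees it:",
              capture_sees_traffic(table, "venet0", target))
        print("  capture command:", suggested_capture(table, "10.8.0.1", target))
```

Running it shows the ping to 192.168.2.254 leaving via venet0 (the default route) before the static route exists, and via tun0 once the /24 is present; in both cases a capture on the wrong device reports nothing, which is why the thread's tcpdump run on venet0 showed zero packets even though the route table had been fixed.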