Hi,
I've (for the most part) successfully migrated to OPNsense today, after many, many years with pfSense. Most stuff was easy to migrate, a few things I have to read up on, but what I don't get running at all is OpenVPN.
My VPN provider is Perfect Privacy.
Previously (pfSense), I had several clients set up (UDP4), and they would connect without issues. Each client's gateway (IPv4) would show up in the dashboard and I would just have to attend to the NAT (I had used manual outbound NAT).
Now (OPNsense), I have set up a single client for testing. It connects, but here two gateways show up (only one in pfSense; IPv4), with only the IPv6 having "(active)" appended to its name. I'm on hybrid outbound NAT, so these rules should work. However, no traffic through the IPv4 gateway. The client options are identical to what was running a few hours ago on pfSense (except for options not existing in the OPNsense version of the OpenVPN client).
How can I get a working, IPv4 only OpenVPN?
The entire OPNsense is supposed to run IPv4 only, so the corresponding options have been set, and no IPv6 traffic is allowed anywhere.
I assume, as I'm new to OPNsense, that I'm missing something pretty obvious... Thanks in advance!
Edit: Changed thread title to better reflect the issue.
Hi and welcome!
As for IPv6 gateway: that's hardwired for us (like we inherited it I believe) so the best thing to do is disable the IPv6 gateway manually. Deleting it would just bring it back.
About IPv4 I'm not sure at first glance.
Cheers,
Franco
Thank you, franco :)
Yeah, I've already seen that deleting it is no option, it keeps coming back from the dead ;)
Even after deactivating the IPv6 gateway and restarting the OpenVPN client, the IPv4 gateway doesn't receive an address or the "(active)" designation. When I select it as the gateway within a firewall rule, nothing works anymore (for that subnet). Reverting this change brings everything back to normal instantly.
The client config looks like this...
And the advanced part is:
hand-window 120;
mute-replay-warnings;
persist-remote-ip;
reneg-sec 3600;
resolv-retry 60;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA;
tls-timeout 5;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
remote-cert-tls server
OK, I think I've progressed a step. I can now get traffic through the IPv4 gateway of an OpenVPN client.
The automatically created NAT rules weren't working (for OpenVPN). I had to switch to manual outbound NAT and create all rules manually. Is this intended behavior? (pfSense has the same issue...)
Anyhow. Previously (pfSense), I would combine VPN gateways to gateway groups and use those in firewall rules. Once a gateway would be down, for whatever reason, the other ones in that group would still work and carry traffic. That worked great, but obviously relies on pinging the gateway monitor address.
Now (OPNsense), I also combine these gateways to gateway groups. But pinging them doesn't work, because only the IPv6 gateway is "active" and pingable (as described previously and as can be seen on the screenshots). That's bad. But it gets worse. Assigning the gateway group within a firewall rule as the gateway, the traffic still uses the default gateway. Assigning a single gateway (of the VPN gateways) works as intended.
OpenVPN within OPNsense is still a mystery to me.
PS: Interestingly, Perfect Privacy (my VPN provider) has screenshots online which show an OPNsense OpenVPN client config with a dedicated "Disable IPv6" switch, directly above the "Don't pull routes" switch. What happened to that?
Quote from: voodoo5_6k on October 28, 2023, 03:53:19 PM
Assigning the gateway group within a firewall rule as the gateway, the traffic still uses the default gateway. Assigning a single gateway (of the VPN gateways) works as intended.
I have a floating rule that blocks all traffic for interface=WAN with a certain tag, assigned by the firewall rules with VPN gateway assignments. Using one of these gateway groups, nothing gets out anymore. Using a single VPN gateway, it works, and is also recognized on the Perfect Privacy website (external IP address from VPN provider, DNS from their network). Disabling the floating rule and using the gateway group, traffic works, but now I'm on the regular WAN, which is also noticed on the Perfect Privacy website (external IP address from my ISP, ISP DNS). Of course, WAN is not part of any of these gateway groups.
I've been reading more about gateway groups and it seems I might have to test a few more things. This seems to work completely differently compared to pfSense.
Also, I'll try something for the IPv4 gateway monitoring. If this works, I might have a workaround for the issue.
However, I still think the OpenVPN client config is missing a few switches, especially to turn off IPv6.
Currently, I'm out of ideas. I'm going to look at it again tomorrow.
Summary so far.
OpenVPN client set up (as detailed in previous posts) for Perfect Privacy more or less works. But IPv6 cannot be disabled (although older config help explicitly shows "disable IPv6" switches - whatever happened to those?), I end up with two gateways, IPv6 and IPv4. The IPv6 one gets an address and can be monitored, the IPv4 one does not. Even using something like 8.8.8.8 as monitoring IP fails (100% packet loss, but regular traffic through it works, via firewall rules).
My setup requires monitoring the gateways as they have to be used in gateway groups. And there is the next issue. Using the gateway group in firewall rules, the traffic is pushed through the default gateway. Using the IPv4 gateway instead of the group, everything works.
Although irrelevant for OPNsense, all of this worked a few days ago in pfSense. No IPv6 gateways, gateways monitored, gateway groups working in firewall rules...
Alright, I found no way to get this working. Entered the exact same config back into a new pfSense install, and all was working instantly.
As so far nobody seems to have experienced something comparable, I see no path forward (for me personally) with OPNsense at the moment.
Thanks and all the best!
PP works perfectly with OPNsense.
It sounds like you have compression set wrong.
I was required to use lz4 v2.
Hope that helps, but no issues here using a DEC670 on Business Edition OPNsense.
I also have this on all my tunnels:
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "
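An added example (mine, not posted by anyone in this thread, and not OPNsense or Perfect Privacy code): a small Python checker for the semicolon-separated advanced-options string shown above. It parses the field, flags a profile that lacks the two IPv6 pull-filters or remote-cert-tls server, flags compression directives, and renders the field as .ovpn lines; the sample string is constructed from the options posted in the thread.

```python
import re

# Constructed sample (not from the thread's screenshots): the advanced options
# posted above, with the two pull-filter lines from the last reply appended.
SAMPLE = (
    "hand-window 120;mute-replay-warnings;persist-remote-ip;reneg-sec 3600;"
    "resolv-retry 60;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:"
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256;tls-timeout 5;tun-mtu 1500;"
    "tun-mtu-extra 32;mssfix 1450;remote-cert-tls server;"
    'pull-filter ignore "ifconfig-ipv6 ";pull-filter ignore "route-ipv6 "'
)

# The two server pushes an IPv4-only client must refuse.
IPV6_PULL_FILTERS = {'ignore "ifconfig-ipv6 "', 'ignore "route-ipv6 "'}


def parse_options(text):
    """Split the OPNsense advanced-options field (semicolon- or newline-
    separated) into (directive, argument string) pairs, skipping blanks."""
    pairs = []
    for raw in re.split(r"[;\n]", text):
        line = raw.strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        pairs.append((directive, args.strip()))
    return pairs


def audit(text):
    """Return findings for a profile that is meant to be IPv4-only."""
    opts = parse_options(text)
    findings = []
    filters = {args for d, args in opts if d == "pull-filter"}
    missing = IPV6_PULL_FILTERS - filters
    if missing:
        findings.append("missing pull-filter: " + ", ".join(sorted(missing)))
    if ("remote-cert-tls", "server") not in opts:
        # Without this the client does not verify the peer holds a server cert.
        findings.append("remote-cert-tls server is not set")
    for d, args in opts:
        # OpenVPN deprecated compression; keep it only if the server insists.
        if (d == "comp-lzo" and args != "no") or \
           (d == "compress" and args in ("lzo", "lz4", "lz4-v2")):
            findings.append(f"compression enabled: {d} {args}")
    return findings


def to_ovpn(text):
    """Render the field as one-directive-per-line .ovpn syntax."""
    return "\n".join(f"{d} {a}".rstrip() for d, a in parse_options(text))
```

Paste the field contents into SAMPLE (or read them from a file) and run audit() before reloading the client; an empty list means the IPv4-only checks all pass.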