OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: tops4u on August 23, 2024, 09:53:11 AM

Title: 24.7.2 dropped WAN Rules for VPN
Post by: tops4u on August 23, 2024, 09:53:11 AM
I just upgraded from 24.7.1 to 24.7.2 yesterday and my VPN stopped working (iOS) via IPSec. So I noted two things today.

1. The VPN Log will stay empty even on Debug Level, whatever you do (Restart the Service, Change Config, Connect, etc...)
2. The Default Rules for VPN Traffic on the WAN Interface have been (probably) removed in the upgrade Process. I just added them now manually as per: https://github.com/thomergil/opnsense-ipsec-vpn and now IPSec works again.

Maybe this will help others with the same problem.
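A check for the situation described in this post, added here as an example that is not from the thread or from OPNsense itself: it takes a pf ruleset as printed by `pfctl -sr` and reports which of the inbound WAN pass rules IPsec depends on are absent. It assumes the WAN interface is named `wan` (override with `WAN_IF`) and that the rules needed are IKE on UDP/500, NAT-T on UDP/4500 and the ESP protocol, which is standard IPsec behaviour rather than something stated in the post.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense project. Reports which of
# the inbound WAN pass rules IPsec needs are missing from a pf ruleset.
# Assumptions: interface name "wan" (override via WAN_IF); IPsec needs
# IKE on UDP/500, NAT-T on UDP/4500 and the ESP protocol (standard IPsec,
# not stated in the thread).

WAN_IF="${WAN_IF:-wan}"

# Constructed sample ruleset: IKE and NAT-T rules present, ESP rule missing.
SAMPLE_RULES='pass in quick on wan inet proto udp from any to (wan) port = 500 keep state label "IPsec IKE"
pass in quick on wan inet proto udp from any to (wan) port = 4500 keep state label "IPsec NAT-T"
block drop in log quick on wan inet from 10.0.0.0/8 to any label "Block private networks"'

# has_pass_rule RULESET REGEX: true if an inbound pass rule on WAN_IF matches REGEX.
has_pass_rule() {
    printf '%s\n' "$1" | grep -E "^pass in .*on ${WAN_IF} " | grep -Eq "$2"
}

# missing_ipsec_rules RULESET: prints one token per missing rule (ike, natt, esp).
# "( |$)" keeps "port = 500" from matching "port = 5000".
missing_ipsec_rules() {
    has_pass_rule "$1" 'proto udp .*port = 500( |$)'  || echo ike
    has_pass_rule "$1" 'proto udp .*port = 4500( |$)' || echo natt
    has_pass_rule "$1" 'proto esp( |$)'               || echo esp
}

# Run against the constructed sample, then against the live ruleset if pfctl exists.
for missing in $(missing_ipsec_rules "$SAMPLE_RULES"); do
    echo "sample ruleset is missing the IPsec $missing rule on $WAN_IF"
done
if command -v pfctl >/dev/null 2>&1; then
    live=$(missing_ipsec_rules "$(pfctl -sr 2>/dev/null)")
    if [ -z "$live" ]; then
        echo "live ruleset: all IPsec WAN rules present"
    else
        echo "live ruleset missing: $live"
    fi
fi
```

Run it on the firewall after an upgrade (pfctl needs root) to confirm the rules survived; on the sample it reports only the ESP rule as missing.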
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: SpyAlelo on August 24, 2024, 08:28:18 PM
Thanks for the solution, I had the same issue. Shouldn't these rules be automatically created when the tunnels are configured?
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: Patrick M. Hausen on August 25, 2024, 12:07:04 AM
Intentional and well documented change, because many administrators (me included) hate "magic" and prefer manually created rules.
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: DarthAnimagus on August 25, 2024, 03:48:52 AM
I spent the better part of the day today trying to get my vti tunnels back up. Even after manually adding the VPN rules back to the WAN interfaces, nothing would work. It was very strange, because on each end of the tunnel I could see traffic make it in from the other side, but never going back out. Each firewall could ping the tunnel interface of the other, but get no farther.

What has made it work (for now) is changing the IP address of the VPN Gateway I had created to anything other than the IP addresses of the virtual tunnel interfaces. Policy routing works again, even though the tunnel gateway is now totally bogus on each side of the connection.

Edit...  Which seems to be because somehow in all the confusion the gateway interfaces ended up pointing to themselves, not the other side of the tunnel.
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: dwoodroofe on August 25, 2024, 07:13:50 AM
IPSEC 24.7.2 <--> 24.7.2 does not work

IPSEC 24.7.2 <--> 24.1.5 still working

Do NOT upgrade to 24.7.2!!!!
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: SpyAlelo on August 25, 2024, 05:40:13 PM
Quote from: Patrick M. Hausen on August 25, 2024, 12:07:04 AM
Intentional and well documented change, because many administrators (me included) hate "magic" and prefer manually created rules.
I thought as much, and is a welcome change to be fair. I do also have a distaste for "automagic" rules.
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: dwoodroofe on August 25, 2024, 06:09:14 PM
Confirmed roll-back to 24.7.1 resolves issue

     - SSH to appliance
     - Select (8) Shell
     - Command: opnsense-revert -r 24.7.1 opnsense
     - Reboot

Tested on 2 so far and both rebooted and VPNs came online.
Title: Re: 24.7.2 dropped WAN Rules for VPN
Post by: guyp2k on August 26, 2024, 04:02:16 AM
Spent the entire weekend redoing the IPSEC tunnels, manually adding in the WAN rules and thought that had addressed the issue, nope just received a call they are down. Rolling back until this is resolved.

Tempted to add another GW as someone suggested.