Hi,
I have been using OpenVPN for quite a while but am new to OPNsense. There are some things that confuse me.
I have created a CA on my OPNsense installation, and I have created an OpenVPN _instance_ with the role Server, the Type TUN and topology "subnet". As "Server (IPv4)" I have set 10.242.4.0/26. My Local Network ("internal" on my OPNsense) is 192.168.0.0/20 (don't ask), and I have left the Remote Network empty since the (currently, one) client is just a client.
My client is a plain Linux machine, and the connection comes up: I see a tun0 Interface on the client, with 10.242.4.2/26 assigned as its IP address, and when I ping 10.242.4.1 and tcpdump on tun0, I see those ICMP echo requests going down the tunnel. On the OPNsense side, I see the client with Status "ok" in VPN => OpenVPN => Connection Status. However, I don't see any log entries refering to the connection in VPN => OpenVPN => Log File.
I have a firewall rule on my WAN interface to allow the incoming UDP/1194 packets to my OPNsense, and I have an "allow all" rule in the "OpenVPN" ruleset.
However, when I ping 10.242.4.1 from the client, there is no answer. Neither there is an answer when I ping 192.168.0.141 which is a host on my internal network. tcpdumping on the OPNsense internal interface doesn't see the ICMP echo request packets from my VPN client.
Now the strange things:
- ifconfig on my OPNsense shows a tun1 Interface, but that one doesn't have an IP address. I would have expected 10.242.4.1/26 to appear on that interface.
- Firewall => Log Files => Live View doesn't show anything with "Interface" OpenVPN, and I cannot establish a filter "Interface contains OpenVPN". The List only contains internal, Loopback, MGT0, PFSYNC and wan.
Obviously OPNsense does something differently from what I am used to when using OpenVPN on Linux. Can someone enlighten me please?
Greetings
Marc
Topology = "Subnet"?
Firewall rule on OpenVPN: direction "in", allow all? Direction is frequently confusing for OPNsense beginners.
HTH,
Patrick
Quote from: Patrick M. Hausen on October 25, 2025, 04:14:31 PMTopology = "Subnet"?
Yes. I forgot to mention that. Fixed the original article.
Quote from: Patrick M. Hausen on October 25, 2025, 04:14:31 PMFirewall rule on OpenVPN: direction "in", allow all?
I think so.
Screenshot_20251025_170217.png
Quote from: Patrick M. Hausen on October 25, 2025, 04:14:31 PM>Direction is frequently confusing for OPNsense beginners.
Yes, but it's mentioned THIS properly in ALL docs that it's almost impossible to miss.
Greetings
Marc
You should have an ovpns1 interface with 10.242.4.1/26, not a tun1 on OPNsense.
Which version of OPNsense are you running?
Quote from: Patrick M. Hausen on October 25, 2025, 05:49:43 PMYou should have an ovpns1 interface with 10.242.4.1/26, not a tun1 on OPNsense.
Nosireebob.
root@OPNs01:~ # ifconfig | grep ovpn
root@OPNs01:~ # ifconfig | grep 242
root@OPNs01:~ #
Quote from: Patrick M. Hausen on October 25, 2025, 05:49:43 PMWhich version of OPNsense are you running?
25.1.10 on FreeBSD 14.2-RELEASE-p3. I intend to upgrade before going live, but I'd like to have the configuration complete so that I can actually see that everything survives the upgrade.
Greetings
Marc
I don't have any 25.1 running to compare, sorry. Although ... that system with my ovpns1 is a 25.4 business edition so essentially 25.1
I attached the relevant part of my config. Try a reboot, maybe, to whack the interfaces into shape? ;-)
Quote from: Patrick M. Hausen on October 25, 2025, 06:36:55 PMTry a reboot, maybe, to whack the interfaces into shape? ;-)
"Gesundbooten" as we say in Germany. It helped. Part of me is happy about that, other part not.
Thanks for helping.
Greetings, Marc
Possibly a restart of the OpenVPN service would have achieved the same. If you don't have it already, place the Services widget on your dashboard.