OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: mdirickx on December 30, 2018, 05:37:16 pm

Title: port forward to openVPN
Post by: mdirickx on December 30, 2018, 05:37:16 pm
Happy Holidays everyone!!

I have an OPNsense firewall that needs to pass OpenVPN to a VPN server VM, and for the hell of it I can't figure it out. I included a screenshot of the old firewall's config. There are 2 VPN servers active on that VM; I'm starting with one of them: the one on UDP port 20096.

I thought this was as straightforward as possible: Firewall > NAT > Port Forward
Interface:    WAN
tcp/ip:       IPv4
protocol:     UDP
Destination:  Any
Dest port:    20096-20096
Redirect IP:  172.16.20.89
redir port:   20096
Filter rule:  add rule


This doesn't seem to work. I get the typical "no ssl handshake within 60 seconds" error from OpenVPN. Am I missing something?

(I also attached 2 screens of the OPNsense NAT and rules GUI. I disabled the combined rule for the two VPN servers and created one rule for each server. The rule for the port forward for the 20096 artist VPN is missing, as I tried setting it to "filter rule association: pass".)

Kind regards
Title: Re: port forward to openVPN
Post by: guest19757 on January 01, 2019, 03:45:26 am
Hello there,

Quote from: okgomarum
no ssl handshake within 60 seconds

I know this might sound silly, but by any chance did you click 'Apply Configuration'? If you did, did you tcpdump/wireshark the traffic between the firewall and the backend OpenVPN VM? It might be the case that the OpenVPN VM is the cause? I would suspect the firewall if the error was 'connection time out'?

Regards
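The capture that guest19757 suggests is the quickest way to tell whether the NAT rule is translating at all, whether the VM receives the packets, and whether the VM answers. The script below is an added example, not something posted in this thread or shipped with OPNsense: it reads two captures in the plain `tcpdump -n` line format (one taken on WAN, one on the LAN segment facing the VM) and decides which leg of the forward is broken. The sample lines are constructed; the client address 203.0.113.10 and the firewall WAN address 198.51.100.5 are assumptions, while 172.16.20.89 and UDP port 20096 are the values from the original post.

```python
import re
from typing import Dict, List, Optional

# Matches the UDP lines tcpdump prints with "-n" (no name resolution), e.g.
#   12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.20096: UDP, length 54
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_udp(line: str) -> Optional[Dict[str, object]]:
    """Return the 5-tuple of one tcpdump UDP line, or None for other lines."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def check_forward(wan_lines: List[str], lan_lines: List[str],
                  dest_port: int, redirect_ip: str) -> Dict[str, object]:
    """Classify a port forward from a WAN capture and a LAN-side capture.

    Verdicts:
      no-inbound      nothing for dest_port reached WAN (client/ISP side)
      not-redirected  WAN saw traffic, but nothing left towards redirect_ip
                      (NAT rule not matching, not applied, or wrong interface)
      vm-silent       packets reached the VM, but it never answered
                      (service not listening, VM firewall, or wrong proto)
      forward-ok      both directions present; the forward itself works
    """
    wan = [p for p in map(parse_udp, wan_lines) if p]
    lan = [p for p in map(parse_udp, lan_lines) if p]
    wan_in = [p for p in wan if p["dport"] == dest_port]
    # A plain port forward keeps the client's source address, so the same
    # clients seen on WAN should reappear on the LAN leg, now aimed at the VM.
    to_vm = [p for p in lan if p["dst"] == redirect_ip and p["dport"] == dest_port]
    from_vm = [p for p in lan if p["src"] == redirect_ip and p["sport"] == dest_port]
    wan_clients = {p["src"] for p in wan_in}
    lan_clients = {p["src"] for p in to_vm}

    if not wan_in:
        verdict = "no-inbound"
    elif not to_vm:
        verdict = "not-redirected"
    elif not from_vm:
        verdict = "vm-silent"
    else:
        verdict = "forward-ok"
    return {"verdict": verdict, "wan_inbound": len(wan_in),
            "to_vm": len(to_vm), "from_vm": len(from_vm),
            "clients_missing_on_lan": sorted(wan_clients - lan_clients)}


# Constructed sample captures (not real data from the thread).
WAN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.20096: UDP, length 54
12:00:01.100001 IP 203.0.113.10.51234 > 198.51.100.5.20096: UDP, length 54
""".splitlines()

# Scenario A: nothing reaches the VM side at all -> rule not translating.
LAN_CAPTURE_BROKEN: List[str] = []

# Scenario B: the forward works and the VM answers the client.
LAN_CAPTURE_OK = """\
12:00:01.000200 IP 203.0.113.10.51234 > 172.16.20.89.20096: UDP, length 54
12:00:01.000900 IP 172.16.20.89.20096 > 203.0.113.10.51234: UDP, length 62
""".splitlines()


if __name__ == "__main__":
    for name, lan in (("broken", LAN_CAPTURE_BROKEN), ("ok", LAN_CAPTURE_OK)):
        print(name, check_forward(WAN_CAPTURE, lan, 20096, "172.16.20.89"))
```

Take the LAN-side capture on the firewall interface that faces 172.16.20.89 (or on the VM itself) so that it shows the packets after translation; a capture on WAN alone only proves that the client's packets arrive.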
Title: Re: port forward to openVPN
Post by: mdirickx on January 01, 2019, 04:31:25 am
Thank you @bugmanagement!

I did apply the settings, though I haven't captured any network dumps. I wanted to check first whether my approach seemed righteous.

The thing is: this is my network firewall. So I've paralleled them. I can switch from the old to the new firewall by replugging 4 network cables. During the holidays these switch-overs are easy. It doesn't matter how long it takes, as there is nobody to complain. Over the next few weeks debugging will become ... harder.

Therefore I would like more possible paths to explore for when I do switch over, so that I can get the most out of this corporate 'downtime' (even though WAN is working, other studios are not able to connect over OpenVPN).

I did notice that when I replug the old firewall everything is up and running again. This implies that the VPN downtime is due to an OPNsense misdirection/rule. Any further help would be most welcome. Let me know exactly what I can publish to help.

Happy New Year to you, non-gender-specific-person ;)
Cheers!

Title: Re: port forward to openVPN
Post by: guest19757 on January 01, 2019, 04:34:27 am
You do know 'tcpdump' is really easy, right? Interfaces -> Diagnostic -> Packet Capture?

Regards