OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: rdofl on January 02, 2019, 01:26:28 am

Title: Unable to route traffic over OpenVPN client
Post by: rdofl on January 02, 2019, 01:26:28 am
Hi,

I'm having issues getting an OpenVPN client to work (I am using ProtonVPN). I previously had this running on pfSense and I'm trying to get the same setup going on OPNsense. I've followed a number of tutorials as well as the HOWTO guide (https://forum.opnsense.org/index.php?topic=4979.75) posted on these forums here but I'm stumped! Any help would be appreciated!

I undid all the changes from those tutorials and started from scratch. I have a basic config set up on one of my VLANs ('SERVERNET', 10.1.10.0/24) to try and figure this out. Can anyone see where I might be going wrong?

Info:

OpenVPN Client

Provider: ProtonVPN
Don't pull routes: checked
Don't add/remove routes: unchecked

Connection shows as UP in Connection Status

Interfaces & Gateway

ovpnc1 attached to new VPN_WAN interface
IPv4 Configuration Type: None

Gateway: VPN_WAN_VPNV4 on interface VPN_WAN
IP address from OpenVPN client shows correctly on gateway

VPN_WAN_VPNV4 has been added to a Gateway Group called VPN_GROUP

Firewall Rules

I'm using 'SERVERNET' VLAN (10.1.10.0/24) to test with a rule that all non-local traffic is to use the VPN_GROUP gateway group. There is only one other rule for my local networks to talk to each other. See screenshot for more details.

There are no port forward or floating rules for this network.

Pass/Block  Proto   Source         Port  Destination  Port  Gateway    Description
Allow       IPv4 *  SERVERNET net  *     N_LOCALNETS  *     *          Default Allow any local traffic
Allow       IPv4 *  SERVERNET net  *     *            *     VPN_GROUP  Force traffic over VPN

N_LOCALNETS is an alias of all local networks (10.1.50.0/26, 10.1.20.0/25, 10.1.0.0/24, 10.1.10.0/24)


Firewall -> Settings -> Advanced

IPv6 Options: Allow IPv6: checked
Gateway Monitoring: Skip rules when gateway is down: checked

Outbound NAT

Mode: Hybrid outbound NAT rule generation

I added additional rules for VPN_WAN interface with all local networks as sources, Source/Source Port/Destination/Destination Port as *, and NAT Address as Interface Address

System DNS

I added the VPN provider's DNS (10.8.8.1 and 10.8.1.0) under System -> Settings -> General for the VPN_WAN_VPNV4 gateway. I also tried with public DNS as well in case this was an issue.

DHCP DNS for SERVERNET is left empty in DNS settings and shows as 10.1.10.1 on my clients on this network.

Unbound DNS Resolver

Enable Forwarding Mode: checked


Screenshots of Gateways, Firewall Rules and Outbound NAT attached.

Does anyone have any ideas why I can't get this to work? If I remove the VPN_GROUP gateway group from the rule, I can access the internet over WAN from the SERVERNET machines. I also added logging to the rule and can see that the outbound traffic from those machines is being matched against the 'Force traffic over VPN' rule and allowed to pass but there seems to be no response back. I have a feeling it's a NAT issue and that there is no return path... but I am a little stumped as to where to go from here!

Thanks in advance for any help!
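One way to test the "no return path" suspicion from the firewall's own rule set, as an added example that is not part of the thread: dump `pfctl -s rules` and `pfctl -s nat` on the OPNsense box and check that every source network that is policy-routed (route-to) out of the VPN interface also has an outbound NAT rule on that same interface, since a private source address leaving the tunnel un-NATed gets no reply. The pf lines below are constructed samples that approximate OPNsense-generated syntax (interface names `vlan10`, `em0`, the tunnel gateway `10.8.0.1` and the second NAT line are assumptions); `PF_NAT_FIXED` shows the same set with the missing rule added.

```python
"""Return-path check for a policy-routed OpenVPN client on a pf firewall."""
import ipaddress
import re

# Constructed sample of `pfctl -s rules` output (assumed approximation of
# OPNsense-generated pf syntax, not captured from the poster's firewall).
PF_RULES = """\
pass in quick on vlan10 route-to (ovpnc1 10.8.0.1) inet from 10.1.10.0/24 to any flags S/SA keep state label "Force traffic over VPN"
pass in quick on vlan10 inet from 10.1.10.0/24 to <N_LOCALNETS> flags S/SA keep state label "Default Allow any local traffic"
"""
# Constructed sample of `pfctl -s nat`: WAN (em0) is NATed for SERVERNET, but
# the tunnel interface only NATs a different local network.
PF_NAT = """\
nat on em0 inet from 10.1.10.0/24 to any -> (em0:0) port 1024:65535
nat on ovpnc1 inet from 10.1.20.0/25 to any -> (ovpnc1:0) port 1024:65535
"""
# Same set with the missing VPN_WAN outbound NAT rule for SERVERNET added.
PF_NAT_FIXED = PF_NAT + (
    "nat on ovpnc1 inet from 10.1.10.0/24 to any -> (ovpnc1:0) port 1024:65535\n"
)

ROUTE_TO = re.compile(r"route-to \((\S+) \S+\) inet from (\S+) to any")
NAT_RULE = re.compile(r"^nat on (\S+) inet from (\S+) to any")

def policy_routed(rules):
    """Yield (interface, source_net) for every rule that route-to's a gateway."""
    for line in rules.splitlines():
        m = ROUTE_TO.search(line)
        if m:
            yield m.group(1), ipaddress.ip_network(m.group(2))

def nat_rules(nat):
    """Yield (interface, source_net) for every outbound NAT rule."""
    for line in nat.splitlines():
        m = NAT_RULE.match(line)
        if m:
            yield m.group(1), ipaddress.ip_network(m.group(2))

def missing_return_path(rules, nat):
    """Return (iface, net) pairs that are policy-routed out of iface but have
    no outbound NAT rule on that iface covering net: traffic leaves the tunnel
    with a private source and the provider has no way to send replies back."""
    nats = list(nat_rules(nat))
    return [
        (iface, str(net)) for iface, net in policy_routed(rules)
        if not any(n_if == iface and net.subnet_of(n_net) for n_if, n_net in nats)
    ]

if __name__ == "__main__":
    for iface, net in missing_return_path(PF_RULES, PF_NAT):
        print(f"no outbound NAT on {iface} for {net}: replies will not return")
```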
Title: Re: Unable to route traffic over OpenVPN client
Post by: HA4g3n on January 07, 2019, 10:35:04 pm
Hello,

I'm trying to port forward a specified port so it's opened on the VPN interface.
Now it's configured, all DHCP clients are under VPN and it's working well besides the port forward issue.

I have tried several configs and tutorials without success.
I have heard one person saying it's a bug in OPNsense that you can only port forward within a WAN interface, don't know if it's true.

I'm stuck as well, and for others running pfSense this works directly.


Running OPNsense 18.7.10-amd64

OVPN over openVPN.
WAN 172.22.1.4 - Edgemax 172.22.1.4
LAN 192.168.1.2
VPN    10.128.64.xx Public 185.x.x.x

Anyone having some ideas?