OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: gs on March 13, 2019, 08:04:51 pm

Title: Packets from LAN to OpenVPN road warrior client get routed to WAN
Post by: gs on March 13, 2019, 08:04:51 pm
Hello,

This thing has been driving me crazy for a while now. I have an OPNsense 19.1.4 router with an OpenVPN road warrior setup. It works perfectly fine and the client connecting through VPN can connect to any host on the LAN (which also means that replies from those hosts get routed back correctly). However, trying to connect from a host on the LAN to the address of the OpenVPN client always fails.

The setup looks like this (there are also two WAN interfaces to the internet not shown here):
VPN Client 10.10.12.2 <-> |10.10.12.1 Router 10.10.10.10| <-> 10.10.10.40 LAN host

Traceroute from VPN client to LAN host is correct
traceroute to 10.10.10.40 (10.10.10.40), 64 hops max, 52 byte packets
 1  10.10.12.1 (10.10.12.1)  15.706 ms  14.337 ms  18.585 ms
 2  10.10.10.40 (10.10.10.40)  22.600 ms  18.737 ms  16.566 ms

While traceroute from the LAN host to the VPN client is wrongly routed to the internet
traceroute to 10.10.12.2 (10.10.12.2), 30 hops max, 60 byte packets
 1  85.195.x.x (85.195.x.x)  0.825 ms  0.668 ms  0.685 ms
 2  82.197.x.x (82.197.x.x)  0.784 ms  0.777 ms  0.869 ms

Routing tables in OPNsense seem correct:
Proto   Destination     Gateway      Flags   Use    MTU     Netif
ipv4    10.10.12.0/24   10.10.12.2   UGS     576    1500    ovpns1
ipv4    10.10.12.1      link#9       UHS     0      16384   lo0
ipv4    10.10.12.2      link#9       UH      1200   1500    ovpns1

And catching packets at every interface confirms what traceroute shows (nothing goes through at the OpenVPN interface of the server when coming from LAN to VPN, but packets are logged when going from VPN to LAN).

My NAT outbound rules are auto-generated as follows:
Interface   Source                                     Src port   Destination   Dst port   NAT address   NAT port   Static port   Description
WAN         LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *             500        WAN           *          YES           Auto created rule for ISAKMP
WAN         LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *             *          WAN           *          NO            Auto created rule
WAN2        LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *             500        WAN2          *          YES           Auto created rule for ISAKMP
WAN2        LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *             *          WAN2          *          NO            Auto created rule

If anybody has any idea for troubleshooting this, it would be much appreciated!

Many thanks
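
The routing table above says the kernel should pick ovpns1 for 10.10.12.2. The following longest-prefix-match lookup is an added example, not part of the original post, that reproduces that decision over the posted routes; the LAN route, the default route, the interface names em0/em1 and the WAN gateway 85.195.0.1 are constructed placeholders. It also models a firewall rule with an explicit gateway (pf's route-to, which OPNsense applies before the routing table is consulted) as one way a packet can leave via WAN even though the FIB points at ovpns1.

```python
import ipaddress

# Routing entries copied from the post (proto column dropped; host routes
# written as /32 so prefix lengths can be compared), plus two constructed
# entries that the post does not show: the LAN and a default route via WAN.
ROUTES = [
    ("10.10.12.0/24", "10.10.12.2", "UGS", "ovpns1"),   # from the post
    ("10.10.12.1/32", "link#9",     "UHS", "lo0"),      # from the post
    ("10.10.12.2/32", "link#9",     "UH",  "ovpns1"),   # from the post
    ("10.10.10.0/24", "link#1",     "U",   "em0"),      # constructed: LAN
    ("0.0.0.0/0",     "85.195.0.1", "UGS", "em1"),      # constructed: default via WAN (placeholder gateway)
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return the routing entry a FIB would pick for dst,
    or None if no entry (not even a default route) covers it."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in routes:
        net = ipaddress.ip_network(entry[0])
        if ip in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def egress(dst, policy_gateway=None, routes=ROUTES):
    """Interface a forwarded packet leaves on.

    policy_gateway models a firewall rule carrying an explicit gateway
    (pf route-to): the packet is handed to that gateway's interface and the
    routing table is never consulted for dst. Without such a rule the FIB
    decides.
    """
    target = policy_gateway if policy_gateway is not None else dst
    entry = lookup(target, routes)
    return entry[3] if entry else None


if __name__ == "__main__":
    for dst in ("10.10.12.2", "10.10.12.3", "10.10.10.40"):
        print(dst, "->", lookup(dst))
    print("LAN -> VPN client, FIB only:    ", egress("10.10.12.2"))
    print("LAN -> VPN client, rule gateway:", egress("10.10.12.2", policy_gateway="85.195.0.1"))
```

If a capture on ovpns1 shows nothing while the FIB lookup returns ovpns1, the forwarding decision is being made before the routing table, so the gateway column of the LAN firewall rules is the next thing to inspect.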

Title: Re: Packets from LAN to OpenVPN road warrior client get routed to WAN
Post by: agh1701 on March 13, 2019, 08:10:27 pm
Are hosts on the LAN Windows based?

Title: Re: Packets from LAN to OpenVPN road warrior client get routed to WAN
Post by: ivoruetsche on March 13, 2019, 08:49:26 pm
Hi gs

Why do you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where do you define it?

Regards, ivo

Title: Re: Packets from LAN to OpenVPN road warrior client get routed to WAN
Post by: gs on March 14, 2019, 09:46:48 am
> Are hosts on the LAN Windows based?

On the LAN we have Windows, Mac and Linux. The traceroute was done from both a Mac and Linux host with the same result.

> Why do you trace to 10.10.12.3 and not to 10.10.12.2?
> What about 10.10.12.1, where do you define it?

We have multiple clients connecting through that VPN; 10.10.12.1 is the IP of the router's VPN interface and 10.10.12.2, 10.10.12.3 etc. are each client. What defines that is VPN > Servers > IPv4 Tunnel Network, which is set to 10.10.12.0/24 (and we are in topology mode). As for why I included a traceroute to 10.10.12.3 instead of 10.10.12.2, well, it is because I didn't pay enough attention when I wrote the message :-) (I corrected it now).

Thanks!