OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: gs on March 13, 2019, 08:04:51 pm
-
Hello,
This thing has been driving me crazy for a while now. I have an OPNSense 19.1.4 router with an OpenVPN road warrior setup. It works perfectly fine and the client connecting through VPN can connect to any host on the LAN (which also means that replies from those hosts get routed back correctly). However, trying to connect from a host on the LAN to the address of the OpenVPN client always fails.
The setup looks like this (there are also two WAN interfaces to the internet not shown here):
VPN Client 10.10.12.2 <-> |10.10.12.1 Router 10.10.10.10| <-> 10.10.10.40 LAN host
Traceroute from VPN client to LAN host is correct
traceroute to 10.10.10.40 (10.10.10.40), 64 hops max, 52 byte packets
1 10.10.12.1 (10.10.12.1) 15.706 ms 14.337 ms 18.585 ms
2 10.10.10.40 (10.10.10.40) 22.600 ms 18.737 ms 16.566 ms
While traceroute from the LAN host to the VPN client is wrongly routed to the internet
traceroute to 10.10.12.2 (10.10.12.2), 30 hops max, 60 byte packets
1 85.195.x.x (85.195.x.x) 0.825 ms 0.668 ms 0.685 ms
2 82.197.x.x (82.197.x.x) 0.784 ms 0.777 ms 0.869 ms
Routing tables in OPNSense seem correct:
ipv4 10.10.12.0/24 10.10.12.2 UGS 576 1500 ovpns1
ipv4 10.10.12.1 link#9 UHS 0 16384 lo0
ipv4 10.10.12.2 link#9 UH 1200 1500 ovpns1
And catching packets at every interface confirms what traceroute shows (nothing goes through at the OpenVPN interface of the server when coming from LAN to VPN, but packets are logged when going from VPN to LAN).
My NAT outbound rules are auto-generated as follows:
Interface  Source                                    Src port  Destination  Dst port  NAT address  NAT port  Static port  Description
WAN        LAN networks, 127.0.0.0/8, 10.10.12.0/24  *         *            500       WAN          *         YES          Auto created rule for ISAKMP
WAN        LAN networks, 127.0.0.0/8, 10.10.12.0/24  *         *            *         WAN          *         NO           Auto created rule
WAN2       LAN networks, 127.0.0.0/8, 10.10.12.0/24  *         *            500       WAN2         *         YES          Auto created rule for ISAKMP
WAN2       LAN networks, 127.0.0.0/8, 10.10.12.0/24  *         *            *         WAN2         *         NO           Auto created rule
If anybody has any idea for troubleshooting this, it would be much appreciated!
Many thanks
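The post's own evidence is that the kernel routing table already prefers ovpns1 for 10.10.12.2, yet a capture never sees LAN-to-VPN packets on that interface. The following script is an added example (not code from the post or from OPNsense) that reproduces the longest-prefix-match decision over the three routes shown above and flags the mismatch between what the table selects and what the capture observed. The default route line is an assumption: the post does not print it, so the gateway is written as the redacted first hop of the LAN traceroute and the interface is simply labelled "WAN".

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str


# The three 10.10.12.x entries are the ones shown in the post. The 'default'
# line is NOT in the post; it is an ASSUMED example entry (gateway written as
# the redacted first hop from the LAN traceroute, interface label "WAN") so
# that destinations outside the tunnel network resolve somewhere.
ROUTE_TABLE_TEXT = """\
default        85.195.x.x   UGS   WAN
10.10.12.0/24  10.10.12.2   UGS   ovpns1
10.10.12.1     link#9       UHS   lo0
10.10.12.2     link#9       UH    ovpns1
"""


def parse_routes(text: str) -> List[Route]:
    """Parse 'destination gateway flags interface' lines into Route objects.

    A bare host address (no prefix length) becomes a /32 host route and
    'default' becomes 0.0.0.0/0, mirroring how netstat -rn prints them.
    """
    routes = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        dest, gateway, flags, iface = line.split()
        if dest == "default":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            network = ipaddress.IPv4Network(dest, strict=False)
        routes.append(Route(network, gateway, flags, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def check_observed(routes: List[Route], dst: str, observed_iface: str) -> dict:
    """Compare the table's decision with where a capture actually saw the packet.

    If the table selects one interface but the packet left on another, the
    normal routing lookup was never the deciding step: something earlier
    (a policy-routing rule on the firewall, or the sending host's own gateway
    choice) steered the packet. That is the symptom in the post, where
    LAN -> 10.10.12.2 traffic shows up on WAN instead of ovpns1.
    """
    route = lookup(routes, dst)
    expected = route.iface if route else None
    return {
        "destination": dst,
        "expected_iface": expected,
        "observed_iface": observed_iface,
        "table_bypassed": expected is not None and expected != observed_iface,
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE_TEXT)
    for host in ("10.10.12.2", "10.10.12.1", "10.10.12.77", "8.8.8.8"):
        r = lookup(table, host)
        print(f"{host:<12} -> {r.iface} via {r.gateway} ({r.network})")
    # The post's observation: capture on ovpns1 stays empty, traffic exits WAN.
    print(check_observed(table, "10.10.12.2", "WAN"))
```

When the script reports table_bypassed for a destination, the routing table is not the place to keep looking. On the firewall itself the equivalent checks are `netstat -rn` for the table, `tcpdump -ni ovpns1 host 10.10.12.2` for what actually reaches the tunnel interface, and `pfctl -sr | grep route-to` to see whether a LAN pass rule carries a gateway (pf's route-to), which in a two-WAN setup like the one described sends matching traffic to that gateway before the kernel table is consulted.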
-
Are hosts on the LAN Windows based?
-
Hi gs
Why do you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where do you define it?
Regards, ivo
-
Are hosts on the LAN Windows based?
On the LAN we have Windows, Mac and Linux. The traceroute was done from both a Mac and Linux host with the same result.
Why do you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where do you define it?
We have multiple clients connecting through that VPN; 10.10.12.1 is the IP of the router's VPN interface and 10.10.12.2, 10.10.12.3 etc. are each client. What defines that is in VPN > Servers > IPv4 Tunnel Network, which is set to 10.10.12.0/24 (and we are in topology mode). As for why I included a traceroute to 10.10.12.3 instead of 10.10.12.2, well, it is because I didn't pay enough attention when I wrote the message :-) (I corrected it now).
Thanks!