OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: deekdeeker on June 04, 2019, 06:32:09 pm

Title: How to route OpenVPN client network to workstations
Post by: deekdeeker on June 04, 2019, 06:32:09 pm
Hi

I have an OpenVPN server running on 10.51.0.0/16 - for user VPNs.

I have an OpenVPN client running on 10.11.0.0/16 for remote logging.
OPNsense connects via the client fine, and from the OPNsense box I can communicate over the client VPN network 10.11.0.0/16, but I need a workstation on the LAN 192.168.50.0/24 to access the 10.11.0.0/16 network.
I've looked through some posts re NAT entries but still can't get this going. Seems it should be fairly simple, but I must be missing something? Do I manually need to add something specific?

OpenVPN firewall rules are IPv4 * * * *
My outbound NAT rules have 10.11.0.0/16 on WAN interface permitted.

Help is appreciated.  ;D

Title: Re: How to route OpenVPN client network to workstations
Post by: bartjsmit on June 04, 2019, 06:44:45 pm
No need to NAT when all your IP networks are RFC 1918 compliant. Concentrate on the routing - the default gateways on each end need to have a route to each other.

Packet trace wherever you're not sure traffic is going the right way or is getting denied by firewall rules.

Bart...

Title: Re: How to route OpenVPN client network to workstations
Post by: deekdeeker on June 04, 2019, 11:00:52 pm
Well, the firewall is not blocking the traffic. Do I need to create a new interface for this? It seems as if OPNsense is not using the routing table for this traffic. I can see the proper route out to that network via ovpnc4.
Update:
I also created a new assignment interface (opt1) and still not routing out. The OPNsense box itself knows how to route this traffic when I'm connected via SSH on the LAN network.

Firewall is not blocking traffic when attempting to access 10.11.0.0/16.

Title: Re: How to route OpenVPN client network to workstations
Post by: bartjsmit on June 04, 2019, 11:06:23 pm
Don't trust the routing table. Packet trace on the next hop and confirm the traffic arrives. Adding complexity will only muddy the waters.

Bart...

Title: Re: How to route OpenVPN client network to workstations
Post by: deekdeeker on June 04, 2019, 11:17:37 pm
Frig, I just got it working but not sure in the best way.

The first issue that I ran into was when I created the OPT1 (ovpnc4) interface and assigned it DHCP for address. I checked ifconfig on the OPNsense box and there was no address assigned to OPT1 until I restarted the OpenVPN client; I then received an IP from the OpenVPN server on the other end.

So with that sorted, I then created a static route to the host I needed, 10.11.0.1/32, and used gateway OPT1. Thoroughly confused why this wasn't working. I added an outbound NAT from interface OPT1 and translation interface address and boom, now working. Not sure if this is the most efficient way of doing it but it is working.

Also added an any any firewall rule for the newly added OPT1 interface.

I only needed access to the OpenVPN private network, not any networks behind the OpenVPN server, so it may have made this more of a unique scenario.

I hope this makes sense and can help someone else  :D

Thanks Bart for your replies.
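
The return-path question raised in the thread (routes on each end versus outbound NAT on OPT1), modelled as an added example that is not part of any post. It assumes the remote OpenVPN server has no route back to 192.168.50.0/24, which the thread does not confirm; the remote routing table, the interface names `tun0`/`eth0`, the workstation address and the tunnel address 10.11.0.6 are constructed.

```python
import ipaddress

# Constructed routing table of the remote OpenVPN server (assumption):
# it knows the VPN network and a default route, nothing about the LAN.
REMOTE_ROUTES = [
    ("10.11.0.0/16", "tun0"),
    ("0.0.0.0/0", "eth0"),
]
# Same table after adding a route for the OPNsense LAN via the tunnel,
# i.e. the "route on each end" approach suggested in the thread.
REMOTE_ROUTES_WITH_LAN = [("192.168.50.0/24", "tun0")] + REMOTE_ROUTES

LAN_WORKSTATION = "192.168.50.20"  # constructed host on 192.168.50.0/24
OPT1_TUNNEL_ADDR = "10.11.0.6"     # constructed address handed to ovpnc4


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def source_seen_by_remote(lan_src, tunnel_addr, outbound_nat):
    """Outbound NAT on OPT1 rewrites the source to the interface address."""
    return tunnel_addr if outbound_nat else lan_src


def reply_returns_via_tunnel(routes, lan_src, tunnel_addr, outbound_nat):
    """True if the remote side would send its reply back into the tunnel."""
    src = source_seen_by_remote(lan_src, tunnel_addr, outbound_nat)
    return lookup(routes, src) == "tun0"


if __name__ == "__main__":
    cases = [
        ("no NAT, no LAN route", REMOTE_ROUTES, False),
        ("outbound NAT on OPT1", REMOTE_ROUTES, True),
        ("no NAT, LAN route added", REMOTE_ROUTES_WITH_LAN, False),
    ]
    for label, routes, nat in cases:
        ok = reply_returns_via_tunnel(routes, LAN_WORKSTATION,
                                      OPT1_TUNNEL_ADDR, nat)
        print(f"{label:26} reply via tunnel: {ok}")
```

Under these assumptions the OPNsense box itself always works because its own traffic already carries the tunnel address as source, which matches what was observed over SSH.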