OPNsense Forum

English Forums => General Discussion => Topic started by: Vortex on November 25, 2019, 10:02:44 am

Title: New install, newbie question: 1 physical interface, shall it be LAN or WAN ?
Post by: Vortex on November 25, 2019, 10:02:44 am
Dear all,

I'm new to OPNsense and I love it. Yesterday I wanted to try its OpenVPN functionality and it didn't work, clients almost connected.. then after waiting, dropped out. I think my setup is special so I better tell you the situation.


What I have: classic router setup.
- 1G WAN (FTTH), ASUS RT-N56U B1 router with Padavan firmware, doing classic NAT, routing, basic firewalling and OpenVPN
- OpenVPN functionality is limited + when it works, it's slow. My upload is capable of ~300Mbits (real), friend's download at 100Mbits and connection speed between us capped at around 10Mbits or so, while the ASUS router's CPU was heavily maxed out.


What I wanted to experiment with: provide OpenVPN Server functionality with OPNsense and port forwarding in a VirtualBox VM, being on the LAN (via bridge mode in VBox config, no NAT).
- OPNsense got an internal LAN IP from my ASUS box
- 1 virtual interface up & running


And here I'm stuck.

How can I configure OPNsense to work with 1 interface, get its IP from the ASUS router as usual and serve as an OpenVPN endpoint for my friend? I have an SMB share on the Windows host (same subnet as the VM since the VM is bridged) and I'd like to make it visible for my friend coming in via OpenVPN. Is 1 interface enough for this trick? Shall it be WAN or LAN? Or shall I assign 2 interfaces in the VM config for OPNsense, both bridged mode into my router's LAN (where the VM host itself sits too) then make one WAN, the other LAN, disable NAT in OPNsense, disable DHCP, and configure OpenVPN somehow on this weird setup?

I simply don't understand - yet - what to assign where to make it work. :)


To put it simply: the OpenVPN endpoint would be my OPNsense instance, sitting on the same LAN as the host itself and other devices. This LAN is the good-old classic basic setup provided by my ASUS Router and my friend reaches the OPNsense VPN concentrator via the ASUS router's public IP & port forwarding.

Maybe I just need a basic overview of the logic, what interface how to assign where... and getting used to the OPNsense terminologies.


On my old Debian it wasn't an issue: 1 interface, eth0 LAN, internal IP, provided by the router (fixed IP via MAC Address & DHCP), port forward set up, friend comes in and woo-hoo, there he is. I didn't have a WAN interface. But apparently in OPNsense it might be needed to provide one .. or not. The logic is missing in my head.

(Maybe I can do it with 1 LAN interface the other way around: I don't need to set up a 10.0.8.0/24 subnet in OpenVPN config so then it can connect my friend with my subnet, not sure).

Huh.  ???

Anyway... just playing around with OPNsense but I'm going to switch over to this and use my ASUS as a plain WiFi AP, nothing more.

Title: Re: New install, newbie question: 1 physical interface, shall it be LAN or WAN ?
Post by: Maurice on November 25, 2019, 03:37:08 pm
First things first: Using OPNsense as your WAN-facing router would make things easier and potentially more reliable. So if you're planning for that anyway, you might want to skip ahead to that setup directly.

Running OpenVPN on OPNsense behind your primary router should work pretty much the same way as on your old Debian box: LAN interface only. You will also have to create a static route to your VPN prefix on either your Windows server (if this is the only machine that needs to be accessible by your VPN clients) or on your primary router. (Or you could set up a bridged (tap) VPN, but this is generally not recommended.)

Cheers

Maurice
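
An added example, not part of either post: a small longest-prefix-match trace of the reply path from the Windows host to a VPN client, showing why the static route in the reply above is needed and that either placement works. The tunnel subnet 10.0.8.0/24 is the one named in the first post; the LAN prefix, router address, OPNsense address and client address are constructed assumptions.

```python
import ipaddress

# 10.0.8.0/24 is the tunnel subnet from the thread; the rest is assumed.
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix
VPN = ipaddress.ip_network("10.0.8.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = "192.168.1.1"      # assumed ASUS router LAN address
OPNSENSE = "192.168.1.50"   # assumed OPNsense LAN address
CLIENT = "10.0.8.6"         # constructed VPN client tunnel address

# Routing tables as (prefix, next hop); "direct" = on-link, "wan" = upstream.
HOST_BASE = [(LAN, "direct"), (DEFAULT, ROUTER)]
ROUTER_BASE = [(LAN, "direct"), (DEFAULT, "wan")]
VPN_ROUTE = (VPN, OPNSENSE)  # the static route from the reply


def lookup(table, dst):
    """Return the next hop of the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(host_table, router_table, client_ip=CLIENT):
    """Trace where a reply from the Windows host to a VPN client ends up."""
    path = ["windows-host"]
    hop = lookup(host_table, client_ip)
    if hop == ROUTER:
        path.append("asus-router")
        hop = lookup(router_table, client_ip)
    # Only OPNsense can put the packet back into the tunnel.
    path.append("opnsense" if hop == OPNSENSE else "lost")
    return path


if __name__ == "__main__":
    cases = {
        "no static route": (HOST_BASE, ROUTER_BASE),
        "route on Windows host": (HOST_BASE + [VPN_ROUTE], ROUTER_BASE),
        "route on primary router": (HOST_BASE, ROUTER_BASE + [VPN_ROUTE]),
    }
    for name, (host, router) in cases.items():
        print(f"{name:24} {' -> '.join(reply_path(host, router))}")
```

Without the route, replies follow the default route to the primary router and leave toward the WAN, which fits the symptom of clients connecting but nothing on the LAN answering.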