OPNsense Forum

English Forums => General Discussion => Topic started by: Ulrar on October 19, 2020, 01:46:20 pm

Title: OpenVPN client - Gateway config invalid
Post by: Ulrar on October 19, 2020, 01:46:20 pm
Hi,

I have a routing issue (in another post) but I suspect the real issue is my openvpn client config.

I have an OpenVPN client configured in tun mode, udp, going through the WAN interface. My default gateway is the WAN interface, the vpn client is only there for some policy based routing.
What I've noticed is that the system doesn't seem to be considering the vpn interface as a WAN, so it's not generating outbound NAT rules and it doesn't seem to be using reply-to (which is my real issue) on it.

When the connection gets established, a public IP is properly assigned to the interface, and a Gateway is created.
Below the two IPv4 black boxes (IP and Gateway) are covering the same exact IP.

(https://i.imgur.com/wIV6Q0V.png)

That gateway has "dynamic" as the IP address, since I've ticked the "This interface does not require an intermediate system to act as a gateway" box in the interface config:

(https://i.imgur.com/HxASwQd.png)

However in the Gateway "single" menu, the IP for the gateway is the interface's IP itself (instead of dynamic, seen when editing the gateway), hiding the IP since it's public:

(https://i.imgur.com/SVMMkEw.png)
(https://i.imgur.com/WLdbHGJ.png)

There's also a route added by something to route the interface's IP to the loopback interface (the red square is the interface's IP, the black squares are just routes added by openvpn for the subnet and the first IP of the block):

(https://i.imgur.com/UVvR1gx.png)

The result is that when trying to use the VPN, packets are routed through the loopback interface back at opnsense itself, instead of going through the VPN. So if I try to query any website for example, I'm getting my own HAProxy back since it's listening on ports 80 / 443 of the router.

One way to work around this I've found is to edit the gateway and use any other IP as a gateway: since openvpn doesn't actually require a gateway IP, any value works there as long as it's not the interface's own IP (which seems to be the default value chosen when using dynamic).
That allows policy based routing to work, but that's obviously not a good way and still doesn't make it generate proper outbound NAT and reply-to rules so incoming connections aren't working.

Any ideas what I might be doing wrong? I've been struggling with this for almost a week now.
Thanks
Title: Re: OpenVPN client - Gateway config invalid
Post by: Gauss23 on October 19, 2020, 02:00:36 pm
Where did you define Firewall rules for that interface?
On the generic OpenVPN section or the interface?

If using the interface I needed to tick "disable reply-to" in the advanced section of all firewall rules on that interface. Otherwise packets just went somewhere else.
Title: Re: OpenVPN client - Gateway config invalid
Post by: Ulrar on October 19, 2020, 02:52:24 pm
You mean the rule allowing port 80 / 443 inbound?
On the interface's page, not the generic openvpn one. I've tried with or without reply-to enabled and the result is the same: packets come into the vpn interface, but responses leave through the WAN interface (with the VPN interface's IP as the source, somehow).
I think the issue is that reply-to is missing on the vpn interface, so it leaves back through the default WAN interface.

Note that policy based routing does work, I'm able to route stuff through the VPN just fine as long as the connections originates from my LAN. Connections from outside however leave through the WAN, whatever I do.
Title: Re: OpenVPN client - Gateway config invalid
Post by: Gauss23 on October 19, 2020, 03:07:16 pm
I just compared your screenshot to my settings. I have something similar running. OpenVPN client connection but only route some traffic to this interface.

You have the box "This interface does not require an intermediate system to act as a gateway" ticked, which I don't.

And I had to set "disable reply-to" to all outgoing rules defined on the interface, if defined on the interface. On the generic OpenVPN section this was not needed.

Outbound NAT is in manual mode on my box. So I configured outbound NAT myself for that interface. Do you have an outbound NAT rule for the OpenVPN interface?
Title: Re: OpenVPN client - Gateway config invalid
Post by: Ulrar on October 19, 2020, 03:26:12 pm
I don't have any outbound rules on that interface, so I can't do much there.
I have an inbound rule allowing port 80, on which I've tried both disable reply-to ticked and unticked but same result.

As for outbound NAT yes, but I have to define it manually since it's not automatically created. It should be though, according to the doc any wan interface should have reply-to and outbound nat created automatically but clearly it's not happening.

Defining all of that manually does work for policy based routing (internal connections going out) but not for external connections going in, these get answered on the wrong interface.

EDIT: Oh and I have tried ticking and unticking the "This interface does not require an intermediate system to act as a gateway" box on the interface page and to be honest I have no idea what it changes, everything looks exactly the same either way as far as I can tell
Title: Re: OpenVPN client - Gateway config invalid
Post by: Gauss23 on October 19, 2020, 03:39:45 pm
I'm sorry, I'm out of ideas in this case.

Maybe you can post a screenshot of the OpenVPN client config to see if there is something weird.

Title: Re: OpenVPN client - Gateway config invalid
Post by: Ulrar on October 19, 2020, 03:56:13 pm
So I've been looking at the /tmp/rules.debug file, and I've noticed this :

- When I leave the gateway unedited (using "dynamic" which seems to resolve to the interface's IP) then the rules do have a proper reply-to generated, but since that IP is the interface itself the packets are just going through the loopback interface instead of vpn

- If I edit the gateway and put another IP in there then policy based routing starts working, but reply-to is not added to the rules anymore so replies are leaving through the wrong interface.

I've tried editing the gateway to get routing to work, then edited the /tmp/rules.debug file to add the missing reply-to bits and re-applied it and that fixes my issue: incoming and outgoing connections are working as expected.
Now obviously that's not practical, I can't be editing the file after each reboot.

Not sure if I'm doing something wrong or if this is a bug, but I might create an issue on github since I don't know what else to do at this point.
Thanks for checking your config though!
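The post above boils the problem down to two states of the generated ruleset: with the "dynamic" gateway, the inbound pass rules on the VPN interface carry a reply-to whose next hop is the interface's own address (so pf hands replies to lo0), and with a hand-edited gateway the reply-to is dropped altogether (so replies leave via the default WAN). The script below is an added example, not code from the thread or from OPNsense: it audits a pf ruleset in the shape OPNsense writes to /tmp/rules.debug and flags both states for a given interface, so the check can be run after every filter reload instead of reading the file by hand. The rule lines are constructed samples that approximate OPNsense output; the interface name ovpnc1, the 203.0.113.x addresses and the 192.0.2.x WAN addresses are assumptions.

```shell
#!/bin/sh
# Added example (not OPNsense code): audit a pf ruleset for the two reply-to
# failure modes described in the thread on an OpenVPN client interface.
#   MISSING_REPLY_TO : inbound pass rule on IFACE with no reply-to at all
#                      (replies follow the default route out of the WAN)
#   SELF_GATEWAY     : reply-to next hop equals the interface's own address
#                      (pf routes the reply to lo0 instead of the tunnel)
#
# Usage: audit_rules IFACE IFACE_IP < /tmp/rules.debug
# Prints one finding per offending rule; returns 1 if anything was found.
audit_rules() {
    iface=$1
    ifip=$2
    awk -v iface="$iface" -v ifip="$ifip" '
        # Only inbound pass rules bound to this interface need reply-to.
        /^pass +in / && index($0, " on " iface " ") {
            if ($0 !~ /reply-to/) {
                print "MISSING_REPLY_TO: " $0
                bad++
                next
            }
            # Rule carries "reply-to ( IFACE GATEWAY )"; pull out GATEWAY.
            if (match($0, /reply-to \( [^ ]+ [^ ]+ \)/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                gw = f[4]
                if (gw == ifip) {
                    print "SELF_GATEWAY: " $0
                    bad++
                }
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# count_findings RULESET IFACE IFACE_IP -> number of findings (0 if clean)
count_findings() {
    printf '%s\n' "$1" | audit_rules "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample (assumed names/addresses) reproducing the poster's two
# states on ovpnc1, plus a WAN rule and a block rule as negative controls.
SAMPLE_BAD='pass in quick on ovpnc1 reply-to ( ovpnc1 203.0.113.5 ) inet proto tcp from any to 203.0.113.5 port 80 flags S/SA keep state label "allow http via vpn"
pass in quick on ovpnc1 inet proto tcp from any to 203.0.113.5 port 443 flags S/SA keep state label "allow https via vpn"
pass in quick on em0 reply-to ( em0 192.0.2.1 ) inet proto tcp from any to 192.0.2.10 port 22 flags S/SA keep state label "ssh on wan"
block in log quick on ovpnc1 from any to 203.0.113.5 port 25 label "no smtp"'

# Constructed sample of a working ruleset: reply-to names a next hop that is
# not the interface address (203.0.113.1 is an assumed tunnel peer address).
SAMPLE_GOOD='pass in quick on ovpnc1 reply-to ( ovpnc1 203.0.113.1 ) inet proto tcp from any to 203.0.113.5 port 80 flags S/SA keep state label "allow http via vpn"
pass in quick on ovpnc1 reply-to ( ovpnc1 203.0.113.1 ) inet proto tcp from any to 203.0.113.5 port 443 flags S/SA keep state label "allow https via vpn"'

# Stand-alone run: report findings for the broken sample; the good one is silent.
echo "== auditing constructed ruleset for ovpnc1 / 203.0.113.5 =="
printf '%s\n' "$SAMPLE_BAD" | audit_rules ovpnc1 203.0.113.5 \
    || echo "audit failed: fix the gateway / reply-to before relying on this interface"
echo "== auditing known-good ruleset =="
printf '%s\n' "$SAMPLE_GOOD" | audit_rules ovpnc1 203.0.113.5 && echo "ok"
```

On a live box the same function runs as `audit_rules ovpnc1 "$(ifconfig ovpnc1 | awk '/inet /{print $2}')" < /tmp/rules.debug`; a non-zero exit is the signal that a filter reload regenerated rules the tunnel cannot answer on.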
Title: Re: OpenVPN client - Gateway config invalid
Post by: Gauss23 on October 19, 2020, 04:28:00 pm
If you think there is a bug, you should create an issue on Github.

Hope this issue can be resolved.