OPNsense Forum

English Forums => Virtual private networks => Topic started by: liceo on October 25, 2020, 02:08:40 pm

Title: OpenVPN on Multi-WAN Environment
Post by: liceo on October 25, 2020, 02:08:40 pm
Hi there!

I replaced pfSense with OPNsense a few weeks ago, and I really like it! In a multi-WAN environment it behaves differently from pfSense, as far as I understood. To make use of a gateway group and its redundancy options, you need to create firewall rules that route the traffic to the gateway group. This works fine so far, e.g. on any LAN interface.

But what I can't get to work is my OpenVPN setup with a dual/multi-WAN configuration; the result is:


I also searched the forum and read through the official documentation, without success. I also tried to add a rule for the OpenVPN interface, but this did not work.

Any ideas how to solve this problem?

Thanks in advance!

Title: Re: OpenVPN on Multi-WAN Environment
Post by: george09 on November 17, 2020, 04:55:21 pm
Hi,
I want to do the same, did you find a solution?

regards

[EDIT] found your German thread: https://forum.opnsense.org/index.php?topic=19804.msg92059#msg92059 :)
Title: Re: OpenVPN on Multi-WAN Environment
Post by: liceo on November 17, 2020, 05:48:17 pm
Well, yes, I have posted twice ;-). The solution with port forwarding OpenVPN traffic to localhost was not working properly => it was only working over one WAN interface, but I don't know the root cause yet. It's probably related to the HA setup I have in place.

Now I set up two OpenVPN servers, one for each WAN interface. You can copy the first server you have configured; you only need to change the interface the server listens on to the second WAN and assign another tunnel network IP range.
In case you have a high availability setup, take the CARP VIP as your WAN address in the OpenVPN config.

Example Configuration:

Settings OpenVPN Server #1:

Settings OpenVPN Server #2:

This seems to work stably.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: Gauss23 on November 17, 2020, 05:56:13 pm
Firewall: Settings: Advanced
Do you have enabled: "Disable reply-to on WAN rules" ?
Usually packets should leave the same way they entered.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: liceo on November 17, 2020, 06:07:19 pm
Quote
Do you have enabled: "Disable reply-to on WAN rules" ?
No, the option is unchecked (not disabled).
Title: Re: OpenVPN on Multi-WAN Environment
Post by: mimugmail on November 17, 2020, 06:41:01 pm
Check in Interfaces: WAN whether the WAN interfaces have an upstream gateway.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: liceo on November 17, 2020, 07:16:43 pm
Quote
WAN if wan interfaces have an upstream gateway
Yes, both WAN interfaces have an upstream gateway configured.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: mimugmail on November 17, 2020, 08:03:43 pm
Oh, you have CARP, then maybe bind the instance to the LAN VIP and do the port forward there.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: liceo on November 17, 2020, 08:13:41 pm
Yes, I also tried this, same results... but anyway, the setup with the two OpenVPN server instances works well at the moment.
Title: Re: OpenVPN on Multi-WAN Environment
Post by: _Alchemist_ on October 20, 2021, 08:41:00 pm
I am using this with my dual WAN setup (1x cable, 1x dsl):

Firewall --> NAT --> Port Forward
--> Add (+)

- Interface: WAN1
- Protocol: UDP
- Destination: WAN1 address
- Destination port range: from OpenVPN, to OpenVPN
- Redirect target IP: Single Host or Network, 127.0.0.1
- NAT reflection: Use system default
- Filter rule association: Add associated filter rule
- Save

--> Add (+)

- Interface: WAN2
- Protocol: UDP
- Destination: WAN1 address
- Destination port range: from OpenVPN, to OpenVPN
- Redirect target IP: Single Host or Network, 127.0.0.1
- NAT reflection: Use system default
- Filter rule association: Add associated filter rule
- Save


VPN --> OpenVPN --> Servers
--> Edit

- Interface: Localhost
- Save
Title: Re: OpenVPN on Multi-WAN Environment
Post by: jasoncrowley on May 04, 2023, 01:53:35 pm
I'm resurrecting an old thread because I found a solution for our use case.

In our case, we had created an interface group under Firewall > Groups called WANAll. This allowed us to set firewall rules for our WAN1 and WAN2 interfaces in one place. We created the obligatory rule to allow port 1194 traffic for OpenVPN under WANAll instead of creating two separate firewall rules for WAN1 and WAN2.

The resulting pf rule looked like this:
pass in log quick on WANAll inet proto udp from any to (self) port = openvpn keep state label "0667d76bd1b44ab51c4eb85bb052e5e3"
We needed two separate rules, one for each WAN interface. I removed the rule under WANAll and created the rules separately under WAN1 and WAN2. The resulting pf rules look like this.
pass in log quick on igb1 reply-to (igb1 104.218.xxx.yyy) inet proto udp from any to (self) port = openvpn keep state label "2d1fd0c4c78f6823e4f74c3f01259251"
pass in log quick on igb2 reply-to (igb2 12.7.xxx.yyy) inet proto udp from any to (self) port = openvpn keep state label "1738df7680cf468ea2a66b684c810f64"

The reply-to clause is important. It tells pf that traffic entering on one interface should exit on the same interface. If the reply-to clause is not there, traffic destined to WAN2 will enter on WAN2 but response traffic will exit WAN1 because WAN1 has the higher-priority gateway (with a lower priority value). This causes an asymmetric routing problem where the response traffic never reaches its destination.
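The post above explains why a WAN pass rule without reply-to produces asymmetric routing on a multi-WAN box. The script below is an added example, not part of the thread and not OPNsense code: it audits the loaded pf ruleset for OpenVPN "pass in" rules on the WAN interfaces (or an interface group such as WANAll) that have no reply-to clause, which is exactly the defect the post describes. The interface names igb1/igb2 and the group name WANAll are taken from the thread; the sample rules are constructed in the same shape as the ones quoted there, with the igb2 rule deliberately missing its reply-to so the check has something to flag.

```shell
#!/bin/sh
# Added example (not from the thread): report OpenVPN "pass in" rules on
# WAN interfaces that lack a reply-to clause. On a live OPNsense box feed
# it the output of `pfctl -sr`; here a constructed sample is used instead.
# Assumption: the WAN interfaces are igb1 and igb2 (names from the thread).

# Constructed sample rules in the shape of those quoted in the thread.
# The igb2 rule was deliberately written without reply-to.
SAMPLE_RULES='pass in log quick on WANAll inet proto udp from any to (self) port = openvpn keep state label "0667d76bd1b44ab51c4eb85bb052e5e3"
pass in log quick on igb1 reply-to (igb1 104.218.xxx.yyy) inet proto udp from any to (self) port = openvpn keep state label "2d1fd0c4c78f6823e4f74c3f01259251"
pass in log quick on igb2 inet proto udp from any to (self) port = openvpn keep state label "1738df7680cf468ea2a66b684c810f64"'

# Print "<iface>: <rule>" for every OpenVPN pass-in rule whose interface is
# in the watched list and which carries no reply-to. Empty output = all good.
#   $1: rule text (one pf rule per line)
#   $2: space-separated interface or group names to watch, e.g. "igb1 igb2"
find_missing_replyto() {
    printf '%s\n' "$1" | awk -v wans="$2" '
        BEGIN { n = split(wans, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^pass in / && /port = openvpn/ {
            ifn = ""
            # the interface (or group) name is the token after "on"
            for (i = 1; i <= NF; i++) if ($i == "on") { ifn = $(i + 1); break }
            if ((ifn in want) && $0 !~ /reply-to/) print ifn ": " $0
        }'
}

# Number of offending rules, for scripting (0 means nothing to fix).
count_missing() {
    find_missing_replyto "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample:
find_missing_replyto "$SAMPLE_RULES" "igb1 igb2 WANAll"
# On a real firewall: find_missing_replyto "$(pfctl -sr)" "igb1 igb2 WANAll"
```

Run against the sample, the check flags the WANAll group rule and the igb2 rule and stays silent on igb1, matching the post's observation that only the per-interface rules get a reply-to clause. Interface names and the group name are assumptions to adjust to the local setup; the check reads the generated ruleset only and changes nothing.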