OPNsense Forum

English Forums => Virtual private networks => Topic started by: Ultranium on March 27, 2021, 01:56:09 pm

Title: Nested VPN problems
Post by: Ultranium on March 27, 2021, 01:56:09 pm
Hi.

I'm trying to set up nested OpenVPN client connections in OPNsense 21.1.3_3 and it doesn't work as it should.

My network overview:

(https://i.ibb.co/Z8R9Fgy/network-overview.png)

What I want to achieve:

(https://i.ibb.co/VLFbVK8/desired-config.png)

This configuration works just fine if I use two separate machines with OPNsense for each VPN and chain them, but when I set up both VPN connections inside a single OPNsense instance, weird things happen:

If I restart both VPN connections a few times, it starts to work fine, but after I reboot the OPNsense machine, it starts all over again.

OpenVPN setup:
VPN1: Interface: ISP_PPPoE, Don't pull routes, Don't add/remove routes
VPN2: Interface: VPN1, Don't pull routes, Don't add/remove routes

Firewall rules:
LAN1: PASS LAN1 network to ANY, GATEWAY VPN1
LAN2: PASS LAN2 network to ANY, GATEWAY VPN2

Outbound NAT:
Firewall to ISP_PPPoE
LAN1 to VPN1
LAN2 to VPN2

I'd like to know if having nested OpenVPN connections is a supported configuration?
If so, could you please advise me how to fix this problem.

Upd: I checked, VPN subnets are not overlapping. VPN1 gets a dynamic IP in 10.8.0.0/24 with GW 10.8.0.1, VPN2 is in 10.8.8.0/24, GW 10.8.8.1.
Title: Re: Nested VPN problems
Post by: Antaris on April 02, 2021, 04:44:32 pm
You don't need 2 OPNsense boxes for that :) Just set up 2 VPN servers in one OPNsense box on different ports that lead to different internal networks.
Title: Re: Nested VPN problems
Post by: Ultranium on April 03, 2021, 09:03:32 am
You don't need 2 OPNsense boxes for that :) Just set up 2 VPN servers in one OPNsense box on different ports that lead to different internal networks.
I guess you misunderstood me.
I need nested VPN clients, not servers.
Title: Re: Nested VPN problems
Post by: vigilian on April 19, 2021, 09:29:03 am
This is not a problem at all.
You specify in the second VPN the VPN interface in which you want to nest it.
You of course take a new interface for the DHCP and other routing stuff to link up your hosts and OPNsense.
And in the firewall rules of this last interface you of course put rules to redirect packets to your VPN interface.

You may want to deactivate monitoring because I think it's clearly buggy: it makes it change the routing table and so you have loss of connection etc. if there is the slightest slowdown.

And then that's pretty much it.

You need to test of course if you have connectivity.
Don't hesitate to test it from OPNsense with ping and select the right interface. Always verify the command line that is selected by the web UI because there might be some bugs; I know that I have from time to time. For example if there are any problems with the interface you want to try, the web UI will automatically use the general gateway, which we don't want.

If you don't have connectivity inside your clients, then you need to verify your gateway order, and you need to verify if the cipher is good. Unfortunately you won't have accurate messages about that in the journal of your VPN because depending on the VPN server configuration it might give you an error or not. You need to verify it from OPNsense itself, which is the primary client. If OPNsense doesn't have any connectivity from this interface, then it is probably because of your cipher being bad. Ping 1.1.1.1 but also the first gateway inline from the VPN tunnel.

See my post about my setup:
https://forum.opnsense.org/index.php?topic=22465.0

I've nested tunnel links like you for different reasons.

Forgot a little thing:
Don't forget to correctly set up your outbound NAT on your first VPN interface with all the right rules, which include the one for 127 loopback, the one for all destinations and the one for port 500.
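The stage-by-stage connectivity test vigilian recommends (ping the tunnel's own gateway, then 1.1.1.1, from each interface in turn) can be scripted so that it stops at the first tunnel that fails. The script below is an added example, not part of the thread and not an OPNsense tool; it assumes FreeBSD's ping (where -S sets the source address and -t is a timeout), and the interface names pppoe0/ovpnc1/ovpnc2 and the ISP gateway 203.0.113.1 are assumptions for illustration. The tunnel gateways 10.8.0.1 and 10.8.8.1 are the ones named in the thread.

```shell
#!/bin/sh
# Staged connectivity check for nested OpenVPN clients on OPNsense (FreeBSD).
# Added example, not OPNsense's own tooling. Each stage is "name:interface:gateway".
# Interface names and the ISP gateway are assumed values; the tunnel gateways
# are the ones given in the thread (10.8.0.1 for VPN1, 10.8.8.1 for VPN2).
STAGES="${STAGES:-ISP_PPPoE:pppoe0:203.0.113.1 VPN1:ovpnc1:10.8.0.1 VPN2:ovpnc2:10.8.8.1}"
EXTERNAL="${EXTERNAL:-1.1.1.1}"

# First IPv4 address bound to an interface, taken from FreeBSD ifconfig output.
iface_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Ping a destination with an explicit source address (-S) so the probe leaves
# through the stage's own tunnel rather than the default gateway (the same
# pitfall as the web UI falling back to the general gateway). -t is the
# overall timeout in seconds on FreeBSD ping.
probe() {
    ping -c 3 -t 5 -S "$1" "$2" >/dev/null 2>&1
}

# Walk the stages in order and stop at the first one that cannot reach its
# own gateway or the external target. Returns 0 when every stage passes.
check_stages() {
    for stage in $STAGES; do
        name=${stage%%:*}
        rest=${stage#*:}
        ifc=${rest%%:*}
        gw=${rest#*:}
        addr=$(iface_addr "$ifc")
        if [ -z "$addr" ]; then
            echo "$name: no IPv4 address on $ifc (tunnel not up?)"
            return 1
        fi
        if ! probe "$addr" "$gw"; then
            echo "$name: gateway $gw unreachable from $addr (problem inside this tunnel: cipher/auth/config)"
            return 1
        fi
        if ! probe "$addr" "$EXTERNAL"; then
            echo "$name: $EXTERNAL unreachable from $addr (check outbound NAT and routes for $name)"
            return 1
        fi
        echo "$name: OK ($addr -> $gw -> $EXTERNAL)"
    done
    return 0
}

# Run the check only when invoked as: sh nested-vpn-check.sh run
case "${1:-}" in
    run) check_stages ;;
esac
```

Because the walk stops at the first failing stage, the message tells you which layer to look at: a failing gateway ping points at that tunnel's own configuration, while a working gateway ping with a failing 1.1.1.1 points at the outbound NAT or routing for that stage, which is exactly the split the post describes.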
Title: Re: Nested VPN problems
Post by: Ultranium on April 19, 2021, 10:22:45 am
vigilian, thank you for the detailed answer.
A few days ago I just gave up and set up the second VPN on a separate VM, then routed it to the first one via an additional interface. This works pretty stably so far.

The "2 VPNs 1 OPNsense" setup just didn't work for me. Turning off the VPN1 gateway monitoring didn't help; ping from the VPN1 interface didn't work until I restarted it a couple of times.

Maybe there is something specific to my VPN endpoints, but I just can't make it work properly after spending a week.
Title: Re: Nested VPN problems
Post by: vigilian on April 19, 2021, 12:17:33 pm
Well, my first VPN was from a big provider.
My second one was more for public routing.

So I don't know what your first VPN provider was, but if you already didn't get any connectivity from OPNsense by pinging from the first interface of the first VPN, then you already have a problem with your first VPN link.
Because at each step you should be able to ping from OPNsense to the outside world. If that's not the case, then the problem is in the setup of your VPN tunnel.

I would suggest that you start from the start, but step by step, staging your tests step by step, not after everything is set up. Especially since you really don't need to use RAM for another VM to do that. Even if I can agree that it can be a more secure schematic, since Qubes does it like that.
Also, you didn't specify what you were pinging.