OPNsense Forum

English Forums => Virtual private networks => Topic started by: ManBat on January 20, 2022, 10:48:43 pm

Title: OpenVPN requires local push "route" to work - is "IPv4 Local Network" broken?
Post by: ManBat on January 20, 2022, 10:48:43 pm
Howdy

I have configured OpenVPN over TCP on the default port on my OPNsense firewall. The problem was that I was unable to reach the LAN. I have got it working. The question is, how and, more importantly, why?

Configuration: Dual WAN LB
Connect to: Dynamic DNS hostname hanging off the combined UPLINK gateway
OpenVPN: TOTP + Internal CA
VPN Net: 10.10.0.0/24
LAN of interest: 192.168.1.0/24

I use the OpenVPN client to connect and it works; I get a 10.10.0.x IP address on my client computer. If I try to hit 192.168.80 (some server) it doesn't work.

I check the firewall rules, IN on the openvpn interface (annoyingly not a "proper" interface), and OUT on the LAN interface. Green all the way (pass). Nothing.

Assumptions:
1) Client is successfully connected and authenticated.
Evidence: Connection logs in the OpenVPN client and a 10.10.10.8 IP; logs on the firewall show connections

2) Packets are making it to the firewall and not being blocked (at least by the firewall)
Evidence: Firewall logs show that two rules are being matched, those matches are showing as PASS

I ncat a server to see if it's just packets not getting back: nothing, no connections reach the target (10.10.0.8->192.168.1.80).

Ping fails to work, as does telnet as does http.

I then stumble upon this: https://forum.opnsense.org/index.php?topic=749.0 and another key entry asking when advanced options might be removed and what the alternative will be (I just can't find it despite looking for it now for far too long).

So I test the following advanced config:
push "route 192.168.1.0 255.255.255.0";

Lo and behold it works!

I can now, telnet to my ncat, I can http to random stuff, life is great. 

But WHY? I hate not knowing why. A bit of googling explains what push "route" is doing: https://forums.openvpn.net/viewtopic.php?t=9055. To save you clicking on the link:

route 10.0.1.0 255.255.255.0
is used to add to the local OpenVPN server's routing table only. And it may be used on an OpenVPN server as well as on a client.

push "route 10.0.2.0 255.255.255.0"
is used only in the OpenVPN server's config to push the routes to clients. Instead of using the "route" command in all clients' configs, you can use one "push route" in the server config to do the same on all clients.

With this in mind I then monkey with the option REDIRECT GATEWAY, expecting that what this will do is just be a cheap and easy way to capture all the traffic and send it to the VPN. I remove push route and this works exactly as expected: it works, stuff reaches my internal network over the tunnel.

This is all fantastic but it leaves me with two questions:

1) Why does this not work if I specify the IPv4 Local Network as 192.168.1.0/24 (which I do)?
2) Why does the traffic appear to hit the firewall, trigger some rules, pass them, but not work, especially if the reason is that there is no route?

This is

1) potentially a bug in how IPv4 Local Network is supposed to work and
2) TOTALLY BONKERS in that traffic reaches the firewall from the client!!

If you got this far, well done.
If you understand what I'm getting at.

Cheers,
MMB

p.s. all this after figuring out that TOTP authenticator bug with a mismatch between the server config for timing and the client config (answer: just leave the defaults)
Title: Re: OpenVPN requires local push "route" to work - is "IPv4 Local Network" broken?
Post by: Patrick M. Hausen on February 14, 2022, 09:39:12 pm
I just have exactly the same problem trying to migrate a configuration from pfSense to OPNsense. 27.1.8 in my case.

I'll try to get some more detailed debug info tomorrow. This is weird. The "local networks" should be pushed to the client and the "tunnel networks" (v4 and v6) should be routed into the ovpnsN interface on the server side.
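The two halves of the mechanism Patrick describes (the server pushes the local networks to the client, and the server routes the tunnel network into its ovpnsN interface) can each be checked from a routing table. The script below is an added example, not code from the thread or from OPNsense: it renders the push "route" directives from CIDR notation (the form the first post ended up adding by hand), parses constructed `ip route`-style output for a client and a server, and reports which half is missing. The interface names (tun0, ovpns1, igb0/igb1), the 203.0.113.1 uplink gateway and the 192.168.0.0/24 client-side LAN are constructed sample values; the tunnel network 10.10.0.0/24 and the LAN 192.168.1.0/24 come from the thread.

```python
import ipaddress

# Values taken from the thread: tunnel network and the LAN the client wants to reach.
TUNNEL_NET = "10.10.0.0/24"
LOCAL_NETS = ["192.168.1.0/24"]

# Constructed client routing table as it looks when the server pushes nothing:
# the only route into tun0 is the tunnel network itself, so 192.168.1.80 falls
# through to the default route on the client's own LAN interface.
CLIENT_ROUTES_NO_PUSH = """\
default via 192.168.0.1 dev wlan0
10.10.0.0/24 dev tun0 scope link
192.168.0.0/24 dev wlan0 scope link
"""

# Same client after the server pushed "route 192.168.1.0 255.255.255.0".
CLIENT_ROUTES_WITH_PUSH = CLIENT_ROUTES_NO_PUSH + "192.168.1.0/24 via 10.10.0.1 dev tun0\n"

# Constructed server-side table: tunnel network routed into the ovpns1 interface,
# LAN on igb1, uplink on igb0.
SERVER_ROUTES = """\
default via 203.0.113.1 dev igb0
10.10.0.0/24 dev ovpns1 scope link
192.168.1.0/24 dev igb1 scope link
"""


def push_route_directives(local_nets):
    """Render OpenVPN push directives; OpenVPN wants a dotted netmask, not a prefix length."""
    lines = []
    for cidr in local_nets:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def parse_routes(text):
    """Turn 'ip route'-style lines into (network, device) pairs.

    Only the destination and the 'dev' token are used; everything else is ignored.
    """
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def route_for(routes, host):
    """Longest-prefix match: the (network, device) the kernel would pick for host."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def client_uses_tunnel(client_routes_text, target_host, tun_dev="tun0"):
    """True when the client would send target_host into the tunnel interface."""
    chosen = route_for(parse_routes(client_routes_text), target_host)
    return chosen is not None and chosen[1] == tun_dev


def server_routes_tunnel(server_routes_text, tunnel_net, ovpn_dev):
    """True when the server routes the tunnel network into its OpenVPN interface,
    which is what lets replies from the LAN find their way back to the client."""
    probe = str(ipaddress.ip_network(tunnel_net)[1])  # first usable tunnel address
    chosen = route_for(parse_routes(server_routes_text), probe)
    return chosen is not None and chosen[1] == ovpn_dev


def diagnose(client_routes_text, server_routes_text, target_host,
             tunnel_net=TUNNEL_NET, ovpn_dev="ovpns1"):
    """Summarise both halves of the check plus the directives that would fix the client side."""
    return {
        "client_sends_via_tunnel": client_uses_tunnel(client_routes_text, target_host),
        "server_routes_tunnel_net": server_routes_tunnel(server_routes_text, tunnel_net, ovpn_dev),
        "push_directives": push_route_directives(LOCAL_NETS),
    }


if __name__ == "__main__":
    for label, table in (("no push", CLIENT_ROUTES_NO_PUSH), ("with push", CLIENT_ROUTES_WITH_PUSH)):
        print(label, diagnose(table, SERVER_ROUTES, "192.168.1.80"))
```

Run against a real client, replace the constructed table with the output of `ip route` (or `route print` on Windows, after adapting the parser) taken once the client shows connected: if the LAN host resolves to a non-tunnel interface, the server is not pushing the local network and the symptom matches the first post.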
Title: Re: OpenVPN requires local push "route" to work - is "IPv4 Local Network" broken?
Post by: cmk1523 on August 19, 2023, 05:23:42 am
I played for hours with this issue. I found the solution: I had to enable "Redirect Gateway" in VPN -> OpenVPN -> Servers -> edit (my IPv4 Tunnel Network is 10.10.0.0/24). Also, I think what's throwing people off is that simply saving the server config DOESN'T WORK. I had to

Also, for the record, I had a single Firewall NAT WAN rule for incoming traffic: source: *, port: *, destination: *, port: 1194 (OpenVPN). I also had a single Firewall -> Rules -> OpenVPN rule for incoming traffic: source: *, port: *, destination: *, port: *