OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: rafaelmagu on April 03, 2016, 08:41:49 am

Title: VPN Frustration
Post by: rafaelmagu on April 03, 2016, 08:41:49 am
Hi everyone! I'm a long-time user of m0n0wall and have recently deployed my first instance of OPNsense for a client on an APU board. Works great, and I love the updates made to the interface and package system.

I recently went about setting up VPN access for the client to this instance, along with the 3 other m0n0wall installs he has at different locations. Ignoring the big warning about PPTP (legacy clients to deal with), setting up a PPTP server on m0n0wall was dead simple, and I was able to connect to nodes on the internal network easily.

However, the same could not be said about OPNsense. I've spent the better part of a day testing many different configuration options only to find out it simply won't route through. When I'm on the VPN, I can successfully connect to and browse the GUI, but nothing reaches nodes behind it.

I would love to figure out what I'm missing, and if anyone got tips for it, I'd appreciate them too.

Special mentions:
- firewall has a class C IP for the WAN (sits behind a crappy DSL modem; for now)
Title: Re: VPN Frustration
Post by: rafaelmagu on April 03, 2016, 08:54:18 am
I have also set up OpenVPN, and am having the same issue: can't route traffic from mobile VPN clients to the LAN devices.
Title: Re: VPN Frustration
Post by: franco on April 03, 2016, 02:23:43 pm
This points to missing routes from VPN to your LAN? At System: Routes...
Title: Re: VPN Frustration
Post by: rafaelmagu on April 03, 2016, 10:36:31 pm
This points to missing routes from VPN to your LAN? At System: Routes...

That's my thinking as well. When I connect to the VPN, I cannot reach the firewall until I manually add a route on my Mac:
sudo route -n add 172.16.7.1/24 172.16.72.48

Topology:
Firewall - 172.16.7.1 (/24)
VPN range - 172.16.72.48 (/28, with .47 being the firewall)

How does one set up a route to be pushed to VPN clients correctly? The only gateway options I have under System > Routes are:
- WAN_DHCP
- Null4
- Null6

I created a new gateway and route, but no traffic goes through it. Does anyone have a working VPN setup (PPTP or OpenVPN) that passes traffic through to LAN net?
Title: Re: VPN Frustration
Post by: franco on April 04, 2016, 08:11:31 am
I'm sure this is just a setup issue. Getting the minimal config working is the key. You've already established the VPN setup works. Now the question is why the client does not have a route automatically.

For OpenVPN, the local/remote subnets configuration in the server edit page is likely what you're looking for.

For IPSec there is a road warrior how-to:

https://docs.opnsense.org/manual/how-tos/ipsec-road.html

There is also a PPTP server in OPNsense for use, I don't think it changed much since m0n0wall.

I hope that helps.


Cheers,
Franco
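The server-side settings Franco points at, written out in OpenVPN's own configuration syntax as an added example (not text from the thread, and not the file OPNsense generates; the GUI fields map onto these directives). It assumes the LAN from the topology above, 172.16.7.0/24, and a tunnel transfer net of 10.0.7.0/24:

```conf
# OpenVPN server, routed (tun) road-warrior setup for the topology in this thread.
# Assumed addresses: LAN 172.16.7.0/24 behind the firewall, tunnel net 10.0.7.0/24
# (the server takes 10.0.7.1 in it).
dev tun
server 10.0.7.0 255.255.255.0

# "Local Network/s" on the OPNsense server page becomes this push. Without it the
# client only knows the tunnel net and sends LAN-bound packets out its default route.
push "route 172.16.7.0 255.255.255.0"

# Server-side equivalent of the client's "route all traffic via VPN" option; use
# instead of the push above only when everything should go through the tunnel.
# push "redirect-gateway def1"
```

The pushed route only gets a client packet as far as the firewall. It still needs a pass rule on the OpenVPN interface towards LAN net, and the LAN hosts need a path back to 10.0.7.0/24, either because the firewall is their default gateway or because the firewall NATs tunnel traffic onto its LAN address.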
Title: Re: VPN Frustration
Post by: Zeitkind on April 04, 2016, 12:31:20 pm

That's my thinking as well. When I connect to the VPN, I cannot reach the firewall until I manually add a route on my Mac

Your Mac simply has no clue how to get into that remote LAN and still sends packets via its default route.
You have 2 choices then:
1. Add a route manually
2. Route all traffic via VPN (can be set in options for the VPN connection)
Windows clients normally route all traffic via VPN by default, but that's not a good idea anyway.

Older implementations of PPTP-servers did not use a transfer net and gave your Mac/PC an IP-address of the remote LAN, so no routing was to be done. Most modern routers don't do this anymore.

This is where eg. OpenVPN comes into play with the possibility to push the routes to the clients automatically.
Title: Re: VPN Frustration
Post by: rafaelmagu on April 05, 2016, 10:33:12 pm

That's my thinking as well. When I connect to the VPN, I cannot reach the firewall until I manually add a route on my Mac

Your Mac simply has no clue how to get into that remote LAN and still sends packets via its default route.
You have 2 choices then:
1. Add a route manually
2. Route all traffic via VPN (can be set in options for the VPN connection)
Windows clients normally route all traffic via VPN by default, but that's not a good idea anyway.

Older implementations of PPTP-servers did not use a transfer net and gave your Mac/PC an IP-address of the remote LAN, so no routing was to be done. Most modern routers don't do this anymore.

This is where eg. OpenVPN comes into play with the possibility to push the routes to the clients automatically.

At one point, I set the VPN subnet as a /28 of the LAN net (/24), and then I didn't have to manually set any routes on my Mac to be able to reach the firewall. Same with OpenVPN.

In both scenarios, the packets to internal hosts seem to stop at the firewall level. My traceroute to a host inside LAN net shows packets getting to the firewall's VPN address (.47 in my topology above).
Title: Re: VPN Frustration
Post by: rafaelmagu on April 05, 2016, 10:52:36 pm
Got a bit further into my research and found that the firewall's OpenVPN address also can't ping the local net (using Interfaces > Diagnostics > Ping):


PING 172.16.7.105 (172.16.7.105) from 10.0.7.1: 56 data bytes

--- 172.16.7.105 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


Whereas it can from the LAN interface:

PING 172.16.7.105 (172.16.7.105) from 172.16.7.1: 56 data bytes
64 bytes from 172.16.7.105: icmp_seq=0 ttl=64 time=1.744 ms
64 bytes from 172.16.7.105: icmp_seq=1 ttl=64 time=0.818 ms
64 bytes from 172.16.7.105: icmp_seq=2 ttl=64 time=0.680 ms

--- 172.16.7.105 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.680/1.081/1.744/0.472 ms


As I suspected initially, it feels like the firewall can't route between the two subnets (VPN and LAN) correctly.
Title: Re: VPN Frustration
Post by: rafaelmagu on April 10, 2016, 10:50:03 am
Tested routing all traffic through the VPN using the connection setting in OS X, still no luck.

Franco mentioned "not much has changed since m0n0wall", but I'm beginning to think that "just enough" changed so as to make routing unusable from a road warrior. I'm at a loss as to what to do, so will try installing m0n0wall and giving that a go with the same setup I have in the other locations.
Title: Re: VPN Frustration
Post by: Zeitkind on April 11, 2016, 01:38:30 am
Tested routing all traffic through the VPN using the connection setting in OS X, still no luck.

Did you check the routes with eg. netstat -nr?
I sometimes noticed that OS X had 2 default routes (0.0.0.0) and that the old default route (which points to the LAN gateway) was in first place and didn't get removed. Also do a traceroute in both directions to find any blackholes.
I still recommend OpenVPN with OS X (eg. https://tunnelblick.net/ ), but I do have several OS X clients connecting to OPNsense via L2TP and PPTP.
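The two client-side checks Zeitkind describes (a leftover default route listed before the tunnel's, and no route at all for the remote LAN) as an added example script, not something posted in the thread. It parses `netstat -nr` output as macOS and other BSDs print it; the routing tables below are constructed for the demo (the poster's LAN 172.16.7.0/24 and a hypothetical ppp0 tunnel with gateway 172.16.72.47), and the Netif column is located from the header so both the older "Refs/Use" layout and the newer shorter one work:

```shell
#!/bin/sh
# Added example (not from the thread): check a BSD/macOS routing table, as printed
# by `netstat -nr`, for the two symptoms described above:
#   1. more than one IPv4 default route (the pre-VPN one never got removed), and
#   2. no route for the remote LAN, so packets leave via the normal uplink.
# Real use:  netstat -nr | sh this_script.sh 172.16.7.0/24
# Without arguments it runs against the constructed sample tables below.

# Constructed sample: Wi-Fi default route (en0) still first, the tunnel (ppp0)
# added a second default route, and nothing at all for 172.16.7.0/24.
SAMPLE_BROKEN='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           50        0     en0
default            172.16.72.47       UGScI           0        0    ppp0
127                127.0.0.1          UCS             0        0     lo0
172.16.72.47       172.16.72.48       UH              1        0    ppp0
192.168.1          link#4             UCS             2        0     en0'

# Same host after `sudo route -n add -net 172.16.7.0/24 172.16.72.47`
# (netstat prints the network as 172.16.7/24).
SAMPLE_FIXED="$SAMPLE_BROKEN
172.16.7/24        172.16.72.47       UGSc            0        0    ppp0"

# Shared awk prologue: stop before the IPv6 table, find the Netif column index.
AWK_COMMON='
  /^Internet6:/ { exit }
  $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
'

# count_default_routes: number of IPv4 default routes (netstat -nr on stdin).
count_default_routes() {
    awk "$AWK_COMMON"' $1 == "default" { n++ } END { print n + 0 }'
}

# default_route_ifaces: interfaces carrying a default route, in table order.
# The first one wins, so "en0 ppp0" means traffic still leaves via Wi-Fi.
default_route_ifaces() {
    awk "$AWK_COMMON"' $1 == "default" && col { s = s (n++ ? " " : "") $col } END { print s }'
}

# lan_route_iface NET/PREFIX: interface of the route for that network, or "none".
# netstat abbreviates networks ("172.16.7" or "172.16.7/24" for 172.16.7.0/24),
# so both sides drop the prefix length and trailing ".0" octets before comparing.
lan_route_iface() {
    awk -v want="$1" "$AWK_COMMON"'
      function norm(d) { sub(/\/.*/, "", d); while (d ~ /\.0$/) sub(/\.0$/, "", d); return d }
      col && norm($1) == norm(want) { print $col; found = 1; exit }
      END { if (!found) print "none" }'
}

# diagnose NET/PREFIX: print findings for the table on stdin; status 1 if broken.
diagnose() {
    table=$(cat)
    rc=0
    n=$(printf '%s\n' "$table" | count_default_routes)
    if [ "$n" -gt 1 ]; then
        echo "PROBLEM: $n default routes ($(printf '%s\n' "$table" | default_route_ifaces)); the first one is used"
        rc=1
    fi
    via=$(printf '%s\n' "$table" | lan_route_iface "$1")
    if [ "$via" = "none" ]; then
        echo "PROBLEM: no route for $1; add one (route -n add -net $1 <tunnel gateway>) or push it from the server"
        rc=1
    else
        echo "ok: $1 is reached via $via"
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    diagnose "$1"
else
    for t in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
        printf '%s\n' "$t" | diagnose 172.16.7.0/24 || echo "(table needs fixing)"
        echo
    done
fi
```

Two default routes are not wrong by themselves (the "route all traffic" client option relies on the tunnel's being first); what matters is the order, which the output of default_route_ifaces shows.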
Title: Re: VPN Frustration
Post by: rafaelmagu on April 11, 2016, 01:57:00 am
Yes, and the same behaviour appears when using OpenVPN. :/
Title: Re: VPN Frustration
Post by: jschellevis on April 14, 2016, 02:59:30 pm
Just stumbled upon this forum post..

I have set up both IPsec and OpenVPN on my Mac with OPNsense.
IPsec doesn't need a client but for OpenVPN I use Viscosity.

In both cases my road warrior setup works fine and I can reach all local addresses.
Some possible issues you may want to look in to:

1) Firewall Rules, Are you sure the firewall isn't blocking the traffic?
2) NAT issues, look at the traffic and see if source/destination is correct
3) Client application. Some client applications won't add the correct route for the vpn net.
Title: Re: VPN Frustration
Post by: rafaelmagu on April 14, 2016, 11:27:00 pm
The device in question is a network camera, the same one that was working behind a m0n0wall setup.

While I'd like to think I've got the rules and NAT sorted, having configured m0n0wall a dozen times, it is quite possible I screwed up in OPNsense's configuration.

I have tested from different clients as well, and I am 100% certain the PPTP should have worked based on the m0n0wall config working elsewhere.

Sadly, due to time constraints, I had to abandon OPNsense in favour of Smallwall, a continuation of the original m0n0wall project with very few cosmetic changes. I hope to pick up OPNsense on another setup later on to see if I can sort this out.

Thanks to everyone who answered to this thread. :)
Title: Re: VPN Frustration
Post by: jschellevis on April 15, 2016, 09:04:27 am
@rafaelmagu

Thank you for your reply and looking forward to your next setup with OPNsense  ;)

Title: Re: VPN Frustration
Post by: franco on April 15, 2016, 10:38:35 am
Sometimes we've seen that m0n0wall and *sense have the same options available, but m0n0wall is more helpful in creating automatic rules and adding more useful settings by default. It can't be something big, but whatever works for you works. :)