OPNsense Forum

English Forums => Virtual private networks => Topic started by: afan on January 23, 2023, 08:23:10 pm

Title: OpenVPN remote network behind ovpn client not reachable
Post by: afan on January 23, 2023, 08:23:10 pm
Hi there,

I've got the following setup: https://prnt.sc/uCpJIatM6ZQc

I'm trying to get connection between the 10.0.10.25 and the 10.11.104.5 hosts. The latter is a host behind a firewall I do not control.
There's a static route set on Site2's OPNsense to allow traffic to the 10.11.104.0/24 network via the 3rd party IP address in the 10.11.10.0/24 LAN. Pinging from the 10.11.10.0/24 LAN to 10.11.104.5 works without problems.

However when I try to ping 10.11.104.5 either through the VPN tunnel, or even just on Site2's OPNsense using the (local, generated) OVPN_TS interface (setting 'Source Address'), I am unable to do so.

Working from LAN:

# /usr/sbin/traceroute -w 2 -n  -m '10' -s '10.11.10.1'   '10.11.104.5'
traceroute to 10.11.104.5 (10.11.104.5) from 10.11.10.1, 10 hops max, 40 byte packets
 1  10.11.10.2  0.118 ms  0.049 ms  0.034 ms
 2  10.11.104.5  0.192 ms  0.094 ms  0.083 ms

Failing from the local tunnel interface:

# /usr/sbin/traceroute -w 2 -n  -m '4' -s '10.9.1.2'   '10.11.104.5'
traceroute to 10.11.104.5 (10.11.104.5) from 10.9.1.2, 4 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *

The static route that was added is reflected in the routing table: Site2's OPNsense should know where to reach the 10.11.10.0/24 network:

Proto  Destination      Gateway      Flags  Use  MTU    Netif   Netif (name)
ipv4   default          77.22.44.1   UGS    NaN  1500   vmx0    WANlink
ipv4   10.0.10.0/24     10.9.1.1     UGS    NaN  1500   ovpnc1  OVPN_TS
ipv4   10.9.1.1         link#8       UH     NaN  1500   ovpnc1  OVPN_TS
ipv4   10.9.1.2         link#8       UHS    NaN  16384  lo0     Loopback
ipv4   10.11.104.0/24   10.11.10.2   UGS    NaN  1500   vmx1    LAN
(...)

I added 'allow all' rules on the OVPN_TS interface but I'm unable to get ping to work.

Any idea what I'm doing wrong?

Title: Re: OpenVPN remote network behind ovpn client not reachable
Post by: bartjsmit on January 24, 2023, 03:50:59 am
Add a static route on OPNsense Site 1 for 10.11.104.0/24 via 10.9.1.2.

Your reply packets go out of the WAN interface of Site 1 and are being ignored by its ISP router (on account of being RFC1918).

Bart...
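The routing argument in Bart's reply, worked through as an added example (this is not code from the thread or from OPNsense): a small Python model of longest-prefix-match forwarding across the two OPNsense boxes. The Site 2 rows copy the table afan posted; Site 1's table, its 203.0.113.1 ISP gateway, the interface names and every function name are assumptions made for the example. It shows 10.11.104.5 falling through to Site 1's default route (an RFC1918 destination leaving the WAN) before the static route exists, and being forwarded over the tunnel to Site 2's static route toward the third-party firewall once it is added.

```python
import ipaddress

# Constructed routing tables (added example, not data captured from the thread).
# Site 2 follows the table quoted in the post; Site 1 is assumed, since the post does
# not show that box. Rows are (destination, gateway, interface); "link" = directly connected.
SITE1_ROUTES = [
    ("0.0.0.0/0",     "203.0.113.1", "WAN"),   # assumed ISP gateway (documentation range)
    ("10.0.10.0/24",  "link",        "LAN"),   # Site 1 LAN from the post
    ("10.9.1.2/32",   "link",        "OVPN"),  # tunnel peer address of Site 2 (from the post)
    ("10.11.10.0/24", "10.9.1.2",    "OVPN"),  # Site 2 LAN, assumed already routed over the tunnel
]
SITE2_ROUTES = [
    ("0.0.0.0/0",      "77.22.44.1", "WANlink"),  # from the post
    ("10.0.10.0/24",   "10.9.1.1",   "OVPN_TS"),  # from the post
    ("10.9.1.1/32",    "link",       "OVPN_TS"),  # from the post
    ("10.11.10.0/24",  "link",       "LAN"),      # assumed: Site 2's connected LAN
    ("10.11.104.0/24", "10.11.10.2", "LAN"),      # static route from the post (third-party firewall)
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (destination, gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, gw, ifname in routes:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (dest, gw, ifname)
    return best


def add_route(routes, dest, gw, ifname):
    """Return a new table with a static route appended (the table is not modified in place)."""
    return routes + [(dest, gw, ifname)]


def build_routers(site1_routes=SITE1_ROUTES, site2_routes=SITE2_ROUTES):
    """Assumed topology: each router owns its tunnel and LAN addresses (from the post)."""
    return {
        "site1": {"addrs": {"10.9.1.1", "10.0.10.1"}, "routes": site1_routes},
        "site2": {"addrs": {"10.9.1.2", "10.11.10.1"}, "routes": site2_routes},
    }


def owner(routers, addr):
    """Which modelled router owns a next-hop address, or None if it is outside the model."""
    for name, r in routers.items():
        if addr in r["addrs"]:
            return name
    return None


def walk(routers, start, dst, max_hops=8):
    """Follow forwarding decisions router to router.

    Returns (path, verdict): path is a list of (router, destination, gateway, interface)
    and verdict states where the packet ends up. A packet that matches only the default
    route while addressed to a private destination is reported as leaked out of the WAN.
    """
    path, here = [], start
    for _ in range(max_hops):
        r = lookup(routers[here]["routes"], dst)
        if r is None:
            return path, f"no route on {here}"
        path.append((here, *r))
        dest, gw, ifname = r
        if gw == "link":
            return path, f"delivered on {here}/{ifname}"
        nxt = owner(routers, gw)
        if nxt is None:
            if dest == "0.0.0.0/0" and ipaddress.ip_address(dst).is_private:
                return path, f"leaked via {here}/{ifname} default gateway {gw} (RFC1918 destination)"
            return path, f"handed to external next hop {gw} via {here}/{ifname}"
        here = nxt
    return path, "routing loop"


if __name__ == "__main__":
    # Forward direction, Site 1 -> 10.11.104.5, before and after Bart's static route.
    print(walk(build_routers(), "site1", "10.11.104.5"))
    fixed = add_route(SITE1_ROUTES, "10.11.104.0/24", "10.9.1.2", "OVPN")
    print(walk(build_routers(site1_routes=fixed), "site1", "10.11.104.5"))
    # Return direction, Site 2 -> 10.0.10.25, already covered by the post's 10.0.10.0/24 route.
    print(walk(build_routers(), "site2", "10.0.10.25"))
```

The third-party firewall at 10.11.10.2 is treated as external, so the model stops once a packet is handed to it; whether that box has a return route for 10.9.1.0/24 or 10.0.10.0/24 is not visible in the thread and has to be checked separately with its owner.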