OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: duckduck on September 16, 2016, 08:22:43 pm
-
Hi all,
I fail to configure the OpenVPN client properly.
Desired behaviour: All traffic from LAN goes through the OpenVPN client interface connection (and then from the OpenVPN server endpoint to the internet).
Actual behaviour: The OpenVPN connection is working and I see an Initialization Sequence Completed in the log file.
All the traffic from the LAN interface goes directly to WAN, however the desired behavior would be to go through the OpenVPN connection.
Resources I read so far and follow during the configuration process:
- https://wretmo.se/2016/01/24/how-to-setup-openvpn-client-on-opnsense/
- https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html?highlight=openvpn#step-5-client-firewall-rules
- https://forum.opnsense.org/index.php?topic=1951.msg6073#msg6073
OpenVPN client log file:
Sep 16 18:04:47 openvpn[97185]: Initialization Sequence Completed
Sep 16 18:04:40 openvpn[97185]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.x.x.x 255.255.0.0 init
Sep 16 18:04:40 openvpn[97185]: /sbin/route add -net 10.y.y.y 10.x.x.x 255.255.0.0
Sep 16 18:04:40 openvpn[97185]: /sbin/ifconfig ovpnc1 10.x.x.x 10.y.y.y mtu 1500 netmask 255.255.0.0 up
Sep 16 18:04:40 openvpn[97185]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep 16 18:04:40 openvpn[97185]: TUN/TAP device /dev/tun1 opened
Sep 16 18:04:40 openvpn[97185]: TUN/TAP device ovpnc1 exists previously, keep at program end
Interface
-> if.PNG
Gateway
-> gw.PNG
NAT outbound
-> ob.PNG
Firewall rules
-> fw.PNG
What point do I miss here?
-
what is the output from netstat -r in the OPNsense shell?
Bart...
-
netstat -rn shows:
Routing tables
Internet:
Destination        Gateway            Flags     Netif   Expire
default            192.168.1.1        UGS       igb1
10.4.0.0/16        10.4.28.95         UGS       ovpnc1
10.4.0.1           link#8             UH        ovpnc1
10.4.28.95         link#8             UHS       lo0
10.42.0.0/16       link#1             U         igb0
10.42.0.1          link#1             UHS       lo0
127.0.0.1          link#7             UH        lo0
192.168.1.0/24     link#2             U         igb1
192.168.1.1        xx:xx:xx:xx:xx:xx  UHS       igb1
192.168.1.129      link#2             UHS       lo0
Internet6:
Destination        Gateway            Flags     Netif   Expire
...
I don't know how to debug this issue.
It looks like the OpenVPN tunnel is working.
What is not clear for me:
- Is the interface ovpnc1 correctly configured?
- Is the NAT outbound rule working?
- Is the gateway correctly configured?
- Is the firewall rule working correctly?
Any hints how this can be step by step checked?
-
Your default gateway is set to your WAN IP, not to your tunnel IP.
Try this in the console:
route add default 10.4.28.95
Change the default gateway in OPNsense if this fixes the problem
Bart...
-
Shouldn't the NAT outbound rule and firewall rule take care of this? In some guide I read, it is not correct to set OpenVPN connection as the default route.
-
Try it, who cares if it is not correct ;)
You need to see if routing is the issue. The guides are written from the point of view that the VPN tunnel is used as a site-to-site connection that grants access to a limited set of networks at the far end (a.k.a. split tunnelling).
I think you are configuring the tunnel to take all your WAN traffic to a remote internet connection. Valid, but not typical.
If you do identify your issue as routing, you can then set up additional configuration to ensure that your default gateway survives a reboot. E.g. change the default gateway through an OpenVPN post-connection script and set OPNsense to allow default gateway switching.
Bart...
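As an added example (my own shell, not anything posted in this thread or shipped with OPNsense), here is how the routing part of the "how can this be checked step by step" question and Bart's "is it routing?" test can be run from the OPNsense shell without changing anything first: the functions read a netstat -rn table, say which interface the default route leaves by, pick out the tunnel gateway, and print (but do not run) the commands a route-up hook would issue. The sample table is the IPv4 part of the one posted above, the interface name ovpnc1 comes from the thread, and 203.0.113.10 is a placeholder for the remote VPN server's public address.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense. Reads a FreeBSD
# `netstat -rn` table (passed as a string) and reports whether the default
# route already leaves via the OpenVPN client interface. The interface name
# ovpnc1 and the sample table come from the posts above; the functions and the
# VPN server placeholder address are my own.

# Constructed sample: the IPv4 part of the table posted above (addresses as posted).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS        igb1
10.4.0.0/16        10.4.28.95         UGS        ovpnc1
10.4.0.1           link#8             UH         ovpnc1
10.4.28.95         link#8             UHS        lo0
10.42.0.0/16       link#1             U          igb0
10.42.0.1          link#1             UHS        lo0
127.0.0.1          link#7             UH         lo0
192.168.1.0/24     link#2             U          igb1
192.168.1.1        xx:xx:xx:xx:xx:xx  UHS        igb1
192.168.1.129      link#2             UHS        lo0'

# default_route TABLE -> prints "<gateway> <netif>" of the IPv4 default route.
default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2, $4; exit }'
}

# tunnel_gateway TABLE IFACE -> prints the gateway of the first gateway (G flag)
# route that is not the default and leaves via IFACE; for the posted table this
# is 10.4.28.95, the address the `route add default ...` suggestion above uses.
tunnel_gateway() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$1 != "default" && $3 ~ /G/ && $4 == ifc { print $2; exit }'
}

# default_route_verdict TABLE IFACE -> "tunnel" if the default route already
# uses IFACE, "wan" otherwise (the situation described in the thread).
default_route_verdict() {
    table="$1"; ifc="$2"
    set -- $(default_route "$table")
    if [ "$2" = "$ifc" ]; then echo tunnel; else echo wan; fi
}

# switch_commands TABLE VPN_SERVER IFACE -> prints, without running, the two
# commands a route-up hook would issue: pin the VPN server behind the current
# WAN gateway first (so the tunnel's own encapsulated packets are not sent into
# the tunnel), then move the default route. `change` rather than `add` because
# a default route already exists in the table.
switch_commands() {
    table="$1"; vpn_server="$2"; ifc="$3"
    set -- $(default_route "$table")
    wan_gw="$1"
    tun_gw=$(tunnel_gateway "$table" "$ifc")
    printf 'route add -host %s %s\n' "$vpn_server" "$wan_gw"
    printf 'route change default %s\n' "$tun_gw"
}

# Stand-alone demo; on a live box pass "$(netstat -rn)" instead of the sample.
# 203.0.113.10 is a placeholder for the remote OpenVPN server's public address.
echo "default route currently leaves via: $(default_route_verdict "$SAMPLE_ROUTES" ovpnc1)"
echo "commands a route-up hook would run (review before executing):"
switch_commands "$SAMPLE_ROUTES" 203.0.113.10 ovpnc1
```

On the posted table the verdict is "wan", which is exactly what the reply above diagnoses. The host route to the VPN server via the old WAN gateway is the same thing OpenVPN's redirect-gateway option installs for you; if you move the default route by hand and skip it, the tunnel's own UDP packets get routed into the tunnel and the session drops. Re-run the verdict function after a reboot to confirm the change really survived.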
-
Normally you don't want to route all traffic through a VPN, so this needs a special setting on client side or a server-side config file with the option set, see https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
If you can't control the openvpn server (so you can't set that option), you then need to manually set the default route to the VPN server's IP. Beware that _all_ traffic gets routed, so you may also need to push DNS, WINS and such.