OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: cake on November 27, 2016, 07:29:02 am

Title: opnsense blocking openvpn [SOLVED]
Post by: cake on November 27, 2016, 07:29:02 am
Hello, my setup is very basic. It is also unattended for months at a time. Being back from abroad, I noticed something is blocking OpenVPN clients on the LAN to server(s) on the Internet. Clients will connect to the VPN on the Internet according to (Linux terminal) sudo openvpn --config *.ovpn. I don't think it's a DNS problem, because one of my devices uses dnscrypt, and that also does not work. Looking for an obvious setting before I spend half a day or more blindly trying stuff out.

My configs are correct for the OpenVPN client(s) and server(s); I tested them on a different network without OPNsense in the middle. I'm sure OPNsense is blocking it.
Title: Re: opnsense blocking openvpn
Post by: fabian on November 27, 2016, 07:59:38 am
You should be able to see what OPNsense blocks from the firewall log.
Maybe something is wrong with your rules on the OpenVPN interface.
Title: Re: opnsense blocking openvpn
Post by: cake on November 27, 2016, 09:36:34 am
You should be able to see what OPNsense blocks from the firewall log.
Maybe something is wrong with your rules on the OpenVPN interface.
Thanks, I like the easy rule: pass traffic button in the log area. For troubleshooting I have, on both the [Rules | Firewall] LAN2 and WAN tabs, a * * * * rule allowing every port, source and destination. Rebooted; still blocked in the log, and clicking to allow the blocked connections with easy rule isn't helping.

I get to "Initialization Sequence Completed" in the OpenVPN status (fully connected), however no traffic: I can only ICMP ping the router with OPNsense on it, nothing past it. I was hoping for an obvious setting I overlooked. :-) Also, I am receiving the pushed DNS from the OpenVPN server.conf --> PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ifconfig 10.8.0.122 10.8.0.121'

Bewildered.
From the log: "The rule that triggered this action is:

@63 pass out log route-to (em0 192.168.101.1) inet from 192.168.101.183 to ! 192.168.101.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
Title: Re: opnsense blocking openvpn
Post by: fabian on November 27, 2016, 11:53:58 am
from the log-- "The rule that triggered this action is:

@63 pass out log route-to (em0 192.168.101.1) inet from 192.168.101.183 to ! 192.168.101.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"

You should look for pass in rules from your OpenVPN network / interface. Can you try this rule in the floating tab:
Code:
    pass in quick inet from your_openvpn_net/netmask to any
to make sure it is not the firewall blocking your traffic. Don't select any interface on the page so the rule is valid for all interfaces.

Kind regards

Fabian Franz
Title: Re: opnsense blocking openvpn
Post by: cake on November 27, 2016, 12:14:58 pm
Thanks for your help, Franz. I have * * * * in the floating tab of the firewall already. It's operator error, since nobody else has any issues.
My VPS log says LZO compression errors, and I set it up to not use LZO and also to use the push lzo no directive.
I think my VPS provider is poor; every time they restart it, something gets broken, it seems. lol

EDIT: It was a problem with the OpenVPN MTU size.
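The thread ends with the tunnel coming up ("Initialization Sequence Completed") while only small packets get through, which is the classic MTU symptom rather than a firewall block. The check a practitioner wants before touching rules is a path MTU probe from the client toward the VPN endpoint. The script below is an added example, not code from the thread or from OPNsense/OpenVPN: it binary-searches the largest DF-flagged ICMP echo that still gets a reply using Linux iputils ping (the "linux terminal" setup the poster describes), reports the path MTU, and derives a conservative mssfix/fragment value. The host name vpn.example.org and the 100-byte safety margin are assumptions; the exact OpenVPN encapsulation overhead depends on cipher, HMAC and tls-auth settings.

```shell
#!/bin/sh
# pmtu_probe.sh: find the path MTU to an OpenVPN server with DF-flagged pings,
# then derive a conservative OpenVPN mssfix/fragment value from it.
# Assumes Linux iputils ping: -M do sets the DF bit, -s is the ICMP payload size.

# A 1500-byte link MTU carries at most 1472 bytes of ICMP echo data
# (1500 - 20-byte IPv4 header - 8-byte ICMP header).
IP_ICMP_OVERHEAD=28
MAX_DATA=1472

# probe HOST SIZE: send one DF-flagged echo with SIZE payload bytes; succeeds on reply.
# Any failure (ICMP "fragmentation needed", local "message too long", timeout)
# counts as "too big", so a lossy path will make the estimate pessimistic, not wrong.
probe() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST: binary-search the largest payload that gets through and
# print the path MTU in bytes. Returns 1 if even a 0-byte echo gets no reply.
find_pmtu() {
    host=$1
    lo=0
    hi=$MAX_DATA
    probe "$host" "$lo" || { echo "no reply from $host" >&2; return 1; }
    if probe "$host" "$hi"; then
        echo $((hi + IP_ICMP_OVERHEAD))
        return 0
    fi
    # invariant: payload lo passes, payload hi fails
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if probe "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + IP_ICMP_OVERHEAD))
}

# suggest_mssfix PMTU: rule-of-thumb value for OpenVPN's mssfix / fragment.
# The 100-byte margin is an assumption: it leaves room for the outer IP/UDP
# headers plus OpenVPN's own framing (opcode, IV, HMAC, cipher padding).
# On a clean 1500-byte path this yields the commonly recommended 1400.
suggest_mssfix() {
    echo $(($1 - 100))
}

# Only probe when a host is given on the command line, e.g.:
#   sh pmtu_probe.sh vpn.example.org      (hypothetical endpoint)
if [ $# -ge 1 ]; then
    pmtu=$(find_pmtu "$1") || exit 1
    echo "path MTU to $1: $pmtu bytes"
    echo "suggested OpenVPN client config lines:"
    echo "  mssfix $(suggest_mssfix "$pmtu")"
    echo "  fragment $(suggest_mssfix "$pmtu")"
fi
```

Run it from the LAN client, not from the firewall, so the probe crosses the same hops the tunnel does. If the reported path MTU is below 1500, the tunnelled TCP sessions need mssfix (and, for non-TCP traffic, fragment, which must be set identically on server and client) so that encapsulated packets fit without relying on fragmentation that an upstream hop may silently drop.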