OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: pbolduc on January 31, 2017, 03:32:15 am

Title: [SOLVED] OPEN VPN SSL - Problems accessing Internal Subnet from VPN Subnet
Post by: pbolduc on January 31, 2017, 03:32:15 am
Hi,
I'm new to the forums and to OPNsense. I just recently deployed this great appliance last week and followed the tutorial ( https://docs.opnsense.org/manual/how-tos/sslvpn_client.html ) to set up a Road Warrior SSL VPN for remote roaming users. The version of OPNsense I am running is:
OPNsense 16.7-i386
FreeBSD 10.3-RELEASE-p5
OpenSSL 1.0.2h 3 May 2016

I managed to get a remote client PC to connect to the SSL VPN using Google Authenticator + password, but it doesn't provide access to the local subnet of the OPNsense network (192.168.25.X). My remote client PC's virtual adapter gets assigned an internal IP address of 192.168.1.6 and a gateway of 192.168.1.5. The assigned 192.168.1.6 address is pingable on the client, however the gateway address (192.168.1.5) is not. After connecting the tunnel successfully I checked my routing table on the remote client PC. The static routes appear correct, however I am not able to ping the gateway or the internal 192.168.25.x network of the OPNsense. I have created the necessary firewall rule mentioned in the tutorial above, as shown in my attached screenshot. I am unsure of what needs to be done at this point, and I have my suspicion I may need to include some type of local interface on the OPNsense for 192.168.1.X before the client will correctly identify the internal VPN traffic. Any help is much appreciated; please see my attached log file indicating the status of my VPN connection and the screenshot of my LAN firewall rule for the 192.168.1.X network. The type of VPN I had created was set to TUN device mode as per the tutorial documentation.

Regards,
Paul
Title: Re: OPEN VPN SSL - Connectivity Problems to Internal Subnet from VPN Subnet.
Post by: pbolduc on January 31, 2017, 04:33:05 pm
Hi Guys,

This was a problem with my configuration as my firewall rule for the VPN traffic was under the [LAN] interface when it should have been under the [OpenVPN] interface. I've moved the firewall rule and I have successfully established a TOTP SSL VPN connection. =) Now to see how long it remains connected with the TOTP.

One thing I did notice when setting up the SSL VPN server was that there wasn't an option for the server Renegotiate time. Hopefully this won't be a problem.

*** Updated *** Well, sure enough after an hour of being connected to the VPN my connection was dropped. I know someone else had posted about this elsewhere on the forums. I'll try and dig to find the solution.


*** Updated ***

Okay, found the setting I need to apply to the VPN client (Viscosity). It was under the VPN connection properties -> Advanced, under Extra OpenVPN configuration. The command I manually appended to the list was: reneg-sec 0.

Where can I find this configuration setting in the web portal of the OPNsense firewall? There doesn't appear to be a setting where I would expect to find it under: VPN-->OPENVPN-->SERVERS->EDIT SERVER -> ????
Title: Re: OPEN VPN SSL - Problems accessing Internal Subnet from VPN Subnet
Post by: franco on January 31, 2017, 09:14:08 pm
Hey there,

See my response in the other thread. Can we mark this [SOLVED]? :)


Cheers,
Franco
Title: Re: [SOLVED] OPEN VPN SSL - Problems accessing Internal Subnet from VPN Subnet
Post by: pbolduc on February 01, 2017, 12:10:19 am
Just to follow up: when the "Renegotiate time" option does not appear under the OpenVPN server settings, the command "reneg-sec 0" entered manually into the advanced box has corrected the problem. I have now been connected an hour and a half without a disconnect. Thanks for the assistance. For anyone just joining this conversation: both the VPN client software and the router require this setting for OTP on VPN SSL.

Regards,
Paul
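The two posts above (the client-side "reneg-sec 0" in Viscosity, and the follow-up that the server needs it too) describe one mechanism: OpenVPN renegotiates the TLS session after reneg-sec seconds (default 3600), either peer's timer can trigger it, and with auth-user-pass the renegotiation re-sends the password, which for a TOTP is stale by then, so the session drops after an hour. The check below is an added example, not code from the thread or from OPNsense or OpenVPN: it parses OpenVPN-style config text, computes when a server/client pair will first renegotiate, and flags any peer that still has a non-zero interval while the client authenticates with a password. The sample configs are constructed for the demo; the hostname and auth-script path are placeholders.

```python
"""OpenVPN config check for the OTP + TLS renegotiation drop discussed above.

Added example, not code from the thread, OPNsense or OpenVPN. Sample configs
at the bottom are constructed; vpn.example.org and the otp-check path are
placeholders. Tunnel 192.168.1.0/24 and LAN 192.168.25.0/24 follow the thread.
"""
import re
from dataclasses import dataclass

DEFAULT_RENEG_SEC = 3600          # OpenVPN default when reneg-sec is absent
_DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:\s+(.*))?$")


def parse_config(text):
    """Map each directive to its argument list (last occurrence wins).

    Comment lines (# or ;) and the bodies of inline <ca>...</ca> style
    blocks are skipped; arguments are split on whitespace only.
    """
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            m = _DIRECTIVE_RE.match(line)
            if m:
                directives[m.group(1)] = (m.group(2) or "").split()
    return directives


def reneg_sec(text):
    """Effective TLS renegotiation interval in seconds for one peer (0 = off)."""
    args = parse_config(text).get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC


def seconds_to_first_reneg(server_text, client_text):
    """Seconds until the first renegotiation, or 0 when both peers disable it.

    Each side runs its own timer and either one restarts the TLS handshake,
    so the smaller non-zero value wins: fixing only the client still leaves
    the server's 3600 s default in force.
    """
    timers = [t for t in (reneg_sec(server_text), reneg_sec(client_text)) if t > 0]
    return min(timers) if timers else 0


def uses_password_auth(client_text):
    """True when the client sends a username/password (where the OTP goes)."""
    return "auth-user-pass" in parse_config(client_text)


@dataclass
class Finding:
    peer: str
    reneg_sec: int
    advice: str


def check_pair(server_text, client_text, otp_in_password=True):
    """Findings for a server/client pair; an empty list means an OTP session survives."""
    if not (otp_in_password and uses_password_auth(client_text)):
        return []
    findings = []
    for peer, text in (("server", server_text), ("client", client_text)):
        secs = reneg_sec(text)
        if secs > 0:
            findings.append(Finding(peer, secs,
                f"{peer} renegotiates after {secs}s and will re-send a password "
                f"the OTP no longer matches; add 'reneg-sec 0' on the {peer}"))
    return findings


# Constructed sample configs (not the poster's files).
SERVER_DEFAULT = """\
dev tun
server 192.168.1.0 255.255.255.0
push "route 192.168.25.0 255.255.255.0"
auth-user-pass-verify /usr/local/etc/openvpn/otp-check via-env
# no reneg-sec line, so the 3600 s default applies
"""
SERVER_FIXED = SERVER_DEFAULT + "reneg-sec 0\n"

CLIENT_FIXED = """\
client
dev tun
remote vpn.example.org 1194 udp
auth-user-pass
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, srv in (("server default", SERVER_DEFAULT), ("server fixed", SERVER_FIXED)):
        print(f"{label}: first renegotiation in {seconds_to_first_reneg(srv, CLIENT_FIXED)} s")
        for f in check_pair(srv, CLIENT_FIXED):
            print("  ", f.advice)
```

Run it as-is and the "server default" case reports 3600 s with a server finding even though the client already carries reneg-sec 0, which is the state the thread was in between the second and the last post; the "server fixed" case reports 0 and no findings. Disabling renegotiation means the data-channel keys are never refreshed for the life of the session; OpenVPN 2.4 and later offer auth-gen-token as an alternative that lets the client present a server-issued token at renegotiation instead of the password, but that is not what the thread used.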