OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: sebastian on June 12, 2017, 02:10:36 pm

Title: OpenVPN server starts in wrong order - need to force outgoing traffic
Post by: sebastian on June 12, 2017, 02:10:36 pm
I have 1 OpenVPN server, and 2 OpenVPN clients.
One of these OpenVPN clients is considered WAN (call this WANVPN2).

Roadwarriors should be able to connect to the OpenVPN server by connecting from the external IP of WANVPN2.

Now I stumbled upon a problem, and that is that the OpenVPN server starts before the OpenVPN clients have had the chance to connect. Thus the server will then receive traffic from WANVPN2 and then attempt to send this traffic out of WAN. Of course it does not reach the client (and if it reaches the client, the client will obviously discard it).

The only way to remedy this is to click 2 times on the green play button on the "OpenVPN server" definition. (Restarting the server from the process list in the dashboard won't help; the only thing that helps is to disable the OpenVPN server and re-enable it.)

This happens every reboot. Otherwise it's totally fine.

I have a solution, and that is to add a floating rule, that will force any UDP-traffic from the firewall itself, with a source port of 1194, to exit through the WANVPN2 interface.
But even after adding a floating rule, with "quick matching" added, I get the following in the log:

@96 pass out log all flags S/SA keep state allow-opts label "let out anything from the firewall host itself"

Which means an inbuilt rule triggers. Any way to override this rule and tell the firewall that any "firewall:1194" packets should be treated differently?
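The logged "@96" line is the rule pf finally settled on for that packet, so the question of whether the floating rule can win is really a question about pf's evaluation order. The following is an added example, not code from the post or from OPNsense: a small Python model of how pf picks a winning rule (rules are walked top to bottom, the last matching rule decides, and a matching rule marked `quick` ends evaluation on the spot). The ruleset, rule numbers other than @96, and the "(self)" source marker are constructed for illustration and do not reproduce the real order of OPNsense's generated rules; the point is to show which orderings let a generated "let out anything from the firewall host itself" rule beat a user floating rule for UDP from source port 1194.

```python
"""Minimal model of pf rule evaluation (constructed example, not an OPNsense dump).

pf semantics modelled here:
  * rules are evaluated in order;
  * the LAST matching rule decides the verdict;
  * a matching rule with `quick` stops evaluation immediately.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    number: int
    action: str                     # "pass" or "block"
    direction: str                  # "in", "out" or "any"
    quick: bool = False
    proto: Optional[str] = None     # None = any protocol
    src: Optional[str] = None       # "(self)" marks the firewall host itself (constructed label)
    sport: Optional[int] = None     # None = any source port
    route_to: Optional[str] = None  # policy-routing target interface, if any
    label: str = ""

    def matches(self, pkt: dict) -> bool:
        """Return True when every criterion set on this rule fits the packet."""
        if self.direction != "any" and self.direction != pkt["direction"]:
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.src is not None and self.src != pkt["src"]:
            return False
        if self.sport is not None and self.sport != pkt["sport"]:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Optional[Rule]:
    """Walk the ruleset the way pf does and return the rule that decides."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule          # last match wins ...
            if rule.quick:
                break              # ... unless a matching rule is quick
    return winner


# The rule quoted in the post (number taken from the log line, no quick shown there).
LET_OUT_SELF = Rule(96, "pass", "out", quick=False,
                    label="let out anything from the firewall host itself")

# The user's floating rule: UDP from the firewall itself, source port 1194, via WANVPN2.
FLOATING_1194 = Rule(10, "pass", "out", quick=True, proto="udp", src="(self)",
                     sport=1194, route_to="WANVPN2", label="force OpenVPN out WANVPN2")

# Constructed packet: an OpenVPN reply leaving the firewall itself.
OPENVPN_REPLY = {"direction": "out", "proto": "udp", "src": "(self)", "sport": 1194}


def decide(rules: List[Rule], pkt: dict):
    """Return (rule number, route_to) of the winning rule, or (None, None)."""
    rule = evaluate(rules, pkt)
    return (rule.number, rule.route_to) if rule else (None, None)


def scenarios():
    """Four orderings that explain when @96 shows up in the log instead of the floating rule."""
    quick_96 = Rule(96, "pass", "out", quick=True, label=LET_OUT_SELF.label)
    nonquick_floating = Rule(200, "pass", "out", quick=False, proto="udp", src="(self)",
                             sport=1194, route_to="WANVPN2", label="floating, no quick")
    return {
        # floating quick rule placed before @96: evaluation stops at it, WANVPN2 is used
        "floating_first_quick": decide([FLOATING_1194, LET_OUT_SELF], OPENVPN_REPLY),
        # floating rule after a non-quick @96: last match wins, floating rule still decides
        "floating_after_nonquick_96": decide([LET_OUT_SELF, nonquick_floating], OPENVPN_REPLY),
        # @96 itself quick and earlier: it ends evaluation, floating rule is never reached
        "quick_96_first": decide([quick_96, FLOATING_1194], OPENVPN_REPLY),
        # floating rule does not fit the packet (here: source port differs): @96 decides
        "floating_mismatch": decide([FLOATING_1194, LET_OUT_SELF],
                                    dict(OPENVPN_REPLY, sport=1195)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} -> rule @{verdict[0]}, route-to {verdict[1]}")
```

Reading the model against the log line: if "@96" is what pf reports for the reply packet, then either a matching rule before the floating rule is already `quick`, or the floating rule simply does not match that packet (direction, interface, protocol or the source port check). Checking the live ruleset order with `pfctl -vvsr` and confirming the rule counters move on the floating rule is the quickest way to tell which of the two applies.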