OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: zanga on December 08, 2017, 09:38:18 pm

Title: SSL VPN
Post by: zanga on December 08, 2017, 09:38:18 pm
Hello,

I followed this guide; however, on Step 2 - Firewall Rules - allow traffic from the VPN clients to our LAN interface, I don't see the OpenVPN clients drop down mentioned in that screenshot.

WAN has a 192.168.1.0/24 IP (will be moved to a real IP)
LAN has 192.168.2.0/24 IP
VPN has 10.10.0.0/24

The VPN connection is established, I get a 10.10.0.x IP, but I can't reach any of the 192.168.2.x IPs from the LAN.

Any idea what I might be missing?
Thank you!
Title: Re: SSL VPN
Post by: fabian on December 08, 2017, 09:39:28 pm
A pass firewall rule maybe?
Title: Re: SSL VPN
Post by: xinnan on December 09, 2017, 12:54:06 am
If there is no "pass any" rule for the VPN you can have problems.

Also, with IPs like:

WAN has a 192.168.1.0/24 IP (will be moved to a real IP)
LAN has 192.168.2.0/24 IP

You can have problems if you are trying to access the VPN from another network that includes 192.168.1.0/24 IP.

You probably already know this, but let's say you are at your friend's house or some office and the network there is 192.168.1.0/24 IP.

Then you access your VPN remotely.

And you try to go to the remote 192.168.1.0/24 IP network. Odds are it either won't work at all or will work only intermittently. I wouldn't use 192.168.1.0/24 IP for anything ever. Not even for testing.
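
Added example, not part of the original thread or any poster's code: a check for the subnet collision described in the post above, using the WAN, LAN and tunnel networks quoted in the thread. The function name, the effect labels and the client-side networks are assumptions made for illustration, and every listed site network is treated as if it were routed over the tunnel.

```python
import ipaddress

# Networks quoted in the thread for the OPNsense box.
SITE_NETS = {"wan": "192.168.1.0/24", "lan": "192.168.2.0/24", "tunnel": "10.10.0.0/24"}

def find_conflicts(client_local_nets, site_nets=SITE_NETS):
    """Return (site_name, site_net, client_net, effect) for every overlap.

    Effect follows longest-prefix-match routing on the client:
      same-prefix -> both routes are equally specific, the metric decides
      local-wins  -> the client's local route is more specific, so part of
                     the site network is unreachable through the VPN
      vpn-wins    -> the VPN route is more specific, so local hosts in
                     that range are shadowed while connected
    """
    conflicts = []
    for name, site in site_nets.items():
        site_net = ipaddress.ip_network(site, strict=True)
        for local in client_local_nets:
            # strict=False accepts an interface address such as 192.168.1.37/24
            local_net = ipaddress.ip_network(local, strict=False)
            if not site_net.overlaps(local_net):
                continue
            if local_net.prefixlen == site_net.prefixlen:
                effect = "same-prefix"
            elif local_net.prefixlen > site_net.prefixlen:
                effect = "local-wins"
            else:
                effect = "vpn-wins"
            conflicts.append((name, str(site_net), str(local_net), effect))
    return conflicts

if __name__ == "__main__":
    # Constructed client locations, not taken from the thread.
    samples = {
        "friend's house": ["192.168.1.0/24"],
        "office": ["192.168.0.0/16"],
        "hotel": ["172.20.5.0/24"],
    }
    for label, nets in samples.items():
        print(label, "->", find_conflicts(nets) or "no overlap")
```

Run it with the addressing of the network you expect to connect from before choosing the subnets behind the VPN; an empty result means the client's local routes and the site's networks cannot shadow each other.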
Title: Re: SSL VPN
Post by: zanga on December 09, 2017, 09:01:16 am
Thank you for your replies!

I thought the pass rule is the one on step 2
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
The one for the LAN interface.
Is there another one that's missing?

You are correct with the 192.168.1.0 network, indeed it's only used for testing and the odds are this might actually be the issue if the pass rule is already there.
Title: Re: SSL VPN
Post by: xinnan on December 09, 2017, 10:33:47 am
There should be 1 rule added on the WAN to allow outside access to the VPN.

1 rule added on the VPN interface to allow access to "ANY/ALL".

And your LAN should have already had an allow all rule.

If you did all that, it may be a conflict caused by that often used subnet.
Title: Re: SSL VPN
Post by: zanga on December 10, 2017, 11:06:59 am
I added the VPN access rule on the WAN ANY/ALL 1194.
And on the VPN tab, permit from the 10.10.0.0/24 to all.

The guide doesn't mention anything on the LAN tab.

Also, for some reason I don't see that OpenVPN clients drop down.