OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: seamus on February 15, 2018, 07:28:48 am
-
Still working through the SSL VPN setup "How-To" guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html).
Trying to follow the guide in Step 2, "Firewall Rules" - to allow traffic from the VPN clients to the LAN interface. Specifically, in the rule for the OpenVPN interface, it seems that I'm missing something because I do not see an "OpenVPN Clients" option in the drop-down for that firewall rule (as shown in the "How-To guide"); all I get is the phrase "Nothing Selected".
Could it be that the guide has omitted a step for creating an OpenVPN client?
-
Could be an out of date doc. Are you running Opnsense 17 or 18?
BTW, it's often easier, unless you have some really complex OpenVPN setup to use the wizard to do all the work for you.
-
Sorry, here's my version info:
OPNsense 18.1.2_2-amd64
FreeBSD 11.1-RELEASE-p6
OpenSSL 1.0.2n 7 Dec 2017
Re "wizards": Perhaps that is easier, but wizards in general have not served me well. I thought the advantage of following the How-To would be to gain a better "feel" for how things are organized... a learning opportunity, if you will.
Anyway - I pressed ahead with things, ignoring the difference I noted, and found I actually can connect to my OpenVPN server! Next problem is figuring out how to actually connect to resources on the network from my client machine. The client machine's IP is 10.10.0.6, and my LAN is 192.168.1.0/24... so there must be another step (or two) required to route my packets to their destination on the LAN.
-
Just have a default OpenVPN rule IPv4 Any to Any and the same for the LAN rule.
What you could do is run the wizard and note the differences.
-
Thanks for your suggestions. I've attached screenshots of my OpenVPN and LAN firewall rules. Does anything in these rulesets look incorrect/incomplete?
It seems I get a successful connection to the firewall from my "Road Warrior" laptop, but then I'm sitting there with this IP address (10.10.0.6) that won't route on the local network.
And which wizard are you talking about? the OpenVPN Server wizard, or one of the others? Is this what people here use - the wizards?
-
Needed a second reply to get the 2nd screenshot
-
People round here use whatever they like, some will write it all manually, some will use the wizard and some will do a bit of both, that's what I do.
Change your rule's source from lan.net to any; that should fix you. lan.net will only allow that network, e.g. 192.168.1.0/24; you want to allow all networks that are LAN side to talk to each other.
-
Thanks again, but there's still something missing. I've attached a copy of the fw ruleset change - is this what you meant?
-
And here's a shot of the connection status, if that's of any use
-
Have you also checked the rules for the VPN itself?
same principle applies
-
Oh, a few other items that might be relevant:
1. Cannot ping anything on the LAN (192.168.1.0/24)
2. I can reach hosts outside the LAN! (e.g. google.com)
3. I've set up this fw to use DNS forwarding - not the DNS resolver (why? I've always done it this way, and it's always worked well as I have a Windows DC on the LAN).
-
Have you also checked the rules for the VPN itself?
same principle applies
Here's my VPN ruleset...
-
Here's a quickie: your 'Road Warrior' laptop, apart from its VPN connection, what other connections does it have, i.e. has it got the same LAN range as the OPNsense LAN?
-
Are you also seeing these..
-
OpenVPN Rule generated by the wizard.
-
Here's a quickie: your 'Road Warrior' laptop, apart from its VPN connection, what other connections does it have, i.e. has it got the same LAN range as the OPNsense LAN?
Checking my "Network" widget in System Preferences (Mac OSX) shows that the WiFi connection is to an Xfinity AP outside my fw, and my WiFi has the address 10.241.70.36
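An added worked example, not part of the thread or of OPNsense itself, that models the two points raised above: why a rule on the OpenVPN interface tab with source "LAN net" (lan.net) never matches a packet from a tunnel client such as 10.10.0.6, while source "any" does, and the overlap check between the road warrior's own WiFi network and the OPNsense LAN. The 192.168.1.0/24 LAN, the client address 10.10.0.6 and the WiFi address 10.241.70.36 come from the thread; the 10.10.0.0/24 tunnel network, the /24 mask on the WiFi network, the alias names and the rule table are assumptions.

```python
from ipaddress import ip_address, ip_network

# Addresses quoted in the thread. The tunnel network and the WiFi netmask are
# assumptions: the thread only shows the single client address 10.10.0.6 and
# the WiFi address 10.241.70.36.
LAN_NET = ip_network("192.168.1.0/24")
TUNNEL_NET = ip_network("10.10.0.0/24")  # assumed tunnel network
ANY = ip_network("0.0.0.0/0")

# Hypothetical alias table standing in for the interface-network aliases
# ("LAN net", "OpenVPN net", "any") offered by the rule editor.
ALIASES = {
    "any": [ANY],
    "lan.net": [LAN_NET],
    "openvpn.net": [TUNNEL_NET],
}


def resolve(alias):
    """Expand a source/destination alias into the networks it covers."""
    return ALIASES[alias]


def matches(rule, src, dst):
    """True if both the source and destination of a packet fall inside the
    networks the rule's aliases expand to."""
    src, dst = ip_address(src), ip_address(dst)
    return (any(src in net for net in resolve(rule["source"]))
            and any(dst in net for net in resolve(rule["destination"])))


def evaluate(rules, src, dst):
    """Return the action of the first matching rule (OPNsense rules are
    'quick' by default, so first match wins); no match means the implicit
    default block."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule["action"]
    return "block"


def overlaps(client_local_net, remote_lan):
    """True if the road warrior's own local network collides with the remote
    LAN. With overlapping ranges the client cannot tell a remote LAN host from
    a local one, so reaching the remote LAN through the tunnel is unreliable."""
    return ip_network(client_local_net).overlaps(ip_network(remote_lan))


# Rule on the OpenVPN interface tab as first configured: source "LAN net".
OPENVPN_RULES_BEFORE = [
    {"action": "pass", "source": "lan.net", "destination": "any"},
]
# The same rule after changing the source to "any".
OPENVPN_RULES_AFTER = [
    {"action": "pass", "source": "any", "destination": "any"},
]

if __name__ == "__main__":
    # Constructed packet: the VPN client talking to a LAN host.
    packet = ("10.10.0.6", "192.168.1.10")
    print("source lan.net:", evaluate(OPENVPN_RULES_BEFORE, *packet))
    print("source any:    ", evaluate(OPENVPN_RULES_AFTER, *packet))
    # Road warrior's WiFi network (assumed /24) against the OPNsense LAN.
    print("wifi overlaps LAN:", overlaps("10.241.70.0/24", "192.168.1.0/24"))
```

The alias expansion is the whole point: a packet arriving on the OpenVPN interface carries a tunnel source address, which is never inside "LAN net", so the rule silently falls through to the default block no matter what the LAN tab says. The overlap check is worth keeping in a road-warrior runbook; a home network on 192.168.1.0/24 is common enough that it is the first thing to rule out when the tunnel comes up but LAN hosts are unreachable.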
-
Are you also seeing these..
Yes - see attached
-
Have you also checked the rules for the VPN itself?
same principle applies
Thanks for all of your help. It feels like my VPN is behaving pretty much as I had hoped, which is to say that I can now connect to hosts on my LAN from the VPN, and I can reach the Admin port on OPNsense. Some issues and questions remain wrt DNS for the VPN client to find hosts on my LAN, and an odd thing with the printer. But I shall mark this issue solved, and open a new thread for the other issues if I can't resolve them quickly.
-
OK, now you have it manually working, make some notes, backup the config with a name that tells you what it is then delete the VPN and use the wizard to create a new one. Note any differences.
As I said, I use the wizard then tweak.
-
OK, now you have it manually working, make some notes, backup the config with a name that tells you what it is then delete the VPN and use the wizard to create a new one. Note any differences.
As I said, I use the wizard then tweak.
Thank you again. I think that is an excellent suggestion, and I shall follow it.