OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: raklik on March 16, 2018, 03:07:30 pm

Title: opensense network not accessible for devices in LAN network
Post by: raklik on March 16, 2018, 03:07:30 pm
Hi guys, I have a pretty simple configuration, yet I was not able to make it work. I have the following configuration:

                                         OPNSense
10.20.10.0/24          _______________________            10.10.50.0/24
         PC ------------> LAN | WAN | openVPN Client --> Network in openVPN

Basically I need to access, from the PC, devices located in the OpenVPN network. On OPNsense the VPN is connected and the network 10.10.50.0 is accessible. I don't want to redirect the traffic from 10.20.10.0 through the VPN, just to access the VPN network. I presume that it is a firewall issue, but I couldn't make it work. I was also looking on the forum and did not find a similar topic... I guess my issue is too simple. :)

 Any suggestion?
Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 16, 2018, 04:10:13 pm
Is the 10.20.10 network defined in OPNsense as a LAN network? If so, you will need a pass rule on the 10.20.10 network in OPNsense to the OpenVPN network.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 16, 2018, 04:14:01 pm
Thanks for the quick reply. It is not defined as an interface. Does it have to be? Can't I use the access directly from the service?
Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 16, 2018, 04:22:09 pm
If it is not defined in OPNsense, then it is considered an external network, and unless you have a layer 3 switch which does routing outside OPNsense, the client has no way to know how to find the OVPN network. It might be helpful if you could post a simple pictorial representation of your network.
In most cases, to allow an external network to communicate with a network defined in OPNsense, you will have to do a port forward.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 16, 2018, 06:45:40 pm
I have now tried to create the interface OPT2, which will match the vpnc1 connection.

My configuration follows pretty much the same schema as https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html which is a site to site connection.

What is interesting is that in the documentation there is nothing else on the firewall client side, just setting up the incoming network on that VPN. Moreover, there is no interface configured for the OpenVPN service... this confuses me.

Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 17, 2018, 12:57:58 am
Your post is somewhat confusing. Earlier you stated that you do not want the traffic to flow through the tunnel, and that it is on a LAN network. But the configuration that you are mentioning is a site-to-site VPN using two OPNsense boxes across a router, and there is no OpenVPN client involved. So a pictorial representation of your network would be helpful.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 17, 2018, 10:46:28 am
Sorry for the confusion created; to describe my issue better, I will make a graphical representation of my network for better understanding. But just to mention, the link I added in the previous message does involve an OpenVPN server and an OpenVPN client. At least from my understanding, the SSL VPN tunnel is created by OpenVPN, where side B is a client connecting to side A, which is the same thing I need, with traffic not being redirected.
Anyway, I will return later with a better image. Thanks a bunch for trying to help!


LE: I put up the network diagram, hope I did not miss anything.
Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 17, 2018, 10:06:20 pm
This looks fairly simple. The few things that you would want to check are:

(i) The PC should have a route to the network 10.10.50.0 which points to one of the interfaces in OPNsense, if the PC's network is not part of OPNsense.
(ii) On the interface where the PC traffic is landing there should be a pass rule which allows traffic from 10.20.10.0/24 to 10.10.50.0/24.
(iii) There should be a route within OPNsense which directs traffic to the tunnel endpoint.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 17, 2018, 10:47:37 pm
(i) The PC should have a route to the network 10.10.50.0 which points to one of the interfaces in OPNsense, if the PC's network is not part of OPNsense.

I have a DHCP service running for the 10.20.10.0 network; is there any way to push the route from OPNsense, so as not to have to create local routes on each device?
I mean, there has to be a way for "route add from lan net to location2 net via openvpn interface", I just don't know how it should be added in OPNsense.

(ii) On the interface where the PC traffic is landing there should be a pass rule which allows traffic from 10.20.10.0/24 to 10.10.50.0/24.

This is working, already tested.

(iii) There should be a route within OPNsense which directs traffic to the tunnel endpoint.

I tried so many places to add the route, none of them works. Can you give me an example? Is adding the route in the Routes section enough? Do I also need to open the firewall? If so, on which interface should I add the firewall rule?

Thanks again for your reply!
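Check (i) above is usually solved on the DHCP server rather than per device: DHCP option 121 (RFC 3442, "classless static routes") lets the server hand every client a route for the remote network via the OPNsense address on their segment. The encoder below is an added example, not code from the thread or from OPNsense, and shows the wire format so the value can be pasted into whatever DHCP server is handing out 10.20.10.0/24. The networks are the thread's; the router address 10.20.10.1 (the OPNsense address on the PC's network) is an assumption, as is the assumption that your DHCP UI accepts the option as a colon-separated byte string.

```python
"""Encode/decode DHCP option 121 (RFC 3442 classless static routes).

Added example, not from the forum thread or from OPNsense. Wire format per
route: one byte prefix length, then only the significant octets of the
destination (ceil(prefix/8) of them), then the 4-octet router address.
Caveat from RFC 3442: a client that receives option 121 ignores the plain
router option (3), so the default route must be included in the list too.
"""
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (destination CIDR, next-hop IPv4) -> option 121 payload bytes."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set in the prefix
        gw = ipaddress.IPv4Address(router)
        plen = net.prefixlen
        significant = (plen + 7) // 8                    # octets of destination actually sent
        payload.append(plen)
        payload += net.network_address.packed[:significant]
        payload += gw.packed
    return bytes(payload)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on a truncated or bogus payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32 at offset %d" % (i - 1))
        significant = (plen + 7) // 8
        dest_octets = payload[i:i + significant]
        i += significant
        router = payload[i:i + 4]
        i += 4
        if len(dest_octets) != significant or len(router) != 4:
            raise ValueError("truncated route entry")
        # missing low-order octets are zero by definition
        dest_int = int.from_bytes(dest_octets, "big") << (8 * (4 - significant))
        net = ipaddress.IPv4Network((dest_int, plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def colon_hex(payload):
    """Byte-string form many DHCP UIs accept for a raw option value, e.g. 18:0a:0a:32:0a:14:0a:01."""
    return ":".join("%02x" % b for b in payload)


def isc_integer8_list(payload):
    """Decimal form for an ISC dhcpd option declared as 'array of integer 8'."""
    return ", ".join(str(b) for b in payload)


# Routes for the thread's topology (router address 10.20.10.1 is assumed):
# the remote network via OPNsense, plus the default route the clients must keep.
THREAD_ROUTES = [
    ("10.10.50.0/24", "10.20.10.1"),
    ("0.0.0.0/0", "10.20.10.1"),
]

if __name__ == "__main__":
    payload = encode_classless_routes(THREAD_ROUTES)
    print("option 121 =", colon_hex(payload))
    print("ISC form   =", isc_integer8_list(payload))
    print("decoded    =", decode_classless_routes(payload))
```

If the clients need to keep a different default gateway than OPNsense (the thread's case, where only the remote network should go via the firewall), the second entry is the place to say so: put that gateway there, since option 121 replaces rather than supplements option 3.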
Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 18, 2018, 05:58:51 am
Let me try to simulate your configuration. On a secondary note, is there any specific reason why you are using OpenVPN for the site-to-site configuration? If port blocking is not an issue, IPsec would be better, as it has lower overhead.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 18, 2018, 11:17:02 am
The OpenVPN server is already configured in location B, where other devices are running. It would mean setting up a dedicated IPsec service just for this tunnel, or reconfiguring the whole network in this perspective.

Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 19, 2018, 03:00:19 am
Looks like a NAT is missing. You will have to have an outbound NAT configured on the OPNsense machine, since your PC network is outside of the networks defined in OPNsense and the return packets from the remote site do not know where to go.
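The reply-path problem in this post is easier to see traced through step by step. The model below is an added example, not code from the thread, from OPNsense or from pf: it does a longest-prefix route lookup on the firewall, applies an optional outbound (source) NAT on the tunnel interface, and then asks whether the remote site has a route back for the source address it actually sees. The PC network 10.20.10.0/24 and remote network 10.10.50.0/24 are from the thread; the interface names (`lan`, `wan`, `ovpnc1`, `tun0`), the tunnel subnet 10.8.0.0/24 with client address 10.8.0.2, and the remote site's routing table are assumptions. It also shows the alternative to NAT that the site-to-site how-to relies on: a route for 10.20.10.0/24 on the remote side pointing into the tunnel.

```python
"""Trace request and reply through routing + outbound NAT.

Added example, not OPNsense or pf code. Interface names, the tunnel subnet
10.8.0.0/24 (client side 10.8.0.2) and the remote routing table are
assumptions; 10.20.10.0/24 (PC network) and 10.10.50.0/24 (remote network)
come from the thread.
"""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match. table: list of (prefix, interface). Returns interface or None."""
    d = ipaddress.IPv4Address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(src, dst, table, nat_rules):
    """Route a packet and apply the first matching outbound NAT rule.

    nat_rules: list of (egress_iface, src_net, dst_net, new_src).
    Returns (egress interface or None, source address as seen by the next hop).
    """
    iface = lookup(table, dst)
    if iface is None:
        return None, src
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule_iface, src_net, dst_net, new_src in nat_rules:
        if (rule_iface == iface
                and s in ipaddress.IPv4Network(src_net)
                and d in ipaddress.IPv4Network(dst_net)):
            return iface, new_src
    return iface, src


def round_trip_ok(src, dst, local_table, nat_rules, remote_table,
                  tunnel_iface="ovpnc1", remote_tunnel_iface="tun0"):
    """True if the request leaves through the tunnel AND the remote can route the reply back into it."""
    iface, seen_src = forward(src, dst, local_table, nat_rules)
    if iface != tunnel_iface:
        return False
    return lookup(remote_table, seen_src) == remote_tunnel_iface


# OPNsense side (assumed): PC network on LAN, remote network via the OpenVPN client.
LOCAL_TABLE = [
    ("10.20.10.0/24", "lan"),
    ("10.8.0.0/24", "ovpnc1"),
    ("10.10.50.0/24", "ovpnc1"),   # check (iii): route to the remote network via the tunnel
    ("0.0.0.0/0", "wan"),
]
# Remote site (assumed): knows its own LAN and the tunnel subnet, nothing about 10.20.10.0/24.
REMOTE_TABLE = [
    ("10.10.50.0/24", "lan"),
    ("10.8.0.0/24", "tun0"),
    ("0.0.0.0/0", "wan"),
]
# Fix A: outbound NAT on the tunnel interface, masquerading the PC network as the tunnel address.
NAT_RULES = [("ovpnc1", "10.20.10.0/24", "10.10.50.0/24", "10.8.0.2")]
# Fix B (what the site-to-site how-to achieves by declaring the client's network on the server):
REMOTE_TABLE_WITH_ROUTE = REMOTE_TABLE + [("10.20.10.0/24", "tun0")]

if __name__ == "__main__":
    pc, target = "10.20.10.5", "10.10.50.10"
    print("no NAT, remote lacks route :", round_trip_ok(pc, target, LOCAL_TABLE, [], REMOTE_TABLE))
    print("reply would leave remote via:", lookup(REMOTE_TABLE, pc))
    print("with outbound NAT          :", round_trip_ok(pc, target, LOCAL_TABLE, NAT_RULES, REMOTE_TABLE))
    print("no NAT, remote has route   :", round_trip_ok(pc, target, LOCAL_TABLE, [], REMOTE_TABLE_WITH_ROUTE))
```

The first case is the failure in this thread: the request reaches 10.10.50.10, but the reply to 10.20.10.5 matches only the remote's default route and goes out its WAN. Either fix works; NAT costs you the real client addresses in the remote site's logs, while the route on the remote side keeps them but needs the server to be told about the client's network.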
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 19, 2018, 08:52:37 pm
OK, got an idea how that outbound NAT rule might look? Is it just the NAT I'm missing... I'm wondering?
Title: Re: opensense network not accessible for devices in LAN network
Post by: bigops on March 20, 2018, 05:55:25 am
Look here: https://forum.pfsense.org/index.php?topic=83907.0 You will be able to do something similar in OPNsense.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 24, 2018, 12:20:06 pm
Well... tried the suggested outbound method... did not work. I might have to end up using OPNsense, since I cannot find a way of doing this simple thing. From the description and sections of the interface it is not clear where the rule should be applied, on which interface and so on... sad.
Title: Re: opensense network not accessible for devices in LAN network
Post by: raklik on March 24, 2018, 08:08:14 pm
I mean, something in the documentation is incomplete. Again, I followed the steps as in https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html since it is exactly what I'm trying to achieve. This can be seen in the attached screenshots. Did I miss anything as per the documentation?

The server is a pure OpenVPN one, tested with a PC and Android, and it is working. Moreover, the OpenVPN client in OPNsense is connected.

There is a slight change in the IP networks. Basically now I have:

Client, location A 10.10.10.0/24
Vpn net 10.10.30.0/24
Server, location B 10.10.20.0/24