OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Crazyachmed on May 28, 2018, 01:27:53 pm

Title: OpenVPN packtes not transmitted
Post by: Crazyachmed on May 28, 2018, 01:27:53 pm

Hi all!

I set up an OpenVPN tunnel from my OPNsense to a RaspberryPi located in a remote network for a Site-2-Site tunnel. The tunnel itself is established successfully, correct routes are installed on both sides.

What works:
- Ping from both sides inside the VPN tunnel network
- Ping from the remote side to *any* of the firewall interfaces
- Ping from local LAN box to remote VPN tunnel address

What does not work:
- Ping from the firewall (or any local LAN box) to the remote-LAN-address of the raspi.
- everything else ;)

At first I thought this was due to ip_forward issues on the raspi, but a trace shows that there are no VPN-data packetes egressing from the firewall when pinging the remote-LAN (they are when pinging the remote tunnel address). Although they are visible when tracing the tun interface on the firewall.

Since pinging from the remote side to all firewall interfaces is working I suspect something regarding the rules is wrong (the remote ping is only working because the return path matches an established fw-state?). I have enabled logging for all the default rules and for all IPv4 deny-rules on the Floating, LAN and OpenVPN tabs. There is nothing in the logs and I even can see the pass-state created when pinging from the firewall itself.

I have noticed some oddities:

- Matching on "OpenVPN Network" in rules does not work, I've used an Alias for now. Is the expected behavior?
- Successfull matching on the VPN-Interface IPs when using "This Firewall" seems to depend on some devine interference?
- I can not edit my other OpenVPN connections, because it failes with "local port in use". I use two servers with the same port, one is IPv4, the other IPv6

Does someone have an idea why my box doesn't send out the packets to the remote LAN? Can I or should I assign the tunnel interfaces under Interfaces -> Assignments? This would allow me to dumb down my ruleset.

Cheers,
Flo

Title: Re: OpenVPN packtes not transmitted
Post by: Crazyachmed on May 29, 2018, 07:22:32 pm

OK, so I managed to fix my issue. I needed to add a Client specific override and add the "iroute" option pointing to the remote LAN.

OpenVPN only shows this issue on very high verbosity levels. Basically the kernel route is installed by the Remote LAN option under the server tab, but OpenVPN also needs an internal route.