OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: jds on August 17, 2018, 07:44:59 pm

Title: timeouts after adding an SSL server
Post by: jds on August 17, 2018, 07:44:59 pm
I have discovered a very strange problem---at least it seems strange to me, because there is no obvious relation.
Following the tutorial on setting up SSL VPN Road Warrior causes many outbound connections from my LAN
to time out---especially from Apple appliances.  This is repeatable, and I pinpointed exactly where the problem
occurs: when adding the SSL Server.

Now the details.  I followed, as exactly as possible, the tutorial found here for setting up the OpenVPN server:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
It worked beautifully, and I could reach my LAN from outside.  But, this setup started causing immediate problems
with many, but not all outbound connections.  I restored the configuration back to the beginning of this setup,
and connectivity to the outside from the LAN was again restored.

I tried setting up the SSL VPN Road Warrior again, following the instructions exactly.  Connectivity from outside
worked again, but there were again problems with LAN reaching outside on many connections.  I restored the
setting once again, and then checked LAN connectivity to outside at every single step of the tutorial. In fact,
I even rebooted my firewall after each step to be sure.  Doing this, I discovered that connectivity issues happened
after adding the SSL server.   Connectivity was also a problem after rebooting.  If I disabled the SSL server,
connectivity was restored.  The tutorial does not mention what to select for "Peer Certificate Authority", but it seemed
obvious that this should be "SSL VPN CA".  Otherwise, there was not much else to decide on.

I have set up OPNsense in a pretty standard way. After default bits, there were three modifications:

1) Backups of configurations to the cloud were added (which is extremely handy for debugging!).
2) An OpenVPN client was added.
3) I changed my DNS to use a pi-hole.

These things should not be related to the problem, but who knows? These took some work to set up, but
now work beautifully.

Any help is appreciated, because I really need access to this LAN from the outside.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 03:48:35 pm
No ideas? Am I posting in the wrong spot? Should I add more info?  :P
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 04:22:42 pm
I am not sure what would cause that issue.


If you can share what you did for Firewall -> NAT -> Outbound via a screenshot and any rules you've added via screenshots, that would probably be a good starting point.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 05:45:52 pm
Thanks for your help.

My NAT outbound rules are very simple so far.  All I did was change the two automatically generated rules to manual and handle my outbound client VPN.

Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 05:58:15 pm
You look to be missing an outbound NAT for your LAN network. I have one set up for my HomeVPN network as well:

https://i.imgur.com/NH1ipkP.png

I have a separate client OpenVPN as well so that's my other interface you see.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 06:31:57 pm
OK, if I understand correctly, you have one subnet (192.168.2.0) that goes out your VPN, and a second
subnet (192.168.1.0) that goes out normally.  For some reason, one of my interfaces looks incorrect,
and as you point out, there is a rule for outbound LAN missing.  I have made those two changes, and
everything seems to work OK still (without the SSL server enabled). I enable the SSL server as the tutorial
suggests, and the timeouts return.  I disable the SSL server, and everything works again.

Attached are my new NAT rules.  The SSL setup is the same as in the tutorial.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 06:35:08 pm
Yes, to share more details.

My LAN Interface is 192.168.1.1 and LAN Network is 192.168.1.0/24

My HomeVPN Tunnel Network is 192.168.2.0/24, so when a HomeVPN client connects, it gets a 192.168.2.x address.

So Outbound NAT is needed for both of those on the WAN Interface to allow LAN and HomeVPN traffic out respectively.

I personally redirect all my traffic through the HomeVPN as well once I connect.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 08:08:22 pm
OK, it seems like I now have similar NAT outbound rules, except only one subnet. I still have timeout problems with the SSL OpenVPN server enabled.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 08:10:26 pm
I'm not following.

Can you share screenshots of your Outbound NAT like I did, as well as what you've configured for your OpenVPN Tunnel?
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 08:26:32 pm
There is a screen shot of my NAT rules above.
Here are a couple of screen shots of my OpenVPN server settings.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 08:32:54 pm
What does this look like for you?

(https://i.imgur.com/jXWoFnoh.png)
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 08:41:38 pm
Sorry, am I missing something?  Isn't this what I attached above?
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 08:53:31 pm
When I click on the 2 images, I see the OpenVPN Server Settings.

I'm looking for Firewall->NAT->Outbound picture.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 09:06:31 pm
I think you are missing the one above that.  Here it is again.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 09:11:23 pm
Yes, so you'd want to delete the item on the OpenVPN Interface (your first line).

You can create another entry for the WAN interface with the subnet 10.10.0.0/24 which is your tunnel network.

Your outbound access breaks because you added a NAT on the OpenVPN interface.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 09:17:58 pm
If I do as you suggest, I lose all internet access.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 09:33:18 pm
Can you share a screen of what you have before you apply that causes you to lose all internet access?
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 09:42:27 pm
Wasn't clear on what you wanted, but attached are two screen shots: one that allows internet access, one that does not, appropriately labeled.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 09:47:57 pm
To make sure I'm following: when you apply that second policy, your LAN clients lose the ability to access the internet?
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 10:21:45 pm
Yes.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 21, 2018, 10:43:33 pm
I think I missed a key point to your config.

Did you add an OpenVPN Client or an OpenVPN Server?
Title: Re: timeouts after adding an SSL server
Post by: jds on August 21, 2018, 11:55:24 pm
Both!  The client works fine.  It is adding the server that causes problems.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 22, 2018, 02:49:03 am
Ok. You have me pretty confused. In your OP, you linked to a guide running an OpenVPN server on your router so the config I shared/suggested would make sense and work for that.

If you are configuring an OpenVPN client on your router and using that to route traffic, that's a much different config and what you are seeing makes sense.

So from a big picture, what are you trying to setup and accomplish?

I personally have my setup as an OpenVPN server on my router for remote access in and an OpenVPN client for TorGuard that I route specific IPs through (all my torrent traffic).

Title: Re: timeouts after adding an SSL server
Post by: jds on August 22, 2018, 02:58:49 am
I believe that my original post did explain that I am trying to set up an OpenVPN server on a firewall that already has an OpenVPN
client, which sounds similar to what you have.  I am not seeking help in setting up the client---that already works. It is setting up
the server that causes some strange problems.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 22, 2018, 03:13:38 am
You want to not use the OpenVPN tab for anything. You want to create interfaces for your OpenVPN server and client.

(https://i.imgur.com/rrajS1Vh.png)

opnvpnc1 is my client
opnvpns1 is my server

Do you plan to route all your traffic through your VPN client?

I have a set of rules that route my specific LAN IPs through my OpenVPN client gateway:

https://i.imgur.com/7a5ICteh.png

I do not route my HomeVPN Server traffic through the VPN as it just goes through the regular WAN.

(https://i.imgur.com/lUsmVvMh.png)

Since it goes through the regular WAN, the tunnel network 192.168.2.0/24 gets a NAT on my WAN interface.

If I wanted my OpenVPN server to go through my VPN, I'd change the gateway from the default to the VPN gateway and give it a proper NAT.

I'm guessing your traffic, all of it, goes through your VPN, which is why the OpenVPN NAT interface you have works. The problem with using that is that it is for all OpenVPN and, as you see, it breaks things if you configure it there.

I also toggle this setting off so if my client VPN is down, no traffic goes out:

(https://i.imgur.com/QITkIUYh.png)
Title: Re: timeouts after adding an SSL server
Post by: jds on August 22, 2018, 01:44:26 pm
This is quite different from any of the tutorials or documentation that I have seen.
Which means that I am a bit lost on setting up the details now.  Do you have any
place to point me on such a setup?
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 22, 2018, 03:05:50 pm
I think every tutorial I've seen talks about setting up a single server or a single client.

TorGuard posts a tutorial for pfSense that I used as a starting point:

https://torguard.net/knowledgebase.php?action=displayarticle&id=208

Same concepts basically. The overlying goal is you do not want to use the OpenVPN tab for anything. Each time you create a VPN interface, map it back to the OpenVPN server or client as an interface and apply any rules or NAT for that specific interface.

If you use the OpenVPN tab, that's global for everything and you will not be able to NAT differently nor create any rules for the server or client specifically.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 25, 2018, 05:27:24 pm
I did not have time to get to this the past couple of days, but am now trying again.
These comments were very useful, and I am almost there.  At first I was a bit
confused by the comment about not using the OpenVPN tab for anything, since the
tutorial you point to does use that part of the menu.  I am still not sure what you mean
by that, but at any rate I use the OpenVPN tab on the menu to set up both the client
and the server.  Then, as you write, I add two new interfaces for the server and the client.
Then, I set up my NAT firewall outbound rules using these interfaces.   As soon as I
use this new OpenVPN client interface for my NAT rule, my timeout problems go away.

In other words, I can enable the SSL server for my OpenVPN server, and the outbound
traffic still works fine.  This is great progress, and your comment about interfaces was key!
As you say, there are no (known) tutorials that have both client and server setups for
openvpn.  Unfortunately, the tutorial for opnsense OpenVPN server setup does not suggest setting up
the NAT rules for openvpn through the interface.  Worse, there is no help for setting
up the client, except for pfsense, and it also fails to mention the interface bit.  Maybe there
is a way to help them improve the tutorial.

Anyway, now I have good access out of the LAN through my OpenVPN client.  I can also
login to my network from outside using the OpenVPN server, 2FA (TOTP), and a static IP
from freemyip.  However, when logged in, I do not yet have access to everything (or really
almost anything) on my LAN.  Almost certainly this is a NAT firewall rule, which I don't fully
understand yet.  There is (again) a conflict between your setup and what is in the tutorial
here.  For example, the tutorial suggests opening port 1194 to the WAN, but you have no
such rule.  Also, you do not have any NAT rule for the OpenVPN server, that I can see---
only for the client.   I am sure that it is something simple, but am afraid to mess too much
with NAT rules that are currently almost working.   Attached is my NAT rule setup.  Do
you have any suggestions?  Especially anything that would educate me about how
these are supposed to work?

Thanks again for your help.


Title: Re: timeouts after adding an SSL server
Post by: jds on August 25, 2018, 05:52:33 pm
I spoke too soon! Without making any (known) changes, I do NOT have access to my OpenVPN server.  So, a couple of
simple questions:

1) In setting up the OpenVPN server, do I use the WAN interface, or the OpenVPN Server interface?
2) Do I use the UDP protocol or the UDP4 protocol?
3) What exactly is the NAT firewall outbound rule? 

All of the tutorials get very vague at this last point, only showing the table, but each rule has a screen of
more settings than show up in the table.  Hence, I am scared to mess with these and lose all access to
the internet from my LAN (and invoking the wrath of she-who-must-not-be-contradicted).
Title: Re: timeouts after adding an SSL server
Post by: jds on August 25, 2018, 06:35:43 pm
Got it!  I was being stupid and trying to open up the port in firewall -> NAT -> outbound, instead of going to firewall -> NAT -> rules,
and putting two rules there: one to open up port 1194 on the WAN interface for IPv4 UDP, and a second rule for OpenVPN Server
interface to allow traffic from my server subnet (10.10.0.0/24) to everything.  Now I can VPN in, and have access to the whole LAN.
Yeah!   All of the bits and pieces are out there once I added your key point of going through the interfaces. Not sure I could reproduce
the whole thing, though.

Many thanks!
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 25, 2018, 07:18:26 pm
Yeah, at some point, I want to document and share what I did as I struggled quite a bit on using a HomeVPN Server and connecting an OpenVPN client as well. It took me quite some time to get port forwarding and everything to work so I have a nice backup of it now should I need to go back.

Happy to hear you got everything working!
Title: Re: timeouts after adding an SSL server
Post by: jds on August 25, 2018, 07:50:30 pm
That would be great if you could document that.  Let me know if you want to double-check anything with my settings.
I was so happy about getting it working, that I made a small donation to opnsense.

I hate to be too greedy, but it would be great if I could get my outside clients (e.g., my phone) to go out my router through
the VPN when I am logged in from outside.  Just clicking that button on the OpenVPN SSL server was not sufficient. I even
tried adding a firewall NAT rule, but that didn't do it either.  Have you tried?
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 25, 2018, 10:58:55 pm
So to rephrase, you'd go:

Remote Client through OpenVPN SSL Server -> OPN Router -> Out via OpenVPN Client (PIA/Torguard/etc)?

For me, I would have a rule under my HomeVPN Interface that routes out via my default gateway. You should be able to change that to the OpenVPN Client Gateway that is setup.

I'm home now so I can't test it but assume that is all it would be changing.
Title: Re: timeouts after adding an SSL server
Post by: jds on August 26, 2018, 08:07:10 pm
Yes, that is exactly what I want to do.  How would that be done?  I tried making a bridge between the client
and server, but that did not work.
Title: Re: timeouts after adding an SSL server
Post by: guest15389 on August 26, 2018, 11:50:29 pm
So for me, my OpenVPN Server Tunnel network is 10.0.8.0/24, so I added an Outbound NAT for that through my TorGuard Interface:

(https://i.imgur.com/r2QrggNl.png)

I added a rule to allow my HomeVPN to use the default gateway so it can do DNS and such and changed the 2nd rule to make it go out the TorGuard VPN and validated my IP address was from TorGuard:

(https://i.imgur.com/sMJLbfwl.png)
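The rule set the thread converges on (UDP 1194 open on WAN, a pass rule on the assigned server interface for the 10.10.0.0/24 tunnel, outbound NAT for the LAN and for the server tunnel on the assigned client interface, and the broken group-wide NAT shown as a counter-example), written out in pf syntax roughly as OPNsense would render it in /tmp/rules.debug. This is an added illustration, not rules from the thread or from OPNsense's own generator; the NIC names, the LAN subnet and the client gateway address are placeholders, and ovpns1/ovpnc1 are the names OPNsense uses for assigned OpenVPN interfaces.

```pf
# Macros. Interface names are assumptions: OPNsense names the assigned
# OpenVPN server/client interfaces ovpns1/ovpnc1; NIC names, the LAN
# subnet and the VPN client gateway address are placeholders.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
srv_net = "10.10.0.0/24"   # OpenVPN server tunnel network, as in the thread
ovpns1  = "ovpns1"         # assigned interface for the OpenVPN server
ovpnc1  = "ovpnc1"         # assigned interface for the OpenVPN client
vpn_gw  = "10.8.0.1"       # far end of the client tunnel (placeholder)

# The rule that broke LAN egress: "openvpn" is the interface group that
# holds every OpenVPN tunnel, so it also binds to the server tunnel the
# moment the server is enabled. Kept here only as the counter-example.
# nat on openvpn from $lan_net to any -> (openvpn)

# Outbound NAT (Firewall -> NAT -> Outbound), one rule per assigned interface
nat on $wan_if from $lan_net to any -> ($wan_if)   # LAN out the regular WAN
nat on $ovpnc1 from $lan_net to any -> ($ovpnc1)   # LAN out the VPN client
nat on $ovpnc1 from $srv_net to any -> ($ovpnc1)   # road warriors out the VPN client

# Firewall rules (Firewall -> Rules)
# WAN: let remote clients reach the OpenVPN server.
pass in quick on $wan_if inet proto udp from any to ($wan_if) port 1194
# LAN: policy-route LAN hosts into the client tunnel (the "gateway" field
# in the OPNsense rule becomes pf's route-to).
pass in quick on $lan_if route-to ($ovpnc1 $vpn_gw) inet from $lan_net to any
# Server interface: connected clients reach the LAN (and DNS on the
# firewall) via the default gateway ...
pass in quick on $ovpns1 inet from $srv_net to $lan_net
# ... and everything else through the VPN client, which the NAT above
# then translates to the client tunnel's address.
pass in quick on $ovpns1 route-to ($ovpnc1 $vpn_gw) inet from $srv_net to any
```

With the server's redirect-gateway option set, remote clients send all traffic into ovpns1, so the last two rules decide where it leaves; without a route-to on the server interface that traffic would follow the default route out the WAN.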
Title: Re: timeouts after adding an SSL server
Post by: jds on August 28, 2018, 03:28:34 am
Brilliant!  The NAT outbound rule worked.  I did not need the second rules when I used the button that redirects gateway in the
OpenVPN server.  If I tried your second set of rules, I ran into problems.  However, now away from home, I can log into my
network with 2FA, and access everything at home, and, if I go elsewhere, I get the ad blocking of my piholes, and everything
through the VPN.  Great. Many thanks.