OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: sporkman on October 11, 2018, 12:47:46 am

Title: OpenVPN client firewall rules
Post by: sporkman on October 11, 2018, 12:47:46 am
I'm still migrating from that other *sense, so bear with me...

At home, I have my current firewall setup as an openvpn client to 3-4 sites.  Those sites are all just openvpn running on FreeBSD, not any sort of firewall distro. This works, but my current config is ugly, with a mess of NAT rules, some weird magic to make firewall rules work on the openvpn client interfaces, and other things that were really just arrived at by accident.

I was looking at the docs and it's not totally clear to me - how is firewalling on the openvpn client interfaces handled? Can I treat it like any other interface or is it "special" because it's openvpn (which admittedly complicates things - it basically has its own internal routing table).

If it matters, I also run openvpn as a server on this same firewall for remote access.
Title: Re: OpenVPN client firewall rules
Post by: franco on October 17, 2018, 10:43:21 pm
From the firewall perspective it works like any other device: outbound traffic through your VPN tunnels is always allowed, inbound traffic is managed via "OpenVPN" auto-interface in firewall rules. This one clusters all your VPN so adding a pass all will pass all incoming tunnel traffic. Usually what you want, but not always. :)

Title: Re: OpenVPN client firewall rules
Post by: sporkman on October 18, 2018, 05:38:12 am
I'm having a hard time with this.  I remember in **sense I had to do a whole bunch of nonsense.  So far not having luck with this setup either.

I know about the OpenVPN tab, but I thought that only applied to the server. I'm happy with how the server portion works - this is a home firewall and I use the OpenVPN server if I want to work from a coffeeshop or whatever.  Works great, no complaints.

My understanding is that the OpenVPN firewall tab is only for the main server interface.  I have 3 OpenVPN client instances to bring up, that's where I run into issues.

Currently I'm not even getting as far as having the firewall pay attention to the pushed remote routes from the servers it connects to. They show up in the system routing table, but they are not being used - I know this because when I ping an IP that should be reached over the VPN I occasionally get back answers like this:

Request timeout for icmp_seq 3186
76 bytes from b3312.nwrknj-lcr-22.verizon-gni.net ( Destination Net Unreachable

So my packet being sent to is not following the route I see in the opnsense routing table, it's heading out the default gateway - at least that's the only explanation I have for one of my ISP's routers to be replying to the ping...
Title: Re: OpenVPN client firewall rules
Post by: sporkman on November 01, 2018, 08:15:58 pm

I have the point to point link setup. My main issue is why my packets don't follow the routes and instead end up heading out the default gateway.

So what's causing the traffic to flow via default gw instead of the routing table? NAT (prior to routing table)? Something in OpenVPN's internal routing table not working?

Here's some quick screenshots showing:

Title: Re: OpenVPN client firewall rules
Post by: sporkman on December 02, 2018, 03:00:22 am
Just another bump - I can't be the only one here doing site to site with openvpn, can I? :)