OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: sporkman on October 11, 2018, 12:47:46 am

Title: OpenVPN client firewall rules
Post by: sporkman on October 11, 2018, 12:47:46 am
I'm still migrating from that other *sense, so bear with me...

At home, I have my current firewall setup as an openvpn client to 3-4 sites.  Those sites are all just openvpn running on FreeBSD, not any sort of firewall distro. This works, but my current config is ugly, with a mess of NAT rules, some weird magic to make firewall rules work on the openvpn client interfaces, and other things that were really just arrived at by accident.

I was looking at the docs and it's not totally clear to me - how is firewalling on the openvpn client interfaces handled? Can I treat it like any other interface or is it "special" because it's openvpn (which admittedly complicates things - it basically has its own internal routing table).

If it matters, I also run openvpn as a server on this same firewall for remote access.
Title: Re: OpenVPN client firewall rules
Post by: franco on October 17, 2018, 10:43:21 pm
From the firewall perspective it works like any other device: outbound traffic through your VPN tunnels is always allowed, inbound traffic is managed via the "OpenVPN" auto-interface in firewall rules. This one clusters all your VPNs, so adding a pass-all will pass all incoming tunnel traffic. Usually what you want, but not always. :)


Cheers,
Franco
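To make Franco's point concrete, here is an added illustration in pf syntax of what the "OpenVPN" tab's rules amount to; it is not taken from Franco's post or from OPNsense's generated ruleset. OPNsense places every OpenVPN device (server ovpnsN and client ovpncN alike) into the pf interface group `openvpn`, so a rule written "on" the group matches traffic arriving through any tunnel, while a rule on a single device only matches that tunnel. The device name `ovpnc1` and the prefixes 10.77.77.0/24 (remote site) and 192.168.1.0/24 (local LAN) are assumptions for the example.

```pf
# Group rule: this is what a "pass any" on the GUI's OpenVPN tab boils down to.
# It matches inbound traffic on every ovpns*/ovpnc* device at once.
pass in quick on openvpn inet from any to any keep state

# Per-tunnel alternative: only let the remote site's LAN reach the local LAN
# over this one client tunnel, and drop everything else arriving on it.
# 'quick' makes pf stop at the first matching rule, so order matters.
pass in quick on ovpnc1 inet from 10.77.77.0/24 to 192.168.1.0/24 keep state
block in quick on ovpnc1
```

If you need the per-tunnel form in the GUI rather than raw pf, the usual approach is to assign the ovpncN device as its own interface so it gets a rules tab of its own; the group rule then stays minimal or empty.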
Title: Re: OpenVPN client firewall rules
Post by: sporkman on October 18, 2018, 05:38:12 am
I'm having a hard time with this.  I remember in **sense I had to do a whole bunch of nonsense.  So far not having luck with this setup either.

I know about the OpenVPN tab, but I thought that only applied to the server. I'm happy with how the server portion works - this is a home firewall and I use the OpenVPN server if I want to work from a coffeeshop or whatever.  Works great, no complaints.

My understanding is that the OpenVPN firewall tab is only for the main server interface.  I have 3 OpenVPN client instances to bring up, that's where I run into issues.

Currently I'm not even getting as far as having the firewall pay attention to the pushed remote routes from the servers it connects to. They show up in the system routing table, but they are not being used - I know this because when I ping an IP that should be reached over the VPN I occasionally get back answers like this:

Request timeout for icmp_seq 3186
76 bytes from b3312.nwrknj-lcr-22.verizon-gni.net (100.41.220.228): Destination Net Unreachable

So my packet being sent to 10.77.77.2 is not following the route I see in the opnsense routing table, it's heading out the default gateway - at least that's the only explanation I have for one of my ISP's routers to be replying to the ping...
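When the symptom is "the route is in the table but packets still leave via the default gateway", the first thing to verify is what the table actually selects for the destination, because the kernel uses longest-prefix match and a more specific entry (or an abbreviated one you misread) wins over the pushed /24. The following is an added diagnostic, written for this thread and not part of OPNsense or the original posts: it parses the output format of FreeBSD's `netstat -rn` and performs the same longest-prefix lookup the kernel does. The routing table below is constructed to resemble the described setup; the interface names (igb0, igb1, ovpnc1), the tunnel endpoints 10.77.77.5/.6 and the upstream gateway 100.41.220.1 are assumptions.

```python
"""Longest-prefix route lookup over a FreeBSD/OPNsense 'netstat -rn' dump.

Added diagnostic for the thread; not OPNsense code. SAMPLE_NETSTAT is a
CONSTRUCTED table modelled on the poster's description (pushed route for
10.77.77.0/24 through an OpenVPN client device).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout FreeBSD's 'netstat -rn' prints.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            100.41.220.1       UGS        igb0
10.77.77.0/24      10.77.77.5         UGS      ovpnc1
10.77.77.5         link#8             UH       ovpnc1
10.77.77.6         link#8             UHS         lo0
100.41.220.0/24    link#1             U          igb0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#3             U          igb1
"""

# Same table with the pushed route missing: what the kernel sees if OpenVPN
# never installed it (or it was later withdrawn).
SAMPLE_WITHOUT_PUSHED_ROUTE = "\n".join(
    line for line in SAMPLE_NETSTAT.splitlines()
    if not line.startswith("10.77.77.0/24")
)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next hop address, or 'link#N' when directly connected
    flags: str
    netif: str


def _to_network(dest: str) -> ipaddress.IPv4Network:
    """Turn a netstat Destination column into an IPv4Network.

    Handles 'default', host entries without a prefix length, and FreeBSD's
    habit of dropping trailing zero octets (e.g. '10.77/16').
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen or 32}", strict=False)


def parse_netstat(text: str) -> List[Route]:
    """Extract IPv4 routes from 'netstat -rn' output; the IPv6 section is skipped."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            in_table = False
            continue
        if cols[0].startswith("Internet6"):
            break
        if cols[0] == "Destination":
            in_table = True
            continue
        if not in_table or len(cols) < 4:
            continue
        dest, gateway, flags, netif = cols[:4]
        try:
            network = _to_network(dest)
        except ValueError:
            continue   # not an IPv4 destination
        routes.append(Route(network, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dest wins."""
    ip = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def explain(routes: List[Route], dest: str) -> str:
    """Human-readable statement of which entry the kernel would pick."""
    r = lookup(routes, dest)
    if r is None:
        return f"{dest}: no route"
    via = "directly connected" if r.gateway.startswith("link#") else f"via {r.gateway}"
    return f"{dest}: matches {r.network} {via} on {r.netif}"


if __name__ == "__main__":
    good = parse_netstat(SAMPLE_NETSTAT)
    print(explain(good, "10.77.77.2"))   # expect ovpnc1
    print(explain(good, "8.8.8.8"))      # expect default via igb0
    print(explain(parse_netstat(SAMPLE_WITHOUT_PUSHED_ROUTE), "10.77.77.2"))
```

Feed it the real `netstat -rn` from the OPNsense box. If the lookup lands on the tunnel device yet the ICMP "net unreachable" still comes back from the ISP, the routing table is not the culprit, and the usual suspects are a LAN firewall rule with a gateway set (OPNsense's policy routing overrides the system routing table for traffic that matches such a rule) or the reply being generated by the far end of the tunnel rather than by your own default gateway. Outbound NAT is applied on the outgoing interface after the routing decision, so it cannot by itself steer a packet away from the tunnel.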
Title: Re: OpenVPN client firewall rules
Post by: sporkman on November 01, 2018, 08:15:58 pm
Anyone?

I have the point to point link setup. My main issue is why my packets don't follow the routes and instead end up heading out the default gateway.

So what's causing the traffic to flow via default gw instead of the routing table? NAT (prior to routing table)? Something in OpenVPN's internal routing table not working?

Here are some quick screenshots showing:


Title: Re: OpenVPN client firewall rules
Post by: sporkman on December 02, 2018, 03:00:22 am
Just another bump - I can't be the only one here doing site to site with openvpn, can I? :)