22.1 Legacy Series / OpenVPN Wizard Not Creating interface [potential bug]
« on: February 20, 2022, 10:55:23 pm »
Good afternoon!
I went through several OpenVPN setup tutorials and am confident I have almost everything set up correctly (internal CA, server certificate, OpenVPN Server with the aforementioned server certificate, user with client certificate). I made a test connection from my phone using the OpenVPN client by importing the .ovpn profile. The connection was successful and I see it under the "Connection Status" tab.
This is where things get a little weird and I'm left with a few questions.
1. I've tried pinging back and forth (from phone to servers, gateway, and vice versa). Looking through the firewall logs, I can see the traffic getting allowed. However, the response is never received. I ran a packet capture and checked it out in Wireshark and it said the same thing. I can see my ping requests going out (from the VPN client to the default gateway, or to a server it should have access to) but the response is never received. And this isn't unique to ping; I can't seem to receive any kind of response. But the traffic is definitely not getting blocked. I also cannot ping the VPN client from the firewall itself or from servers behind the firewall, even though the firewall logs show the traffic being allowed. I've tried pinging the client IP from all the different interfaces.
None of the tutorials I followed did anything with NAT, so I'm thinking there may be a routing problem, but I don't know how to solve it. And this leads me into my second question...
2. I used the setup wizard to create the OpenVPN server. It did NOT create a new interface under Interfaces. However, looking at the interfaces under Firewall -> Rules, I do see a new one named "OpenVPN". But if I go back to Interfaces and go to Assignments, I see that there is a new interface that is ready to be created. So I went ahead and added/enabled it. This resulted in a second OpenVPN interface being listed under Firewall -> Rules.
Something tells me that I shouldn't do this, but I feel like the interface needs to be Enabled at the very least. Is there a reason why the Interface wasn't created by OPNsense but it still shows up under Firewall -> Rules?
3. During the setup for the OpenVPN server, it asked for the "IPv4 Tunnel Network" and the "IPv4 Local Network/s". I don't want the clients to have access to my LAN. I had already created a designated DMZ that I would allow them access to instead and put that CIDR into the IPv4 Local Network/s field. However, I don't understand the logic behind the "IPv4 Local Network/s" setting. I'm just going to create firewall rules for the OpenVPN interface to allow it access to where I want it to access. So what's the purpose behind this setting, why is it necessary?
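Added example, not code from the post above or from OPNsense itself. It models two of the things the post asks about: what the wizard's "IPv4 Tunnel Network" and "IPv4 Local Network/s" fields actually become in the server configuration (a `server` directive and `push "route ..."` lines, which only tell the client what to send into the tunnel and are not firewall rules), and a return-path check for a host behind the firewall, since "request logged as passed, reply never arrives" is the signature of the reply being handed to a gateway that is not the VPN firewall. All addresses are constructed for the example (10.8.0.0/24 as tunnel network, 192.168.50.0/24 as the DMZ, 192.168.50.1 as the firewall's DMZ address); the routing tables are made up to show the three cases, not a diagnosis of the poster's network.

```python
import ipaddress

# Added example (not from the forum post or from OPNsense). Addresses below
# are constructed: 10.8.0.0/24 tunnel network, 192.168.50.0/24 DMZ,
# 192.168.50.1 as the firewall's DMZ-side address. Adjust to your layout.


def openvpn_server_directives(tunnel_network, local_networks):
    """Render the server-side OpenVPN directives that the wizard's
    'IPv4 Tunnel Network' and 'IPv4 Local Network/s' fields turn into.

    'server' hands out tunnel addresses and installs the tunnel route on
    the firewall; each local network becomes a 'push "route ..."' that
    tells the *client* which destinations to send into the tunnel.
    None of this is a firewall rule: what a connected client may reach
    is still decided by the rules on the OpenVPN interface/group.
    """
    tun = ipaddress.ip_network(tunnel_network, strict=True)
    lines = [f"server {tun.network_address} {tun.netmask}"]
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def reply_next_hop(host_routes, dst_ip):
    """Longest-prefix lookup in a LAN/DMZ host's routing table.

    host_routes: list of (cidr, next_hop); next_hop None means on-link.
    Returns the next hop as an ip_address, the destination itself for an
    on-link route, or None when nothing matches (no default route).
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, via in host_routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    return dst if best[1] is None else ipaddress.ip_address(best[1])


def reply_reaches_firewall(host_routes, firewall_ip, vpn_client_ip):
    """True when the host's reply to a VPN client is handed to the firewall
    that terminates the tunnel. If it goes to any other router, the request
    shows up as passed in the firewall log but no answer ever comes back:
    the asymmetric-routing failure mode."""
    return reply_next_hop(host_routes, vpn_client_ip) == ipaddress.ip_address(firewall_ip)


if __name__ == "__main__":
    for line in openvpn_server_directives("10.8.0.0/24", ["192.168.50.0/24"]):
        print(line)

    firewall_dmz_ip = "192.168.50.1"
    vpn_client = "10.8.0.2"
    # DMZ host whose default gateway is the firewall: reply comes back.
    good_host = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]
    # DMZ host whose default gateway is a different router: reply is lost.
    bad_host = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.254")]
    # Same host with a static route for the tunnel network via the firewall.
    fixed_host = bad_host + [("10.8.0.0/24", "192.168.50.1")]
    for name, routes in (("good", good_host), ("bad", bad_host), ("fixed", fixed_host)):
        print(name, reply_reaches_firewall(routes, firewall_dmz_ip, vpn_client))
```

The second check is the one to run mentally against every host you expect VPN clients to talk to: if its path back to the tunnel network does not go through the OPNsense box, either make the firewall that host's gateway for the tunnel network or NAT the VPN clients to the firewall's own address on the destination interface. The first function is why "IPv4 Local Network/s" cannot be used as an access control: it only changes what the client routes into the tunnel, so restrict access with rules on the OpenVPN interface.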