Topics

I have 2 VLANs (example):

• VLAN1 - 192.168.1.1/24
• VLAN2 = 192.168.2.1/24

In VLAN2, I have a firewall rule that explicitely blocks all traffic (inbound), however, if I say RDP from devices in these VLANS from VLAN1 to VLAN2, I am able to make the connection, even through in my VLAN2 firewall rules I explicitely deny all traffic.

Looking at the firewall traffic, I have a floating rule that allows the traffic labeled "let out anything from firewall host itself" - I assume thus that because both of these VLANS have their gateways in the firewall, the inter-connection between VLAN's is allowed through their gateways?

How do I fix this? We definately want to restrict inter VLAN connections but also dont want to fiddle with built in firewall rules that can block unexpected traffic.
 

I'm trying to setup an openVPN server that will effectively only have access to 1 single VLAN. It should not be able to use the gateway as a WAN interface. I am trying to set it up so that the enduser cannot bypass the config we provide (noroute pull with a specific IP VS redirect-gateway def1) -

I have setup an openVPN server using the wizard:

- TCP port
- Listens for all interfaces
- Local network accessible only has the local network of the VLAN
- I have added the rule in the wizard to permit traffic from clients on the internet to the openvpn server process (I assume this rule is the one that allows for the public to connect to the actual VPN)
- I have not ticked the option to enable all traffic from connected clients to pass accross the VPN tunnel.

Following this, I created a test user, exported the config and can connect successfully. I then updated my local config to include redirect-gateway def1 so that I can test whether I can then use the firewall as a gateway to the public.

I can confirm that as things stand now, I can access the internet through the VPN, which I dont want (I did an IP check and can confirm the IP returned is the IP of the gateway).

I assume this is firewall rules, so had a look at the liveview so that I can try and estimate what is happening. When I access a specific website (knowing their IP address for the filter, the following rule is applied to allow th e traffic. The issue is that the src IP is the gateway IP, not a VPN IP:

|| || |WAN||2024-06-10T11:57:53|[GATEWAY IP MASKED]|[DESTINATION PUBLIC IP Masked]|tcp|let out anything from firewall host itself (force gw)|

The rule seems self explanatory, but I cannot disable the rule altogether as this will then stop the gateway from accessing the internet altogether. I simply just want to restrict the users connecting to the particular VPN from accessing anything accept a single IP in a VLAN already configured on the opnsense appliance.

As a further test, in the firewall live view I used the src IP 10.1.92.6, which is the IP assigned to the user. Interestingly enough the live view in the firewall shows no traffic for this particular IP, although the VPN user is connected to it. I expected some logs containing the IP, even when I try to access say a private IP.

I assume I am misunderstanding a core concept, so hope someone can help a brother out here as this seems like a simple setup but I am baffled with this :)

We have 3 interfaces:

• WAN
• LAN (10.0.10.1/24)
• 10GBLAN (10.0.20.1/24)

We're unable to route between the 2 networks connected to the opnsense box. From LAN I can access all LAN clients (as one should as they are all connected to the same switch).

On 10GBLAN (new network), I can ping the gateway and gain access to the internet (so in theory the LAN works)

I can however not ping from say 10.0.10.133 to 10.0.20.2 although I have an "allow all rule" in both interfaces (for testing obviously)

I am however able to from LAN (10.0.10.133) access the opensense firewall on 10.0.20.1, so access between LAN atleast to the firewall on the different subnet is working

Same counts for the other way around, if I try to access anything from the 10GBLAN (10.0.20.2) and try to ping 10.0.10.133 (for example), it does not work.

Both LAN and 10GBLAN has access to the internet, so I am able to break out to the internet from both switches meaning atleast the opnsense box recognizes both interfaces and clients as it's able to route out to the internet

If I look at the Live view, it appears that when I try to ping / access 10.0.20.2 from 10.0.10.133, (say https://10.0.20.2 which is working), in the live view my interface does not show LAN but rather WAN, so it appears that the opnsense server does not route traffic over the LAN / 10GBLAN interfaces but rather attempt to send the request over the internet.

I feel I can rule out firewall as when I for example ping, the ping request in live view is green or "Accepted" but it's not routing the traffic between the 2 switches but rather over the internet.

I am a bit baffled as the config looks identical of the interfaces and face value everything works.

Any ideas?

I have a number of 1:1 NAT's configured between WAN and LAN, and all of the WAN IP's are VIP's (IP's routed through my primary WAN IP).

When I connect to openVPN, I can access the LAN side, but none of the WAN VIP IP's are responding either to ping - I cannot even see the traffic within the firewall, almost as if my request is getting lost between openVPN and the routes.

In my local openVPN confige I have route-nopull and only route selected IP's through my VPN. In principle this works as I can still connect to the LAN using my VPN connection, but when we have services setup with an external DNS server (which points to the public IP), it's a tedeous task to keep updating local openVPN configuration.

So question time:

• Has anyone setup something similar where they're able to connect to the openVPN server and still have access to the WAN virtual IPs?
• My next option seems to be running a DNS server in opnsense so that connected VPN clients can hopefully get the record from the internal DNS VS external one. I am however only getting this to work if I change my network settings on my laptop and change my WIFI / lan DNS to point to the WAN IP of the gateway. If I don't, my network interface disregards the internal DNS and still points to the external DNS servers (like 8.8.8.8)
  

What is the correct / recommended / "industry norm" when it comes to this kind of setup? I imagine I am not configuring my various services correctly or the way it was intended on working.

We're setting up HA and want to ensure that all of our VPN traffic is routed through a CARP IP instead of the default WAN IP of the master firewall.

For sake of demo, I am using the following IP's:

- WAN IP: 129.232.0.2 (this is the new WAN IP)
- CARP IP: 129.232.0.1 (this is the old WAN IP which is now added as a CARP IP through which I want all my vpn traffic to go)

1. I changed the WAN IP to the new WAN IP 129.232.0.2
2. I added the old WAN IP as a CARP IP 129.232.0.1
3. I changed my VPN config's interface to a single IP 129.232.0.1 (so that our VPN configs don't need an update)

As expected all of my VPN traffic is now routed through 0.2 but I need to change this to 0.1

I assume I need to add an outbound route under NAT and attempted the following:

Code Select Expand

WAN openVPNInternal net * * * 129.232.0.1/32 * NO OpenVPN route to the original static IP

Even after restarting openVPN and applying changes, my traffic is still routed through 0.2 instead of 0.1

Any advice / tips / helping hand will greatly be appreciated :)

I have 2 openVPN servers:

VPN1 - 10.1.11.0/24
VPN2 - 10.1.90.0/24
LAN - 10.1.10.0/24

VPN1 I want to allow full access to the LAN network, for VPN2, I want to restrict this traffic to only a select set of IP Addresses on LAN (say for example IP 10.1.10.44, rest should all be blocked).

I am currently able to ping any IP on the 10.1.10.0/24 range from both VPN services, regardless what I apply for the rules.

My setup was:

• I created an interface for both vpn's so that I can manage rules independantly

My rules are (per interface):

[openVPN]:
Block all traffic where the source is VPN2, destination set to all
I dont have any other rules (so realistically all traffic should be blocked on the openVPN interface)

[VPN1]
All allow traffic, all sources to all destinations

[VPN2]
1 allow rule where source is * and destination is a specific external IP (wanted to see if the VPN routes and it does route the correct IP here)
No other rules, thus I believe all traffic should be blocked

[LAN]
1) Source VPN2 with * destination blocked
2) Source * with * destination allowed (I am worried I lock myself out of the network)

What I am expecting is that VPN1 should work as expected (which it's doing) but VPN2 should not be able to ping any IP's on LAN at all and only have traffic allowed to the 1 external IP I have setup (this seems to work)

What am I missing here? How do I setup "VPN Specific" rules?

I have the following:

- WAN IP 129.232.150.165
- My ISP is routing a 129.232.150.168/29 through the WAN gateway 129.232.150.165
- I want to setup 1:1 NAT so that traffic between 129.232.150.170 and an internal IP on a different interface (fibreLAN) with IP 10.1.31.2

I have:

1) Created a virtual IP, I am however not sure if I need to individually add all the IP's from my virtual IP range (129.232.150.169 - 129.232.150.174) or if I can add the entire range as a virtual IP (thus 129.232.150.168 / 29) - If individually, should I then set my IP as a /32 or do I leave each individual virtual IP still within the /29?

2) My next step is to setup a 1:1 nat - I am however not sure if I have my following iterms correct:

- In my case, must the external network be the actual IP address I wish to forward from the WAN side (for example 129.232.150.170?)
- Or must the source IP be 129.232.150.170 or must this be the internal / private IP on the fibre side
- Lastly, the destination, should this me the fibre IP or must this be set as "any" (I got this from a youtube channel)
- AFter setting up the NAT, is there still any reason to add additional firewall rules for individual services? If so, what would be the source / destination network?

I have tried a number of options but I simply cannot get it working. I am expecting to ping for example 129.232.150.170 and have it ping the internal host, but no luck.

[openvpn connect (version 3)]

I've recently made the jump from PFSense to OPNsense and very impressed, so much so that I've setup a blade in our cabinet and would like to explore using this as a permanent firewall in our environment.

I am trying to setup a remote access VPN (openVPN) so that I can connect to the LAN interface connected to the servers in our cabinet. I would like to use both authentication + TLS authentication.

I have done the following so far:

1) I created a CA
2) I have created a server certificate which uses the CA created above
3) I have configured a openVPN server with the following:

- Remote Access (SLL/TLS + User Auth) that uses local database
- UDP
- TUN
- interface is set to any
- 1194 local port
- TLS Authentication is enabled with encryption
- CA is the CA created in step 1
- Server Certificate set to the cert created in step 2
- Strict user / CN matching is disabled
- IPv4 Tunnel is set to 10.1.101.0/24 (this is the network I wish for my VPN clients to be assigned an IP address when connected)
- IPv4 Local Network is set to a /24 which I want to access (these would be the server IP range)
- Dynamic IP
- Address Pool is enabled
- DNS is set to 8.8.8.8
- All other settings are default
5) I created a firewall rule on the WAN input to allow traffic to all (I will change this once I get the VPN working, I just wanted to ensure issues are not related to the firewall itself)
6) I created a user under Access > Users

- User is part of admins
- I created a user certificate that uses the CA created in step 1, certificate type is a Client Certificate

7) I then did a client export under VPN > OpenVPN with my

- hostname being the WAN IP and port 1194
- I disabled validate server subject
- All other settings are default

My config looks like this (with just the remote and pkcs12 filename changed):

Code Select Expand

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote MYWANIP 1194 udp
lport 0
auth-user-pass
pkcs12 changed.p12


I then tried the following 2 openVPN clients:

openvpn connect (version 3)

This was quite a tricky one to try and figure out and still dont know if I got it right

1) I imported the config which told me that it could not assign a certificate and key - AFter some troubleshooting I managed to import it via command line - I took the "changed.p12" file that came with the bundle and imported it with the flag --import-certificate=<path-to-certificate>
2) When I however try and connect, I immediately get the following error: "ssl_context_error: OpenSSLContext: CA not defined"

I cannot imagine that OPNsense export would not include the certiticate authority as part of the p12 file so imagine this to be a bug?

openvpn GUI(version 2.5)


Having had no success with openVPN connect in the past and normally getting better data from the openVPN GUI console, I opted to install the GUI, stored my config files (ovpn and pk12 file) in the config folder for openVPN which allows me to connect to it.

Trying to connect:
1) I am prompted for my credentials and then get the following recurring messages:

Code Select Expand

Sat Jul 30 11:19:42 2022 UDP link remote: [AF_INET]GATEWAYIP:1194
Sat Jul 30 11:19:42 2022 VERIFY ERROR: depth=0, error=self signed certificate: CN=OPNsense.localdomain, C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense self-signed web certificate, serial=195040175418146406786703695850969686114336621681
Sat Jul 30 11:19:42 2022 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Jul 30 11:19:42 2022 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jul 30 11:19:42 2022 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 30 11:19:42 2022 TLS Error: TLS handshake failed
Sat Jul 30 11:19:42 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 30 11:21:02 2022 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.


And this is where I am, I dont know what I am missing as I am sure I followed the instructions correctly but cannot get this working. Any ideas?

I'm using the Client Export to export my VPN users, works perfectly. The package contains the ovpn, pk12 and tls.key file - Config works on Windows, but when trying to run on Linux (in my case a centOS 7 server), I get the following error:

Code Select Expand

2022-04-10 15:38:39 >> Connection, Client connecting
2022-04-10 15:38:39 Client DEBUG: OpenVPN core 3.git:HEAD:7765540e linux x86_64 64-bit
2022-04-10 15:38:39 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2022-04-10 15:38:39 Client -- ERROR --: Connection failed: ssl_context_error: OpenSSLContext: CA not defined
2022-04-10 15:38:39 Client DEBUG: Connection failed: ssl_context_error: OpenSSLContext: CA not defined
Session closed

My config looks like this:

Code Select Expand

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote IP 1194 udp
lport 0
remote-cert-tls server
auth-user-pass
pkcs12 user.p12
tls-auth user-tls.key 1

I assume this may be because the client export is exporting config for Windows, hence the p12 file. Any ideas how to get this resolved?

Out of the box setup, both clients can connect (set out a network 192.168.231.0/24):

Client A gets 192.168.231.10
Client B gets 192.168.231.11

Both can ping the gateway and access the gateway (192.168.231.1) but they have no access to eachother. I have opened rules under "openvpn" with no difference. What am I doing wrong?

I need to setup a VPN between a single device at office A to connect to 2 - 3 devices at site B. I using openVPN but unable to get a successful connection with log indicating:

Code Select Expand

2022-03-25 19:38:38 open_tun
2022-03-25 19:38:38 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-03-25 19:38:38 ERROR: --dev tun also requires --ifconfig
2022-03-25 19:38:38 Exiting due to fatal error

My local config looks like this:

Code Select Expand

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote REMOTESITEIP 1194 udp
lport 0
remote-cert-tls server
pkcs12 Acme_DC_VPN_intellihost.p12
tls-auth Acme_DC_VPN_intellihost-tls.key 1

On the server side, I have the following:

• Peer to Peer
• UDP
• TAP
• IPv4 Tunnel Network: 192.168.231.0/30
• I want to give access to network 192.168.230.0/30

From what I can gather, I need to specify in my config file what IP address the connecting device would get (I assume then in the 192.168.231.0/30 range like 192.168.231.2? I am able to connect fine using TUN, TAP however gives the above.