Messages - Fatmouse69

#1
Ok, so long story short, I don't know what the problem was while my clients couldn't connect to the Internet, but it was gone the next day. I am using static IP addresses now, because the OSes of my clients are heterogeneous (Windows, macOS and Linux) and only on Windows did I get hostname resolution running reliably.
#2
Hi,
I am running a Road-Warrior setup which runs pretty fine, except that sporadically the DNS for my local network is not working on my VPN-clients. Sometimes they can ping e.g. host01.mylocaldomain.lan and sometimes they can't.

As a workaround I tried to set static DHCP leases for my local network hosts and on top of this override DNS entries for those static IPs (I am using Unbound DNS). But then my local clients (e.g. host01) aren't able to reach the Internet. I already tried to fix this by setting the gateway explicitly, but without success.

Hopefully somebody can give me a hint. Thank you very much for your time.

Kind regards
#3
18.7 Legacy Series / Re: Nextcloud backup woops?
March 11, 2019, 08:33:59 AM
Hi there, has the issue been solved? If so, I am curious how. Kind regards.
#4
Quote
I think that if a specific address is not entered for the WAN gateway, the default is none.
I have a rather similar setup to yours and in my case, setting a GW explicitly did not work. Only when I disabled it was I able to establish an Internet connection for clients in my LAN. Moreover and independently of that, the documentation of OPNsense (when you click the info icon of your WAN interface IPv4 Upstream Gateway section) says:
Quote
If this interface is a multi-WAN interface, select an existing gateway from the list or add a new one using the button above. For single WAN interfaces a gateway must be created but set to auto-detect. For a LAN a gateway is not necessary to be set up.
Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running ;)
#5
Hi bulldog,
Quote
When asked to give the address of the gateway for the WAN, I entered the ip address of the LAN interface (...)
the gateway of your OPNsense WAN interface should not be its LAN interface. When you only have one WAN interface then set this option to Auto-detect (default).
Quote
(...) I then answered no to the question to use the LAN gateway address for DNS.
Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?

Kind regards, David
#6
Quote from: bulldog3346 on October 21, 2018, 11:28:56 PM
Thanks for the offer. At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings. However, the rules I tried that did not work were LAN -> WAN allow port 80 and 443 to WAN and WAN -> to LAN allow 80 and 443 to LAN. I did check

I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.
#7
18.7 Legacy Series / Re: OpenVPN not working
October 22, 2018, 12:19:13 PM
So I finally found my solution  :D

First of all, thank you Bart for your patient support.

I couldn't get it working until I set a manual NAT rule for my WAN interface which masked everything going out. Can anybody tell me why this is necessary? Before the deployment of my OPNsense it was set up in a lab environment and clients did have internet access without this NAT rule. Now I need it for both LAN and VPN-connected clients to access the internet.

Best regards, David
#8
18.7 Legacy Series / Re: OpenVPN not working
October 22, 2018, 07:59:27 AM
Good morning,
Quote from: bartjsmit on October 21, 2018, 09:53:43 PM
Are you redirecting the gateway on the VPN clients? It's under 'tunnel settings' on the VPN server page.
Yes, as I wrote above, I enabled this option.
Quote from: bartjsmit on October 21, 2018, 09:53:43 PM
Try taking out the source restriction in the VPN firewall rule (replace 10.0.0.0/24 with *). The client may not use the VPN address as its source IP.
I already generalized this and other restrictions in the firewall rules to avoid any interference.
Quote from: bartjsmit on October 21, 2018, 09:53:43 PM
If nothing improves, it's worth running a packet capture on the OpenVPN interface to further analyse the traffic.
I am with you. Let's see if this will bring me some more insight.

All the best, David
#9
18.7 Legacy Series / Re: OpenVPN not working
October 21, 2018, 08:22:25 PM
Quote from: bartjsmit on October 21, 2018, 09:18:39 AM
Hi David,

OPNsense is fine as far as routing is concerned since it has interfaces on 10.0.0.0/24 and 192.168.0.0/24. Can you check for updates from the web interface dashboard? If so, then OPNsense has internet access.

Do you have a router further upstream, or does OPNsense have a public (non-RFC1918) WAN IP address?

Bart...
Hi Bart,
OPNsense itself has internet access: I can ping hosts, check for updates and make nslookups for example.

I have a further router in front of the OPNsense - a FRITZ!Box 6490 Cable from my ISP (Unitymedia) which instructs me to set the public (non-RFC1918) IP address as manual IPv4 WAN address to make OPNsense directly accessible from the Internet. Furthermore, to avoid any interference from the FB, I set my OPNsense as exposed host, which results in the FB's firewall being deactivated for the OPNsense.

Kind regards (and ty for answering me on Sunday), David
#10
Quote from: bulldog3346 on October 21, 2018, 12:40:51 AM
Yes, I can ping by fqdn and ip from the client side, but can't open websites.  Your help would be greatly appreciated.

Frank

As I mentioned, check your logs. Any denied traffic should be listed there (requires logging of your firewall rules -> enable this option for each rule if in any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?
#11
If you can ping external hosts by IP and DNS but are not able to reach websites via HTTP/S, then this kind of traffic might get blocked/dropped somehow.

When you approve the question from Evil_Sense then I would look into the Firewall logs when you try to access an external website from a local client in the LAN and see how your firewall handles this.

Greetings, David
#12
Logs of your OpenVPN server, as well as of the client, would be helpful.

Btw: even though it is extremely unlikely, I also came across this old post, which describes a bug in combination with CRLs in v17.1: https://forum.opnsense.org/index.php?topic=4475.0
Not that you happen to be running an old version <= v17.1 and, by coincidence, are also using CRLs ;)
#13
Hi,

during my testing with OpenVPN I recognized that the Redirect Gateway option excludes the Local Network setting when I am creating or editing an OpenVPN service. But it does not when I am in the setup wizard. See screenshots attached.

Is this desired behavior?

Greetings, David
#14
18.7 Legacy Series / Re: OpenVPN not working
October 19, 2018, 07:47:03 AM
Quote from: bartjsmit on October 18, 2018, 10:45:23 PM
Hi David,

If you can ping your WAN IP but not beyond, then there is likely to be a routing issue. Make sure that the route to and from the internet edge router is either by default gateway, static route, or some form of dynamic routing protocol.

Bart...

Good morning,

sorry for the confusion, but I tested it right now and must confess that I am not able to ping the WAN IP address of my OPNsense by a VPN client.

Regarding the routing topic: shouldn't it be enough to set my IPv4 Tunnel Network to 10.0.0.0/24 and my IPv4 Local Network to 192.168.0.0/24? I thought this would result in proper routes for my VPN clients?
Btw I've enabled Gateway redirect because I want all traffic from the client sent through the VPN. So the Local Network option is hidden.

My current routes at the VPN client are as follows:

route add -net <WAN_IP> 192.168.2.1 255.255.255.255
route add -net 0.0.0.0 10.0.0.5 128.0.0.0
route add -net 128.0.0.0 10.0.0.5 128.0.0.0
route add -net 192.168.8.0 10.0.0.5 255.255.255.0
route add -net 10.0.0.1 10.0.0.5 255.255.255.255

With this I am only able to ping the VPN tunnel GW (10.0.0.1) and the LAN interface of my OPNsense. But not any further external IPs.

Kind regards, David
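The route table quoted in the post above can be checked mechanically to see where the client sends a given destination. The following is an added example (not code from the post or from OPNsense) that parses those `route add -net` lines, does a longest-prefix lookup, and confirms that the two /1 routes pushed by redirect-gateway together cover the whole address space; `<WAN_IP>` is replaced by a constructed placeholder from the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Route table from the post, with <WAN_IP> replaced by a constructed
# placeholder (203.0.113.10, documentation range).
ROUTES_TEXT = """
route add -net 203.0.113.10 192.168.2.1 255.255.255.255
route add -net 0.0.0.0 10.0.0.5 128.0.0.0
route add -net 128.0.0.0 10.0.0.5 128.0.0.0
route add -net 192.168.8.0 10.0.0.5 255.255.255.0
route add -net 10.0.0.1 10.0.0.5 255.255.255.255
"""


def parse_routes(text):
    """Parse 'route add -net DEST GATEWAY NETMASK' lines into (network, gateway) pairs."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:3] != ["route", "add", "-net"]:
            raise ValueError(f"unexpected route line: {line!r}")
        dest, gateway, netmask = parts[3], parts[4], parts[5]
        net = ipaddress.IPv4Network(f"{dest}/{netmask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(gateway)))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: return the gateway (as a string) used for dest, or None."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return str(best[1])


def covers_default(routes):
    """True when the two /1 routes (redirect-gateway def1 style) replace 0.0.0.0/0."""
    halves = {str(net) for net, _ in routes if net.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


if __name__ == "__main__":
    table = parse_routes(ROUTES_TEXT)
    print("full default via tunnel:", covers_default(table))
    for target in ("8.8.8.8", "192.168.0.1", "203.0.113.10", "10.0.0.1"):
        print(f"{target:>14} -> {lookup(table, target)}")
```

With this table every destination except the WAN IP itself is sent to the tunnel peer 10.0.0.5, so the reachability difference between the LAN interface and external hosts described in the post cannot come from the client's routes; it has to be looked for on the OPNsense side (forwarding, firewall rules or NAT).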
#15
18.7 Legacy Series / Re: OpenVPN not working
October 18, 2018, 03:28:29 PM
@bartjsmit: thanks for pointing this out.

Today I tested the productive setup and at least the VPN connection establishment worked fine.  :)
So it seems that the problem existed because I was testing this with a private WAN IP. Nevertheless, I do not know why...

Unfortunately, I stumbled across another problem which seems to be an erroneous firewall rule configuration: my VPN client (10.0.0.0/24), as well as clients in the local network (192.168.0.0/24) at the deployment location, can't access the Internet. All they are able to do is access everything in the local network including the WAN IP. But any access beyond this is not possible.

My firewall rules are attached and named accordingly.

I am pretty certain that I have made a mistake regarding the rules.

Thank you for any help.

Best regards, David