Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: October 02, 2018, 09:59:34 pm »
I have been banging my head against a wall trying to get an AirVPN OpnSense gateway setup to work, with the help of this thread, and I think I might have stumbled across a bug/unexpected behavior that might explain some of the problems that people in this thread are having. The problem became apparent when trying to use policy-based routing to selectively send only some LAN traffic through the VPN tunnel.
In a nutshell, OpnSense seems to set the default gateway of the VPN interface (the one displayed under System/Gateways/Single, NOT the default gateway of the linux interface ovpnc1) to the subnet mask, leading to broken policy-based routing through that interface. I have reproduced the issue on a fresh 18.7.4 install inside a virtual machine, the steps I took are as follows:
- Start with a standard OpnSense install (default LAN and WAN interfaces with default settings). Follow the guide exactly until Step 4. There, also tick the options Don't pull routes and Don't add/remove routes.
- Continue to Step 6. Then, when creating the interface assignment, set IPv4 Configuration Type to None.
- Under System/Gateways/Single, edit the newly created VPN_VPNV4 gateway and set the Gateway option to dynamic.
- Apply changes and restart the machine to make sure everything is set correctly.
- After the restart, look under System/Gateways/Single. Both the Gateway and the Monitor IP of VPN_VPNV4 are set to 255.255.255.0, as shown in the attachment.
After setting up outbound NAT for the VPN interface created in step 6, LAN packets that are sent through it via policy-based routing are routed to the 255.255.255.0 address, leading the system to silently drop them. If the gateway IP for the interface is manually set to the one pushed by the AirVPN server (as taken from the OpenVPN log file), everything works as expected and LAN traffic is successfully routed through the VPN.
The OpenVPN server attempts to push the following interface settings:
openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'.
I assume the ifconfig command breaks OpnSense's parsing, leading to the subnet mask being mistaken for the gateway IP. The system interface ovpnc1 on the other hand has both its IP and gateway set correctly, as one would expect from seeing openvpn[51343]: /sbin/ifconfig ovpnc1 10.5.10.5 10.5.10.1 mtu 1500 netmask 255.255.255.0 up in the OpenVPN log.
Changing the IPv4 Configuration Type for the VPN interface from None to DHCP results in a VPN_DHCP interface being created instead of VPN_VPNV4, also with Gateway and Monitor IP set to 255.255.255.0.
I have not reported this as a bug as I'm not fully sure that the issue isn't with my configuration. Feel free to move the post to a better location, this thread just seemed the most relevant place to post it.
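The misparse described in the post can be checked straight from the OpenVPN log. The following is an added example (written for this page, not the poster's code and not part of OpnSense): it parses the quoted PUSH_REPLY line, derives the address, netmask and gateway the tunnel interface should carry, and flags a configured gateway that equals the netmask. The function names and the sanity check are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line quoted in the post above, as it
# appears in the OpenVPN client log.
SAMPLE_LOG_LINE = (
    "openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,"
    "route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,"
    "ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'"
)


def parse_push_reply(log_line):
    """Return the pushed options as a dict: option name -> list of argument
    lists. Repeated options (e.g. several dhcp-option entries) keep their order."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        raise ValueError("no PUSH_REPLY found in line")
    options = {}
    for item in m.group(1).split(","):
        words = item.strip().split()
        if not words:
            continue
        options.setdefault(words[0], []).append(words[1:])
    return options


def expected_tunnel_config(options):
    """Derive what the interface should look like from the pushed options:
    local address and netmask come from 'ifconfig', the gateway from
    'route-gateway' (the form used with 'topology subnet')."""
    local, mask = options["ifconfig"][0]
    gateway = options["route-gateway"][0][0]
    return {"local": local, "netmask": mask, "gateway": gateway}


def gateway_is_sane(configured_gateway, expected):
    """Sanity check for the symptom in the post: the gateway the firewall
    configured must not be the netmask, and must lie inside the tunnel subnet."""
    if configured_gateway == expected["netmask"]:
        return False
    tunnel = ipaddress.ip_network(
        f"{expected['local']}/{expected['netmask']}", strict=False
    )
    return ipaddress.ip_address(configured_gateway) in tunnel


if __name__ == "__main__":
    cfg = expected_tunnel_config(parse_push_reply(SAMPLE_LOG_LINE))
    print(cfg, gateway_is_sane("255.255.255.0", cfg))
```

Run against the real log, the second value printed is False for a gateway of 255.255.255.0 and True for the pushed 10.5.10.1, which is the manual fix the post describes.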