18.7 Legacy Series / Unable to route traffic over OpenVPN client
« on: January 02, 2019, 01:26:28 am »
Hi,
I'm having issues getting an OpenVPN client to work (I am using ProtonVPN). I previously had this running on pfSense and I'm trying to get the same setup going on OPNsense. I've followed a number of tutorials as well as the HOWTO guide posted on these forums here but I'm stumped! Any help would be appreciated!
I undid all the changes from those tutorials and started from scratch. I have a basic config set up on one of my VLANs ('SERVERNET', 10.1.10.0/24) to try and figure this out. Can anyone see where I might be going wrong?
Info:
OpenVPN Client
Provider: ProtonVPN
Don't pull routes: checked
Don't add/remove routes: unchecked
Connection shows as UP in Connection Status
Interfaces & Gateway
ovpnc1 attached to new VPN_WAN interface
IPv4 Configuration Type: None
Gateway: VPN_WAN_VPNV4 on interface VPN_WAN
IP address from OpenVPN client shows correctly on gateway
VPN_WAN_VPNV4 has been added to a Gateway Group called VPN_GROUP
Firewall Rules
I'm using 'SERVERNET' VLAN (10.1.10.0/24) to test with a rule that all non-local traffic is to use the VPN_GROUP gateway group. There is only one other rule for my local networks to talk to each other. See screenshot for more details.
There are no port forward or floating rules for this network.
| Pass/Block | Proto | Source | Port | Destination | Port | Gateway | Description |
|---|---|---|---|---|---|---|---|
| Allow | IPv4 * | SERVERNET net | * | N_LOCALNETS | * | * | Default Allow any local traffic |
| Allow | IPv4 * | SERVERNET net | * | * | * | VPN_GROUP | Force traffic over VPN |
N_LOCALNETS is an alias of all local networks (10.1.50.0/26, 10.1.20.0/25, 10.1.0.0/24, 10.1.10.0/24)
Firewall -> Settings -> Advanced
IPv6 Options: Allow IPv6: checked
Gateway Monitoring: Skip rules when gateway is down: checked
Outbound NAT
Mode: Hybrid outbound NAT rule generation
I added additional rules for the VPN_WAN interface with all local networks as sources, Source/Source Port/Destination/Destination Port as *, and NAT Address as Interface Address.
System DNS
I added the VPN provider's DNS (10.8.8.1 and 10.8.1.0) under System -> Settings -> General for the VPN_WAN_VPNV4 gateway. I also tried with public DNS as well in case this was an issue.
DHCP DNS for SERVERNET is left empty in DNS settings and shows as 10.1.10.1 on my clients on this network.
Unbound DNS Resolver
Enable Forwarding Mode: checked
Screenshots of Gateways, Firewall Rules and Outbound NAT attached.
Does anyone have any ideas why I can't get this to work? If I remove the VPN_GROUP gateway group from the rule, I can access the internet over WAN from the SERVERNET machines. I also added logging to the rule and can see that the outbound traffic from those machines is being matched against the 'Force traffic over VPN' rule and allowed to pass but there seems to be no response back. I have a feeling it's a NAT issue and that there is no return path... but I am a little stumped as to where to go from here!
Thanks in advance for any help!
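The "no return path" hypothesis at the end of the post can be confirmed or ruled out on the firewall itself: `pfctl -s nat` lists the outbound NAT rules pf actually loaded (which is what matters in Hybrid mode, where manual and automatic rules are merged), and `pfctl -ss` shows, per state, whether the source address was translated before the packet left the tunnel interface. The script below is an added example, not code from the thread or from OPNsense; it parses constructed samples shaped like that output (the exact line format is an assumption), and the interface names em0 and vlan10, the host 10.1.10.20, the tunnel address 10.8.8.5 and the destination 93.184.216.34 are all made up. In the sample the ovpnc1 NAT rule only covers 10.1.0.0/24, so a SERVERNET host's state shows up on ovpnc1 with its private source intact, which is exactly the condition under which replies never come back.

```python
"""Check pf NAT rules and the state table for a policy-routed client network.

Added example for the thread above; not OPNsense or pf project code. It parses
constructed samples shaped like `pfctl -s nat` and `pfctl -ss` output (assumed
format) and reports whether traffic from a client network leaves the VPN
interface with its private source address untranslated.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `pfctl -s nat` output. The ovpnc1 rule only covers
# 10.1.0.0/24, so SERVERNET (10.1.10.0/24) has no translation on the tunnel.
SAMPLE_NAT = """\
nat on em0 inet from 10.1.10.0/24 to any -> (em0:0) port 1024:65535
nat on em0 inet from 10.1.0.0/24 to any -> (em0:0) port 1024:65535
nat on ovpnc1 inet from 10.1.0.0/24 to any -> (ovpnc1:0) port 1024:65535
"""

# Constructed sample of `pfctl -ss` output. pf prints the translated source
# first and the original source in parentheses when a state was NATed.
SAMPLE_STATES = """\
vlan10 tcp 10.1.10.20:51234 -> 93.184.216.34:443       SYN_SENT:CLOSED
ovpnc1 tcp 10.1.10.20:51234 -> 93.184.216.34:443       SYN_SENT:CLOSED
ovpnc1 tcp 10.8.8.5:51234 (10.1.0.15:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> \((?P<nat_addr>[^)]+)\)"
)
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<status>\S+)\s*$"
)


@dataclass
class NatRule:
    iface: str
    src: str        # "any", a CIDR, or a "<table>" reference (an OPNsense alias)
    nat_addr: str


@dataclass
class State:
    iface: str
    proto: str
    src: str                 # source as seen on the wire (post-NAT)
    orig: Optional[str]      # pre-NAT source, None if the state was not translated
    dst: str
    status: str


def parse_nat_rules(text: str) -> list:
    return [NatRule(m["iface"], m["src"], m["nat_addr"])
            for line in text.splitlines() if (m := NAT_RE.match(line))]


def parse_states(text: str) -> list:
    return [State(m["iface"], m["proto"], m["src"], m["orig"], m["dst"], m["status"])
            for line in text.splitlines() if (m := STATE_RE.match(line))]


def ip_of(endpoint: str) -> ipaddress.IPv4Address:
    # "10.1.10.20:51234" -> 10.1.10.20; ICMP states carry no port. IPv4 only here.
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])


def rule_covers(rule: NatRule, net: ipaddress.IPv4Network) -> bool:
    if rule.src == "any":
        return True
    if rule.src.startswith("<"):
        # A pf table; its members are not visible in this output, so it is
        # reported as not covering rather than guessed at.
        return False
    return net.subnet_of(ipaddress.ip_network(rule.src, strict=False))


def diagnose(nat_text: str, state_text: str, vpn_iface: str, client_net: str) -> dict:
    net = ipaddress.ip_network(client_net)
    rules = [r for r in parse_nat_rules(nat_text) if r.iface == vpn_iface]
    covered = any(rule_covers(r, net) for r in rules)
    # States that left the tunnel interface still carrying a private source:
    # the VPN provider has no route back to that address, so replies never return.
    leaking = [s.src for s in parse_states(state_text)
               if s.iface == vpn_iface and s.orig is None and ip_of(s.src) in net]
    if covered and not leaking:
        verdict = f"{client_net} is translated on {vpn_iface}; look beyond NAT."
    else:
        verdict = f"{client_net} leaves {vpn_iface} untranslated; check outbound NAT for it."
    return {"nat_rule_for_net": covered, "untranslated_states": leaking, "verdict": verdict}


if __name__ == "__main__":
    for cidr in ("10.1.10.0/24", "10.1.0.0/24"):
        print(diagnose(SAMPLE_NAT, SAMPLE_STATES, "ovpnc1", cidr))
```

On a real box, capture the two outputs while a SERVERNET host is trying to reach the internet and feed them to `diagnose()` in place of the samples; a state on the tunnel interface with no parenthesised original source is the direct evidence for the missing return path, and its absence points the search elsewhere (gateway monitoring, the gateway group, or the tunnel itself).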