Messages - tunworks

#1
19.7 Legacy Series / Re: OpenVPN Setup on a single NIC?
September 19, 2019, 06:17:32 PM
I'll try and tear mine down and re-build it. It being "fairly" simple like you said is what I would expect; I like to think I have a decent idea of what's going on here. Maybe I'll try and move it inside the outer network so it's not double NATed as a test. I'll double-check my firewall rules and look for any other settings that could be amiss (NAT/gateways). Thanks for your responses, I needed a reference implementation for me to corroborate against.
#2
19.7 Legacy Series / Re: OpenVPN Setup on a single NIC?
September 18, 2019, 06:47:46 PM
Quote from: aschaapherder on September 16, 2019, 07:13:34 PM
If you use WAN only where do you "exit" OPNSense? Unless you stay inside the appliance ..

I have a setup running internally and I use LAN only. I use it for DNS/DHCP and I recently setup OpenVPN as well and I am currently setting up HAProxy with Let's Encrypt as reverse proxy. Works very well.

Using the WAN interface means you have to start looking into firewall rules/NAT etc. (configure it or disable it), doesn't it? And you would have to go out to your LAN network via the WAN interface as well.

Your setup is basically where I am at (or headed) for now. I am interested in using OPNsense as a firewall but that will probably happen alongside some considerably large network changes I think need to happen later. How does your setup expose OpenVPN? Even just a conceptual description, and how OPNsense is configured, might help me.

So I think I mentioned we have two NATs. Outer network is say a 192 network. Its gateway is bordering the internet (public IP on the other side). Inner network is say a 172 network; its gateway borders the 192 and 172 networks.

  • I have 1194 port-forwarded on the router in the 192 network to an IP in the 192 network, let's call it 192.168.1.50
  • That IP is 1-to-1 NAT with an IP in the 172 network by the inner gateway. Let's say that IP is 172.16.1.50.
    This IP is assigned to the LAN NIC on my OPNsense VM
Packets get through from the internet to the LAN interface on OPNsense (used packet capture utility in OPNsense), but OpenVPN does not seem to be aware!

I've deleted and re-configured the VPN server several times, followed the wizard, all pretty simple - I can't think of what I have misconfigured here. Maybe it's just a problem with our double NAT?
#3
19.7 Legacy Series / OpenVPN Setup on a single NIC?
September 16, 2019, 12:44:21 AM
I am only dipping my toes into OPNsense so far. I've set up a VM running it on a Hyper-V server and just for now I am trying to set up the OpenVPN service for remote access. I don't know if my setup is invalid, but I cannot find any info online to help me through this, as it seems like every single setup is using OPNsense inline with their network (as a firewall, duh!) rather than as a standalone node like I am... which could be the problem.

So I have set up the VPN using the wizard. I've got a LAN interface on my network, and the WAN interface is also on the same LAN! Both are virtual NICs provided by the hypervisor.

  • I am pretty much ignoring the WAN interface - OpenVPN is set to listen on ANY
  • WAN is DHCP - the LAN is a static IP.
  • I have a dual NAT setup, not something I set up.. just is what it is.
  • I've port forwarded port 1194 on the outer NAT router to an IP that is 1 to 1 NATed on the inner NAT router
  • Forwarded dest IP is 1-to-1 NAT to the IP assigned to my LAN interface on my OPNsense VM.
  • I have run packet capture on the LAN interface and have seen UDP 1194 packets arriving on that interface when I try to log in using an openVPN client.
  • I never see anything on the OpenVPN logs.

I really have no idea what I am doing, I think! Something is probably OBVIOUSLY wrong that I am not getting; please point it out so I can revel in my lack of understanding.

VPN Client:
Sun Sep 15 18:34:47 2019 TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
Sun Sep 15 18:34:47 2019 UDP link local (bound): [AF_INET][undef]:0
Sun Sep 15 18:34:47 2019 UDP link remote: [AF_INET][public ip of router at location where VM server is hosted]:1194
Sun Sep 15 18:35:48 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Sep 15 18:35:48 2019 TLS Error: TLS handshake failed


Packet Capture:
1 0.000000 [The public IP of my router while at home] [VM's IP on LAN interface] OpenVPN 60 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
2 2.351956 [The public IP of my router while at home] [VM's IP on LAN interface] OpenVPN 60 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2


Details of one of the packets in capture:
Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: [redacted], Dst:[redacted]
Internet Protocol Version 4, Src: [The public IP of my router while at home], Dst: [VM's IP on LAN interface]
User Datagram Protocol, Src Port: 61713, Dst Port: 1194
OpenVPN Protocol
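The capture and client log in the post above show the classic one-way-traffic signature: the client's P_CONTROL_HARD_RESET_CLIENT_V2 reaches the OPNsense LAN address, but no P_CONTROL_HARD_RESET_SERVER_V2 ever comes back, so the client times out after 60 seconds with "TLS key negotiation failed". The following is an added example (not code from the post, from OPNsense, or from the OpenVPN project) that decodes the OpenVPN-over-UDP opcode byte from raw payloads and flags client handshakes the server never answered. The opcode layout (high five bits opcode, low three bits key id, then an 8-byte session id on control packets) is the real OpenVPN wire format; the packet list, the addresses 203.0.113.10, 198.51.100.7 and 172.16.1.50, and the helper names are constructed for the example.

```python
"""Decode OpenVPN (UDP) control-channel headers from captured payloads and
report which client endpoints never received a server hard-reset.

Added example for illustration; the sample packets below are constructed,
not taken from the post's capture."""
from collections import defaultdict

# OpenVPN opcodes: the high 5 bits of the first payload byte on UDP.
# (On TCP a 2-byte length prefix precedes this byte; not handled here.)
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_RESETS = {1, 7, 10}
SERVER_RESETS = {2, 8}
DATA_OPCODES = {6, 9}

NO_SERVER_REPLY = "NO_SERVER_REPLY"
HANDSHAKE_STARTED = "HANDSHAKE_STARTED"


def decode_header(payload: bytes) -> dict:
    """Parse opcode, key id and (for control/ack packets) the 8-byte session id."""
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    opcode = first >> 3
    info = {
        "opcode": opcode,
        "name": OPCODES.get(opcode, "UNKNOWN"),
        "key_id": first & 0x07,
    }
    # Data packets carry no session id; every control/ack packet does.
    if opcode not in DATA_OPCODES:
        if len(payload) < 9:
            raise ValueError("truncated control packet")
        info["session_id"] = payload[1:9].hex()
    return info


def diagnose(packets, server_port: int = 1194) -> dict:
    """Group packets per client endpoint and say whether the server ever answered.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload_bytes),
    i.e. what you would pull out of a pcap of the OPNsense LAN interface.
    Returns {(client_ip, client_port): status}."""
    counts = defaultdict(lambda: {"client_resets": 0, "server_resets": 0})
    for src, sport, dst, dport, payload in packets:
        opcode = decode_header(payload)["opcode"]
        if dport == server_port and opcode in CLIENT_RESETS:
            counts[(src, sport)]["client_resets"] += 1
        elif sport == server_port and opcode in SERVER_RESETS:
            counts[(dst, dport)]["server_resets"] += 1
    return {
        client: (HANDSHAKE_STARTED if c["server_resets"] else NO_SERVER_REPLY)
        for client, c in counts.items()
    }


# --- constructed sample input -------------------------------------------------
def _client_reset(session_id: bytes) -> bytes:
    # 0x38 = opcode 7 (HARD_RESET_CLIENT_V2) << 3, key id 0; then session id,
    # an empty ack array (length 0) and a 4-byte packet id.
    return bytes([0x38]) + session_id + b"\x00" + b"\x00\x00\x00\x00"


def _server_reset(session_id: bytes, remote_session_id: bytes) -> bytes:
    # 0x40 = opcode 8 (HARD_RESET_SERVER_V2) << 3; ack array of length 1
    # (packet id 0) followed by the remote session id, then our packet id.
    return (bytes([0x40]) + session_id + b"\x01" + b"\x00\x00\x00\x00"
            + remote_session_id + b"\x00\x00\x00\x00")


# Mirrors the shape of the post's capture (two client resets, nothing back)
# plus one healthy flow for contrast. Addresses are documentation ranges.
SAMPLE_PACKETS = [
    ("203.0.113.10", 61713, "172.16.1.50", 1194, _client_reset(b"\x11" * 8)),
    ("203.0.113.10", 61713, "172.16.1.50", 1194, _client_reset(b"\x11" * 8)),
    ("198.51.100.7", 50000, "172.16.1.50", 1194, _client_reset(b"\x22" * 8)),
    ("172.16.1.50", 1194, "198.51.100.7", 50000, _server_reset(b"\x33" * 8, b"\x22" * 8)),
]


def run_sample() -> dict:
    return diagnose(SAMPLE_PACKETS)


if __name__ == "__main__":
    for client, status in run_sample().items():
        print(f"{client[0]}:{client[1]} -> {status}")
```

A client endpoint reported as NO_SERVER_REPLY while its packets are visible on the interface means the datagrams arrive but the daemon is not answering from that address and port: either it is not bound there (the post's instance listens on ANY but is on a host whose WAN and LAN NICs sit on the same segment, so also check which interface and gateway the reply would leave through) or the reply is dropped on the way out. A server hard-reset in the capture moves the problem to TLS or key configuration instead.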