Messages - ggriff

#1

Ok so using Topology subnet I can at least see ICMP traffic with tcpdump:

23:25:27.881576 IP 172.23.8.2 > 172.23.8.250: ICMP echo request, id 26390, seq 0, length 64
23:25:27.881609 IP OPNsense.localhost > 172.23.8.250: ICMP echo request, id 61533, seq 0, length 64


So traffic from 172.23.8.2 hits the firewall and it is sent to 172.23.8.250

My concern is that the source address is not in the same subnet, meaning the device at 172.23.8.250
does not send the reply back over the tunnel (I can't use Wireshark on the tunnel interface).
#2
Hope someone can help with this:

The goal is to restrict VPN client to client access with specific firewall rules

So when un-ticking the VPN server "Inter-client communication" I can no longer ping
other clients and can only ping the VPN interface IP which makes sense.

The problem:
I have enabled all traffic on the OpenVPN interface and all traffic on the TAP interface but can't
ping other clients anymore. I have read that IP forwarding needs to be enabled for this to work.

Via the console, IP forwarding seems to be enabled already?
root@OPNsense:/etc # sysctl -w net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1


Found this link https://serverfault.com/questions/736274/openvpn-client-to-client
that explains a solution but involves IPTABLES.
#3

@mimugmail Thank you very much! This works now!

Strange thing is when I was still running OPNSense v19.7 I tried TAP1 & LAN as interface and neither worked...
#4
What I'm trying to achieve:
Client connected to OpenVPN server can access other machines on the LAN

Status:
VPN Client can connect and the LAN network is pushed to the client.
Routing table is setup correctly on the client 192.168.16.0/24 -> 172.30.10.1


Problem:
When pinging a machine on the LAN network from the VPN Client the
ping reply can't be routed back because the traffic has a source IP of 172.30.10.X
I have enabled outbound NAT'ing on the TAP1 interface but it is not overwriting the source IP?

Main Router
Public IP: 1.2.3.4
Port Forward 1194 to 192.168.12.177

OPNSense Router: OPNsense 20.1.3-amd64
Server Mode: Remote Access (SSL/TLS)
Dev Mode: Tun
Topology: Subnet
WAN   192.168.12.177/24 (GW: 192.168.12.1)
LAN   192.168.16.25/24
TAP1   172.30.10.1/24

Outbound NAT Rule: // Hybrid Outbound NAT
Interface:   TAP1
Source:      172.30.10.0/24
Destination:   LAN net
NAT Address:   LAN Address

tcpdump -i ovpns1:
16:19:52.669289 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1447, length 40
16:19:57.526968 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1448, length 40

Can anybody shed some light on this please?
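The return-path question in posts #1 and #4 is the same one: a LAN or tunnel host receives an echo request whose source address is off its own subnet, so it can only answer if it has a route back through the firewall or if the source was translated. The following is an added diagnostic, not code from the thread or from OPNsense; the interface names, the connected networks and the NAT rule objects are assumptions. It parses tcpdump lines in the format quoted above and, for each flow, reports whether the destination can reply on its own subnet. It models outbound NAT the way pf applies it: a rule matches packets leaving through the rule's interface, so a rule bound to the tunnel interface is evaluated for packets exiting on the tunnel, not for packets exiting toward the LAN.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in the format of the tcpdump lines quoted in the thread.
SAMPLE_TCPDUMP = """\
16:19:52.669289 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1447, length 40
23:25:27.881576 IP 172.23.8.2 > 172.23.8.250: ICMP echo request, id 26390, seq 0, length 64
23:25:27.881609 IP OPNsense.localhost > 172.23.8.250: ICMP echo request, id 61533, seq 0, length 64
"""

# Hypothetical firewall interfaces (name -> directly connected network).
# Hosts on each network are assumed to know only their own subnet and to have
# no static route for the tunnel networks.
IFACES = {
    "lan": ipaddress.ip_network("192.168.16.0/24"),
    "ovpns1": ipaddress.ip_network("172.30.10.0/24"),
    "ovpns2": ipaddress.ip_network("172.23.8.0/24"),
}


class NatRule(NamedTuple):
    iface: str                      # interface the packet must LEAVE through
    src: ipaddress.IPv4Network      # source network to translate
    dst: ipaddress.IPv4Network      # destination network the rule applies to
    nat_to: ipaddress.IPv4Address   # translated source address


# Hypothetical rule sets: the one described in post #4 (bound to the tunnel
# interface) and the same rule bound to the LAN interface instead.
_TUN = ipaddress.ip_network("172.30.10.0/24")
_LAN = ipaddress.ip_network("192.168.16.0/24")
_LAN_ADDR = ipaddress.ip_address("192.168.16.25")
RULE_ON_TUNNEL = [NatRule("ovpns1", _TUN, _LAN, _LAN_ADDR)]
RULE_ON_LAN = [NatRule("lan", _TUN, _LAN, _LAN_ADDR)]

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ")


def parse_tcpdump(text):
    """Return (src, dst) address pairs; lines with resolved hostnames are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            flows.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
        except ValueError:  # tcpdump printed a hostname instead of an address
            continue
    return flows


def egress_iface(dst):
    """Interface the firewall would send a packet for dst out of (connected routes only)."""
    for name, net in IFACES.items():
        if dst in net:
            return name
    return None


def effective_source(src, dst, rules):
    """Apply the first outbound NAT rule matching on the egress interface, if any."""
    out = egress_iface(dst)
    for r in rules:
        if r.iface == out and src in r.src and dst in r.dst:
            return r.nat_to, r
    return src, None


def check_return_path(src, dst, rules):
    """Classify whether dst can answer without a static route for src's network."""
    out = egress_iface(dst)
    if out is None:
        return "no egress interface for destination"
    eff, rule = effective_source(src, dst, rules)
    if eff in IFACES[out]:
        return "ok: reply source is on destination's own subnet" + (" (via NAT)" if rule else "")
    return f"asymmetric: {dst} needs a route for {eff} back via the firewall, or NAT on {out}"


def report(text, rules):
    return [(str(s), str(d), check_return_path(s, d, rules)) for s, d in parse_tcpdump(text)]


if __name__ == "__main__":
    for label, rules in (("NAT on tunnel", RULE_ON_TUNNEL), ("NAT on LAN", RULE_ON_LAN)):
        print(f"== {label}")
        for src, dst, verdict in report(SAMPLE_TCPDUMP, rules):
            print(f"{src} -> {dst}: {verdict}")
```

Run stand-alone it prints two reports. With the rule bound to the tunnel interface, the 172.30.10.2 to 192.168.16.222 flow is flagged as asymmetric because the packet leaves on the LAN interface and the rule never matches; with the same rule bound to the LAN interface the flow is reported as translated to the LAN address. The 172.23.8.0/24 flow from post #1 is reported as fine in both cases because both addresses are on the same /24 in this assumed topology.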