Messages - Broodjeworst

#1
Hi,

I've noticed that if one of my 2 "grouped" OpenVPN connections drops, LAN traffic also drops for a couple of seconds.
The OpenVPN connections serve a separate switch (separate physical interface port); the normal LAN interface (a different physical interface) is separated from the OpenVPN part.

- the WAN uplink is nice and stable no disconnects.
- When I disable the openVPN group all together the LAN is nice and stable, however the switch that is connected to the VPN has no connection to the internet (no surprise there ;) )

Could this be related to:
https://github.com/opnsense/src/issues/58

I'm currently on OPNsense version 21.1.1

Any clues would be helpful :)

#2
Great thanks!

The VPN connections are currently configured in a group (as described in the settings of NilsS), so if one of the two in the group goes down the other takes over.
In my case I think that load balancing is a bit too enthusiastic and I need to increase the sticky timeout.

Update:
Seems that if I set both VPN connections in the load balancing group to Tier 1 (as opposed to Tier 1 and Tier 2) it does work.

There is one thing I don't get though: the configuration defines 3 gateway groups and only the load balancing group is used in the rules; the two failover groups are not referenced. Is that correct?

Thanks a lot!
#3
Hi again :)

So with the help of Koldnitz I was able to get my setup running (thanks!),
however after some testing I did find some odd behaviour (I think): the connection seems to be dropping intermittently. I think this is also what Koldnitz experienced when he mentioned:

"I turned off sticky connections and now I sometimes use both interfaces together (much faster). 
Fail over only randomly worked before and I have set it up to reconnect randomly to my VPN servers every 8 hours."

So I was wondering what do I need to change in order to do this? Turning off sticky is just deselecting a tick box however I'm not sure how to use both VPN connections simultaneously in order to increase speed and set the random reconnect every X hours.

#4
Hi Koldnitz,

And thanks again! The addition of some extra rules (well, basically the same as your example) did the trick!
I only had autogenerated DHCP rules and the rules from the "howto" so it was quite logical that my connection attempt failed.

Thanks a million!
:D
#5
Hi Koldnitz,

Great!!! That did the trick! Thank you very much :) I've also renamed the aliases per your advice, my original ones didn't make that much sense indeed :-[

One thing left on the todo list is to be able to access a device that is connected to the VPN 
(behind that Cisco switch) through ssh from the 192.168.1.x/24 subnet so that I can check logs etc
or would this open up a can of worms?

Anyway, thank you very much for getting me up and running!


#6
Hi Guys,

Seems that what I'm trying to do is almost the same as topic starter M4DM4NZ (thanks to Koldnitz for pointing me to this topic!)
And that is adding a VPN (Nord) enabled (physical) interface, so that one of the ports on my OPNsense (Supermicro) box is a VPN interface that allows me to
connect it to a switch (plain Cisco) and then use any switch port to attach a device that is then "protected/behind" the VPN connection.

I've combined the guides from M4DM4NZ and NilsS into something that works for me, well I thought I did and of course it doesn't work ;)
I'm on OPNsense 20.7.7

Here we go:

STEP 1:
####################################################################
Firewall -> Aliases
[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_LocalNetwork
[ Description ] All local Networks
[ Content ]
    192.168.1.1/24,192.168.2.1/24 (my current local networks)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_VPNNetwork
[ Description ] All Hosts/Networks that should use VPN
[ Content ]
    192.168.3.1/32
    (This one has got me confused a bit, it has netmask 255.255.255.255 aka 32 and that's just for 1 ip? I use 192.168.3.1/24 for my new Interface in step 6)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Host(s)
[ Name ]        Firewall_Alias_Allowed_DNS
[ Description ] Allowed DNS Servers
[ Content ]
    103.86.99.100 (These are the ones from VPN provider NordVPN)
    103.86.96.100
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Port(s)
[ Name ]        Firewall_Alias_MS_Port_Block
[ Description ] Blocked MS Ports
[ Content ]
    137
    138
    139
    445
[SAVE]

STEP 2:
####################################################################
Firewall -> NAT -> Outbound
[X] Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)
## Used this option instead of:
##     Manual outbound NAT rule generation (no automatic rules are being generated)
## So that the automatically generated rules are not removed.
## Change the rest of the settings in step 10

STEP 3:
####################################################################
Set up the NordVPN connection; this is different from the original writeup (since I use Nord).
I've used the guide from:
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm

However I've changed "Encryption Algorithm: AES-256-GCM" to "Encryption Algorithm: AES-256-CBC" in the TLS Authentication section
since I got a warning in the OpenVPN logs.

STEP 4:
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP4 (As mentioned in the Nord guide)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 xxxxx.nordvpn.com
[ Server port ]                 1194
[ Retry DNS resolution ]        [X] Infinitely resolve remote server
[ User name/pass ]              Copied from my Nord account page
[ TLS Authentication ]          [X] enable authentication of TLS packets
[ Peer Certificate Authority ]  As per the Nord guide
[ Encryption Algorithm ]        AES-256-CBC
[ Auth Digest Algorithm ]       SHA512 (512-bit)
[ Hardware Crypto ]             No Hardware Crypto Acceleration
[ Compression ]                 Disabled - No Compression
[ Disable IPV6 ]                [X]
[ Don't add/remove routes ]     [X]
[ Description ]                 NordVPN_1
[ Advanced ]
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
[ Verbosity level ]             3 (recommended)
[SAVE]

STEP 5:
####################################################################
VPN -> OpenVPN -> Clients: [ NordVPN_1 -> clone ]
[ Server host ] use a different server
[ Server port ] 1194 used the same port, not sure if the tip to use a different port holds for Nord as well?
[ Description ] NordVPN_2
[SAVE]

STEP 6:
####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ]
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN1
    [ Block bogon networks ]    [X]
[SAVE]

[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN2
    [ Block bogon networks ]    [X]
[SAVE]

And I've added a new Interface called NORD:
[ OPTx ]
    [ Enable Interface ]        [X]
    [ Device ]                  igbX (in my case)
    [ Description ]           NORD
    [ Block bogon networks ]    [X]
    [ IPv4 Configuration Type]  Static IPv4
    [ IPv4 address ]            192.168.3.1/24
    [ IPv4 Upstream Gateway ]   Auto-detect
[SAVE]

Services -> DHCPv4 -> NORD
[ Enable ]                      [X]
[ Range ]                       [ 192.168.3.11 - 192.168.3.244 ]

STEP 7:
####################################################################
System -> Gateways -> Single
[ NORDVPN1_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN2_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN1_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

[ NORDVPN2_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

STEP 8:
####################################################################
System -> Gateways -> Group

[ + Add ]
[ Group Name ]          GRP_NORDVPN
[ Gateway Priority ]
    [ WAN_GW ]              [ Never ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_LOADBALANCE
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_1_2
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_1->-2
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_2_1
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 2 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_2->-1
[SAVE]

STEP 9:
####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [X] Skip rules when gateway is down
    # Does this mean that traffic will go over the "normal" connection (non VPN) in case the VPN tunnel fails?
    # OR does this mean that the rest of the network (in my case the LAN) will continue to function if the VPN Tunnel is down
    # A kill switch would be nice, so if the VPN Tunnel fails (in this case, if both of them fail because we defined a group of 2) i want interface NORD to
    # have no connection.
[ Sticky connections]   [X] Use sticky connections (for load balance group)

STEP 10:
####################################################################
Firewall -> NAT -> Outbound
[+ Add]
    [ Interface ]           NORDVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      Firewall_Alias_LocalNetwork
    [ Destination invert ]  [X]
    [ Destination address ] Firewall_Alias_LocalNetwork
    [ Translation/target ]  Interface address
[SAVE]

[ NORDVPN1 ] [CLONE]
    [ Interface ]           NORDVPN2
[SAVE]

STEP 11:
####################################################################
Firewall -> Rules -> NORD (The new interface I added in step 6)
[+ Add]
    [ Action ]                  block
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Destination port range]    Firewall_Alias_MS_Port_Block
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination ]             Firewall_Alias_Allowed_DNS
    [ Destination port range]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Description ]             Force traffic over VPN
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

STEP 12:
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   NORD
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      Firewall_Alias_VPNNetwork
[ Destination invert ]          [X]
[ Destination ]                 Firewall_Alias_Allowed_DNS
[ Destination port range]        DNS DNS
[ Redirect Target IP ]          single Host or Network
                                103.86.96.100 (picked one of the 2 NordVPN DNS servers)
[ Redirect Target Port ]        DNS
[ Description ]                Redirect all DNS to allowed DNS
[SAVE]

After this I did some checks:
VPN -> OpenVPN -> Connection Status
Both are "UP"

System -> Gateways -> Single
All Green

I've added some widgets on the Dashboard page and:
Gateways all green
Interfaces connected and have an IP
OpenVPN
All green and Remote/Virtual IP is present

However... When I connect a device to the Switch (that is connected to the NORD interface on the OPNSense box) I get "nothing"
(the device is configured to use DHCP and gets an IP address so at least that part works ;) )

I've no Internet at all (can't ping 8.8.8.8 for example)
And I can't ping any of the internal IPs
192.168.1.1
192.168.2.1
192.168.3.1

The only thing that I can ping is the switch on 192.168.3.254 however that's kind of expected ;)

I think I made some kind of mistake between step 9 and 12

Any Hints would be appreciated :)
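As an added illustration (not part of this post and not OPNsense code), the following Python model replays the STEP 11/12 policy against a few constructed packets from a client on the NORD segment. It reduces pf to two assumptions: the STEP 12 port forward is applied before the filter rules see the packet, and the filter rules are evaluated first-match in the listed order with the interface defaulting to block. Alias contents are taken from STEP 1 as posted; ALIASES_SLASH24 is my own variant with Firewall_Alias_VPNNetwork widened to 192.168.3.0/24 so the two can be compared, and the client address 192.168.3.50 is a constructed lease from the STEP 6 DHCP range.

```python
import ipaddress
from dataclasses import dataclass

# Alias contents copied from STEP 1 of the post above. strict=False mirrors the
# firewall accepting a host address with a /24 mask (192.168.1.1/24 is 192.168.1.0/24).
ALIASES_AS_POSTED = {
    "LocalNetwork": ["192.168.1.1/24", "192.168.2.1/24"],
    "VPNNetwork": ["192.168.3.1/32"],          # as posted: a single host
    "Allowed_DNS": ["103.86.99.100/32", "103.86.96.100/32"],
}
# Constructed variant (my assumption, not from the post): the whole NORD subnet.
ALIASES_SLASH24 = dict(ALIASES_AS_POSTED, VPNNetwork=["192.168.3.0/24"])

MS_PORTS = {137, 138, 139, 445}         # Firewall_Alias_MS_Port_Block
DNS_PORT = 53
DNS_REDIRECT_TARGET = "103.86.96.100"   # STEP 12 redirect target


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass
class Rule:
    action: str         # "pass" or "block"
    src: str            # alias name for the source
    dst: str            # alias name for the destination
    dst_invert: bool    # the "Destination invert" checkbox
    protos: tuple       # protocols the rule matches
    ports: frozenset    # destination ports; empty = any
    gateway: str = ""   # policy-routing gateway/group, "" = default route


def in_alias(aliases, name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in aliases[name])


def apply_rdr(aliases, pkt):
    """STEP 12 port forward. Assumption of this model: translation happens
    before filtering, so the rules below see the rewritten destination."""
    if (pkt.proto in ("tcp", "udp") and pkt.dport == DNS_PORT
            and in_alias(aliases, "VPNNetwork", pkt.src)
            and not in_alias(aliases, "Allowed_DNS", pkt.dst)):
        return Packet(pkt.src, DNS_REDIRECT_TARGET, pkt.proto, pkt.dport)
    return pkt


# STEP 11 rules on the NORD interface, in the order they were added.
RULES = [
    Rule("block", "VPNNetwork", "LocalNetwork", True, ("tcp", "udp"), frozenset(MS_PORTS), "GRP_NORDVPN"),
    Rule("pass", "VPNNetwork", "Allowed_DNS", False, ("tcp", "udp"), frozenset({DNS_PORT}), "GRP_NORDVPN"),
    Rule("pass", "VPNNetwork", "LocalNetwork", True, ("tcp", "udp", "icmp"), frozenset(), "GRP_NORDVPN"),
]


def evaluate(aliases, pkt, vpn_group_up=True, skip_rules_when_gw_down=True):
    """Return (action, gateway, final_dst) for a packet arriving on NORD.
    First match wins; no match means the interface default of block."""
    pkt = apply_rdr(aliases, pkt)
    for rule in RULES:
        if skip_rules_when_gw_down and rule.gateway and not vpn_group_up:
            continue                    # STEP 9: rule is not loaded while its gateway is down
        if pkt.proto not in rule.protos:
            continue
        if not in_alias(aliases, rule.src, pkt.src):
            continue
        if in_alias(aliases, rule.dst, pkt.dst) == rule.dst_invert:
            continue                    # invert flips the destination match
        if rule.ports and pkt.dport not in rule.ports:
            continue
        gateway = rule.gateway
        if gateway and not vpn_group_up:
            gateway = "default"         # skip-rules off: traffic falls back to the default route
        return rule.action, gateway, pkt.dst
    return "block", "", pkt.dst


if __name__ == "__main__":
    client = "192.168.3.50"             # constructed: a DHCP lease from the NORD range
    checks = [
        ("DNS to 8.8.8.8, alias as posted", ALIASES_AS_POSTED, Packet(client, "8.8.8.8", "udp", 53), True, True),
        ("DNS to 8.8.8.8, /24 alias", ALIASES_SLASH24, Packet(client, "8.8.8.8", "udp", 53), True, True),
        ("HTTPS to 1.1.1.1, /24 alias", ALIASES_SLASH24, Packet(client, "1.1.1.1", "tcp", 443), True, True),
        ("ping 192.168.1.1, /24 alias", ALIASES_SLASH24, Packet(client, "192.168.1.1", "icmp"), True, True),
        ("SMB to 1.2.3.4, /24 alias", ALIASES_SLASH24, Packet(client, "1.2.3.4", "tcp", 445), True, True),
        ("HTTPS, group down, skip rules on", ALIASES_SLASH24, Packet(client, "1.1.1.1", "tcp", 443), False, True),
        ("HTTPS, group down, skip rules off", ALIASES_SLASH24, Packet(client, "1.1.1.1", "tcp", 443), False, False),
    ]
    for label, aliases, pkt, up, skip in checks:
        print(f"{label:40} -> {evaluate(aliases, pkt, up, skip)}")
```

Under these assumptions the model shows three things worth checking on a real box: with the alias exactly as posted (a /32), a DHCP client on 192.168.3.x matches no rule at all, so it gets the interface default of block; with the subnet widened, DNS is rewritten to the NordVPN resolver and allowed, web traffic is policy-routed via GRP_NORDVPN, and pings to 192.168.1.1 are still blocked because the only pass rule excludes local destinations by design; and with "Skip rules when gateway is down" enabled, the pass rules vanish while the group is down, leaving default deny on NORD, which is the kill-switch behaviour asked about in STEP 9, whereas with it disabled the same traffic would be passed over the default route.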
#7
Hi Koldnitz,

Apologies for the late reply!
I was busy taking over some project tasks for a couple of colleagues that got Covid (they are doing fine now :)).

Thanks! The link was certainly useful, I've modified it a tiny bit for NordVPN and the gateways seem to be up (all green), connection OK and the VPN log seems to be OK.

The other part I've changed is to add a new NIC (renamed it to NORD) and apply the firewall rules on that one (instead of LAN as mentioned in the howto). I've added DHCP for the new (NORD) NIC under Services.
However no go, when I test the connection I get a new IP however no access (Internet/LAN/DNS), so I must be doing something pretty stupid...

The LAN interface still works :) so that's something
(I did have to add the previously automatically generated Firewall rules for LAN manually, since I've enabled "Manual outbound NAT rule generation" as stated in the HowTo)

Any Ideas would be welcome  :D

Kind regards!
#8
Hi OPNSense experts,

Some time ago I posted a question
https://forum.opnsense.org/index.php?topic=17247.msg78386#msg78386
and got very useful answers (thanks!)
Now, months later... I'm attempting to add NordVPN
(OpenVPN) to my OPNsense box and assign it to a new ethernet port on my box (still have 8 NICs available) so that I can link it to a switch, plug in a wired device and have a VPN connection.
If this works I would like to do the same trick with my corporate VPN.

When looking at the guide on:
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm
it seems that this enables VPN for all interfaces? I want to leave my current LAN unaffected (including DNS settings).
And only have the openvpn tunnel exist for a new currently unassigned ethernet port.

What would I have to change? Or is there a guide/hints/tips to get a setup like this.

Thanks!
#9
Thanks, hmm virtualization might be a good idea indeed maybe I'll take a look on https://dietpi.com/ seems to have a VM image with Pihole.
And should it be possible to dedicate 1 interface to a VPN tunnel and leave the LAN port unaffected?
#10
Hi, I'm probably asking a stupid question so my apologies beforehand.
I've just installed a new OPNSense box for my homelab (small super micro 19inch box with a couple of nics) and that works fine, I've added Pi-Hole on a raspberry Pi4
And just assigned one of the nics of the OPNSense box and connected the Pi to that directly (new ip range).
The static IP of the Pi-hole box is set as the DNS for the LAN interface and the general DNS is set to OpenDNS servers.

Although this seems to work, it feels a bit sloppy.
Oh, the reason for using one of the OPNSense box NICs for the Pi as opposed to directly plugging the Pi into the Lan switch is just aesthetics, so probably not the best reason.

1. Would it be better to use 2 bridged NICs as LAN and connect 1 port to the Pi and the other to the switch where the rest of the equipment is connected? (I read that bridging NICs is not advised?)

2. Forget about a separate NIC on the OPNSense box and just link the Pi to the Switch connected to the LAN port

3. Keep my current setup.

The thing is that I would like to use one of the (10 available on the OPNSense box) NICs for VPN where I just connect this port to a separate Switch (I've 2 more available in my rack) so that I end up with 1 switch connected to the LAN port of OPNSense and 1 switch connected to the (to be configured) VPN port of the switch.
The reason for all of this is that I would like to be able to plug in one or more test machines that just connect to my corporate VPN while leaving the normal LAN unaffected.
The normal LAN should be served by the Pi-hole DNS and the VPN, well, by the VPN.
I'm not sure how I could set this up.

Kind regards!