Virtual private networks / OpenVPN. Remote-Access. tap/L2 works tun/L3 doesn't
« on: August 11, 2021, 10:17:23 am »
Hi forum.
I'm new to OPNsense, although I've been using OpenVPN on Linux for years... I need some light/advice here:
My tap/Layer 2 setup for remote access works flawlessly, like on Linux... no problem... On Linux this setup used to be 'the hard/weird one', since OpenVPN's defaults are clearly geared towards routed/tun setups (which mostly work out of the box).
Here, however, the tun/routed setup is not working, and I'm failing to understand why. Here's a troubleshooting working/non-working list:
- SSL connection established: OK
- IP assigned from the pool: OK
- Traffic reaching OPNsense's VPN server interface: OK
- Traffic being FORWARDed towards LAN, DMZ servers: OK
- Reply traffic from LAN/DMZ hosts reaching OPNsense: OK
- No firewall drop/reject of intended traffic: OK (or, at least, I'm failing to detect that case)
- Pinging the OPNsense VPN server interface: FAIL
- Reply traffic from LAN/DMZ leaving back over the VPN server interface: FAIL
- Reply traffic from LAN/DMZ leaving back through WAN: Not detected (or, at least, I'm failing to detect that case)
What's going on? To me, it looks like a routing problem, with OPNsense discarding the packets at output time.
My problem is that my routing concepts are based on Cisco and Linux networking principles, and I feel I'm failing to understand the routing logic in OPNsense.
- Why does OPNsense declare a gateway for the VPN server interface? It is NOT one; it is a directly connected network for remote access... maybe I'm configuring the server wrong... it is not a site-to-site.
- Why do I see an entry for the client IP in the routing table? Again, it looks like a site-to-site setup... but it is not.
Hope you could shed some light here.
Thank you in advance.
Cheers
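The poster's checklist stops at "reply traffic from LAN/DMZ leaving back over the VPN server interface: FAIL" and suspects the routing table. One way to test that hypothesis offline is to feed the firewall's `netstat -rn` output into a longest-prefix-match lookup and ask which interface a reply to a given tunnel client address would leave through. The script below is an added example, not code from the original post or from OPNsense/OpenVPN. The `netstat -rn` text embedded in it is constructed for illustration (the interface names vtnet0, vtnet1 and ovpns1, the addresses and the 10.8.0.0/24 tunnel pool are all assumptions, not the poster's configuration); on a real box you would paste the actual output in its place.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway flags netif")

# Constructed sample of FreeBSD/OPNsense `netstat -rn` output (NOT captured from
# the poster's firewall). Assumed layout: WAN on vtnet0, LAN on vtnet1, and an
# OpenVPN tun server interface ovpns1 whose tunnel pool is 10.8.0.0/24.
SAMPLE_NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       vtnet0
10.8.0.0/24        10.8.0.2           UGS       ovpns1
10.8.0.1           link#5             UHS       lo0
10.8.0.2           link#5             UH        ovpns1
127.0.0.1          link#3             UH        lo0
192.168.1.0/24     link#2             U         vtnet1
192.168.1.1        link#2             UHS       lo0
203.0.113.0/24     link#1             U         vtnet0
203.0.113.5        link#1             UHS       lo0
"""


def parse_routes(text):
    """Parse the IPv4 ('Internet:') section of `netstat -rn` into Route objects.

    'default' becomes 0.0.0.0/0 and a bare host address becomes a /32, which is
    how netstat prints the UH/UHS host routes for point-to-point peers.
    """
    routes = []
    in_v4 = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Internet:":
            in_v4 = True
            continue
        if not in_v4:
            continue
        if not line or line.startswith("Internet6:"):
            break  # end of the IPv4 table
        if line.startswith("Destination"):
            continue  # column header
        dest, gateway, flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        network = ipaddress.ip_network(dest, strict=False)
        routes.append(Route(network, gateway, flags, netif))
    return routes


def lookup(routes, ip):
    """Longest-prefix match over the parsed table, as the kernel does on output."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def reply_leaves_via(routes, client_ip, tunnel_if):
    """Return (netif, ok): ok is True only when a reply to client_ip exits tunnel_if.

    If the tunnel pool route is missing, the reply falls through to the default
    route and leaves via the WAN interface instead, which is exactly the
    'reply traffic leaving back through WAN' case in the checklist above.
    """
    r = lookup(routes, client_ip)
    netif = r.netif if r else None
    return netif, netif == tunnel_if


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT_RN)
    for ip in ("10.8.0.6", "192.168.1.50", "8.8.8.8"):
        r = lookup(table, ip)
        print(f"{ip:>14} -> {r.network!s:<16} gw {r.gateway:<14} via {r.netif}")
    print("reply to 10.8.0.6 leaves via", reply_leaves_via(table, "10.8.0.6", "ovpns1"))
```

Run it against the real `netstat -rn` from the OPNsense shell and check two things: that the tunnel pool (or, with the net30 topology, the client's /30 peer address) resolves to the ovpns interface rather than to `default`, and that the tunnel interface's own host route carries the `UH` flag, which marks the point-to-point peer that OPNsense uses as the gateway address for that interface.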