Messages - badstorm

#1
Hi, I can't figure out how I need to configure OPNSense to work in this scenario.

I have an OPNSense server with three networks and one VPN configured (in addition to the WAN):

LAN: 10.50.140.0/24
OPT1: 10.10.43.0/24 -> Router A
OPT2: 10.10.44/24 -> Router B
VPN: 10.100.140.0/24

The two OPT networks are connected to two other routers, respectively.
On OPNSense I configured a VPN and set the three networks as local networks.
On Router A and B I configured a static route from the VPN network to the respective OPNSense IP.

However, I cannot reach the computers on OPT1 and OPT2. If I do a traceroute, I see that the request stops at the IP address of the VPN server (OPNSense):

traceroute to 10.10.44.204 (10.10.44.204), 64 hops max
  1   10.100.140.1  24,026ms  23,306ms  23,625ms
  2   *  *  *
  3   *  *  *
  4   *  *  *
  5   *  *  *

What did I forget to configure?

Thanks
#2
Hi, I have this scenario:

OPNSense as gateway with 2 physical networks configured like this:

eth0 -> WAN -> bridge1
eth1 -> OPT1 -> bridge2
---    -> LAN -> bridge3

On the LAN I have all my servers, and on OPT1 are the desktop PCs.
I created an OpenVPN that shares the LAN addresses and OPT1 addresses (Local Network). From the VPN I can access LAN clients but not OPT1.
I opened all ports (for testing) in the firewall settings, but no luck.
OPT1 is connected to another gateway where all the PCs are connected. Is this the problem? Do I need to set some routes to that gateway?

Thanks
#3
Quote from: Jean-Christophe on July 10, 2024, 12:28:12 PM
Hi,
This looks like a firewall issue, more than a VPN server issue.
Could you have a look in the firewall logs?

You are right. My fault. I had left the old gateway on. After shutting that one down, everything works. Thanks a lot.
#4
Already unflagged.

OPNSense has 2 networks:
WAN: 192.168.1.0/24 (my home network)
LAN: 10.50.140.0/24 (internal network).

The client is a PC connected via Wi-Fi on network 192.168.1.0.
#5
Hi, I have a fresh install of OPNSense updated to 24.1.9. I am trying to create an OpenVPN server using the new "Instances" section, following this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

When I try to connect from my client, I get this message and it does not work.

TCP/UDP: Incoming packet rejected from [AF_INET]79.20.110.xxx:11194[2], expected peer address: [AF_INET]192.168.1.xxx:11194 (allow this incoming source address/port by removing --remote or adding --float)

What am I missing?
Thanks
#6
Thanks Bart, setting it to 1400 works perfectly.

But I don't understand why this setting is not necessary with old Linux distros, while with the new ones it is.
#7
I also tried with the latest Fedora (38) but got the same result. I can connect to the VPN, I can ping the servers over the VPN, but I cannot connect to them (tried HTTP and SSH). On old Linux distro releases it works.

I never changed MTU parameters. It could be a new default OpenVPN setting. I don't have much experience with MTU; what do I need to check exactly?
#8
I also tried Bart's suggestion, and with "File Only" the VPN connects correctly (also after removing the legacy options).

But I cannot connect to resources over the VPN. For example, I have an HTTP server that I can ping, but I get a timeout if I try to connect with the browser.

With Ubuntu 22.04 I have no problem (with the same VPN config files), but on Ubuntu 23.04 (and Debian 12) it does not work.
I'll try with a non-Debian-based distro like Fedora to see if there is the same problem.

Thanks for your help.
#9
I tried what cookiemonster suggested. By adding the legacy options I can connect to the VPN, but I cannot access resources over the VPN.
Later I will try what Bart proposed.

But why can't OPNsense update support for newer OpenVPN/OpenSSL versions?
#10
Here are the options available in the Client Export page. I use the Archive option. I also tried to use the Viscosity option and extract the files from the viz file, but got the same result.
#11
Thanks Bart, I tried what you suggested, but each command gives this error:

Error outputting keys and certificates
40B7EC78967F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

I'm using Ubuntu 23.04 with OpenVPN 2.6.1 and OpenSSL 3.0.8 7
#12
Hi, I'm using the latest stable release of OPNSense (23.1) as VPN server. From the latest Linux distros (Ubuntu 23.04, Debian 12, etc.) with OpenVPN >= 2.6 I cannot connect with the exported configuration. It seems that there is a problem with PKCS12.

This is the error I get:

...
2023-07-24 20:20:06 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-07-24 20:20:06 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-07-24 20:20:06 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-07-24 20:20:06 Error: private key password verification failed
2023-07-24 20:20:06 Exiting due to fatal error

The password is correct, and on Ubuntu 22.04 (OpenVPN 2.5.x) it works.

Is there any workaround?

Thanks
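The "unsupported" and "mac verify failure" lines in the two posts above are what OpenSSL 3 reports when a .p12 was written with the RC2-40-CBC scheme that older OpenSSL used by default for the certificate bags (with 3DES for the shrouded key), since RC2 now lives only in the optional "legacy" provider. The scan below is an added example, not code from the thread or from OPNsense: it walks the DER of a PKCS#12 file with the standard library only and reports which password-based-encryption algorithms the file declares, using a constructed stand-in blob in place of a real .p12.

```python
# Added example (not from the forum thread): stdlib-only scan of a PKCS#12 file
# for the PBE algorithm OIDs it declares, to tell "legacy cipher" from "wrong password".
import sys

PBE = {  # dotted OID -> (name, needs the OpenSSL 3 "legacy" provider)
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + AES)", False),
}

def decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def walk(data):
    """Return every OID in a DER blob, descending into constructed types and into OCTET STRINGs that hold DER."""
    oids, i = [], 0
    while i + 1 < len(data):
        tag, first = data[i], data[i + 1]
        n = first & 0x7F if first & 0x80 else 0          # long-form length byte count
        length = int.from_bytes(data[i + 2:i + 2 + n], "big") if n else first
        start, end = i + 2 + n, i + 2 + n + length
        if end > len(data):
            break                                          # truncated or not DER: stop
        inner = data[start:end]
        if tag & 0x20 or (tag == 0x04 and inner[:1] == b"\x30"):
            oids += walk(inner)                            # SEQUENCE/SET, or SafeContents in an OCTET STRING
        elif tag == 0x06:
            oids.append(decode_oid(inner))
        i = end
    return oids

def check_p12(der):
    """Map each PBE algorithm declared in der to whether it needs the legacy provider."""
    return {PBE[o][0]: PBE[o][1] for o in walk(der) if o in PBE}

# Constructed stand-in for a .p12 (not a real file): an OCTET STRING holding a SEQUENCE of
# two AlgorithmIdentifiers, RC2-40 for the cert bags and 3DES for the key, as OpenSSL 1.x wrote.
SAMPLE_P12 = bytes.fromhex(
    "041e301c300c060a2a864886f70d010c0106300c060a2a864886f70d010c0103")

if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_P12
    for name, legacy in check_p12(der).items():
        print(f"{name}: {'LEGACY provider required' if legacy else 'ok'}")
```

A file that reports a legacy scheme can be rewritten with current encryption on an OpenSSL 3 host with `openssl pkcs12 -in old.p12 -nodes -legacy | openssl pkcs12 -export -out new.p12`, after which OpenVPN 2.6 reads it without any legacy options.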
#13
Already tried, but it does not work. Maybe NM requires some files and fields that are missing in the exported archive, like the CA certificate (I tried adding it manually but without success).
#14
Hi, on Mac and Windows clients I use the great Viscosity app to connect to the OPNSense OpenVPN server.

On Linux (Ubuntu) I tried to import the config (exported as an archive) with the built-in GNOME NetworkManager OpenVPN plug-in, but I always get the error that the config file is not compatible.

If I try to run this config from the terminal with the command "openvpn --config", it works.

How can I edit the autogenerated config file so that it works with NetworkManager?