Virtual private networks / OpenVPN Access Across High Availability Setup
« on: January 10, 2022, 11:19:47 am »
Hey Guys,
I have the following Setup:
2x OPNSense configured in HA with:
Virtual LAN IP: 10.0.1.1/24
opnsense1 LAN: 10.0.1.2/24
opnsense2 LAN: 10.0.1.3/24
CARP Addresses for both hosts are 172.16.3.1/24 and 127.16.3.2/24. The HA and Failover on Virtual LAN IP and Virtual WAN IP work fine.
These are connected in the same LAN subnet (10.0.1.0/24). I then configured OpenVPN (10.0.8.0/24 transfer net) on the master OPNsense and created the following rules:
on OpenVPN interface:

| Protocol | Source | Port | Destination | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|
| IPv4 * | * | * | * | * | * | * |

on LAN interface:

| Protocol | Source | Port | Destination | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|
| IPv4 * | OpenVPN net | * | * | * | * | * |

on WAN interface:

| Protocol | Source | Port | Destination | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|
| IPv4 UDP | * | 1194 | WAN net | * | * | * |
Both systems also have their own WAN IPv4 addresses, and I can connect to both OPNsense instances individually using their individual WAN IPs. When I connect to opnsense1 with OpenVPN, I can access the entire LAN net except for opnsense2 (10.0.1.3/24). When I connect to opnsense2 with OpenVPN, I can also access the entire LAN net except for opnsense1 (10.0.1.2/24).
When I look into Firewall -> Log Files -> Live View I can see the following:

| Interface | Time | Source | Destination | Proto | Label |
|---|---|---|---|---|---|
| LAN | Jan 10 11:16:22 | 10.0.8.6 | 10.0.1.3 | icmp | Default deny rule |
So this means that the ICMP request is blocked by a default deny rule. However, I have a rule in Firewall -> Rules -> LAN that allows any traffic from the OpenVPN net.
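As an added example (not part of the original post, and not OPNsense's own code), the following small model evaluates the three rule tables quoted above against the exact packet in the live-view entry, so the reader can see where a "Default deny rule" label can come from. It assumes pf-style first-match evaluation on the ingress interface with an implicit final deny, and it treats the "OpenVPN net" alias as resolving to whatever tunnel network the evaluating host has configured; the `WAN net` value 203.0.113.0/24 and the alias contents are constructed for the illustration. The two alias scenarios are an assumption used to show the mechanics, not a statement about the poster's boxes.

```python
"""Per-interface firewall rule evaluation, modelled after the rule tables in the post.

Added example: not OPNsense code. Assumes first-match semantics on the ingress
interface with an implicit final "Default deny rule", and that alias names such
as "OpenVPN net" resolve to the networks configured on the evaluating host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrives on
    proto: str               # "icmp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str               # "*" or a protocol name
    src: str                 # "*", a CIDR, or an alias name
    dport: str               # "*" or a port number as text
    dst: str                 # "*", a CIDR, or an alias name
    label: str


def _match_net(value: str, addr: str, aliases: Dict[str, List[str]]) -> bool:
    """True if addr is covered by value ("*", a CIDR, or an alias that maps to CIDRs)."""
    if value == "*":
        return True
    nets = aliases.get(value, [value])   # unknown alias name: treat the text as a CIDR
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def evaluate(pkt: Packet, rules: List[Rule], aliases: Dict[str, List[str]]) -> str:
    """Return the label of the first matching rule on the ingress interface, else default deny."""
    for r in rules:
        if r.iface != pkt.iface:
            continue
        if r.proto != "*" and r.proto != pkt.proto:
            continue
        if r.dport != "*" and (pkt.dport is None or int(r.dport) != pkt.dport):
            continue
        if not _match_net(r.src, pkt.src, aliases):
            continue
        if not _match_net(r.dst, pkt.dst, aliases):
            continue
        return r.label
    return "Default deny rule"


# The three rules exactly as quoted in the post, one per interface (labels are ours).
RULES = [
    Rule("OpenVPN", "*", "*", "*", "*", "pass OpenVPN any"),
    Rule("LAN", "*", "OpenVPN net", "*", "*", "pass from OpenVPN net"),
    Rule("WAN", "udp", "*", "1194", "WAN net", "pass OpenVPN server"),
]

# The packet from the live-view entry: arrives on LAN, 10.0.8.6 -> 10.0.1.3, icmp.
LOGGED = Packet("LAN", "icmp", "10.0.8.6", "10.0.1.3")

# Constructed alias tables. 203.0.113.0/24 is a documentation prefix standing in for the WAN.
ALIASES_WITH_TUNNEL = {"OpenVPN net": ["10.0.8.0/24"], "WAN net": ["203.0.113.0/24"]}
ALIASES_WITHOUT_TUNNEL = {"OpenVPN net": [], "WAN net": ["203.0.113.0/24"]}


def at_vpn_ingress() -> str:
    """Same flow as it enters the host the client is connected to, via the OpenVPN interface."""
    return evaluate(Packet("OpenVPN", "icmp", "10.0.8.6", "10.0.1.3"), RULES, ALIASES_WITH_TUNNEL)


def on_host_with_tunnel() -> str:
    """Logged packet evaluated on a host whose 'OpenVPN net' alias contains 10.0.8.0/24."""
    return evaluate(LOGGED, RULES, ALIASES_WITH_TUNNEL)


def on_host_without_tunnel() -> str:
    """Logged packet evaluated on a host whose 'OpenVPN net' alias resolves to nothing."""
    return evaluate(LOGGED, RULES, ALIASES_WITHOUT_TUNNEL)


if __name__ == "__main__":
    print("OpenVPN ingress      :", at_vpn_ingress())
    print("LAN, alias populated :", on_host_with_tunnel())
    print("LAN, alias empty     :", on_host_without_tunnel())
```

Run as-is, the model shows that the posted LAN rule does pass 10.0.8.6 -> 10.0.1.3 whenever "OpenVPN net" resolves to 10.0.8.0/24, and that the only way the same rule set yields the logged "Default deny rule" label is when the alias resolves to nothing on the host that logged the drop. That makes the alias contents (Firewall -> Diagnostics -> pfTables on each box) the first thing worth checking, rather than the rule text itself.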