22.7 Legacy Series / OpenVPN clients not following static route on OpnSense box?
« on: September 21, 2022, 10:56:37 pm »
I recently set up a new OpnSense VM to replace a really old pfSense VM (FreeBSD 10). This system, which is being used as an OpenVPN server, has three network interfaces -- WAN, LAN and OPT1. WAN has a public IP, LAN has a 10.252.x.x/16 address and OPT1 has a 10.20.30.0/26 address. LAN and OPT1 happen to be connected to two totally different networks.
The old pfSense box doesn't have the OPT1 interface, but just like this new OpnSense system, it DOES have a single static route of 10.0.0.0/8 for the LAN traffic.
OpenVPN clients need to be able to get to all addresses in the LAN (multiple subnets beyond the 10.252.x.x) as well as the one subnet on OPT1 at 10.20.30.0/26.
When I connect to the OpnSense box, I am able to connect successfully. I'm able to get to the hosts of all the subnets on the LAN, but NOT the hosts on OPT1 (ping returns timeout). Interestingly, I'm able to communicate with the hosts on OPT1 from the OpnSense shell via the console.
The OpenVPN server is listening to 1194 on the WAN. It's using TCP and tun device mode. I've set 192.168.55.0/24 as the IPv4 tunnel network. I've listed all the applicable subnets I need available to the clients in the IPv4 Local Network field, including the 10.20.30.0/26. I've enabled the Inter-client communication, Dynamic IP and Address Pool options.
Redirect Gateway is OFF (I want a split horizon configuration). The routes for the "local networks" are being properly generated on the client. When I traceroute any of the host IPs on that network, the results return 192.168.55.1 as the first hop but the traceroute fails after that.
I've disabled the firewall completely to rule out a firewall issue, but the issue persists. I've dug through logs to no avail (even with OpenVPN logging set to debug).
OpnSense is on 10.20.30.20, but I've also tried adding 10.20.30.1 as an actual gateway but that doesn't change anything. Again, OpenVPN is routing to the LAN networks (10.252.x.x) but not the network on OPT1.
Any thoughts on what my problem might be? My thought is that if the static route were an issue, I wouldn't be able to ping hosts on the 10.20.30.x network from the shell.
Any help would be greatly appreciated. Thanks all!
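The post describes a forward path that works (OpenVPN client -> 192.168.55.1 -> OPT1) with the firewall disabled, which leaves the return path as the next thing to check. Below is an added example, not from the post or from OPNsense, that models both directions with a small longest-prefix-match lookup: the OPNsense table is built from the addresses in the post; the OPT1 host's routing table, the LAN gateway 10.252.0.1, the WAN gateway 203.0.113.1, and the OPT1 gateway 10.20.30.1 as a separate device are all assumptions. It also shows why the 10.0.0.0/8 static route does not affect OPT1 traffic: the connected /26 is a longer match.

```python
"""Longest-prefix-match routing simulator for checking both directions of
an OpenVPN client -> OPT1 host path. Added example; tables are constructed
from the forum post plus labelled assumptions, not real device output."""
import ipaddress

def lookup(table, dst):
    """Return the (prefix, next_hop, iface) entry with the longest prefix
    that contains dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, iface), net.prefixlen
    return best

# OPNsense routing table (from the post): three connected interfaces, the
# tunnel network on tun0, and the single 10.0.0.0/8 static route via LAN.
# next_hop None means "directly connected". Gateway addresses are assumed.
OPNSENSE = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),       # assumed WAN gateway
    ("10.252.0.0/16", None, "lan"),
    ("10.20.30.0/26", None, "opt1"),
    ("192.168.55.0/24", None, "tun0"),         # OpenVPN tunnel network
    ("10.0.0.0/8", "10.252.0.1", "lan"),       # static route; LAN gateway assumed
]

# Assumed OPT1 host: knows only its own subnet and a default gateway that
# is NOT the OPNsense box (10.20.30.1 as a separate device).
OPT1_HOST_NO_RETURN = [
    ("10.20.30.0/26", None, "eth0"),
    ("0.0.0.0/0", "10.20.30.1", "eth0"),
]

# Same host with an explicit return route for the tunnel network that
# points at the OPNsense OPT1 address from the post.
OPT1_HOST_WITH_RETURN = OPT1_HOST_NO_RETURN + [
    ("192.168.55.0/24", "10.20.30.20", "eth0"),
]

def path_check(client_ip, target_ip, opnsense_table, host_table, opnsense_ips):
    """Resolve the forward hop on OPNsense and the reply hop on the target
    host. reverse_ok is True only when the host's reply goes to one of the
    OPNsense addresses, i.e. the packet can re-enter the tunnel."""
    forward = lookup(opnsense_table, target_ip)
    reverse = lookup(host_table, client_ip)
    reverse_ok = reverse is not None and reverse[1] in opnsense_ips
    return {"forward": forward, "reverse": reverse, "reverse_ok": reverse_ok}

if __name__ == "__main__":
    client, target = "192.168.55.6", "10.20.30.5"   # constructed sample addresses
    for name, table in (("no return route", OPT1_HOST_NO_RETURN),
                        ("with return route", OPT1_HOST_WITH_RETURN)):
        result = path_check(client, target, OPNSENSE, table, {"10.20.30.20"})
        print(f"{name}: forward via {result['forward'][2]}, "
              f"reply next hop {result['reverse'][1]}, ok={result['reverse_ok']}")
```

Running it shows the forward lookup for 10.20.30.5 selecting the connected opt1 interface over the /8 static route in both cases, while reverse_ok flips only when the OPT1 host (or whatever 10.20.30.1 really is) has a route for 192.168.55.0/24 back to 10.20.30.20. The same lookup can be fed the actual output of `netstat -rn` on the OPNsense box and `ip route` / `route print` on an OPT1 host to confirm where the reply is really being sent.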