Messages - K2Van

#1
I just ran into this as well. I can create a user, create a user certificate but have not found how to link both together. Hence I cannot export the OpenVPN client as there is no cert linked to the client.
#2
Because I simply didn't understand what you wrote. I have some basic knowledge scraped from the internet but no real understanding of even what the terms mean... I continued searching and finally found the answer. From what I understand it has to do with SNAT and differs between router software how this is handled. I come from a Ubiquiti setup where this worked "out of the box" as they handle things differently. Will need to read up a bit to grasp this.
#3
I solved the issue in a way I did not expect. I was looking at Tailscale as an alternative to OpenVPN and they advised to set up overrides in the Unbound DNS server. After doing so the reported IP is now the OpenVPN IP and no longer the remote WAN IP. I can thus access the services as intended now.
#4
A little further analysis shows that the main traffic is probably not tunneled but the DNS is. A traceroute shows that the system name of the hotel router is resolved without VPN but not with VPN. In both cases all intermediate hops show up, which should not be visible with VPN on.

No VPN
  1  1757 ms   308 ms    11 ms  hsjameosplaya.net [172.16.0.1]
  2   283 ms    33 ms   444 ms  192.168.144.1
  3    20 ms   208 ms    23 ms  229.red-81-41-250.staticip.rima-tde.net [81.41.250.229]
  4   185 ms   864 ms   185 ms  254.red-81-41-250.staticip.rima-tde.net [81.41.250.254]


With VPN, the domain name of the first hop is missing
  1    89 ms    13 ms   199 ms  172.16.0.1
  2    16 ms    95 ms    21 ms  192.168.144.1
  3   438 ms   273 ms   925 ms  229.red-81-41-250.staticip.rima-tde.net [81.41.250.229]
  4  1994 ms  1068 ms   501 ms  254.red-81-41-250.staticip.rima-tde.net [81.41.250.254]


When playing a YouTube video and watching the data going in and out in both Task Manager and OpenVPN Connect the same wave form is shown, albeit 1000 times less in the VPN than Task Manager.
#5
I got the Android debugging tools going and indeed it also lists the WAN IP of OPNsense as remote address.
#6
I double checked the Unbound logs, the entry is indeed showing the VPN IP of the laptop. I checked a different subdomain that was not accessed for a while and it shows up with the Laptop VPN IP too.

For the browser debug I assume you mean the "remote address" in the network tab. That lists the OPNsense WAN address. It should do so I assume as that is the DNS IP for this URL.
#7
I read in forums that a user account without admin rights might not be able to do everything as intended on Windows, at least in older OpenVPN versions. I upgraded my account to admin and restarted the laptop but it does not change anything.
#8
Indeed the hostname resolves to the WAN IP where the OPNsense box routes the traffic and the OpenVPN server runs on.

But why does it work when I use my Android phone (which is on the same hotel network my laptop is on)? The WAN IP the proxy server sees is the WAN IP of the hotel, not the WAN IP of the OPNsense box. Since I see the same data rate on the OpenVPN Connect app as on the WiFi adapter in Windows I assume all traffic goes through the VPN. For those services that are regularly accessible through the internet I do get access. However for all local LAN only (plus the VPN server's subnet) the proxy logs the WAN IP of the hotel I am at when accessing with the laptop and the OpenVPN IP when accessing with the phone.

[26/Sep/2024:15:29:50 +0200] - - 403 - GET https xxx.xxx.xxx "/favicon.ico" [Client 88.25.93.196] [Length 171] [Gzip 3.23] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" "https://xxx.xxx.xxx"
[26/Sep/2024:15:30:02 +0200] - 200 200 - GET https xxx.xxx.xxx "/" [Client 10.10.102.42] [Length 1114] [Gzip -] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" "-"


Above are 2 accesses to the Nginx proxy server using the exact same OpenVPN profile. The first is the laptop showing the hotel's WAN and hence gets a 403, the second the Android phone which shows the VPN IP and is hence passed through.

And here are the Unbound logs where twice the VPN IP is logged. The only difference I see is twice an A for the laptop and A plus HTTPS for the phone.
2024-09-26T15:30:02 Informational unbound [74769:5] info: . transparent 10.10.102.42@2194 xxx.xxx.xxx HTTPS IN
2024-09-26T15:30:02 Informational unbound [74769:1] info: . transparent 10.10.102.42@33102 xxx.xxx.xxx. A IN
2024-09-26T15:29:45 Informational unbound [74769:7] info: . transparent 10.10.102.15@58573 xxx.xxx.xxx. A IN
2024-09-26T15:29:44 Informational unbound [74769:5] info: . transparent 10.10.102.15@55439 xxx.xxx.xxx. A IN
#9
It seems my last post did not get actually posted...

When I run the exact same client export file on my Android phone (using the official OpenVPN Connect app) I do get the behavior I expect: the DNS server logs the request as coming from the VPN address (as in the case when the connection comes from the laptop) and the Nginx proxy server also sees the VPN IP as incoming connection and hence serves the requested service (which is not served from the laptop as the proxy sees the laptop's WAN IP).

Is it possible that the laptop is only sending DNS through the VPN and the actual traffic over the internet? I do have redirect gateway set to default and push block outside DNS and register DNS all set, and the local LAN IP is set too. When I play a YouTube video it seems like the WiFi traffic in Task Manager and the traffic in OpenVPN Connect match, hence traffic seems to go through the tunnel.

The above contradicts your quote as far as I can judge. Can you explain what you mean by plausible reasons? I don't understand the bit "the WAN IP is not routed to the VPN".
Quote:
Yeah, so the requested host probably resolves to the WAN IP. But the WAN IP, which is the VPN client connected to is not routed via the VPN and cannot be due to plausible reasons.

Using the local DNS is not really a solution as not all services run on port 443 (for instance a Synology service page).

I do see a few things in the routing table on the laptop I don't understand:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.101.227  192.168.101.196     50
          0.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      10.10.102.0    255.255.255.0         On-link      10.10.102.66    257
     10.10.102.66  255.255.255.255         On-link      10.10.102.66    257
    10.10.102.255  255.255.255.255         On-link      10.10.102.66    257
     86.83.115.52  255.255.255.255  192.168.101.227  192.168.101.196    306
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      192.168.1.0    255.255.255.0      10.10.102.1     10.10.102.66    257
    192.168.101.0    255.255.255.0         On-link   192.168.101.196    306
  192.168.101.196  255.255.255.255         On-link   192.168.101.196    306
  192.168.101.255  255.255.255.255         On-link   192.168.101.196    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      10.10.102.66    257
        224.0.0.0        240.0.0.0         On-link   192.168.101.196    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.10.102.66    257
  255.255.255.255  255.255.255.255         On-link   192.168.101.196    306
===========================================================================
Persistent Routes:
  None


192.168.101.196 is my current WiFi IP. 10.10.102.66 is the OpenVPN IP.
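The route table above already contains the answer to the "plausible reasons" in the quoted reply, so here is an added worked example (my code, not from the thread, OpenVPN or OPNsense) that performs the same longest-prefix lookup Windows does over that exact table. With redirect-gateway, the OpenVPN client installs the 0.0.0.0/1 and 128.0.0.0/1 pair to take over the default route and pins a /32 for its own server endpoint to the physical gateway, because the tunnel's encapsulated packets must not be routed back into the tunnel. Any name that resolves to that same address is therefore sent over the hotel network and reaches the proxy from the hotel's public address. A name that resolves to a LAN address instead falls under the 192.168.1.0/24 route through the tunnel, which is why the Unbound host overrides in post #3 and the EDIT of post #14 change what the proxy sees. Assumptions in the code: 86.83.115.52 (the only /32 pinned to the WiFi gateway) is the OpenVPN server endpoint, i.e. the OPNsense WAN address; service.example.net and 192.168.1.10 are constructed placeholders for a LAN-only service name and the proxy's LAN address.

```python
"""Longest-prefix route lookup over a Windows "route print" IPv4 table.

Added example, not code from the forum thread, OpenVPN or OPNsense. The table
is the one pasted in the post above. Assumptions: 86.83.115.52 (the /32 pinned
to the WiFi gateway) is the OpenVPN server endpoint, i.e. the OPNsense WAN
address; 192.168.1.10 and service.example.net are constructed placeholders.
"""
import ipaddress

ROUTE_TABLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.101.227  192.168.101.196     50
          0.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      10.10.102.0    255.255.255.0         On-link      10.10.102.66    257
     10.10.102.66  255.255.255.255         On-link      10.10.102.66    257
    10.10.102.255  255.255.255.255         On-link      10.10.102.66    257
     86.83.115.52  255.255.255.255  192.168.101.227  192.168.101.196    306
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      192.168.1.0    255.255.255.0      10.10.102.1     10.10.102.66    257
    192.168.101.0    255.255.255.0         On-link   192.168.101.196    306
  192.168.101.196  255.255.255.255         On-link   192.168.101.196    306
  192.168.101.255  255.255.255.255         On-link   192.168.101.196    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      10.10.102.66    257
        224.0.0.0        240.0.0.0         On-link   192.168.101.196    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.10.102.66    257
  255.255.255.255  255.255.255.255         On-link   192.168.101.196    306
===========================================================================
"""

VPN_IFACE = "10.10.102.66"      # OpenVPN adapter address, from the post
WIFI_IFACE = "192.168.101.196"  # hotel WiFi adapter address, from the post

# Constructed resolvers for one LAN-only service name (hostname is a placeholder).
PUBLIC_DNS = {"service.example.net": "86.83.115.52"}        # public record: the WAN address (assumed)
UNBOUND_OVERRIDE = {"service.example.net": "192.168.1.10"}  # host override: assumed LAN address


def parse_routes(text):
    """Parse the data rows of 'route print'; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        # ipaddress accepts dotted-quad netmasks; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes


def lookup(dest, routes):
    """Select the route Windows would use: longest prefix first, lowest metric on a tie."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def path_for(name, resolver, routes):
    """Resolve a name with the given resolver, then report whether the packet leaves via the tunnel."""
    ip = resolver[name]
    route = lookup(ip, routes)
    return {
        "ip": ip,
        "route": str(route["net"]),
        "iface": route["iface"],
        "via_tunnel": route["iface"] == VPN_IFACE,
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for label, resolver in (("public DNS", PUBLIC_DNS), ("Unbound override", UNBOUND_OVERRIDE)):
        print(label, path_for("service.example.net", resolver, table))
```

Running it shows the public record leaving on the WiFi adapter through the /32 and the override leaving through the tunnel on 192.168.1.0/24. The difference with the Android phone is consistent with the Android VPN API excluding only the VPN app's own socket from the tunnel rather than installing a host route, so other apps' packets to the server address still enter the tunnel; that is my reading of the API, not something the thread verified.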
#10
It would help if I had a better idea where to start searching as that might give more detail but I lack knowledge here... Anyway I will try to answer your questions.

I am using IPv4 only, the VPN sends all traffic through the tunnel. Hence the router's DNS is accessed by the VPN client (verified the log entries on the OPNsense box).
The proxy server uses my domain name to send traffic to the respective services. I want to be able to connect to the subdomains that are LAN only by connecting the VPN and tunneling traffic. The proxy server has the OpenVPN address range in its allowed addresses. This has worked when I used a Raspberry Pi to run the OpenVPN server and post-routed the traffic on the RPi such that the IP the traffic came from was the RPi's LAN address.

When I connect to the proxy (which is on the local LAN) from the internet a few services have their setting to allow incoming WAN connections and those are served. All other services are set to LAN + OpenVPN only and get a 403 as intended.

When I connect through the OpenVPN tunnel I can access the services that are allowed from WAN but not the ones allowed from LAN only, these still get a 403.
The Unbound logs show the request with the client's VPN IP address as the source.
The logs of the Nginx proxy server show the WAN address from the location I am at even though I am connecting through the VPN tunnel.
When I connect to a service on the internet at the same time (myIP.com) this one shows my outgoing home WAN address and not the remote WAN address I am at. Hence traffic is routed through the tunnel.

I can connect to all services when using their IP or .home.arpa addresses further confirming the connection through the VPN is active.

I just realize I do set a bunch of headers on the proxy server:
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
These might well be overkill and cause the VPN to give the client IP instead of the VPN IP.
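As an added example (my code, not from the thread or from Nginx Proxy Manager), the check below replays the two proxy log lines from post #8 against an access list and flags any line whose logged status disagrees with the list. The point it makes for both post #8 and the header question just above: the access list is evaluated on $remote_addr, the source address of the TCP connection as the proxy received it (after any NAT on the way), and the X-Real-IP / X-Forwarded-For headers set with proxy_set_header are derived from that value for the upstream, so they cannot change what the access list sees. The allow list (192.168.1.0/24 plus 10.10.102.0/24) is an assumption based on the thread; the user agents in the sample lines are shortened.

```python
"""Check Nginx Proxy Manager proxy-host log lines against an access list.

Added example: not code from the forum thread or from Nginx Proxy Manager.
The two log lines are the ones pasted in post #8 (user agents shortened);
the allow list is an assumption based on the thread (LAN 192.168.1.0/24
plus the OpenVPN pool 10.10.102.0/24).
"""
import ipaddress
import re

# Assumed access list: LAN plus the OpenVPN client pool (values taken from the thread).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.102.0/24")]

# Log lines from post #8. Field order as they appear in the lines:
# [time] cache_status upstream_status status - method scheme host "uri" [Client $remote_addr] ...
SAMPLE_LOG = """\
[26/Sep/2024:15:29:50 +0200] - - 403 - GET https xxx.xxx.xxx "/favicon.ico" [Client 88.25.93.196] [Length 171] [Gzip 3.23] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..." "https://xxx.xxx.xxx"
[26/Sep/2024:15:30:02 +0200] - 200 200 - GET https xxx.xxx.xxx "/" [Client 10.10.102.42] [Length 1114] [Gzip -] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (X11; Linux x86_64) ..." "-"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<cache>\S+) (?P<upstream>\S+) (?P<status>\d{3}) \S+ '
    r'(?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) "(?P<path>[^"]*)" '
    r'\[Client (?P<client>[^\]]+)\]'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "status": int(m["status"]),
        "method": m["method"],
        "host": m["host"],
        "path": m["path"],
        # $remote_addr: the TCP peer address as the proxy saw it, i.e. after any NAT
        # on the path. X-Real-IP / X-Forwarded-For sent to the upstream are built from
        # this value; they do not feed back into the access list decision.
        "client": ipaddress.ip_address(m["client"]),
    }


def is_allowed(client, networks=ALLOWED_NETWORKS):
    """True if the client address falls inside any allowed network."""
    return any(client in net for net in networks)


def audit(log_text, networks=ALLOWED_NETWORKS):
    """Evaluate every parsable line; 'consistent' is False when the logged status
    disagrees with the allow list (a sign the list, or the source IP you expect,
    is not what the proxy actually saw)."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["allowed"] = is_allowed(rec["client"], networks)
        rec["consistent"] = rec["allowed"] == (rec["status"] != 403)
        results.append(rec)
    return results


def explain(rec, networks=ALLOWED_NETWORKS):
    """One-line diagnosis for a record, handy when reading a flood of 403s."""
    if rec["allowed"]:
        matched = next(net for net in networks if rec["client"] in net)
        return f"{rec['client']} is inside {matched}: access list permits it"
    return (f"{rec['client']} is outside {[str(n) for n in networks]}: the request did not "
            f"arrive from the VPN client pool, so the access list denies it")


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(rec["status"], rec["client"], "->", explain(rec))
```

Both lines come out consistent: the 403 is exactly what the list should produce for a hotel address, which narrows the problem to how the laptop's packets reach the proxy rather than to the proxy configuration or the headers.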
#11
I run an OpenVPN server instance, can connect and access both the local LAN and internet through the VPN.

In the LAN I run an Nginx proxy server where certain services are limited to the local LAN. When connecting to the LAN via OpenVPN I can however not connect to the services that are limited to the local LAN (403 forbidden error) as it sees the remote internet IP instead of the VPN IP (I have the VPN IP range set as allowed in Nginx Proxy Manager). The Nginx Proxy Manager logs show the remote internet IP.

Connecting directly to the IP:port of the proxied services does work as the VPN is functional. The services that are exposed to the internet can be accessed through the proxy server as usual.

Is there a specific setting in OpenVPN to make it report the VPN IP?
#12
My logs get flooded with the following message:

<171>1 2023-10-18T20:43:20+02:00 OPNsense.home.arpa suricata 70341 - [meta sequenceId="34716810"] [101173] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe1': (55u) No buffer space available

Google search delivers some results that OPNsense or actually FreeBSD cannot cope with the PPPoE interface of my provider (Dutch KPN). So I switched the interface from WAN to LAN but still the same messages. Switching off IPS also continues to give the same messages (in both cases the messages are still about the pppoe interface). The message above is actually with Suricata set to look at the LAN interface with IPS off.

Even when I untick enabled (in the Services - Intrusion detection - Administration menu) Suricata continues to produce these messages. Hence I think the settings are not actually being picked up. I also cannot disable the service from the dashboard.
#13
I tried several VPN options (OpenVPN, WireGuard and Tailscale). For all of them I manage to get connected to my LAN machines and connect to services using their IP address. So far so good.

When the traffic hits my Nginx Proxy Manager I get denied access even though the VPN IP ranges are in the access list for that subdomain. Checking the logs I find the WAN IP of the client is reported instead of the VPN IP.

Is there a way to change this such that the VPN IP is reported? I tried about every setting I could find in the OPNsense interface for the different VPN types.
#14
Maybe I have the same issue.

Port forwarding is working when accessing services from the WAN side (i.e. mobile on 4G).
Port reflection is working for ports 80 and 443 from LAN.

Port reflection does not work for other ports (email or several other services).

It looks like port reflection only works on http and https ports.

EDIT:
I just found out what was wrong.

First of all I needed to set host overrides in Unbound DNS. I pointed a subdomain to my mail server (different box from the web proxy server).

Then I had to flush the DNS of my clients as resolving the domain name gave the outside IP which does not reflect.

Is this a bug in OPNsense (or a feature)? Anyway I cannot find anything pointing to this in the docs but found fragments when searching.
#15
Thanks, that did it!