Virtual private networks / Re: OpenVPN server instance - no ipv4 access to WAN
« on: February 28, 2024, 01:28:02 am »
You've just convinced me to go try the legacy config! I am a newbie OPNsense user and this is my first time attempting to set up OpenVPN - I came in assuming the new "instances" config is the preferred/recommended way!
UPDATE:
I just tried to recreate the OpenVPN server using legacy config (I am on 24.1.2_1). To be honest, I feel they are quite similar:
1. both automatically create interface (both un-assigned though)
2. IPv6 (YouTube) doesn't go through VPN for either (I think)
3. both leak IPv6 address (confirmed from https://ipleak.net/)
4. had to manually specify client DNS (to use Unbound) for both configs
5. had Unbound set to bind to ALL for both, and no need to do anything else
The only two diffs I see:
a. Unbound bind interfaces drop-down menu doesn't show VPN for new config. However this doesn't seem to matter as I set to bind to ALL so it just works (as long as I did 4 above)
b. SNAT is automatically generated for VPN interface for legacy config. Had to manually add it for new.
To your other question, I don't see a way to manually add OpenVPN options in new config either. However even in the legacy config, that option seems deprecated already - "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting."