Messages

Done exactly all of that, not working.

Log has a strange entry:
looking for peer configs matching opnsense.public.ip[%any]...remote.public.ip[remote.c-class.id] - no matching peer config found

Why is opnsense trying to match %any as ID with its public IP, when in config (Preshared Key and Connections - Local Authentication) opnsense.public.ip is entered as local ID?

Nope, I set up new routed version of IPSEC (VTI, PSK, Conn, Gw, Route).

Remote router is sending its private WAN address 192.168.0.254 as remote ID.
Can you please tell me where do I put remote ID info OPNSense IPSEC configuration?
I put remote ID in PSK and Connections - Remote Authentication, tunnel is down.

Since interface can't be deassigned in GUI, I removed it's entries from config.xml and finally got what I wanted, no more 50 unnecessary firewall rules ... until I upgraded, they are all back.

So, I have 50 entries in Firewall-Rules I don't want and don't need. I tried to delete assignment for that interface, nothing happens, assignment is not deleted, no error message, not even after reboot.

I removed gateway and route for that interface (all the references), same.

Bug?

Here are the screenshots, i redacted info and shortened it only to 3 tunnels, I hope you will get the picture.

Firewall group IPSEC_VPN contains IPsec and all tunnels (Tun1_IPSEC, Tun2_IPSEC, Tun3_IPSEC ...)

In Interface those tunnels (Tun1_IPSEC, Tun2_IPSEC, Tun3_IPSEC ...) are grouped.

In Firewall rules, I have each TunX_IPSEC interface, as well as generic IPsec, my IPSEC_VPN group etc.

I set up IPSEC site to site tunnel with OPNSense having public IP and NAT-ed Fortigate on the other site.
Fortigate is behind ISP router, its WAN has private IP, all necessary ports are forwarded from ISP router to Fortigate:

OPNSENSE (PUBLIC IP) ---- ISP (PUBLIC IP) --- Fortigate (Private IP)

With other devices, for IPSEC site to site tunnel to work, all it took was to setup remote (FG) ID as it's private IP.
With OPNSense I just can't make it work with same configuration. Log says:

looking for peer configs matching OPNSensePublicIP[%any]...ISPPublicIP[FGprivateIP]
no matching peer config found

What am I doing wrong?

On my OPNSense plugin started to work after reboot.

Screenshots contain sensitive data, names of the real companies. I will redact them on Monday and put them here.

One more thing regarding UI. When I create IPSEC site to site tunnel, it gets interface automatically associated to it. Since I have 50+ tunnels with same simple rules (LAN to remote OK, remote to LAN ping one IP), I created firewall group and put all IPSEC interfaces in. Those simple rules are applied on group and it works OK.

In Interfaces menu I have clean visibility - all of 50+ interfaces are grouped and expandable.

In Firewall Rules menu I have:

• one generic ipsec submenu
• firewall group submenu
• each of 50+ interface submenu

In terms of visibility, that is a problem. I hoped for submenus in Firewall Rules to be grouped as they are in Interfaces menu. Can it be accomplished?

There are still OpenVPN firewall group and OpenVPN firewall rules that I don't need or use.

How can I get rid of those

Just delete the rules.

The OpenVPN group is just there if any instance is configured.

There are no rules in OpenVPN, but menu for OpenVPN is there and I don't need it since I don't use it. Can it be hidden?
With firewall, less is more, IMO.

I created OpenVPN instance and assigned MyOpenVPN interface to ovpns1, set up firewall rules, everything works.

There are still OpenVPN firewall group and OpenVPN firewall rules that I don't need or use.

How can I get rid of those to have clean administration of only things that are really used?

I found info that OpenVPN group is non-removable, can I hide it somehow?

Do you think that UI on firewall editing rules could be enhanced in terms of visibility?

Imo there are 3 important segments of rule: source info, destination info and action info. Grouping or for example different colors of those segments would result in better visibility.

For example, source direction is candidate for advanced screen, when source direction can be out?

For me, sometimes less is more, and visibility is better on less.

[Instance configuration]

I found a solution.

Instance configuration has to be split tunnel type, local Internet, LAN access with Redirect gateway = Nothing and appropriate firewall rules that allow access only to LAN. I used /23 mask so that first 254 addresses are assigned to split tunnel users, enough for me.

For full tunnel access in CSO define fixed IPv4 Tunnel Network from other part of /23 subnet, set Redirect gateway = default and allow access to everything trough firewall. That works.

From my experience, it took a long time to learn how to configure OpenVPN server for this scenario since documentation is not so helpfull. When I have time, one day I might write detailed instructions how to set up full/split tunnel on one OpenVPN instance.

Thanks @viragomann for help, this problem is resolved.

Can anyone please confirm that CSO can or cannot be used for split tunnel VPN on the same OpenVPN instance?

Reasons for using one instance are:

• Simpler config with only one interface instead of 2+, one for full tunnel, one for split tunnel, one for filtered access etc.
• Different ports for different instances

Thanks.

Seems all right to me as far as I can see.

Try a /24 mask in the server at least for testing purposes. I saw several issues here with bigger tunnel subnets.
Remember to set also tunnel in the CSO to the correct subnet and mask.

Tried /24 mask, same thing.

Can CSO be used at all for split tunnel VPN?

Tested with:

Instance network - 10.249.240.0/24
CSO test IP - 10.249.240.129/24 (no Push reset)
FW rules - 10.249.240.0/25 full (1-126), 10.249.240.128/25 split (129-254)

With Push reset activated i cannot connect, as explained before.