Messages

Logging is up to you. I prefer to log everything

In my opinion, it doesn't make sense to log that my OPNsense connected to my DNS recursor on UDP port 53. That only clutters up things and makes the logs harder to filter.

That being said, it doesn't look like my OPNsense allows me to turn off the Log feature on the automatically created "let out anything from firewall host itself" rule (no hover text when I hover over the "i"), and since it's an automatically created rule that is early in my WAN rule set, I also cannot put in an earlier rule allowing outgoing DNS without logging.

How do I get rid of that log entry avalanche?

Greetings
Marc

Try a reboot, maybe, to whack the interfaces into shape? ;-)

"Gesundbooten" as we say in Germany. It helped. Part of me is happy about that, other part not.

Thanks for helping.

Greetings, Marc

You should have an ovpns1 interface with 10.242.4.1/26, not a tun1 on OPNsense.

Nosireebob.

Code Select Expand

root@OPNs01:~ # ifconfig | grep ovpn
root@OPNs01:~ # ifconfig | grep 242
root@OPNs01:~ #


Which version of OPNsense are you running?

25.1.10 on FreeBSD 14.2-RELEASE-p3. I intend to upgrade before going live, but I'd like to have the configuration complete so that I can actually see that everything survives the upgrade.

Greetings
Marc

Topology = "Subnet"?

Yes. I forgot to mention that. Fixed the original article.

Firewall rule on OpenVPN: direction "in", allow all?

I think so.

You cannot view this attachment.

>Direction is frequently confusing for OPNsense beginners.

Yes, but it's mentioned THIS properly in ALL docs that it's almost impossible to miss.

Greetings
Marc

Hi,

I have been using OpenVPN for quite a while but am new to OPNsense. There are some things that confuse me.

I have created a CA on my OPNsense installation, and I have created an OpenVPN _instance_ with the role Server, the Type TUN and topology "subnet". As "Server (IPv4)" I have set 10.242.4.0/26. My Local Network ("internal" on my OPNsense) is 192.168.0.0/20 (don't ask), and I have left the Remote Network empty since the (currently, one) client is just a client.

My client is a plain Linux machine, and the connection comes up: I see a tun0 Interface on the client, with 10.242.4.2/26 assigned as its IP address, and when I ping 10.242.4.1 and tcpdump on tun0, I see those ICMP echo requests going down the tunnel. On the OPNsense side, I see the client with Status "ok" in VPN => OpenVPN => Connection Status. However, I don't see any log entries refering to the connection in VPN => OpenVPN => Log File.

I have a firewall rule on my WAN interface to allow the incoming UDP/1194 packets to my OPNsense, and I have an "allow all" rule in the "OpenVPN" ruleset.

However, when I ping 10.242.4.1 from the client, there is no answer. Neither there is an answer when I ping 192.168.0.141 which is a host on my internal network. tcpdumping on the OPNsense internal interface doesn't see the ICMP echo request packets from my VPN client.

Now the strange things:

• ifconfig on my OPNsense shows a tun1 Interface, but that one doesn't have an IP address. I would have expected 10.242.4.1/26 to appear on that interface.
• Firewall => Log Files => Live View doesn't show anything with "Interface" OpenVPN, and I cannot establish a filter "Interface contains OpenVPN". The List only contains internal, Loopback, MGT0, PFSYNC and wan.

Obviously OPNsense does something differently from what I am used to when using OpenVPN on Linux. Can someone enlighten me please?

Greetings
Marc