Messages - ati

#1
I got it.

I needed to set the fragment size in the openVPN configuration. Once I did that everything worked as expected.

Thank you for your support!
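The fix above was a fragment size in the OpenVPN client configuration. The thread never says how the value was chosen, so here is an added example (not from the thread or from OPNsense) of the usual way to size it: send Don't-Fragment pings of increasing payload and binary-search for the largest one the path carries, which gives the path MTU the tunnel has to fit inside. The network probe is simulated here so the script runs offline; on a FreeBSD-based box the real probe is `ping -D -s <size> <host>`. The 100-byte overhead allowance in `suggest_fragment` is an assumption, not a figure from the thread.

```python
IPV4_HEADER = 20   # bytes
ICMP_HEADER = 8    # bytes

def simulated_link(path_mtu):
    """Constructed stand-in for `ping -D -s <size>`: the probe passes iff the
    whole IPv4 packet (payload + headers) fits the assumed path MTU."""
    def probe(payload_bytes):
        probe.calls += 1
        return payload_bytes + IPV4_HEADER + ICMP_HEADER <= path_mtu
    probe.calls = 0
    return probe

def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary search for the largest DF ping payload that gets through.

    `lo` must pass (0 bytes always should); `hi` defaults to the payload that
    exactly fills a 1500-byte Ethernet MTU. Returns None if even `lo` fails.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while hi - lo > 1:              # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def path_mtu(payload_bytes):
    """Convert the largest passing ping payload back into the path MTU."""
    return payload_bytes + IPV4_HEADER + ICMP_HEADER

def suggest_fragment(path_mtu_bytes, overhead=100):
    """Candidate OpenVPN `fragment`/`mssfix` value.

    ASSUMPTION: `overhead` is a generous allowance for the outer IP/UDP headers
    and OpenVPN's own framing; the exact figure depends on cipher and options,
    so treat the result as a starting point to verify with another DF ping.
    """
    return path_mtu_bytes - overhead

if __name__ == "__main__":
    link = simulated_link(1400)     # constructed: a path that only carries 1400 bytes
    best = largest_passing_payload(link)
    print(f"largest payload {best}, path MTU {path_mtu(best)}, "
          f"{link.calls} probes, suggested fragment {suggest_fragment(path_mtu(best))}")
```

Each probe halves the search interval, so the whole sweep takes about a dozen pings even over the full 0..1472 range; that is fast enough to repeat after every configuration change.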
#2
I cannot ping anything external. I have tried many known IPs... I am only doing IP addresses to not deal with DNS at all, so DNS resolution isn't an issue at the moment.

The only things I can ping are my local networks and the virtual IPv4 address of the openVPN tunnel.

I am just guessing at openVPN configuration. If the firewall and policies are working (which they appear to be based on the packet captures), there isn't much left. Maybe I have a bad setting so it doesn't pull the addressing into the routing table? I am not sure. All I know is traffic isn't making it back on the openVPN interface.
#3
Quote from: viragomann on Today at 09:19:16 PM
To investigate run a packet capture. Select all interfaces, at protocol select ICMP and state 8.8.8.8 in the host field. Start the capture and try to ping 8.8.8.8. Then view the capture (less details).
You should see the packets on the wifi interface at least.

Maybe you missed a message I edited because it was a double and I edited after. (message 5)

I did run a packet capture. I ran it on the ExpressVPN interface. I am seeing the traffic there (as expected) so that tells me my firewall rules (at least in the outbound direction) are working fine. The ping is traversing the firewall rules and making it to the ExpressVPN interface. However, I never see an echo reply on the ExpressVPN interface. So that leads me to think it is a routing issue or an openVPN config issue.
#4
Quote from: viragomann on Today at 08:44:37 PM
If you did enable logging of the rule, you should see the pings in the log, even if you don't get a response. But maybe the rule is not applied.
Note that rules on interface groups and floating quick rules are probed before interface rules. So if any matches the pings it will be applied.

I don't have any group or floating rules.

Based on the above, it doesn't appear to be a rule issue. It seems to be a routing one. The packets are making it to the correct VPN interface for egress. I just don't see any ingress back on that VPN interface.
#5
I just did a packet capture on the ExpressVPN interface.

I can see my ICMP echo requests going out to the IPv4 address of the openVPN connection (the RFC1918 address).

I don't see any replies coming back on that interface.

Does that point to an issue on the openVPN configuration?
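The diagnostic in this post and in message 3 (echo requests visible on the VPN interface, no echo replies) is what separates a firewall-rule problem from a routing/NAT/tunnel problem. As an added example, not code from the thread or from OPNsense, the script below pairs requests with replies in tcpdump-style capture lines (the format OPNsense shows in the "less details" view) and reports which destinations never answered. The capture lines and addresses (10.8.0.6 as the tunnel client, 10.8.0.1 as the tunnel gateway) are constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump-style ICMP echo line, e.g.
# "21:20:01.100001 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64"
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture (not from the thread): three pings to 8.8.8.8 leave
# on the tunnel and never come back; one ping to the tunnel gateway is answered.
SAMPLE_CAPTURE = """\
21:20:01.100001 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
21:20:02.100122 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 4242, seq 2, length 64
21:20:03.100304 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 4242, seq 3, length 64
21:20:05.000010 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 4243, seq 1, length 64
21:20:05.000980 IP 10.8.0.1 > 10.8.0.6: ICMP echo reply, id 4243, seq 1, length 64
"""

def match_echoes(capture_text):
    """Pair every echo request with its reply by (src, dst, id, seq).

    Returns {(src, dst): [unanswered seq numbers]} so the caller can see which
    destinations got nothing back on this interface.
    """
    requests = {}
    answered = set()
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue                      # not an ICMP echo line; ignore
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], ident, seq)] = m["ts"]
        else:
            # A reply flows dst -> src, so flip it back onto the request's key.
            answered.add((m["dst"], m["src"], ident, seq))
    unanswered = defaultdict(list)
    for key in requests:
        if key not in answered:
            src, dst, _ident, seq = key
            unanswered[(src, dst)].append(seq)
    return dict(unanswered)

def diagnose(unanswered, tunnel_gateway):
    """Turn the pairing into the conclusion the thread reaches."""
    if not unanswered:
        return "all echo requests on this interface were answered"
    if any(dst == tunnel_gateway for _src, dst in unanswered):
        return "the tunnel gateway itself is silent: the tunnel is not up end to end"
    return ("requests leave on the tunnel but nothing beyond the tunnel gateway "
            "replies: the outbound firewall rule is fine; look at routing, outbound "
            "NAT and the OpenVPN client settings (fragment/mssfix)")

if __name__ == "__main__":
    missing = match_echoes(SAMPLE_CAPTURE)
    for (src, dst), seqs in missing.items():
        print(f"{src} -> {dst}: no reply for seq {seqs}")
    print(diagnose(missing, tunnel_gateway="10.8.0.1"))
```

Run it against a capture taken on the VPN interface with host filter set to the ping target; if the gateway answers but external hosts do not, the outbound rule and policy routing have already done their job and the problem is on the return path or in the tunnel itself.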
#6
Quote from: viragomann on Today at 08:10:10 PM
Looks well so far. Should work at least for IPs.
So for testing just ping 1.1.1.1 or 8.8.8.8 from the concerned device.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable the logging of firewall rule and check if it is applied in the live log, after pinging.

I have been trying to ping 8.8.8.8 and nothing.

The gateway is listed as a valid gateway.
When I look in the live firewall view and filter on the IP (192.168.20.75) I don't know how to tell if it is working. When I ping my default gateway I can see the ICMP packet pass. I cannot see the ping to 8.8.8.8 at all. How can I tell that the rule for the gateway is applied?

Interestingly I can see random 'internet' traffic passing from that host, but the host is unable to ping anything. It is almost as if it is getting filtered on the return?
#7
Quote from: viragomann on Today at 07:12:17 PM
Quote from: ati on Today at 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.
An outbound NAT rule doesn't force any traffic to anywhere. It just translates the source IP in outbound packets on an interface to any other.
For proper working you have to select the interface as translation address.

Did you add this rule to the OpenVPN interface, which you have created before?

If it's not that, please give more details on your rules.

I am not sure I follow exactly.
These are my two rules I have created:

This rule is on the interface of the network (WIRELESS net, 192.168.20.0/24) that the device I want to send through the VPN (192.168.20.75) is on:

This rule is in the NAT > Outbound manual rules:

Those are the only 2 firewall/NAT rules I created following the YouTube guide.

#8
I have been using OPNsense for a while now and have gotten many things configured, including a site-to-site wireguard VPN to another OPNsense box as well as client wireguard tunnels, successfully.

I am trying now to make an 'always on' VPN using ExpressVPN via openVPN for a specific VLAN. I am using this guide so far: https://www.youtube.com/watch?v=wDEHo9XJjeA

  • I have gotten the openVPN connection established (at least the status is connected).
  • I added a new interface for the openVPN connection and enabled it.
  • My gateway table has updated with 2 new routes for the openVPN connection (one IPv6 and one IPv4); the IPv6 connection says active for some reason.
  • I enabled route-nopull in my openVPN configuration, so there is no route in my routing table for that connection.

Then things started to fall apart for me. I am testing right now, so I am trying to make a single client 'take the VPN path'; instead of using an alias as in the video, I am using a single host IP.
  • I added a firewall rule on the interface the device is connected to. It forces all traffic from that one source IP to use the openVPN interface as its gateway.
  • I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.

When I do all that I cannot ping anything anymore. I have been using 8.8.8.8 to eliminate any DNS issues as well.

I am not really sure where to even begin looking at logs or how to troubleshoot this. The firewall rules seem pretty simple in the way they operate, but I am not sure if it is the firewall, openVPN, NAT rules, or the gateway/route configuration.