OPNsense
Show Posts

Topics - CDuv

1. Virtual private networks / WireGuard "Handshake did not complete after 5 seconds": Multi-WAN outgoing issue
« on: October 03, 2022, 06:27:45 pm »
Hello,

I am failing to set up a WireGuard VPN tunnel on my OPNsense (v22.7.4 with "os-wireguard" plugin v1.12) and I begin to think the multi-WAN configuration (load balancing, outbound rules, gateway groups, …) is causing issues.

I have, using the guide, already set up a "Road Warrior" WireGuard VPN server on another OPNsense box, but there was only a single WAN.

I've read (on this forum?) that WireGuard is not really (yet?) capable of multi-WAN, and I get it: but could I at least get it to work over one of the WANs I have (without load balancing nor automatic failover)?

I am using the iOS client and the logs show:

    Handshake did not complete after 5 seconds, retrying (try 3)

In the "VPN: WireGuard: List Configuration", the peer part does display "endpoint", "allowed ips" and some "transfer" values, but no "latest handshake" (which the "Handshakes" tab confirms: the timestamps for the peer is at "0").

Here is what I want to have in the end:

  • Allow a user to connect to my LAN network from outside (the Internet)
  • It does not need to access the Internet via the VPN (he'll use his ISP for that)
  • Restrict it to a fixed local IP address
  • Apply some restrictions to what local IP addresses it can access (e.g. only allow access to a printer having IP 10.0.0.78/24; I'll try to set this up once I get the previous 3 points up and running)

Here is my setup:

(My LAN is on 10.0.0.0/24)

VPN: WireGuard:
* Local:
  * Enabled: ☑
  * Name: WG_VPN
  * Public Key: Mo_d…Vb1p
  * Listen Port: 51820
  * Tunnel Port: 10.3.0.1/26
  * Peers:
    * user1
* Endpoint:
  * Enabled: ☑
  * Name: user1
  * Public Key: Fx+p…Zw3d
  * Shared Secret: (empty)
  * Allowed IPs: 10.3.0.2/32
  * Endpoint Address: (empty)
  * Endpoint Port: (empty)
  * Keepalive: (empty)
* List Configuration:

    interface: wg1
      public key: Mo_d…Vb1p
      private key: (hidden)
      listening port: 51820

    peer: Fx+p…Zw3d
      allowed ips: 10.3.0.2/32


Interfaces: [WG_VPN]:
* Enabled: ☑
* Lock: ☑
* Device: wg1
* IPv4 Configuration Type: None
* IPv6 Configuration Type: None

Firewall: NAT: Outbound:
* Mode: Hybrid outbound NAT rule generation
* Manual rules:

    Interface | Source      | NAT Address       | NAT Port
    WAN_1     | 10.0.0.0/24 | Interface address | *
    WAN_2     | 10.0.0.0/24 | Interface address | *

Firewall: Rules: LAN:

    Source      | Port | Destination | Port | Gateway          | Description
    10.0.0.0/24 | *    | 10.3.0.0/26 | *    | *                | Allow LAN clients to contact WG_VPN clients
    10.0.0.0/24 | *    | 10.3.0.0/26 | *    | GW_LoadBalancing | Set the gateway for LAN clients

Firewall: Rules: WG_VPN:

    Source | Port | Destination | Port | Gateway | Description
    *      | *    | *           | *    | *       | Allow all WG_VPN clients to contact LAN clients (for now)

I tried deleting all the WireGuard setup and starting fresh without much success.

Full logs from the iOS client:

[APP] startActivation: Entering (tunnel: MyCompany)
2022-10-03 17:22:06.517 [APP] startActivation: Starting tunnel
2022-10-03 17:22:06.518 [APP] startActivation: Success
2022-10-03 17:22:06.542 [APP] Tunnel 'MyCompany' connection status changed to 'connecting'
2022-10-03 17:22:06.672 [NET] App version: 1.0.15 (26)
2022-10-03 17:22:06.673 [NET] Starting tunnel from the app
2022-10-03 17:22:06.756 [NET] DNS64: mapped 1.2.3.4 to itself.
2022-10-03 17:22:06.756 [NET] Attaching to interface
2022-10-03 17:22:06.757 [NET] UAPI: Updating private key
2022-10-03 17:22:06.757 [NET] Routine: decryption worker 1 - started
2022-10-03 17:22:06.757 [NET] Routine: event worker - started
2022-10-03 17:22:06.757 [NET] Routine: encryption worker 1 - started
2022-10-03 17:22:06.757 [NET] Routine: handshake worker 1 - started
2022-10-03 17:22:06.757 [NET] Routine: decryption worker 2 - started
2022-10-03 17:22:06.757 [NET] Routine: handshake worker 2 - started
2022-10-03 17:22:06.758 [NET] Routine: encryption worker 2 - started
2022-10-03 17:22:06.758 [NET] Routine: TUN reader - started
2022-10-03 17:22:06.759 [NET] UAPI: Removing all peers
2022-10-03 17:22:06.761 [NET] peer(Mo_d…Vb1p) - UAPI: Created
2022-10-03 17:22:06.763 [NET] peer(Mo_d…Vb1p) - UAPI: Updating endpoint
2022-10-03 17:22:06.765 [NET] peer(Mo_d…Vb1p) - UAPI: Updating persistent keepalive interval
2022-10-03 17:22:06.767 [NET] peer(Mo_d…Vb1p) - UAPI: Removing all allowedips
2022-10-03 17:22:06.769 [NET] peer(Mo_d…Vb1p) - UAPI: Adding allowedip
2022-10-03 17:22:06.771 [NET] UDP bind has been updated
2022-10-03 17:22:06.771 [NET] Routine: receive incoming v4 - started
2022-10-03 17:22:06.773 [NET] peer(Mo_d…Vb1p) - Starting
2022-10-03 17:22:06.773 [NET] Routine: receive incoming v6 - started
2022-10-03 17:22:06.775 [NET] peer(Mo_d…Vb1p) - Sending keepalive packet
2022-10-03 17:22:06.775 [NET] peer(Mo_d…Vb1p) - Routine: sequential sender - started
2022-10-03 17:22:06.775 [NET] peer(Mo_d…Vb1p) - Routine: sequential receiver - started
2022-10-03 17:22:06.777 [NET] peer(Mo_d…Vb1p) - Sending handshake initiation
2022-10-03 17:22:06.780 [NET] Interface state was Down, requested Up, now Up
2022-10-03 17:22:06.781 [NET] Device started
2022-10-03 17:22:06.783 [NET] Tunnel interface is utun2
2022-10-03 17:22:06.786 [APP] Tunnel 'MyCompany' connection status changed to 'connected'
2022-10-03 17:22:06.787 [NET] Network change detected with satisfied route and interface order [pdp_ip0]
2022-10-03 17:22:06.788 [NET] DNS64: mapped 1.2.3.4 to itself.
2022-10-03 17:22:06.790 [NET] peer(Mo_d…Vb1p) - UAPI: Updating endpoint
2022-10-03 17:22:06.792 [NET] Routine: receive incoming v4 - stopped
2022-10-03 17:22:06.792 [NET] Routine: receive incoming v6 - stopped
2022-10-03 17:22:06.796 [NET] UDP bind has been updated
2022-10-03 17:22:06.796 [NET] Routine: receive incoming v6 - started
2022-10-03 17:22:06.796 [NET] Routine: receive incoming v4 - started
2022-10-03 17:22:07.044 [NET] Network change detected with satisfied route and interface order [pdp_ip0, utun2]
2022-10-03 17:22:07.045 [NET] DNS64: mapped 1.2.3.4 to itself.
2022-10-03 17:22:07.072 [NET] peer(Mo_d…Vb1p) - UAPI: Updating endpoint
2022-10-03 17:22:07.074 [NET] Routine: receive incoming v4 - stopped
2022-10-03 17:22:07.074 [NET] Routine: receive incoming v6 - stopped
2022-10-03 17:22:07.076 [NET] UDP bind has been updated
2022-10-03 17:22:07.078 [NET] Routine: receive incoming v6 - started
2022-10-03 17:22:07.078 [NET] Routine: receive incoming v4 - started
2022-10-03 17:22:11.509 [APP] Status update notification timeout for tunnel 'MyCompany'. Tunnel status is now 'connected'.
2022-10-03 17:22:12.044 [NET] peer(Mo_d…Vb1p) - Handshake did not complete after 5 seconds, retrying (try 2)
2022-10-03 17:22:12.045 [NET] peer(Mo_d…Vb1p) - Sending handshake initiation
2022-10-03 17:22:17.210 [NET] peer(Mo_d…Vb1p) - Handshake did not complete after 5 seconds, retrying (try 2)
2022-10-03 17:22:17.210 [NET] peer(Mo_d…Vb1p) - Sending handshake initiation
2022-10-03 17:22:22.497 [NET] peer(Mo_d…Vb1p) - Handshake did not complete after 5 seconds, retrying (try 2)
2022-10-03 17:22:22.497 [NET] peer(Mo_d…Vb1p) - Sending handshake initiation
2022-10-03 17:22:27.681 [NET] peer(Mo_d…Vb1p) - Handshake did not complete after 5 seconds, retrying (try 3)
2022-10-03 17:22:27.682 [NET] peer(Mo_d…Vb1p) - Sending handshake initiation
2022-10-03 17:22:32.936 [NET] peer(Mo_d…Vb1p) - Handshake did not complete after 5 seconds, retrying (try 4)
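The check a practitioner would run on the OPNsense box for the symptom above (initiations sent, never answered) is a capture on each WAN, e.g. `tcpdump -ni <wan_interface> udp port 51820`, to see whether the initiation arrives and whether the response leaves from the same address it was sent to. The Python script below is an added example, not part of the original post and not OPNsense or WireGuard code: it parses tcpdump's text output and classifies WireGuard packets by their fixed on-wire sizes (handshake initiation 148 bytes, handshake response 92, cookie reply 64, transport data a multiple of 16 and at least 32). The capture lines are constructed, with documentation-range addresses standing in for WAN_1, WAN_2 and the phone. A response that leaves from a different WAN address than the one the initiation was addressed to is flagged: a mobile client behind carrier NAT has no NAT mapping for that source, so the response never reaches it and the client keeps retrying exactly as in the log above.

```python
"""Classify WireGuard packets in tcpdump text output and pair up handshakes.

Added example; the capture below is constructed, not taken from the post.
Assumed: tcpdump ran with -n, so lines look like
  17:22:06.790 IP 198.51.100.5.41233 > 203.0.113.10.51820: UDP, length 148
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed WireGuard message sizes on the wire (UDP payload, in bytes).
WG_INITIATION_LEN = 148
WG_RESPONSE_LEN = 92
WG_COOKIE_LEN = 64

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


@dataclass(frozen=True)
class WgPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int

    @property
    def kind(self) -> str:
        """Message type inferred from the length alone (no decryption needed)."""
        if self.length == WG_INITIATION_LEN:
            return "initiation"
        if self.length == WG_RESPONSE_LEN:
            return "response"
        if self.length == WG_COOKIE_LEN:
            return "cookie"
        if self.length >= 32 and self.length % 16 == 0:
            return "data"  # 16-byte header + payload padded to 16 + 16-byte tag
        return "other"


def parse_tcpdump(text: str) -> list[WgPacket]:
    """Keep only the UDP lines in the expected format; ignore everything else."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(WgPacket(m["ts"], m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def diagnose(packets: list[WgPacket], listen_port: int = 51820) -> list[dict]:
    """For each inbound initiation, find the response sent back before the
    client retries, and check that it leaves from the exact address:port
    the initiation was addressed to."""
    findings = []
    for i, init in enumerate(packets):
        if init.kind != "initiation" or init.dport != listen_port:
            continue
        response = None
        for later in packets[i + 1:]:
            if (later.kind == "initiation" and later.src == init.src
                    and later.sport == init.sport):
                break  # the client retried: this attempt got nothing usable
            if (later.kind == "response" and later.dst == init.src
                    and later.dport == init.sport):
                response = later
                break
        if response is None:
            verdict = "no-response"
        elif (response.src, response.sport) != (init.dst, init.dport):
            verdict = "response-from-wrong-address"
        else:
            verdict = "ok"
        findings.append({
            "ts": init.ts,
            "client": f"{init.src}:{init.sport}",
            "wan": f"{init.dst}:{init.dport}",
            "response_from": f"{response.src}:{response.sport}" if response else None,
            "verdict": verdict,
        })
    return findings


# Constructed capture (not from the post): 203.0.113.10 plays WAN_1,
# 192.0.2.20 plays WAN_2, 198.51.100.5 is the phone's public address.
SAMPLE_CAPTURE = """\
17:22:06.790 IP 198.51.100.5.41233 > 203.0.113.10.51820: UDP, length 148
17:22:06.791 IP 192.0.2.20.51820 > 198.51.100.5.41233: UDP, length 92
17:22:12.045 IP 198.51.100.5.41233 > 203.0.113.10.51820: UDP, length 148
17:22:17.210 IP 198.51.100.5.41233 > 203.0.113.10.51820: UDP, length 148
17:22:17.211 IP 203.0.113.10.51820 > 198.51.100.5.41233: UDP, length 92
17:22:17.300 IP 198.51.100.5.41233 > 203.0.113.10.51820: UDP, length 32
"""

if __name__ == "__main__":
    for finding in diagnose(parse_tcpdump(SAMPLE_CAPTURE)):
        print(finding)
```

On the constructed capture the first attempt is answered from the wrong WAN, the second is not answered at all, and the third succeeds and is followed by a transport packet; the interesting case in a multi-WAN setup is the first one, because from the firewall's own logs the handshake response looks sent.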

2. 21.7 Legacy Series / FTP Proxy for LAN clients to connect to any external FTP server
« on: November 03, 2021, 03:44:40 pm »
Hello,

I want to provide an FTP proxy for my LAN clients so that their FTP traffic goes via the OPNsense router and via its WAN.
I want them to be able to connect to any FTP server.

I got the "os-ftp-proxy" plugin installation part OK and successfully configured a proxy to connect to a fixed server (using the "Reverse address" and "Reverse port" fields).
For the client (FileZilla), I set the FTP proxy IP and port (IP of OPNsense and 8021) and the following custom auth sequence:

USER %u
PASS %p


But, for my real use case I need to be able to connect to any FTP server, so I emptied both "Reverse address" and "Reverse port" fields from the FTP proxy configuration and set FileZilla FTP proxy settings to the custom auth sequence:


OPEN %h
USER %u
PASS %p
ACCT %a


But connection attempts time out.

Using Wireshark I don't see any mention of the real FTP server address in my outgoing traffic.

I could not find any tutorial about the client-side configuration for a FTP proxy setup: is it that software-dependent?

3. General Discussion / [SOLVED] How to compute the PC Engines APU serial number from MAC ID?
« on: April 16, 2021, 02:16:35 am »
I want to get the serial number of my PC Engines APU2 card and the documentation (https://www.pcengines.ch/ht_macid.htm) says:

Quote
The MAC ID of the first NIC on all PC Engines boards is derived of its serial number. The following NICs have subsequent addresses.

This is the formula to convert from MAC ID to serial number and vice versa:

MAC ID = 00:0d:b9 (our OUI) : (serial + 64) * 4

serial = (MAC ID & 0x000000FFFFFF) / 4 - 64

As I am not really sure about my understanding of the formula (and didn't find more explanation/examples on the Internet, nor a shell command to get it) I would like to share my process of computing the serial number (so that it can be useful to others, and be corrected if wrong, in the reverse order ;))

So if my igb0 NIC's MAC address is 00:0d:b9:3e:ff:25.

First I convert the MAC ID from hexadecimal (00:0d:b9:3e:ff:25) to binary:

hex= 0    0   :0    d   :b    9   :3    e   :f    f   :2    5
bin= 0000 0000 0000 1101 1011 1001 0011 1110 1111 1111 0010 0101


Also the mask (000000ffffff) must be converted to binary:

hex= 0    0    0    0    0    0    f    f    f    f    f    f
bin= 0000 0000 0000 0000 0000 0000 1111 1111 1111 1111 1111 1111


Then I apply the MAC_ID & MASK bitwise AND operation and get:

mac= 0000 0000 0000 1101 1011 1001 0011 1110 1111 1111 0010 0101
msk= 0000 0000 0000 0000 0000 0000 1111 1111 1111 1111 1111 1111
res= 0000 0000 0000 0000 0000 0000 0011 1110 1111 1111 0010 0101


The obtained res is 4128549 in decimal notation.

My APU serial number would be: 4128549 / 4 - 64 = 1032073 ?

Thanks for any help you could provide.
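The two formulas quoted from the PC Engines page, worked as code. This is an added example, not code from the post or from PC Engines: it checks the OUI, converts in both directions, and uses a constructed MAC (one lower than the one in the post, so that its low 24 bits are a multiple of 4). One reading of the `* 4` in the formula, which is my inference and not something the PC Engines page states, is that the first NIC's MAC always ends on a multiple of 4 and the low two bits identify which of the board's NICs the address belongs to, so the integer division by 4 yields the serial from any NIC of the board.

```python
"""PC Engines serial number <-> NIC MAC address, per the quoted formula.

Added example, not code from the post. The sample MAC is constructed.
"""
from __future__ import annotations

PCENGINES_OUI = 0x000DB9  # 00:0d:b9


def _mac_to_int(mac: str) -> int:
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


def _int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_to_serial(mac: str) -> tuple[int, int]:
    """Return (serial, nic_index) for a MAC address from a PC Engines board.

    serial = (MAC ID & 0x000000FFFFFF) / 4 - 64 is the published formula.
    Integer division also swallows the +0..+3 that the following NICs add;
    that remainder is returned as nic_index (an inference from the formula).
    """
    value = _mac_to_int(mac)
    if value >> 24 != PCENGINES_OUI:
        raise ValueError(f"{mac} does not carry the PC Engines OUI 00:0d:b9")
    low24 = value & 0xFFFFFF
    return low24 // 4 - 64, low24 % 4


def serial_to_mac(serial: int, nic_index: int = 0) -> str:
    """MAC ID = 00:0d:b9 : (serial + 64) * 4, plus nic_index for later NICs."""
    if serial < 0 or not 0 <= nic_index <= 3:
        raise ValueError("serial must be >= 0 and nic_index in 0..3")
    low24 = (serial + 64) * 4 + nic_index
    if low24 > 0xFFFFFF:
        raise ValueError("serial too large for the 24-bit NIC part")
    return _int_to_mac((PCENGINES_OUI << 24) | low24)


if __name__ == "__main__":
    sample = "00:0d:b9:3e:ff:24"  # constructed, not the poster's real MAC
    serial, nic = mac_to_serial(sample)
    print(f"{sample} -> serial {serial}, NIC index {nic}")
    print(f"serial {serial} -> NIC 0 {serial_to_mac(serial)}, NIC 2 {serial_to_mac(serial, 2)}")
```

Note that the MAC quoted in the post ends in 0x25, whose low 24 bits are not a multiple of 4; under the formula that address would be the second NIC of a board whose first NIC ends in 0x24, and the integer division gives the same serial for both.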

4. 20.1 Legacy Series / [SOLVED] 1:1 NAT with an IPsec tunnel (in a multi-WAN setup)
« on: February 23, 2020, 07:47:06 pm »
Hello,

I fail to configure 1:1 NAT for traffic going via an IPsec tunnel (tunnel between my LAN and the network of a third party).

Here is the context :

My LAN network IP address is : 10.33.0.0/16
Third party IP address of the server I need to access via IPsec tunnel : 172.31.254.254/32
Network arriving in the tunnel (for 1:1 NAT) : 10.88.0.0/16

I am using OPNsense version 20.1.1.

Here is the IPsec configuration (algorithms part taken out) :

  • Phase 1 :
          
    • Key Exchange version : V1
    • Interface : WAN
    • Remote gateway : 5.5.5.5 (Third party server IP)
    • Authentication method : Mutual PSK
    • My identifier : 3.3.3.3 (my public IP)
    • Peer identifier : 5.5.5.5
    • Install policy : (Checked)
    • Tunnel Isolation : (Unchecked)
    • NAT Traversal : Enable
       
  • Phase 2 :
          
    • Mode : Tunnel IPv4
    • Local Network :
                  
      • Type : Network
      • Address : 10.88.0.0/16
               
    • Remote Network :
                  
      • Type : Address
      • Address : 172.31.254.254/32
               
    • Manual SPD entries : (Empty)
       

And here is the 1:1 NAT configuration :

  • Interface : IPsec
  • Type : BINAT
  • External network : 10.88.0.0/16
  • Source / invert : (Unchecked)
  • Source :
          
    • Type : Single host or Network
    • Address : 10.33.0.0/16
       
  • Destination / invert : (Unchecked)
  • Destination : any
  • NAT reflection : Use system default

I do have an "IPsec" entry in the "Firewall: Rules" part of the GUI but nowhere else (not in "Interfaces" nor when trying to add a gateway or a route).

IPsec tunnel seems UP (according to the OPNsense dashboard) but I can't ping 172.31.254.254 or something in 10.88.0.0 from LAN.
And I don't see how it could work because netstat -rn shows no entry for 172.31.254.254 nor 10.88.0.0.

Do I need to add my LAN address (10.33.0.0/16) to Phase 2's "Manual SPD entries" ?
Where/how could I see those "SPD entries" ?

Thank you.
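The mechanics the configuration above relies on, as an added example in Python (not OPNsense code; the networks are the ones from the post, the class and function names and the simulated packet are mine): a 1:1 BINAT keeps the host bits of an address and swaps the network part, in both directions, and the IPsec phase 2 selector (local 10.88.0.0/16, remote 172.31.254.254/32) only matches a packet whose source is already in the translated network. A packet that still carries its untranslated 10.33.x.y source therefore falls outside the selector, which is why the translation must be applied to the traffic before it is matched against the tunnel's policy.

```python
"""1:1 (BINAT) translation next to an IPsec phase 2 traffic selector.

Added example, not OPNsense code. Networks are the ones in the post;
class/function names and the simulated packets are mine.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network


class Binat:
    """Bidirectional 1:1 mapping between two networks of equal size."""

    def __init__(self, internal: str, external: str) -> None:
        self.internal = IPv4Network(internal)
        self.external = IPv4Network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("BINAT needs equal prefix lengths on both sides")

    @staticmethod
    def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        if addr not in src:
            return addr  # not subject to this rule: pass through untouched
        host_bits = int(addr) - int(src.network_address)
        return dst.network_address + host_bits

    def outbound(self, source: str) -> str:
        """LAN -> tunnel: rewrite the source into the external network."""
        return str(self._shift(IPv4Address(source), self.internal, self.external))

    def inbound(self, destination: str) -> str:
        """tunnel -> LAN: rewrite the destination back into the internal network."""
        return str(self._shift(IPv4Address(destination), self.external, self.internal))


def phase2_matches(src: str, dst: str, local: str, remote: str) -> bool:
    """True if the (src, dst) pair falls inside the phase 2 traffic selector."""
    return IPv4Address(src) in IPv4Network(local) and IPv4Address(dst) in IPv4Network(remote)


# Values from the post.
LAN = "10.33.0.0/16"
BINAT_EXTERNAL = "10.88.0.0/16"
P2_LOCAL = "10.88.0.0/16"
P2_REMOTE = "172.31.254.254/32"


def simulate(lan_host: str, server: str = "172.31.254.254") -> dict:
    """Walk one packet from a LAN host through BINAT into the tunnel, and its reply back."""
    nat = Binat(LAN, BINAT_EXTERNAL)
    translated = nat.outbound(lan_host)
    return {
        "untranslated_matches_p2": phase2_matches(lan_host, server, P2_LOCAL, P2_REMOTE),
        "translated_src": translated,
        "translated_matches_p2": phase2_matches(translated, server, P2_LOCAL, P2_REMOTE),
        "reply_to": nat.inbound(translated),  # the peer answers 10.88.x.y; map it back
    }


if __name__ == "__main__":
    print(simulate("10.33.12.34"))
```

The same code also shows why nothing for 10.88.0.0/16 needs to appear in `netstat -rn`: the 10.88 addresses only exist as the translated form of LAN hosts, and the reply is mapped back to the 10.33 host before it is delivered.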

5. 18.7 Legacy Series / Benchmark each WAN bandwidth on multi-WAN setup ?
« on: January 16, 2019, 02:27:50 pm »
Hello,

To periodically benchmark the bandwidth of my WAN connection I use speedtest-cli: which works fine.
But I want to extend this benchmark to the other WANs (I have a multi-WAN failover setup) so I guess I need a firewall rule with gateway policy to force traffic to go via the other WAN.

Say the computer running speedtest-cli has IP 192.168.0.100, I can add an OPNsense firewall rule "from=192.168.0.100; gw=WAN_FAILOVER" but I don't want to enable/disable the rule each time... so I am looking for a way to make this permanent/stable.

I see 3 ways:
  • Add virtual network interfaces (e.g. eth0:1, eth0:2, ...) to the computer running speedtest-cli (with a dedicated LAN IP address 192.168.0.x) for each WAN to benchmark (WAN_PRIMARY, WAN_FAILOVER) and add an OPNsense firewall rule for each WAN:
    • from=192.168.0.101; gw=WAN_PRIMARY
    • from=192.168.0.102; gw=WAN_FAILOVER
  • Choose a remote speedtest server (get the list with speedtest-cli --list) for each WAN to benchmark (WAN_PRIMARY, WAN_FAILOVER) and add an OPNsense firewall rule per speedtest server (destination) IP address:
    • from=192.168.0.100; to=SpeedTestA; gw=WAN_PRIMARY
    • from=192.168.0.100; to=SpeedTestB; gw=WAN_FAILOVER
  • Add one virtual network interface (e.g. eth0:1) to the computer running speedtest-cli (with a dedicated LAN IP address 192.168.0.101). This IP will be exclusively used by the computer for benchmarking. Add an OPNsense firewall rule "from=192.168.0.101; gw=WAN_PRIMARY" and use the OPNsense API to update (change gateway) and enable/disable the firewall rule from the computer running speedtest-cli.

I think solution 1 (virtual network interface) is the best but I am open to other solutions I have not thought about :)

6. 18.1 Legacy Series / [SOLVED] Routing table not used for LAN clients (eg. for remote OpenVPN site)
« on: July 16, 2018, 12:29:12 pm »
I have a routing issue: when trying to access a remote OpenVPN-accessible network, traffic leaves via WAN (Internet) not using the router's routing table.

Context:
I have 3 sites, all running OPNsense as their router : Site 1 with LAN_1 (192.168.1.0/24), Site 2 with LAN_2 (192.168.2.0/24) and Site 3 with LAN_3 (192.168.3.0/24).
The OpenVPN server is on site 1's router.
Sites 2 and 3 have OpenVPN clients configured.

Problem:
The OpenVPN tunnel between sites 1 and 2 is fine: LAN_1 can reach LAN_2 and LAN_2 can reach LAN_1.
But the tunnel between sites 1 and 3 has issues: LAN_3 can reach LAN_1 (pinging 192.168.1.x from LAN_3 is OK) but LAN_1 cannot reach LAN_3 (pinging 192.168.3.x from LAN_1 fails).

It looks like a routing issue because, from LAN_1, a traceroute to a LAN_3 IP shows traffic goes toward my WAN/Internet:

user@machine_at_site_1:~# traceroute 192.168.3.1
traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
 1  80.10.x.y (80.10.x.y)  0.127 ms  0.100 ms  0.112 ms
 2  * * *
 3  * * *
[...]


(80.10.x.y is the IP address of site 1's WAN gateway)

In the opposite direction (from LAN_3 to LAN_1) it seems to work fine:

user@machine_at_site_3:~# traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  router.site3.example.com (192.168.3.254)  0.127 ms  0.100 ms  0.112 ms
 2  192.168.254.17 (192.168.254.17)  62.583 ms  63.738 ms  60.224 ms
 3  192.168.1.1 (192.168.1.1)  62.612 ms  63.870 ms  62.489 ms


(192.168.3.254 is site 3's OPNsense, and 192.168.254.17 the OpenVPN interface for the Site 1-Site 3 tunnel)

In the mean time, a traceroute from LAN_1 to LAN_2 (the tunnel that works) shows traffic using OPNsense VPN server (as expected):

user@machine_at_site_1:~#  traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 60 byte packets
 1  router.site1.example.com (192.168.1.254)  0.127 ms  0.100 ms  0.112 ms
 2  192.168.254.14 (192.168.254.14)  62.583 ms  63.738 ms  60.224 ms
 3  192.168.2.1 (192.168.2.1)  62.612 ms  63.870 ms  62.489 ms


(192.168.1.254 is site 1's OPNsense, and 192.168.254.14 the OpenVPN interface for the Site 1-Site 2 tunnel)

Also, traceroute executed directly from site 1's OPNsense (to either Site 2 or Site 3) works fine.

I cannot understand why routing table works for one site and not the other and/or why LAN_1 machines traffic does not use routing table...

7. 18.1 Legacy Series / Multi-WAN + public IP pool setup: some connection drops/timeout
« on: May 09, 2018, 12:40:54 pm »
I have a multi-WAN + public IP pool (round robin) OPNsense v18.1.7 setup where users are randomly experiencing blank web pages / timeout issues. On their side it seems the website takes ages to respond (when it does). It's not all websites and not always.

It was running fine on 17.7 but when I upgraded to 18.1.1 I stumbled on an alias + Outbound NAT bug: outbound rules could not be loaded and got the error "There were error(s) loading the rules: no IP address found for PUBLICIPS_WAN_A".
So I disabled my round robin rule until I understood the situation and a fix was created.
Version 18.1.7_1 fixed it: outbound NAT rules load successfully.
But now, I have this blank web pages / timeout issue.

Here is my setup: 2 WANs, outgoing Internet traffic is load-balanced between the 2, one of the WANs has a pool of public IP addresses I use with round robin.
  • I have 2 WAN connections: WAN_A and WAN_B.
  • I have a gateway group (GW_LB) containing both WAN_A and WAN_B at tier 1 (for loadbalancing).
  • I have a firewall rule on LAN interface that defines GW_LB as the gateway for LAN clients.
  • I have an alias (PUBLICIPS_WAN_A) containing the 9 public IP addresses my WAN_A's ISP gave me.
  • Firewall: NAT: Outbound is set to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)"
  • I have an outbound NAT rule on interface WAN_A that activates the round robin on the pool: interface=WAN_A, source=LAN, Translation/target=PUBLICIPS_WAN_A, pool_option="Round Robin with Sticky Address".
  • In page "Firewall: Settings: Advanced", in section "Multi-WAN", I have "Sticky connections" checked, "Shared forwarding" unchecked, and "Disable force gateway" unchecked

My desired behavior:
Outgoing Internet traffic goes through one of the two Internet connection: WAN_A or WAN_B (if one is down, traffic will go through the other).
Whatever outgoing Internet traffic ends up going through WAN_A has to use any of the 9 public IP addresses defined in alias PUBLICIPS_WAN_A.

My analysis:
My instinct tells me some outgoing traffic is going out via one IP of the pool (or at least tagged as such by OPNsense) but its response arrives on another IP...

Do you find the detailed configuration correct/adequate ?
Do you have any tips on how I could debug the (random) event of outgoing traffic that gets lost?

8. General Discussion / Access WAN's subnet computers from LAN?
« on: July 17, 2017, 05:40:41 pm »
TL;DR: I want to access, from LAN, some computer located on WAN interface alongside with my ISP gateway and my OPNsense box.

Full details:

I have the following setup :

OPNsense running on a server with 3 Ethernet interfaces.
* LAN/igb1 interface: 192.168.0.1/24
* WAN_A/igb0 interface: 192.168.1.1/24 (obtained via DHCP) (gateway is 192.168.1.254)
* WAN_B/igb2 interface: 192.168.1.100/24 (obtained via DHCP) (gateway is 192.168.1.1)

Note that my two WAN networks use the same network address (but I can't change it, using the ISP's devices with no access to them): I know that and it should not interfere (I hope) with the rest of the issue.

On WAN_A, the ISP's gateway 192.168.1.254 should have some webGUI I want to access from any computer on LAN network. Same thing for  WAN_B with gateway 192.168.1.1 plus other devices (192.168.1.101, 192.168.1.102, 192.168.1.103, etc.).

Because I only need this access from time to time for maintenance purpose and there is a limited number of machines (<10), I can accommodate myself with some simple port redirections:
  • Accessing OPNsense LAN interface on port 8081 would contact 192.168.1.254 port 80 on WAN_A interface
  • Accessing OPNsense LAN interface on port 8082 would contact 192.168.1.1 port 80 on WAN_B interface
  • Accessing OPNsense LAN interface on port 8083 would contact 192.168.1.101 port 80 on WAN_B interface
  • ...
But the "Firewall: NAT: Port Forward" form does not allow specifying which interface the "target" resides on.

At first I wanted to make sure OPNsense can access the webGUI of the gateway of WAN_B/igb2 with:

    curl --interface igb2 -D - http://192.168.1.1

But I seem to get OPNsense's auth form (and I'm 100% sure the gateway does not use OPNsense ;))

9. General Discussion / DNS Resolver: prevent OPNsense from adding itself
« on: November 24, 2016, 11:41:40 pm »
My OPNsense server has many interfaces (LAN, LAN_GUEST, LAN_GUEST2) and DNS Resolver is used by machines of LAN network.
I have another DNS server running elsewhere to handle my "local" domain and DNS Resolver is set to use this server as a domain override for "domain.lan".
This "domain.lan" zone has an A record for "opnsense.domain.lan".
However, if any LAN machine were to ask DNS Resolver for the IP of "opnsense.domain.lan" it would respond with the IP addresses of all the interfaces (LAN, WAN, etc.) OPNsense has.

I get that OPNsense is:
  • Not using domain override settings when asked about its own FQDN
  • Adding itself to DNS Resolver

If point 1 is abnormal: I'll create an issue on the bug tracker.
Is there a way to avoid/disable point 2?

10. 16.7 Legacy Series / Access network behind an OpenVPN client? P2P setup: Need manual route?
« on: November 24, 2016, 06:34:34 pm »
Hello,
I have configured a "Peer-to-Peer" OpenVPN connection between Site A, where an OPNsense 16.7 is acting as the VPN server, and Site B, where a Debian machine acts as the VPN client.

My final goal is that the Debian machine acts as a gateway for any machine residing in Debian's LAN that wants to access a machine residing on the OPNsense's LAN (and vice-versa).

Here is a schema of the desired networks


                     ⁞                  ⁞
              Site A                      Site B
         10.1.0.0/16 ⁞                  ⁞ 10.2.0.0/16

       ┌──────────┐  ⁞                  ⁞  ┌────────┐
       │ OPNsense •-----►( Internet )◄-----• Site B │
       │ (OpenVPN │  ⁞                  ⁞  │ router │
       │  server) │                        └─•──────┘
       └────────•─┘  ⁞                  ⁞    |10.2.0.1
        10.1.0.1|                            |
   (192.168.9.1)|    ⁞                  ⁞    |              ┌───────────────┐
                |                            ├--------------• Debian server │
┌────────────┐  |    ⁞                  ⁞    |      10.2.0.2│ (OpenVPN      │
│ Station A1 •--┤                            | (192.168.9.2)│   client)     │
└────────────┘  |    ⁞                  ⁞    |              └───────────────┘
                |                            |  ┌────────────┐
┌────────────┐  |    ⁞                  ⁞    ├--• Station B1 │
│ Station A2 •--┤                            |  └────────────┘
└────────────┘  |    ⁞                  ⁞    |
                |                            |  ┌────────────┐
                |    ⁞                  ⁞    ├--• Station B2 │
                |                            |  └────────────┘
                |    ⁞   VPN network    ⁞    |
                ├~~~~~~~~~~~~~~~~~~~~~~~~~~~~┤
                     ⁞  192.168.9.0/30  ⁞    |
                                       
                     ⁞                  ⁞


OpenVPN configuration (on OPNsense):
  • Server Mode: Peer to Peer
  • Protocol: UDP
  • Device Mode: tun
  • IPv4 Tunnel Network: 192.168.9.0/30
  • IPv4 Local Network: 10.1.0.0/16 (the LAN of Site A / OPNsense side)
  • IPv4 Remote Network: 10.2.0.0/16 (the LAN of Site B / Debian server side)
  • Client Settings>Dynamic IP: checked
  • Client Settings>Address Pool: checked
  • Client Settings>Topology: checked

Once client connects, both ends have the following IP addresses in the tunnel network:
* OPNsense: 192.168.9.1/30
* Debian server: 192.168.9.2/30

All Stations use their respective router as their main gateway.
Clients A1 and A2 use 10.1.0.1 (OPNsense)
Clients B1, B2 and the Debian server use 10.2.0.1 (Site B router)

On Debian I have enabled IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

On the Site B router (10.2.0.1), I have added a static route to 10.1.0.0/16 (Site A's LAN) via 10.2.0.2 (Debian server)

From both OPNsense and the Debian server I can ping each other using 192.168.9.x/30 (tunnel network)
From the Debian server, I can ping and access (e.g. HTTP) any IP address belonging to 10.1.0.0/16.
From OPNsense, I can't ping the Debian server using its 10.2.0.2 IP address (problem number 1) nor any other IP belonging to 10.2.0.0/16 (problem number 2).
From Station B1, a traceroute shows that traffic to 10.1.0.0/16 uses 10.2.0.1 (Site B router), but traffic does not reach its destination (problem number 3).

For problem number 1:
I guess I have to add a route on OPNsense because I can't see any route for 10.2.0.0/16 on the OPNsense web GUI "System Routing Table" (/ui/diagnostics/interface/routes/).
To add such route, a gateway is required, so I must also create that gateway.
But on which interface should this gateway be?
I have "pending" new interface "ovpns1" in "Interfaces: Assignments" (/interfaces_assign.php) but don't know if I can/should assign it.

Thanks for your help.

Edit: Added a map and color.
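Both this post and the earlier "Routing table not used for LAN clients" post come down to the same lookup, so here is one added example in Python (not code from either post and not OPNsense code) that models it: a longest-prefix-match routing table, with a rule-based policy routing step in front of it. Two facts it demonstrates: a destination with no more specific entry than the default route leaves via WAN whatever the VPN configuration says (this post's missing 10.2.0.0/16 route), and a pass rule that carries a gateway sends matching traffic to that gateway without consulting the routing table at all, which fits the earlier post's symptom that the router itself reaches site 3 while its LAN clients do not. Whether a rule gateway was that poster's actual cause the page does not say. The addresses come from the two posts; the tunnel interface names, the `wan-gateway` label and the firewall rules are assumptions.

```python
"""Longest-prefix routing lookup with rule-based policy routing in front.

Added example, not OPNsense code. Addresses are from the two posts; the
interface names, gateway labels and the firewall rules are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str          # next hop, or "link" for a directly connected network
    interface: str


@dataclass(frozen=True)
class Rule:
    source: IPv4Network
    destination: IPv4Network
    gateway: str | None  # a gateway set on a pass rule bypasses the table


def lookup(table: list[Route], dst: IPv4Address) -> Route | None:
    """Longest prefix match: the most specific matching entry wins,
    independently of the order in which routes were added."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def forward(src: str, dst: str, rules: list[Rule], table: list[Route]) -> str:
    """Egress decision for a packet from a LAN host: the first matching rule
    wins; if it carries a gateway the routing table is never consulted."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if s in rule.source and d in rule.destination:
            if rule.gateway is not None:
                return f"policy:{rule.gateway}"
            break  # matched a rule without gateway: fall through to the table
    route = lookup(table, d)
    return f"table:{route.interface} via {route.via}" if route else "unroutable"


def site1_table() -> list[Route]:
    """Site 1 router from the three-site OpenVPN post; tunnel interface names assumed."""
    return [
        Route(IPv4Network("0.0.0.0/0"), "wan-gateway", "wan"),
        Route(IPv4Network("192.168.1.0/24"), "link", "lan"),
        Route(IPv4Network("192.168.2.0/24"), "192.168.254.14", "ovpns1"),
        Route(IPv4Network("192.168.3.0/24"), "192.168.254.17", "ovpns2"),
    ]


def site_a_table(with_site_b_route: bool) -> list[Route]:
    """OPNsense at Site A from the peer-to-peer post, with or without a route to Site B's LAN."""
    table = [
        Route(IPv4Network("0.0.0.0/0"), "wan-gateway", "wan"),
        Route(IPv4Network("10.1.0.0/16"), "link", "lan"),
        Route(IPv4Network("192.168.9.0/30"), "link", "ovpns1"),
    ]
    if with_site_b_route:
        table.append(Route(IPv4Network("10.2.0.0/16"), "192.168.9.2", "ovpns1"))
    return table


LAN1 = IPv4Network("192.168.1.0/24")
ANY = IPv4Network("0.0.0.0/0")
# Hypothetical LAN rule sets: a catch-all pinning LAN clients to the WAN
# gateway, with or without an exception for the private ranges placed above it.
PINNED_TO_WAN = [Rule(LAN1, ANY, "wan-gateway")]
WITH_EXCEPTION = [Rule(LAN1, IPv4Network("192.168.0.0/16"), None)] + PINNED_TO_WAN

if __name__ == "__main__":
    print(forward("192.168.1.10", "192.168.3.1", PINNED_TO_WAN, site1_table()))
    print(forward("192.168.1.10", "192.168.3.1", WITH_EXCEPTION, site1_table()))
    print(forward("10.1.0.5", "10.2.0.2", [], site_a_table(False)))
    print(forward("10.1.0.5", "10.2.0.2", [], site_a_table(True)))
```

For the Site A case the gateway needed to add the 10.2.0.0/16 route is the far end of the tunnel (192.168.9.2) on the OpenVPN server interface, which is why the route cannot exist until that interface is assigned.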

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved