Topics

1

General Discussion / OpenVPN client - Gateway config invalid

« on: October 19, 2020, 01:46:20 pm »

Hi,

I have a routing issue (in another post) but I suspect the real issue is my openvpn client config.

I have an OpenVPN client configured in tun mode, udp, going through the WAN interface. My default gateway is the WAN interface, the vpn client is only there for some policy based routing.
What I've noticed is that the system doesn't seem to be considering the vpn interface as a WAN, so it's not generating outbound NAT rules and it's doesn't seem to be using reply-to (which is my real issue) on it.

When the connection gets established, a public IP is properly assigned to the interface, and a Gateway is created.
Below the two IPv4 black boxes (IP and Gateway) are covering the same exact IP.



That gateway has "dynamic" as the IP address, since I've ticked the "This interface does not require an intermediate system to act as a gateway" box in the interface config :



However in the Gateway "single" menu, the IP for the gateway is the interface's IP itself (instead of dynamic, seen when editing the gateway), hiding the IP since it's public :




There's also a route added by something to route the interface's IP to the loopback interface (the red square is the interface's IP, the black squares are just routes added by openvpn for the subnet and the first IP of the bloc) :



The result is that when trying to use the VPN, packets are routed through the loopback interface back at opnsense itself, instead of going through the VPN. So if I try to query any website for example, I'm getting my own HAProxy back since it's listening on ports 80 / 443 of the router.

One way to work around this I've found is to edit the gateway and use any other IP as a gateway, since openvpn doesn't actually require a gateway ip any value works there as long as it's not the interface's own IP (which seems to be the default value chosen when using dynamic).
That allows policy based routing to work, but that's obviously not a good way and still doesn't make it generate proper outbound NAT and reply-to rules so incoming connections aren't working.

Any ideas what I might be doing wrong ? I've been struggling with this for almost a week now.
Thanks

2

General Discussion / Incoming connections on vpn are answered on wrong interface

« on: October 16, 2020, 02:03:43 pm »

Hi opnsense forums,

I have an OpenVPN client connection on my router that I use to get a fixed public IP, as my ISP sadly does some horrible stuff on the WAN interface. So my ovpnc2 interface has a proper dedicated publicly routed IP.

I have a mail server machine I've been trying to setup in the LAN, and I've created a floating firewall rule saying that anything coming from that machine on the LAN interfaces should use the VPN Gatway, which works fine. When I do a "curl ifconfig.me" on that email machine for example I do get the public IP from the vpn interface.

For the other way around I have a port redirect setup to forward tcp port 25 on the vpn interface to that machine on the lan.
Using tcpdump and packet captures on both the machine and the router I can see that incoming connections on port 25 are indeed sent to the mail server, and it's responding fine. But I can see on the router that the paquets are going out the WAN interface, not the VPN interface. Even stranger they are using the VPN interface's IP as a source, on the WAN interface, which of course does not work.

Any idea what I could be missing ? My default gateway is the WAN (but overriding it with floating rules works), my NAT is configured as hybrid and I did setup a rule for the vpn interface (and it seems to be valid since outgoing connections through the vpn are working) and I can't find any other rule that would explain it responding through the wrong interface.

Thanks

3

20.1 Legacy Series / Remotely enable / disable a rule

« on: May 10, 2020, 05:35:58 pm »

Hi,

Is there any way, either through API or SSH or anything else, to have an external system enable or disable an existing firewall rule ?
I have a rule to send my TV's traffic through a VPN (for geo locked content) and I'd like to be able to quickly toggle it on or off from home assistant, I was thinking of just writing a script but it looks like the API doesn't expose anything outside of aliases for the firewall.

Is there any other way to get it to work ?

Thank you

4

17.7 Legacy Series / OpenVPN client not working after upgrade

« on: August 03, 2017, 04:04:42 pm »

Hi,

I used to run 17-rc1 until a few days ago, when I upgraded all the way up to 17.7.
The only problem I seem to have with this is my OpenVPN client, which is not working great anymore.

Basically it still connects, and incoming packets work fine (I can ping from outside trough the VPN), but not the other way around.
ping -S <VPN IP> 8.8.8.8 with a tcpdump running on the vpn interface and another tcpdump running on the WAN interface shows that the packets are actually trying to come out of the WAN interface with the VPN IP, which makes no sense.
The same test on a different opensense installed recently shows packets coming out of the VPN interface, as expected.

So what could cause ping -S to send packets out of the wrong interface ?
I've tried deleting and re-creating the VPN interface and the firewall rules, no luck. I've even tried adding a firewall rule on the VPN interface to force the VPN Gateway, didn't change anything. I don't have any floating rule or anything exotic except a bit of QoS on the WAN, but I don't expect that to be responsible.

5

17.1 Legacy Series / IPSec as client

« on: January 21, 2017, 11:17:54 am »

Hi,

I'm trying to connect to a couple of routers using IPsec.
For work, I have control over the other router so I just configured a site to site tunnel and it works fine.
But I have another one I want to connect to over which I have no control. (I do know we are only two using it so maybe I could talk to the other person and change it, but I'd rather not, it's been working fine for years)

Here is the config I'm supposed to be using :

config setup
       plutostart=no

conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       keyexchange=ikev2

conn grifon
       leftid=$utilisateur@<other side>
       leftfirewall=yes
       leftauth=eap-ttls
       right=<other side>
       rightid="C=FR, ...."
       rightsendcert=never
       rightauth=eap
       type=transport
       auto=start
       closeaction=restart

I've been trying to figure out what to put in the web interface to arrive at a config file looking vaguely like this, and I'm starting to think there's just no way.
As for the password, it's supposed to be put in the secrets file in this form :

$utilisateur@<other side> : EAP "motdepasseutilisateur"

Do you have any tips on how I could connect to this ?
I'm supposed to be adding L2TP after that, too.

Thanks

6

17.1 Legacy Series / [SOLVED] Setup traffic priorization

« on: January 20, 2017, 07:33:13 pm »

Hi,

I've just installed Opnsense on a pcengine APU 2, and I configured my modem in bridge.
I live in the middle of nowhere and I get about 500 Ko/s.

I'm a sysadmin so I basically use ssh for a living, and when anything else is in use in the house (any download, updates ..) ssh becomes unusable. I'd like to setup Opnsense to give ssh priority over everything else.
I tried following the priorization part of this : https://docs.opnsense.org/manual/how-tos/shaper.html

I managed to get something that made ssh a bit better to use, but still not great. Here are the configs I'm at now :





The only thing you can't see in there is the rule for SSH has 22 in dst-port.
What am I doing wrong ? I feel like it's a bit better with this config, but it might be all in my head, it's still pretty horrible to use.
Now I know that using the full 500 Ko/s of my broadband makes the ping skyrocket, so I did try limiting to a lot less (3000 Kbp/s in the pipe screen), but it wasn't any better for my ssh connections.

Thanks !