Topics - gs

1. 19.1 Legacy Series / Packets from LAN to OpenVPN road warrior client get routed to WAN
« on: March 13, 2019, 08:04:51 pm »
Hello,

This thing has been driving me crazy for a while now. I have an OPNsense 19.1.4 router with an OpenVPN road warrior setup. It works perfectly fine and the client connecting through VPN can connect to any host on the LAN (which also means that replies from those hosts get routed back correctly). However, trying to connect from a host on the LAN to the address of the OpenVPN client always fails.

The setup looks like this (there are also two WAN interfaces to the internet not shown here):
VPN Client 10.10.12.2 <-> |10.10.12.1 Router 10.10.10.10| <-> 10.10.10.40 LAN host

Traceroute from VPN client to LAN host is correct:
traceroute to 10.10.10.40 (10.10.10.40), 64 hops max, 52 byte packets
 1  10.10.12.1 (10.10.12.1)  15.706 ms  14.337 ms  18.585 ms
 2  10.10.10.40 (10.10.10.40)  22.600 ms  18.737 ms  16.566 ms

While traceroute from LAN host to VPN client is wrongly routed to the internet:
traceroute to 10.10.12.2 (10.10.12.2), 30 hops max, 60 byte packets
 1  85.195.x.x (85.195.x.x)  0.825 ms  0.668 ms  0.685 ms
 2  82.197.x.x (82.197.x.x)  0.784 ms  0.777 ms  0.869 ms

Routing tables in OPNsense seem correct:
Proto   Destination     Gateway      Flags   Use    MTU     Netif
ipv4    10.10.12.0/24   10.10.12.2   UGS     576    1500    ovpns1
ipv4    10.10.12.1      link#9       UHS     0      16384   lo0
ipv4    10.10.12.2      link#9       UH      1200   1500    ovpns1

And catching packets at every interface confirms what traceroute shows (nothing goes through at the OpenVPN interface of the server when coming from LAN to VPN, but packets are logged when going from VPN to LAN).

My NAT outbound rules are auto-generated as follows:
Interface   Source                                     Src port   Dest   Dest port   NAT address   NAT port   Static port   Description
WAN         LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *      500         WAN           *          YES           Auto created rule for ISAKMP
WAN         LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *      *           WAN           *          NO            Auto created rule
WAN2        LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *      500         WAN2          *          YES           Auto created rule for ISAKMP
WAN2        LAN networks, 127.0.0.0/8, 10.10.12.0/24   *          *      *           WAN2          *          NO            Auto created rule

If anybody has any idea for troubleshooting this, it would be much appreciated!

Many thanks
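The post above compares a routing table against two traceroutes by eye. The following script is an added example (not code from the poster or from OPNsense) that does the same comparison mechanically: it parses rows in the netstat -rn layout quoted above, applies the kernel's longest-prefix-match rule to pick the route for a destination, and checks whether a traceroute's first hop lies inside the site's own networks. The routing table is the post's three rows plus a hypothetical LAN route and default route that the post does not show; 192.0.2.1 and 198.51.100.1 are placeholders for the masked public addresses (85.195.x.x, 82.197.x.x).

```python
"""Longest-prefix-match and first-hop checks for a routing table and traceroutes.

Added example, not from the original post or OPNsense. Applies the kernel's
longest-prefix-match rule to the quoted routes and tests whether a traceroute's
first hop sits inside the site's own networks.
"""
import ipaddress
import re

# Constructed sample: the three rows quoted in the post, plus a hypothetical LAN
# route and default route the post does not show. 192.0.2.1 stands in for the
# masked WAN gateway (85.195.x.x in the post).
ROUTING_TABLE = """\
ipv4   10.10.12.0/24   10.10.12.2   UGS   576   1500   ovpns1
ipv4   10.10.12.1   link#9   UHS   0   16384   lo0
ipv4   10.10.12.2   link#9   UH   1200   1500   ovpns1
ipv4   10.10.10.0/24   link#2   U   0   1500   lan
ipv4   default   192.0.2.1   UGS   0   1500   wan
"""

# Constructed traceroute samples: the first is the VPN-to-LAN trace from the post,
# the second mirrors the LAN-to-VPN trace with placeholder public addresses.
TRACE_VPN_TO_LAN = """\
traceroute to 10.10.10.40 (10.10.10.40), 64 hops max, 52 byte packets
 1  10.10.12.1 (10.10.12.1)  15.706 ms  14.337 ms  18.585 ms
 2  10.10.10.40 (10.10.10.40)  22.600 ms  18.737 ms  16.566 ms
"""
TRACE_LAN_TO_VPN = """\
traceroute to 10.10.12.2 (10.10.12.2), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.825 ms  0.668 ms  0.685 ms
 2  198.51.100.1 (198.51.100.1)  0.784 ms  0.777 ms  0.869 ms
"""

# The only networks a LAN-to-VPN packet should ever touch (assumed from the post).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.12.0/24")]

# Matches a traceroute hop line such as " 1  10.10.12.1 (10.10.12.1)  15.706 ms ..."
HOP_RE = re.compile(r"^\s*\d+\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_routes(text):
    """Parse rows of (proto, destination, gateway, flags, use, mtu, netif)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "ipv4":
            continue
        dest, gateway, flags, iface = fields[1], fields[2], fields[3], fields[6]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A destination without a prefix length is a host route, i.e. /32.
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Return the most specific route covering dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def first_hop(traceroute_text):
    """Address of hop 1, or None if the first hop did not answer."""
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            return m.group(1)
    return None


def first_hop_is_internal(traceroute_text):
    """True when hop 1 sits in one of the site's own networks."""
    hop = first_hop(traceroute_text)
    return hop is not None and any(ipaddress.ip_address(hop) in n for n in INTERNAL_NETS)


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    for dst in ("10.10.12.2", "10.10.12.77", "10.10.10.40", "8.8.8.8"):
        net, gateway, flags, iface = lookup(routes, dst)
        print(f"{dst:<12} -> {net} via {gateway} on {iface} [{flags}]")
    print("VPN->LAN first hop internal:", first_hop_is_internal(TRACE_VPN_TO_LAN))
    print("LAN->VPN first hop internal:", first_hop_is_internal(TRACE_LAN_TO_VPN))
```

The lookup confirms what the poster observed: by the routing table alone, 10.10.12.2 resolves to the host route on ovpns1, so a LAN-to-VPN packet leaving via WAN is not explained by the kernel FIB. On the firewall itself, `route -n get 10.10.12.2` gives the same answer from the live kernel. This check only rules out the routing table; on OPNsense, a firewall rule with a gateway set is policy routing (pf route-to) and is applied before the kernel route lookup, so rules on the LAN interface are the next place to inspect.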


2. 17.1 Legacy Series / Problem with Let's Encrypt plugin
« on: April 22, 2017, 08:38:56 pm »
Hello,
I am trying to use the Let's Encrypt plugin version 1.4, in HTTP-01 mode with the OPNsense port forward option. The plugin works fine as I can see it reach "Installing full chain to:/var/etc/acme-client/certs/..." at the end of the log. However, it leaves my router in a mode where packets in and out are blocked, and there seem to be way too few rules in pf (if I list them in the shell; the GUI seems normal). Reloading the config using /usr/local/etc/rc.reload_all seems to fix the problem, so my guess is that the plugin doesn't clean up after itself and restore the original NAT and/or rules after running the ACME protocol and installing the certificate.
The problem is reproducible 100% of the time, so please let me know if you need me to run more tests. As a workaround, I would have run /usr/local/etc/rc.reload_all as a custom restart action, but it looks like this option was removed in version 1.4 of the plugin :-(
Thanks in advance,

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved