23.1 Legacy Series / [SOLVED] Issue with nat/portforward from openvpn connection since the upgrade
« on: July 25, 2023, 08:35:14 am »
Hello all,
I have this configuration, which was working before the upgrade:
PIA --> opnsense (openvpn) --> host.
PIA forwards a port into opnsense via an openvpn interface that gets NATted (port-forwarded) to host.
Since the upgrade, I lost the ability to make a TCP connection from outside PIA, through opnsense, to the host on the port specified. I am able to exit the host via the PIA tunnel without any issue.
However, I see traffic inside the host as coming from PIA, so it appears that something is working. I am just not able to make a proper TCP connection (SYN/SYN-ACK).
There are rules allowing all traffic from PIA to reach the host.
This is an extract of my unfiltered tcpdump. Code is reaching and appears to be leaving the host, through openvpn into PIA:
Code:
07:28:32.892295 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.892326 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.893405 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.893455 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.893469 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.893499 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894146 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894180 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894192 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894216 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894420 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894451 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894613 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894632 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.895104 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.895126 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.897229 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897284 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897285 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897370 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.897938 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897993 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.898007 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.898040 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.899480 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.899526 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.899602 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.900198 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.900239 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.904513 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904567 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904615 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904627 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.904692 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
This is an extract from a tcpdump of a TCP connection connecting from a public IP, into the front of the PIA VPN endpoint, on the port specified. It does reach the host VM, but is unable to make a proper TCP connection; and yes, the port on the destination is listening and there is no local firewall on that particular host.
Code:
tcpdump: listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:50.612214 IP (tos 0x0, ttl 54, id 11967, offset 0, flags [DF], proto TCP (6), length 60)
bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0x00df (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205320036 ecr 0,nop,wscale 7], length 0
07:29:50.612456 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe663), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46328494 ecr 205320036,nop,wscale 7], length 0
07:29:51.621210 IP (tos 0x0, ttl 54, id 11968, offset 0, flags [DF], proto TCP (6), length 60)
bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xfcf4 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205321038 ecr 0,nop,wscale 7], length 0
07:29:51.621271 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe272), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46329503 ecr 205320036,nop,wscale 7], length 0
07:29:52.630136 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xde81), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46330512 ecr 205320036,nop,wscale 7], length 0
07:29:53.646538 IP (tos 0x0, ttl 54, id 11969, offset 0, flags [DF], proto TCP (6), length 60)
bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xf514 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205323054 ecr 0,nop,wscale 7], length 0
07:29:53.646565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xda89), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46331528 ecr 205320036,nop,wscale 7], length 0
07:29:55.670131 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xd2a1), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46333552 ecr 205320036,nop,wscale 7], length 0
07:29:57.771595 IP (tos 0x0, ttl 54, id 11970, offset 0, flags [DF], proto TCP (6), length 60)
bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xe4f4 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205327182 ecr 0,nop,wscale 7], length 0
07:29:57.771636 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xca6c), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46335653 ecr 205320036,nop,wscale 7], length 0
07:30:01.910112 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xba41), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46339792 ecr 205320036,nop,wscale 7], length 0
What is wrong with this picture?
Was there any change that needs to be done to the openvpn client to allow this configuration? Or any mandatory new configuration on opnsense's interface to allow this again?
Thanks for your help
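The second capture above has a characteristic shape: every SYN from the public client is answered by a SYN-ACK from 172.16.3.7, the SYN-ACK is retransmitted, and the client's final ACK never shows up. That tells you the listening service did its part and the reply left the host; what is missing is the return path (the SYN-ACK being routed or filtered away somewhere between the host and the VPN endpoint, rather than going back the way the SYN came in). The "cksum 0x2ca3 (incorrect -> ...)" annotation on the host's own outgoing packets is the usual sign of TX checksum offload on the capturing interface (the NIC fills in the checksum after tcpdump sees the packet) and is not the cause. The script below is an added example, not code from the forum post or from OPNsense; it parses tcpdump's verbose two-line-per-packet output, groups TCP segments into connections and labels each as established, half-open (SYN-ACK sent, no ACK back) or unanswered (no SYN-ACK at all, i.e. dropped on the forward path). The embedded sample capture is constructed for the example: host names such as client-a.example and the 10.0.0.5 flow are placeholders, and only the first flow mirrors the pattern in the post.

```python
"""Classify TCP handshakes in tcpdump text output (added example, not from the post).

Groups tcpdump lines by connection and reports handshakes where the host
answered a SYN with a SYN-ACK but the peer's final ACK never arrived. That
pattern points at a broken return path, not at the listening service.
"""
import re

# Address/flags part of a tcpdump TCP line, e.g. "a.1234 > b.80: Flags [S.]".
TCP_RE = re.compile(r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def join_continuations(text):
    """Merge tcpdump -v output, where each packet spans a header line plus an
    indented address line, into one record per packet. Single-line
    (non-verbose) output passes through unchanged."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_tcp(text):
    """Return (src, dst, flags, checksum_ok) for every TCP record."""
    pkts = []
    for rec in join_continuations(text):
        m = TCP_RE.search(rec)
        if not m:
            continue  # UDP, the "listening on" banner, etc.
        pkts.append((m["src"], m["dst"], m["flags"], "(incorrect" not in rec))
    return pkts


def classify_handshakes(text):
    """Map (initiator, responder) to {'verdict', 'syn', 'synack', 'ack'}.

    verdict is 'established' (initiator sent an ACK/data segment),
    'half-open' (SYN-ACKs went out but no ACK came back) or
    'unanswered' (only SYNs seen)."""
    state = {}
    for src, dst, flags, _ in parse_tcp(text):
        if flags == "S":  # bare SYN opens a connection: initiator -> responder
            st = state.setdefault((src, dst), {"syn": 0, "synack": 0, "ack": 0})
            st["syn"] += 1
        elif flags == "S." and (dst, src) in state:  # SYN-ACK from responder
            state[(dst, src)]["synack"] += 1
        elif "S" not in flags and "." in flags and (src, dst) in state:
            state[(src, dst)]["ack"] += 1  # third segment or later data/FIN
    for st in state.values():
        if st["ack"]:
            st["verdict"] = "established"
        elif st["synack"]:
            st["verdict"] = "half-open"
        else:
            st["verdict"] = "unanswered"
    return state


def checksum_offload_sources(text):
    """Sources whose packets tcpdump flagged '(incorrect ...)'. When this is
    only the capturing host itself, it is TX checksum offload, not corruption."""
    return sorted({s for s, _, _, ok in parse_tcp(text) if not ok})


# Constructed sample in tcpdump -v shape; names and numbers are placeholders.
SAMPLE = """\
tcpdump: listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:50.612214 IP (tos 0x0, ttl 54, id 11967, offset 0, flags [DF], proto TCP (6), length 60)
    client-a.example.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0x00df (correct), seq 4120766767, win 64240, length 0
07:29:50.612456 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > client-a.example.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe663), seq 2016981066, ack 4120766768, win 65160, length 0
07:29:51.621210 IP (tos 0x0, ttl 54, id 11968, offset 0, flags [DF], proto TCP (6), length 60)
    client-a.example.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xfcf4 (correct), seq 4120766767, win 64240, length 0
07:29:51.621271 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > client-a.example.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe272), seq 2016981066, ack 4120766768, win 65160, length 0
07:29:52.630136 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > client-a.example.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xde81), seq 2016981066, ack 4120766768, win 65160, length 0
07:30:10.100000 IP (tos 0x0, ttl 63, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.40000 > 172.16.3.7.documentum-s: Flags [S], cksum 0x1111 (correct), seq 1, win 64240, length 0
07:30:10.100200 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > 10.0.0.5.40000: Flags [S.], cksum 0x2ca3 (incorrect -> 0x2222), seq 100, ack 2, win 65160, length 0
07:30:10.100400 IP (tos 0x0, ttl 63, id 2002, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.5.40000 > 172.16.3.7.documentum-s: Flags [.], cksum 0x3333 (correct), ack 101, win 502, length 0
07:30:20.000000 IP (tos 0x0, ttl 54, id 3001, offset 0, flags [DF], proto TCP (6), length 60)
    client-c.example.5000 > 172.16.3.7.documentum-s: Flags [S], cksum 0x4444 (correct), seq 7, win 64240, length 0
"""

if __name__ == "__main__":
    for (init, resp), st in classify_handshakes(SAMPLE).items():
        print(f"{init} -> {resp}: {st['verdict']} "
              f"(syn={st['syn']}, synack={st['synack']}, ack={st['ack']})")
    print("checksum-offloaded sources:", checksum_offload_sources(SAMPLE))
```

Run it against a real capture with `python3 classify.py < dump.txt` after swapping SAMPLE for `sys.stdin.read()`; a half-open verdict with several SYN-ACKs and zero ACKs for a flow that arrives over the VPN interface is the cue to look at where the host's replies are being routed (and at the firewall rule's interface and gateway/reply-to settings on the OPNsense side) rather than at the service itself.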