Topics - hcso-tm

1
Virtual private networks / problem with redirect gateway
« on: May 21, 2024, 02:21:20 pm »
Hi all,

We have an issue configuring a new VPN server (OpenVPN) without "redirect gateway" but still accessing internal services.

What we want to achieve:
1. Client traffic not running over our internet connection, excepted
2. Client access to DFS shares
3. We have conditional forwarding in DNS for access to resources in the customer network

When we use the "redirect gateway" option -> 2. and 3. are working.
When we set "pull-filter ignore redirect-gateway" on the client -> 1. and 2. are working.

Is there a way to get all three things running at the same time?

Our setup:

Redirect Gateway = true
Dynamic IP = true
Topology = true
DNS Default Domain = our internal Domain
DNS Servers = our 1st and 2nd DNS-Server IP

Within the .ovpn config file on the client we set:

pull-filter ignore redirect-gateway


2
Virtual private networks / OpenVPN DNS trouble
« on: July 03, 2023, 12:18:16 pm »
Hi,
We do have a problem with DNS resolution through the tunnel.

The behavior is very strange. We do have the internal domain mc.local and the domain mycompany.com.

    nslookup testserver.mc.local
    nslookup testwebsite.mycompany.com

Both result in NXDOMAIN, resolved by the DNS server where the client resides.

    nslookup testserver.mc.local 172.16.0.10 #DNS Server at Site, not opnSense
    nslookup testwebsite.mycompany.com 172.16.0.10

Both resolve the servers.

The really strange part is:

    ping testserver.mc.local

does work, while

    ping testwebsite.mycompany.com

does NOT. It does work, however, when we add the name resolution to the hosts file.

Our Server Settings are:
DNS Default Domain: mc.local
DNS Domain search list: mycompany.com
DNS Servers 172.16.0.10
Force DNS cache update: tested, no difference
Prevent DNS leaks: tested, no difference
redirect gateway: false (when true, it does work)
IPv4 Local Network: 172.16.0.0/16


It behaves the same on all 4 possible connections:

Client:
Windows 10 OpenVPN Connect 3.3.7 (latest Version)
Windows 11 OpenVPN Connect 3.3.7 (latest Version)

Server:
OPNsense 23.1.11-amd64 (OpenVPN 2.6.5)
OPNsense 22.1.6-amd64 (OpenVPN 2.5.6)

We didn't change the server config for over one year and nobody complained, so we are pretty sure it did work up until a few weeks ago.
Since last week, we have received three reports about this issue.

What really puzzles me is the fact that OpenVPN Connect had its last update in February and it happens on the old and the new OPNsense version.
The only thing I can think of is a Windows update that broke something on Win10 and 11...
Or nobody wanted to use those "internal-only" websites for half a year and last week 3 guys (from 2 different customers, so they are totally independent!) wanted to use them again.

Does anybody have the same issue and/or a solution?

Thanks in advance
Jochen

3
Tutorials and FAQs / Auto-Updating Alias for Microsoft O365 Endpoints
« on: July 25, 2022, 05:56:00 pm »
Hi,
I wrote a little PHP script to create an Alias-parsable list of IP-Addresses.

https://github.com/JochenKorge/m365enpoints

It's my very first PHP script, so reviewing is recommended ;)
Pull requests for other sources (or IPv6) are welcome.

Cheers Jochen
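As an added illustration of what such a script has to do (this is not the code from the linked repository, nor anything posted in the thread), the block below turns Microsoft 365 endpoint records into a one-network-per-line list that a URL-table alias can consume. It assumes the record layout of Microsoft's public endpoint web service (a JSON array of objects carrying "ips", "category", "serviceArea" and "required"); the sample data is constructed from RFC 5737/3849 documentation ranges, and the function names are this example's own. Because the output ends up in firewall rules, the example filters on category and required-flag, skips malformed entries instead of aborting, drops IPv6 unless asked for, and collapses adjacent prefixes so the alias stays small and deterministic.

```python
"""Build an alias-style list of networks from Microsoft 365 endpoint data.

Added example, not the script from the linked GitHub repository. The record
layout (ips / category / serviceArea / required) follows Microsoft's public
endpoint web service; SAMPLE_ENDPOINTS_JSON below is constructed test data
using documentation address ranges, not a real download.
"""
import ipaddress
import json

# Constructed sample in the shape of the endpoint web service output.
SAMPLE_ENDPOINTS_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.example"], "tcpPorts": "80,443",
   "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]},
  {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": true,
   "udpPorts": "3478,3479",
   "ips": ["198.51.100.0/26", "198.51.100.64/26"]},
  {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["*.cdn.example"]},
  {"id": 4, "serviceArea": "SharePoint", "category": "Allow", "required": true,
   "tcpPorts": "443",
   "ips": ["203.0.113.0/24", "not-an-ip"]}
]"""


def load_endpoints(raw):
    """Parse the JSON document and insist on the expected top-level array."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("endpoint document must be a JSON array of records")
    return records


def extract_networks(records, *, service_areas=None, categories=None,
                     required_only=False, ipv6=False):
    """Collect networks from the records, applying optional filters.

    Unparseable entries are skipped (and counted by the caller if desired)
    rather than aborting the run, so one bad upstream value cannot empty the
    alias and silently open or close rules that depend on it.
    """
    nets = set()
    for rec in records:
        if required_only and not rec.get("required", False):
            continue
        if service_areas and rec.get("serviceArea") not in service_areas:
            continue
        if categories and rec.get("category") not in categories:
            continue
        for cidr in rec.get("ips", []):          # URL-only records have no "ips"
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                continue                          # skip malformed entries
            if net.version == 4 or ipv6:
                nets.add(net)
    # Networks of different versions are not mutually comparable, so sort on
    # (version, integer address, prefix length) for a stable output order.
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def collapse(nets):
    """Merge adjacent/overlapping prefixes, per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_alias(nets):
    """One network per line, the form a URL-table alias expects."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    recs = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    print(render_alias(collapse(extract_networks(recs, required_only=True))), end="")
```

In a real deployment the JSON would be fetched from Microsoft's endpoint web service (its URL and request parameters are documented by Microsoft and not reproduced here) on a schedule, and the rendered text served from a location the firewall's alias refresh can reach; the parsing and filtering above are the part that decides what ends up in the rules.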

4
Virtual private networks / [SOLVED] Site2Site OpenVPN Tunnel OK, Clients not
« on: April 27, 2022, 01:12:33 pm »
Hi,

I encountered some really strange behavior.
We set up an OpenVPN tunnel between two OPNsense FWs. The tunnel seems to be fine. When I ping/port-probe "ServerFW" from "ClientFW" it just works as expected.
When I try the same from a PC connected to "ClientFW", I can capture packets leaving ClientFW, but not arriving at ServerFW.


First, I tried nc from a PC connected to ClientFW. You can see that the ClientFW tried to send those packets to ServerFW. On the server side there is nothing captured.
After that, I used Interface->Debugging->Port-Probe on the ClientFW. Those packets are captured at both ends.

See attached Captures.
Capture settings on both firewalls are set to: tunnel interface, promiscuous mode, TCP port 443, started at the same time.

Any ideas why traffic in the Tunnel is behaving so strange?

5
High availability / HA/CARP, routed subnets and needed IPs
« on: October 26, 2021, 03:15:36 pm »
Hi,
I'm trying to wrap my head around the possible configurations of CARP on our WAN side.

Our Addresses are:
XX.XX.212.243/31 OPNSense WAN (Gateway XX.XX.212.242)
Additionally our Provider routes two /29 Subnets to XX.XX.212.243
XX.XX.212.248/29
XX.XX.237.192/29

We're able to use all 16 addresses from the /29 nets as client or virtual IPs.

I do see two options:
1) We need to 1:1 NAT our main address onto another address like 10.0.0.1, used as CARP-VIP, add 2 "normal" WAN interfaces 10.0.0.2 and 10.0.0.3 and use XX.XX.212.242 as far gateway
2) We ask our provider to move the allocation like so:
XX.XX.212.248/29 as our "main" Subnet
XX.XX.212.249 Gateway
XX.XX.212.250 CARP-VIP <- XX.XX.237.192/29 and XX.XX.212.242/31 routed there
XX.XX.212.251 WAN FW1
XX.XX.212.252 WAN FW2
XX.XX.212.253 & 254 Usable as Client or "normal" Virtual IP

Is there a third option? I dislike the additional NAT (mainly because we need a Site to Site IPSec tunnel which dislikes NAT) and Option 2 sounds like a lot of work.

Thanks in advance

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved