Topic: OpenVPN site2site no routing back to client (Read 3852 times)
erik_123 (Newbie)
OpenVPN site2site no routing back to client
on: March 24, 2020, 09:28:40 am
So the first ... caveat is the client end of this VPN is commercial HW, specifically an Asus AC88U running Merlin 384.15, though I do not think this should matter.
I have defined a peer-to-peer TLS OpenVPN server in opnsense with the following:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device mode: TUN
interface: WAN
Port: 8080
Crypto Settings as per https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html (created CA etc etc)
IPv4 Tunnel Network: 192.168.254.0/29
Local Network: 172.16.0.0/20
Remote Network: 10.0.0.0/16
Address Pool is checked which I believe was on by default.
Allowed incoming on the wan interface to that port (8080)
Rules:OpenVPN has all allowed.
Exporting the config and loading it to the asus is fine.
Tunnel is up. Can ping from remote to OPNsense LAN.
But I cannot route BACK to the Asus network, and I really believe that it appears to be an issue on the OPNsense side of this.
In the web gui the routes are there and look ok to me.
attachment1.jpg
In console the routes are also visible and look good:
attachment2.jpg
Traceroute from console though does NOT show traffic going down the tunnel:
attachment3.jpg
Is routing not actually my problem here? Do I need to add some firewall rules? I don't SEE any blocked traffic in the Firewall: Log Files: Live View.
From the console I can ping both sides of the tunnel network (192.168.254.1 and 192.168.254.6)
From a client machine in the OPNsense LAN I can also ping both ends of the tunnel network. But when I try to send traffic to the other side it goes ... nowhere.
Am I going crazy here? Where should I be hunting logs to figure this out?
banym (Sr. Member) - Free Human Being, FreeBSD, Linux and Mac nerd
Re: OpenVPN site2site no routing back to client
Reply #1 on: March 24, 2020, 10:16:42 am
Same question as always ;-)
Is your OPNsense the default GW for your network, or do you have static routes pointing to the OPNsense as gateway for your tunnel network 192.168.254.0/29?
Please show your rules on the OpenVPN interface and a diagram of your network topology.
If you want to check if the traffic goes into the tunnel you can capture traffic and look for your ping packets. If you only see echo request packets on the OpenVPN interface, the chance is high that you have a routing problem.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
chemlud (Hero Member)
Re: OpenVPN site2site no routing back to client
Reply #2 on: March 24, 2020, 10:19:00 am
Yepp, best guess: no ALLOW rule(s) on the OpenVPN firewall tab...
PS: On the other hand, in the OP:
Quote: "Rules:OpenVPN has all allowed."
Last Edit: March 24, 2020, 10:20:39 am by chemlud
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity." - C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
erik_123 (Newbie)
Re: OpenVPN site2site no routing back to client
Reply #3 on: March 24, 2020, 11:04:18 am
@chemlud: OpenVPN FW rules are just ... horribly open at this point, attached.
@banym: It is the default gateway (unless I've really lost my mind), at least for the LAN behind it.
Here is a ... truly awful network diagram though.
It doesn't seem so much like a firewalling/filtering problem right now; packets just do not seem to be routed from the OPNsense to the tunnel (see traceroute pics). But I am going to run some packet captures now.
erik_123 (Newbie)
Re: OpenVPN site2site no routing back to client
Reply #4 on: March 24, 2020, 11:32:20 am
To me this pcap looks "correct", which is to say that the traffic is going to the OpenVPN interface but ...
ovpns2 11:15:44.611790 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 528, length 64
ovpns2 11:15:45.635887 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 529, length 64
ovpns2 11:15:46.659833 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 530, length 64
LAN vmx2 11:15:44.611781 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 528, length 64
LAN vmx2 11:15:45.635859 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 529, length 64
LAN vmx2 11:15:46.190199 IP 172.16.1.0.68 > 172.16.0.1.67: UDP, length 277
LAN vmx2 11:15:46.191298 IP 172.16.0.1.67 > 172.16.1.0.68: UDP, length 328
LAN vmx2 11:15:46.659816 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 530, length 64
So, back to the routing problem.
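The capture above is exactly the situation banym's earlier rule describes (echo requests on the OpenVPN interface, no replies). As an added example that is not part of this thread or of OPNsense, the following script parses Packet Capture output in that format and applies the rule automatically; the sample capture, the interface names ovpns2 and vmx2, and the verdict strings are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of OPNsense's Interfaces > Diagnostics > Packet Capture output: the capture
# interface, a timestamp, then the tcpdump-style summary. Only ICMP echo lines match;
# other traffic (the DHCP exchange in the thread, for example) is skipped.
ICMP_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample modelled on the capture in the thread (not the poster's raw data).
SAMPLE_CAPTURE = """\
ovpns2 11:15:44.611790 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 528, length 64
ovpns2 11:15:45.635887 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 529, length 64
vmx2 11:15:44.611781 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 528, length 64
vmx2 11:15:45.635859 IP 172.16.1.0 > 10.0.100.175: ICMP echo request, id 21954, seq 529, length 64
vmx2 11:15:46.190199 IP 172.16.1.0.68 > 172.16.0.1.67: UDP, length 277
"""

def summarize(capture):
    """Per interface, the (id, seq) pairs seen as echo requests and as echo replies."""
    seen = defaultdict(lambda: {"requests": set(), "replies": set()})
    for line in capture.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            bucket = "requests" if m["kind"] == "request" else "replies"
            seen[m["iface"]][bucket].add((int(m["id"]), int(m["seq"])))
    return dict(seen)

def diagnose(capture, tunnel_iface, lan_iface):
    """Apply the rule from the thread: requests on the tunnel interface with no
    replies point away from OPNsense's own routing and toward the far side."""
    empty = {"requests": set(), "replies": set()}
    s = summarize(capture)
    tun, lan = s.get(tunnel_iface, empty), s.get(lan_iface, empty)
    if not lan["requests"]:
        return "no echo requests on the LAN side: the host is not sending, or the capture filter is wrong"
    if not tun["requests"]:
        return "requests arrive on LAN but never appear on the tunnel: OPNsense is not routing into the tunnel"
    if not tun["replies"]:
        return "requests enter the tunnel but no replies come back: look at routing/firewall on the remote side"
    if tun["replies"] - lan["replies"]:
        return "replies return through the tunnel but are not forwarded to LAN: check OPNsense rules/NAT"
    return "requests and replies seen on both interfaces: the path works"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "ovpns2", "vmx2"))
```

Feed it a capture taken on both the LAN and the OpenVPN interface at once (host filter on the ping target) so that the same id/seq pairs can be matched across interfaces.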
chemlud (Hero Member)
Re: OpenVPN site2site no routing back to client
Reply #5 on: March 24, 2020, 11:47:57 am
Virtual machine? Switch to real metal...
erik_123 (Newbie)
Re: OpenVPN site2site no routing back to client
Reply #6 on: March 24, 2020, 11:58:06 am
rofl, while that would maybe be nice, I'm not sure that generally it would magically fix the routing issue.
banym (Sr. Member) - Free Human Being, FreeBSD, Linux and Mac nerd
Re: OpenVPN site2site no routing back to client
Reply #7 on: March 24, 2020, 12:33:53 pm
Ah, now I understand: the ASUS router on the other side is the client.
Well, then it works as designed ;-)
You did configure a Road Warrior OpenVPN, not a Site-to-Site. You need to do Site-to-Site if you want to route traffic from the laptop on the left side of your diagram into the tunnel. Now you only have the ASUS as a client connected to the OpenVPN.
erik_123 (Newbie)
Re: OpenVPN site2site no routing back to client
Reply #8 on: March 24, 2020, 01:31:54 pm
Hold up.
So I followed the guide here: https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html
The laptop can happily route THROUGH the Asus, which is the default GW, to the 172.16 network.
But things in the 172 network cannot route through to the 10.0 network.
Whilst the Asus is just terrible, the above also suggests that site B is configured as a "client".
This could just be a matter of terminology though, really.
The Asus does also have "server" options, but they are limited, e.g., no actual tunnel network, just local and remote address options.
banym (Sr. Member) - Free Human Being, FreeBSD, Linux and Mac nerd
Re: OpenVPN site2site no routing back to client
Reply #9 on: March 24, 2020, 03:02:51 pm
O.k., that was the correct guide. So you have OpenVPN Site-to-Site on the OPNsense side.
Then you have to search the ASUS side for the routing problem, or maybe firewalling on that side.
Fast way: use Wireshark on the laptop and search for the ICMP packets from the ping you send.