Cannot get response from OpenVPN server
Posted by Taomyn on July 11, 2020, 10:15:01 pm
Since migrating to my new firewall, where most things have restored nicely and other things needed tweaking, e.g. installing missing plug-ins, one thing I cannot get to work any more is OpenVPN. The service simply does not respond to any connections and it seems to be ignoring the firewall rule.
I've tried at least 5 times to reconfigure OpenVPN from scratch and nothing seems to help. According to the rules.debug file the rule is there and appears to be correct. The only thing I do after it is generated is to move it above my catch-all rule, as I have done with the numerous other service rules, but it's still ignored. This is the rule together with the one that follows it:
pass in log quick on pppoe0 reply-to ( pppoe0 nnn.nnn.nnn.1 ) inet proto udp from {any} to {(pppoe0)} port {1194} keep state label "b421bf32c395b0dd6fee90d8e986dfd7" # : OpenVPN MyDomain VPN wizard
pass in log quick on pppoe0 reply-to ( pppoe0 nnn.nnn.nnn.1 ) inet from {any} to $HIBBERT label "0cc733839caa3b3bfdfb4a76bd530780" # : Divert to Honeypot
The attached screenshot shows the logged information when the second rule actions the connection, which of course does not respond.
I have also tried creating the rule manually, setting the OpenVPN rule to "any" interface and also to one of the others with no effect.
Any ideas?
OPNsense 20.1.8_1-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
LibreSSL 3.0.2
Reply #1 by Taomyn on July 12, 2020, 10:30:51 am
I found the problem, but it seems to have opened a new issue with NAT.
I reset the config of the firewall back a few days to before I started working on a few things, and my old VPN setup came back and was working again *phew*. So I started manually putting back the changes I made over the last few days as best I could from memory, applying some of the things I learnt during that time to get it right the first time.
All was going well until I added a new NAT rule to divert all traffic from geo-locations I don't want accessing my services to my honeypot - basically a geo-based alias of granted locations that I inverted. I had already added 3 other similar NATs to divert other traffic based on aliases, and they were working fine, but the moment I added the new one for geo-locations the VPN stopped working again. Disabling the NAT returns VPN to normal.
So I discovered two issues:
1. NAT does not like to handle geo-location aliases
2. Disabling a NAT rule does not disable the linked firewall rule
Are these bugs or expected behaviour? Am I doing something wrong?
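Added example, not part of the thread or of OPNsense's own code: a small Python model of the evaluation order that explains the symptom in both posts. In pf, NAT (rdr) translation is applied before the filter ruleset is evaluated, so when an rdr that sends "unwanted" sources to the honeypot matches a client, the packet the filter rules see is already addressed to the honeypot. The `pass ... to (pppoe0) port 1194` rule then no longer matches and the later "Divert to Honeypot" rule catches the connection, exactly as the screenshot in the first post shows; disabling the rdr restores the original destination and the OpenVPN rule matches again. Addresses, the `$HIBBERT` value, the geo network and the client address are constructed placeholders (the post masks them as `nnn.nnn.nnn.x`), and the model assumes the VPN client's source falls into the inverted geo alias, which the thread does not confirm.

```python
"""Simplified model of pf processing: rdr translation first, then
first-match filter rules. Constructed addresses; not real OPNsense code."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed placeholders (the forum post masks real addresses as nnn.nnn.nnn.x)
WAN_ADDR = "203.0.113.10"      # assumed address behind "(pppoe0)"
HONEYPOT = "192.0.2.50"        # assumed value of the $HIBBERT alias
GEO_BLOCKED = [ipaddress.ip_network("198.51.100.0/24")]  # assumed inverted geo alias


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class RdrRule:
    enabled: bool
    src_nets: List[ipaddress.IPv4Network]
    rdr_to: str


@dataclass
class FilterRule:
    label: str
    proto: Optional[str]   # None = any protocol
    dst: Optional[str]     # None = any destination
    dport: Optional[int]   # None = any port
    quick: bool = True     # OPNsense-generated rules are "quick": first match wins


def apply_rdr(pkt: Packet, rdr_rules: List[RdrRule]) -> Packet:
    """pf rewrites the destination before the filter rules see the packet."""
    src = ipaddress.ip_address(pkt.src)
    for r in rdr_rules:
        if r.enabled and any(src in net for net in r.src_nets):
            return Packet(pkt.src, r.rdr_to, pkt.proto, pkt.dport)
    return pkt


def first_match(pkt: Packet, rules: List[FilterRule]) -> Optional[str]:
    """Return the label of the first quick rule that matches, or None (default deny)."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.label
    return None


def evaluate(pkt: Packet, rdr_rules: List[RdrRule], filter_rules: List[FilterRule]) -> Optional[str]:
    return first_match(apply_rdr(pkt, rdr_rules), filter_rules)


# The two filter rules from rules.debug in the first post, in the poster's order.
FILTER_RULES = [
    FilterRule("OpenVPN MyDomain VPN wizard", "udp", WAN_ADDR, 1194),
    FilterRule("Divert to Honeypot", None, HONEYPOT, None),
]


def openvpn_outcome(geo_rdr_enabled: bool, client: str = "198.51.100.7") -> Optional[str]:
    """Which filter rule handles a UDP/1194 packet from `client` to the WAN address."""
    rdr_rules = [RdrRule(geo_rdr_enabled, GEO_BLOCKED, HONEYPOT)]
    return evaluate(Packet(client, WAN_ADDR, "udp", 1194), rdr_rules, FILTER_RULES)


if __name__ == "__main__":
    print("geo rdr disabled :", openvpn_outcome(False))
    print("geo rdr enabled  :", openvpn_outcome(True))
    print("client outside geo alias, rdr enabled:", openvpn_outcome(True, "203.0.113.200"))
```

The order of the two filter rules is irrelevant once the rdr fires: a rule written for the untranslated destination can never match a packet whose destination has already been rewritten, so moving the OpenVPN rule above the catch-all does not help. The practical check on a real box is to compare the destination address in the firewall log entry with the interface address the pass rule expects; if it is the honeypot address, a NAT rule matched first.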