Use openvpn as client and server breaks it all

Started by nothing, March 07, 2021, 08:34:28 AM

Just wonder has anyone had such experience:

  • Single WAN interface.
  • Openvpn tun server instance for site to site clients (peer2peer)
  • Openvpn tun server instance for remote access (mobile) clients
  • Openvpn tun client to another server with a bunch of networks routed through the tunnel.
All works fine until the client instance is started. It breaks all remote access and site to site tunnels, and all openvpn services fall into a loop where everything starts and stops. If I leave it like this overnight, I have it settled and working in the morning. And it stays stable until the client instance reconnects - then all falls apart.

Anyone tried this setup?

What are the tunnel subnets?
Which ports/protocols are the various OpenVPN servers using?
Are you using NAT or pushing out routes to clients?

Bart...

Wonder if it's the routes being added to OPNsense when the client tunnel comes up.

I usually tick "Don't pull routes", then create a gateway and do policy based routing. Otherwise the VPN client messes with the default routes if you're connecting to a VPN provider such as Private Internet Access.
Adventuring through internet pipes
My Blog

March 07, 2021, 03:25:30 PM #3 Last Edit: March 07, 2021, 03:27:14 PM by nothing
Main details

  • Site2site p2p subnets are /30
  • Main site and two client sites have one /24 each
  • Remote access clients use subnet topology with another /24. Main site /24 subnet is pushed to RA clients.
  • Openvpn client instance of the main site receives some subnets pushed via the tunnel
  • There is NAT rule for outgoing traffic on openvpn client interface, which is assigned. No other NAT rules for vpn subnets.
  • All instances use TCP protocol.
  • All routes are pushed via the openvpn services. No manual gateways.
It behaves like all those openvpn instances are depending on one another and are not separate processes. Also I have tried without the NAT - same behavior.

Try establishing the tunnels without automatic routing and set temporary routes on the clients for testing. That way you get the connections confirmed before you troubleshoot the routing.

Any reason for using TCP? You'll get better performance from UDP. What are the listener ports?

Bart...

I've tried to switch on "Don't pull routes" and "Don't add/remove routes" on the client instance, but it doesn't make any difference. The client instance process is somehow connected with the server instances - reconnecting the client resets all connections on all instances.
On top of that, while the client is reconnecting, the web interface of Opnsense is not responding (for about 5-10 seconds).

I use tcp/1194 and tcp/1195 for the server instances. The client instance is connecting to the remote server on 1194.

I had some issues with UDP and NAT by shitty routers in the past. UDP is also not supported by Mikrotik.

The only thing I see in the log is:
MANAGEMENT: Client disconnected
MANAGEMENT: CMD 'quit'
MANAGEMENT: CMD 'status 2'
MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock

I've had OpenVPN server and OpenVPN client running at the same time on OPNsense for years, so something isn't quite right with your setting it sounds...

Have you left the "Local port" on the VPN client blank? If so, try putting in a port you know isn't in use, like 1195.

Can you screenshot the settings for each server and the client? Would make things easier to see how you've configured them :-)
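One way to act on the "Local port" suggestion above is to read each instance's OpenVPN config and report which ones would bind the same local proto/port. This is an added example, not from the thread or from OPNsense; the instance names and config texts are constructed to mirror the setup described (two TCP servers on 1194/1195, one TCP client to a remote 1194).

```python
"""Detect OpenVPN instances on one host that bind the same local proto/port.

In OpenVPN, `port` sets both local and remote port (default 1194), `lport`
overrides the local one, and `nobind` means no local bind at all. Two
instances binding the same proto/port cannot both run, so the loser
restarts in a loop.
"""
from collections import defaultdict

# Constructed sample configs keyed by hypothetical instance names.
SAMPLE_CONFIGS = {
    "server1": "dev tun\nproto tcp-server\nport 1194\nserver 10.8.0.0 255.255.255.0\n",
    "server2": "dev tun\nproto tcp-server\nport 1195\nserver 10.9.0.0 255.255.255.0\n",
    # Client given an explicit local port that collides with server2.
    "client1": "dev tun\nclient\nproto tcp-client\nremote vpn.example.invalid 1194\nlport 1195\n",
}


def local_binding(config_text):
    """Return ('tcp'|'udp', port) this instance binds locally, or None with nobind."""
    proto, port, lport, nobind = "udp", 1194, None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "proto" and args:
            proto = "tcp" if args[0].startswith("tcp") else "udp"
        elif key == "port" and args:
            port = int(args[0])
        elif key == "lport" and args:
            lport = int(args[0])
        elif key == "nobind":
            nobind = True
    if nobind:
        return None
    return (proto, lport if lport is not None else port)


def find_collisions(configs):
    """Map every (proto, port) bound by more than one instance to those instances."""
    users = defaultdict(list)
    for name, text in configs.items():
        binding = local_binding(text)
        if binding is not None:
            users[binding].append(name)
    return {b: sorted(n) for b, n in users.items() if len(n) > 1}


if __name__ == "__main__":
    for (proto, port), names in find_collisions(SAMPLE_CONFIGS).items():
        print(f"{proto}/{port} is bound by: {', '.join(names)}")
```

A client config with neither `lport` nor `nobind` binds the default 1194 locally, so it would collide with a server listening there on the same protocol.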

Just got some more clues!
The problem exists only if I have assigned an interface to the openvpn client instance - Interface>Assignments
And if I don't assign an interface, I can't create outbound NAT, because in firewall rules all openvpn instances are seen as one.

So the workaround for the openvpn reconnection loop is to disable that assigned OPT interface, then enable it again.

That sounds very strange... you shouldn't need to do that...

Have you changed any settings in "Firewall: Settings: Advanced"? It kinda sounds like when the gateway goes up or down it's killing all the states.
