Connected to VPN, unable to take advantage of rules using VTI gateway

Started by ja133, June 23, 2023, 04:51:05 AM

Hello, long time lurker, first post. I moved over from pfSense a few months ago and couldn't be happier!

Anyhow, one small issue. I am hosting my own VPN server with both OpenVPN and Wireguard and I experience the same issue on both services. I also have a VTI with Wireguard (but already tried changing it to IPSec, and experienced the same exact issue).

Under the firewall rules (both OpenVPN and WG), I created a rule to route a specific alias over the VTI. When trying to access the alias from the VPN, the page tries to load. I get the favicon, but eventually it just times out.

Copy the exact same rule but under the LAN interface, and it works perfectly when accessing from my home network.

Sounds like an MTU issue to me, and I've played around with it but no luck. Any other suggestions?

Thank you

Try clamping the MSS too, eg: use 1400 for both MTU and MSS.

Thank you. After running a packet capture I realized that the issue was unrelated to MTU. I had to create an outbound NAT rule. Source is the WG subnet, destination is the alias I created, and NAT address is the OPT interface address associated with the VPN.
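As an added illustration (not posted in this thread; interface names, subnets and the alias contents are made-up placeholders), this is roughly what the two pieces of the fix look like in the pf syntax OPNsense generates from its GUI: the policy-route rule on the WireGuard interface, plus the outbound NAT on the VTI that rewrites the road-warrior source address to the VTI interface address, so the far end of the tunnel only has to know how to reach that address rather than the WireGuard client subnet.

```pf
# Placeholder names/addresses, constructed for this example.
wg_if   = "wg0"          # WireGuard server interface
wg_net  = "10.10.10.0/24" # tunnel subnet handed to VPN clients
vti_if  = "wg1"          # VTI (WireGuard or IPsec) interface, "OPT" in the GUI
vti_gw  = "10.20.20.2"   # remote tunnel address used as the VTI gateway

# The alias the original post routes over the VTI; contents are placeholders.
table <vti_hosts> persist { 192.0.2.10, 192.0.2.20 }

# Outbound NAT: traffic from VPN clients toward the alias leaves the VTI
# with the VTI interface address as source. Without this, the remote side
# would need a route back to $wg_net for replies to come home.
nat on $vti_if inet from $wg_net to <vti_hosts> -> ($vti_if)

# Policy route on the WireGuard interface: send alias traffic out the VTI
# instead of the default gateway (the "rule using VTI gateway" from the post).
pass in quick on $wg_if inet proto { tcp udp icmp } \
    from $wg_net to <vti_hosts> route-to ($vti_if $vti_gw) keep state
```

In the GUI these correspond to Firewall > NAT > Outbound (manual or hybrid mode) and the WireGuard interface rule with the VTI gateway selected; a packet capture on the VTI interface showing requests leaving but no replies returning is the quickest way to tell this apart from an MTU problem.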