Topic: PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config (Read 1011 times)
alpresidente
Newbie
Posts: 2
Karma: 0
PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config
« on: July 21, 2023, 08:16:22 pm »
Hello Folks
I'm banging my head against the wall trying to get an OpenVPN road warrior connection to the WAN address of the OPNsense firewall. The firewall is configured PPPoE WAN with a BT subnet of public IP addresses. The BT modem is set up in bridge mode. The firewall is working OK; I'm able to get an OpenVPN connection to a Linux server using one of the public IPs (a NATed Virtual IP). What I can't achieve is an OpenVPN connection to the firewall itself. I've followed instructions from the OPNsense documentation.
Any guidance on how best to debug this would be appreciated: tools, methods, etc. My sense is this has something to do with the weird IP subnet allocation that BT gives.
Logs from the Viscosity VPN client below (x.y.z.w is one of the WAN IPs which has been allocated to the connection):
Jul 21 6:59:53 PM: Valid endpoint found: x.y.z.w:1193:udp
Jul 21 6:59:53 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]x.y.z.w:1193
Jul 21 6:59:53 PM: UDP link local (bound): [AF_INET][undef]:0
Jul 21 6:59:53 PM: UDP link remote: [AF_INET]x.y.z.w:1193
Jul 21 7:03:14 PM: SIGUSR1[soft,tls-error] received, process restarting
Jul 21 7:03:24 PM: Valid endpoint found: x.y.z.w:1193:udp
Jul 21 7:03:24 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]x.y.z.w:1193
Jul 21 7:03:24 PM: UDP link local (bound): [AF_INET][undef]:0
Jul 21 7:03:24 PM: UDP link remote: [AF_INET]x.y.z.w:1193
Jul 21 7:04:24 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 21 7:04:24 PM: TLS Error: TLS handshake failed
bartjsmit
Hero Member
Posts: 2008
Karma: 194
Re: PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config
« Reply #1 on: July 22, 2023, 09:38:53 am »
The issue you have is that the return traffic goes out via the default WAN IP - usually the lowest IP in your BT range (of six, btw - one is reserved for the network and one for broadcast). Viscosity initiates the tunnel by sending a connection request to, say, 72.48.19.2 and OPNsense sends the reply on 72.48.19.1. Confusion ensues and Viscosity throws in the towel.
Try OpenVPN on the internal Linux host and set a 1:1 NAT for it to 72.48.19.2 on OPNsense, or give different OpenVPN servers on the firewall different listener ports: 1194, 1195, 1196, etc.
I've had both options running on a similar Openreach /29 WAN connection. The only difference is a Huawei FTTP adapter instead of your DSL modem.
Bart...
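Added example (not part of the original thread, and not any poster's code): a loopback model of the reply-source mismatch described in Reply #1, where a UDP listener bound to all addresses answers from a different IP than the one the client dialled. It assumes Linux, where every 127.0.0.0/8 address is local; 127.0.0.2 stands in for the secondary WAN IP and the function names are illustrative.

```python
import socket

SECONDARY = "127.0.0.2"   # assumption: stands in for the extra WAN IP the client dials
TIMEOUT = 2.0


def reply_source(bind_addr):
    """Send one datagram to SECONDARY and return the IP the reply came from.

    bind_addr is where the toy server listens: "0.0.0.0" (all addresses)
    or SECONDARY (that one address only).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind((bind_addr, 0))          # kernel picks a free port
        port = server.getsockname()[1]
        server.settimeout(TIMEOUT)
        client.settimeout(TIMEOUT)

        client.sendto(b"hello", (SECONDARY, port))
        _, peer = server.recvfrom(64)
        # Reply without choosing a source address: on a wildcard socket the
        # kernel selects one from the route back to the peer, not from the
        # address the client dialled.
        server.sendto(b"reply", peer)

        _, src = client.recvfrom(64)
        return src[0]
    finally:
        server.close()
        client.close()


def client_accepts(bind_addr):
    """Model the client in Reply #1: it expects the reply to come from
    the address it sent the request to."""
    return reply_source(bind_addr) == SECONDARY


if __name__ == "__main__":
    for addr in ("0.0.0.0", SECONDARY):
        print(f"server bound to {addr:<10} reply from {reply_source(addr):<10} "
              f"accepted={client_accepts(addr)}")
```

OpenVPN has the `local` directive (bind to one address) and the `multihome` directive (reply from the address the packet arrived on) for servers with several addresses; the thread does not establish whether either applies to this setup.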
alpresidente
Newbie
Posts: 2
Karma: 0
Re: PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config
« Reply #2 on: July 22, 2023, 09:35:43 pm »
Hi Bart, so wanting to stick with getting a VPN connection direct to the firewall, how are you "binding" traffic associated with a specific WAN IP to a specific UDP port? You'll note below that I have deliberately used UDP 1193 to be distinct from the 1194 used for an internal Linux server VPN connection that works.
Cheers
Alex
cookiemonster
Hero Member
Posts: 1821
Karma: 95
Re: PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config
« Reply #3 on: July 22, 2023, 10:23:35 pm »
Have you put your local LAN network in the OpenVPN server settings? In the "IPv4 Local Network" field you can put the network of your LAN, for instance 192.168.5.0/24; of course it has to be the one where the firewall sits.
bartjsmit
Hero Member
Posts: 2008
Karma: 194
Re: PPPoE WAN (BT 8 IP static IP subnet) OpenVPN Config
« Reply #4 on: July 22, 2023, 11:33:29 pm »
Quote from: alpresidente on July 22, 2023, 09:35:43 pm
how are you "binding" traffic associated with a specific WAN IP to a specific UDP port
Hi Alex, I'm not - I differentiate between VPNs to the firewall by UDP port and I have had LAN servers with 1:1 that listen on TCP 443 shared between web and OpenVPN.
In other words, I use the two techniques orthogonally - either different internal servers on different WAN IPs or different OpenVPN instances on OPNsense on different ports. I'm not sure you can mix the two, I'm afraid.
Bart...