[SOLVED] OpenVPN accepts connection from LAN interface?

[marceloudi]

Hi all!

We have 2 linux boxes seamlessly connected to Openvpn as clients, from the WAN side. But I need to manage these boxes from my LAN.

So, I configured OpenVPN server to listen on "Any" interfaces (please see image attached).

On my LAN side, the OPNSense box is my gateway. So, I configured the ".opnsense" file to connect to my lan gateway, but it does not work...

It is possible?

Just to confirm: I executed tcpdump at opnsense box, and I can see packets arriving from my lan host (tcpdump -i bge0 host 192.168.9.152 and port 1194)

I searched a lot of material available online, but the search terms are too generic: "connect to opnsense openvpn from lan side", so I did not found any solution!

Regards from Brazil!

[gustaf]

Can't you get to the linux boxes via the IP they get on their tunnel interface? If OPNsense is your gateway, it should know the route without further config, and the LAN should be able to access everything by default

[marceloudi]

Thanks for your response Gustaf!

I can't get to the linux boxes via the Vpn IP.

Executing a ping 10.10.0.2 (remote vpn host), I can see at diagnostics/firewall/log that opnsense is forwarding the packet via system default gateway (in image ends with 129).

I tried to create a route, but Opnsense does not offer Ovpn1 available to select as destination.

Whats can I do?

[gustaf]

I did a small test:
connected to an OPNsense as an OpenVPN road warrior from a Windows PC
Launched RDP to a Windows server residing in the LAN of the OPNsense. Then from the server:

Tried to ping and traceroute myself back with no success.
Tried to connect via RDP to the PC I was using and got a password prompt, which means the RD connection was successful.

I would have a look at the firewall on your remote linux boxes, it's likely what's blocking you.

[marceloudi]

Ok! I just confirmed: there is no firewall at clients: any remote client can ping or telnet any tcp port between them.

So, activating the logs at firewall, I can see the traffic matching rule "Default allow LAN to any rule" (Image attached)

But the traffic does not reach the remote Vpn client.

Can I check which configuration is dropping/blocking the packet to remote client?

[marceloudi]

SOLVED!

I realized that I need to create a LAN rule, and force Traffic to a specific gateway.

So:

- Created (assign) a new interface for OVPN (OPT3): "Dynamic gateway policy" cheked, to auto-create a gateway

- Confirmed that a new Gateway (OPT3_GW) was created to that interface.

- Created a rule (image attached), marked as quick, BEFORE other rules, forcing traffic destinating OVPN Addresses, to OPT3_GW