OpenVPN: I can't connect to the Internet with active Connection on client

Started by guest41249, February 06, 2024, 01:48:15 PM

Hey there,
I need to set up an OpenVPN RoadWarrior setup, because I need to have 2FA for the clients, which isn't possible with WireGuard as far as I know.
The docs were very helpful for that, I did the setup like there, but with a different network address, and I'm able to connect to the server and access the local network of both the client and the OPNsense. But when I activate the connection, it's not possible for the client to access any global IP addresses like 8.8.8.8 or 9.9.9.9.
When I check which gateway is in use I see that my Client uses the Gateway of the VPN Server as a Gateway (10.1.8.1). I think that's the issue, isn't it?
It's somehow not possible to route global IPs for that gateway. The solution would be either to configure the VPN connection to be a split tunnel, so that the client uses its default gateway, or to make the VPN gateway route global IPs. But I only found that topic that explains how to configure a split tunnel with the legacy Server UI, not how I can achieve this with the new Instance UI. And I also have no idea why the VPN gateway isn't routing global addresses. If someone here could help me with one of my problems, it would be great  :D

Have you selected "default" and/or "ipv6 (default)" under the Redirect Gateway option when configuring the server instance?

Yeah, I did. I looked through the configuration again, and both options are activated. Another thing that came to my mind is the Gateway Group I'm using. I use a Multi-WAN setup, where the primary gateway is currently offline. Could that also be a problem, because OpenVPN tries to use the Tier 1 as its gateway?

I'm not a multi-WAN expert but I think it's unlikely that this is the issue if the routing itself is working for your local network because redirecting the gateway should simply tell the clients to tunnel everything to the gateway and the routing table on the gateway itself decides what to do with the packets. Have you checked the box's firewall logs to find out whether VPN traffic to the outside world is discarded? If the gateways are properly redirected, the firewall may be the culprit.

Okay, I now tried out both things and the multi-WAN doesn't seem to be the problem. I also looked at the firewall while pinging and it seems that the ping is allowed to reach the outside, but it still reports packet loss. Does that mean that the reply can't reach the VPN client?

That's interesting. Is this a NAT issue by any chance so that a packet coming from a VPN client is not NAT'ed by the firewall (and in turn this would cause packets not being able to return to the client)?

EDIT: Can you post the firewall rules showing that all traffic going out to the internet is directed to the WANGWGROUP (or whatever name you gave it)? Maybe the VPN client network is missing?

I don't think the NAT is the problem here, because the NATing is done by a completely different router that's operating on the WAN interface of the OPNsense. I attached a sketch of my network.
The NATing on the DrayTek works like this: it translates the external port 1194 to port 1194 of the internal address of the OPNsense, 192.168.150.1. For that I configured a static route on the DrayTek to the OPNsense's network, which is working like it should.
There is also one rule on the MultiWAN group to allow that communication. I know allowing all the traffic is unsafe, but that is only for testing purposes. I wouldn't use something like that in production.