OpenVPN for road warrior

Started by defaultuserfoo, October 04, 2025, 06:03:54 PM

Hi,

I'm following the guide[1] to set up a road warrior.  Unfortunately, the example in the guide uses a private IP address, which makes it utterly confusing.  Road warriors are obviously not on some internal network with a private IP but somewhere remote, and they connect via some internet connection if they can get one at the remote place.  That's why they are called 'road warriors' in the first place.  If they were on the local network with a private IP, they wouldn't need to use a VPN to connect.

So I need to use one of the public IPs the OPNsense machine has for road warriors to connect to.  Let's assume the public IP is 123.123.123.1.  That would mean that I'd have to use 123.123.123.1 in place of the 10.10.8.1 in the example for the bind address.  That would also mean that I would have to use 123.123.123.0/24 as the server address.  Obviously, that doesn't make any sense.

Is there a guide that shows how to set up an OpenVPN connection for roadwarriors at remote sites to connect over the internet and via the OPNsense router to a server on the LAN?

I'd rather use WireGuard, but the device that needs to connect via the internet only supports OpenVPN.

[1]: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html


Quote from: defaultuserfoo on October 04, 2025, 06:03:54 PM
So I need to use one of the public IPs the OPNsense machine has for road warriors to connect to. That would mean that I'd have to use 123.123.123.1 in place of the 10.10.8.1 in the example for the bind address.
Yes.
The guide in the docs assumes that the OpenVPN traffic is forwarded from the public IP. This could be done on a router in front of OPNsense, but also on OPNsense itself. But there's no need: if you have a public IP assigned to OPNsense, you can bind the VPN server to it.

Quote from: defaultuserfoo on October 04, 2025, 06:03:54 PM
That would also mean that I would have to use 123.123.123.0/24 as the server address.
No. The server's address is the VPN tunnel subnet.
The docs are correct here. The server IP is a separate private subnet. The bind address doesn't belong to it.

I prefer binding to 127.0.0.1 and then using port forward rules. Especially useful for Multi-WAN scenarios too.
Hardware:
DEC740
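As an added illustration (not from either poster nor the OPNsense docs), here is how the two settings discussed above map onto a plain OpenVPN server configuration: the bind address is the firewall's public IP (or loopback behind a port forward), while the server/tunnel subnet is a separate private range. The LAN range 192.168.1.0/24, UDP port 1194, interface name em0 and the key paths are assumptions, not values from the thread.

```conf
# Illustrative OpenVPN server config mirroring the thread's settings.
# Assumed (not from the thread): UDP/1194, LAN 192.168.1.0/24 behind OPNsense.

# Bind address: the firewall's own public IP, NOT the tunnel subnet.
local 123.123.123.1
port 1194
proto udp
dev tun

# Tunnel ("server") address: a separate private subnet handed to clients.
# The server becomes 10.10.8.1 inside the tunnel; it is unrelated to
# 123.123.123.1 and must not overlap the LAN or the clients' home networks.
server 10.10.8.0 255.255.255.0

# Make the LAN reachable through the tunnel for connected road warriors.
push "route 192.168.1.0 255.255.255.0"

# Certificates and keys as issued by the OPNsense trust store (placeholder paths).
ca   /path/to/ca.crt
cert /path/to/server.crt
key  /path/to/server.key
dh   none          # ECDH key exchange, no static DH parameters needed

# Client side: the remote is the public IP, never a tunnel-subnet address.
#   remote 123.123.123.1 1194 udp

# --- Alternative from the reply: bind to loopback and port-forward ---
# local 127.0.0.1
# Equivalent pf redirect to what an OPNsense NAT port-forward rule generates
# (one rdr per WAN address works for Multi-WAN, with a single server instance):
#   rdr on em0 inet proto udp from any to 123.123.123.1 port 1194 -> 127.0.0.1 port 1194
```

Whichever bind style is used, only UDP/1194 (or whatever port is chosen) needs a WAN pass rule; the tunnel subnet 10.10.8.0/24 is never exposed on the WAN side.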