OpenVPN and OPNsense - beginner questions

[Zugschlus]

Hi,

I have been using OpenVPN for quite a while but am new to OPNsense. There are some things that confuse me.

I have created a CA on my OPNsense installation, and I have created an OpenVPN _instance_ with the role Server, the Type TUN and topology "subnet". As "Server (IPv4)" I have set 10.242.4.0/26. My Local Network ("internal" on my OPNsense) is 192.168.0.0/20 (don't ask), and I have left the Remote Network empty since the (currently, one) client is just a client.

My client is a plain Linux machine, and the connection comes up: I see a tun0 Interface on the client, with 10.242.4.2/26 assigned as its IP address, and when I ping 10.242.4.1 and tcpdump on tun0, I see those ICMP echo requests going down the tunnel. On the OPNsense side, I see the client with Status "ok" in VPN => OpenVPN => Connection Status. However, I don't see any log entries refering to the connection in VPN => OpenVPN => Log File.

I have a firewall rule on my WAN interface to allow the incoming UDP/1194 packets to my OPNsense, and I have an "allow all" rule in the "OpenVPN" ruleset.

However, when I ping 10.242.4.1 from the client, there is no answer. Neither there is an answer when I ping 192.168.0.141 which is a host on my internal network. tcpdumping on the OPNsense internal interface doesn't see the ICMP echo request packets from my VPN client.

Now the strange things:

• ifconfig on my OPNsense shows a tun1 Interface, but that one doesn't have an IP address. I would have expected 10.242.4.1/26 to appear on that interface.
• Firewall => Log Files => Live View doesn't show anything with "Interface" OpenVPN, and I cannot establish a filter "Interface contains OpenVPN". The List only contains internal, Loopback, MGT0, PFSYNC and wan.

Obviously OPNsense does something differently from what I am used to when using OpenVPN on Linux. Can someone enlighten me please?

Greetings
Marc

[Patrick M. Hausen]

Topology = "Subnet"?

Firewall rule on OpenVPN: direction "in", allow all? Direction is frequently confusing for OPNsense beginners.

HTH,
Patrick

[Zugschlus]

Topology = "Subnet"?

Yes. I forgot to mention that. Fixed the original article.

Firewall rule on OpenVPN: direction "in", allow all?

I think so.

You cannot view this attachment.

>Direction is frequently confusing for OPNsense beginners.

Yes, but it's mentioned THIS properly in ALL docs that it's almost impossible to miss.

Greetings
Marc

[Patrick M. Hausen]

You should have an ovpns1 interface with 10.242.4.1/26, not a tun1 on OPNsense.

Which version of OPNsense are you running?

[Zugschlus]

You should have an ovpns1 interface with 10.242.4.1/26, not a tun1 on OPNsense.

Nosireebob.

Code Select Expand

root@OPNs01:~ # ifconfig | grep ovpn
root@OPNs01:~ # ifconfig | grep 242
root@OPNs01:~ #


Which version of OPNsense are you running?

25.1.10 on FreeBSD 14.2-RELEASE-p3. I intend to upgrade before going live, but I'd like to have the configuration complete so that I can actually see that everything survives the upgrade.

Greetings
Marc

[Patrick M. Hausen]

I don't have any 25.1 running to compare, sorry. Although ... that system with my ovpns1 is a 25.4 business edition so essentially 25.1

I attached the relevant part of my config. Try a reboot, maybe, to whack the interfaces into shape? ;-)

[Zugschlus]

Try a reboot, maybe, to whack the interfaces into shape? ;-)

"Gesundbooten" as we say in Germany. It helped. Part of me is happy about that, other part not.

Thanks for helping.

Greetings, Marc

[Patrick M. Hausen]

Possibly a restart of the OpenVPN service would have achieved the same. If you don't have it already, place the Services widget on your dashboard.