Topic: internal OpenVPN server, firewall rules (Read 1709 times)
cswingley
Newbie
Posts: 1
Karma: 0
internal OpenVPN server, firewall rules
« on: October 22, 2018, 06:39:45 pm »
Greetings!
I have an OpenVPN server (192.168.11.9) running inside my LAN (192.168.11.0/24) and OPNsense is set up to NAT 1195 UDP to that server. OPNsense has a gateway to the OpenVPN server and a static route for the internal VPN subnet (10.192.11.0/24). Clients are able to connect through the firewall to the VPN server and get an IP. But the OPNsense firewall is blocking LAN packets travelling from an internal LAN server IP (192.168.11.57, for example) to the address the OpenVPN server has assigned to the client (10.192.11.33, for example). I've tried adding LAN and floating rules to pass all LAN subnet traffic to the VPN subnet (10.192.11.0/24), but they don't seem to be working. When in place, I still get the default block from lan src 192.168.11.57 -> dst 10.192.11.33. What am I missing? How can I get internal server traffic to pass through to the OpenVPN server network?
FWIW, I'm not using the built-in OpenVPN server/client setup because I'd rather not set up all my users on the firewall; with an OpenVPN server running inside my LAN I can use my LDAP server for authentication (in addition to the keys, etc. from OpenVPN).
A poor attempt at a diagram for what's going on:
WAN -- OPNsense -- 192.168.11.0/24 -- LAN -- 192.168.11.9 OpenVPN server
                                       |                     |
                          10.192.11.33 <--- blocked ---- 192.168.11.57
                          VPN client                     Internal server
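The setup above has the OPNsense static route pointing at a next hop on the same LAN segment the traffic came from, so it is worth seeing how a stateful filter behaves when the two directions of a flow take different paths. The following is an added model written for this thread, not code from the post or from OPNsense: it assumes OPNsense's LAN address is 192.168.11.1 (not stated in the post), that the internal server keeps sending to its default gateway rather than honouring an ICMP redirect, and a deliberately simplified keep-state handshake check.

```python
import ipaddress

# Constructed topology taken from the post: LAN 192.168.11.0/24 behind OPNsense, the
# OpenVPN server 192.168.11.9 on that LAN, VPN clients in 10.192.11.0/24.
# The OPNsense LAN address 192.168.11.1 is an assumption; the post does not state it.
LAN = ipaddress.ip_network("192.168.11.0/24")
VPN = ipaddress.ip_network("10.192.11.0/24")
FW, OVPN, SERVER, CLIENT = "192.168.11.1", "192.168.11.9", "192.168.11.57", "10.192.11.33"

def next_hop(host, dst, server_routes):
    """Where a host forwards a packet for dst: the destination itself if on-link, else a router."""
    d = ipaddress.ip_address(dst)
    if host == OVPN and d in VPN:       # VPN subnet sits on the server's tun interface
        return dst
    if host == FW and d in VPN:         # OPNsense static route for 10.192.11.0/24 via 192.168.11.9
        return OVPN
    if d in LAN:                        # LAN hosts reach each other directly
        return dst
    return server_routes.get(str(VPN), FW)   # internal server: specific route if set, else default gateway

def firewall_check(states, pkt):
    """Simplified keep-state filter: a LAN-sourced SYN opens a state that must then
    advance SYN -> SYN-ACK -> ACK through the firewall; anything else hits the default block."""
    src, dst, flags = pkt
    key = frozenset((src, dst))
    if flags == "S" and ipaddress.ip_address(src) in LAN:
        states[key] = "SYN_SENT"
        return "pass"
    expected = {"SYN_SENT": "SA", "SYN_RCVD": "A"}
    if key in states and expected.get(states[key]) == flags:
        states[key] = "SYN_RCVD" if flags == "SA" else "ESTABLISHED"
        return "pass"
    return "block"

def trace_handshake(server_routes=None):
    """Send a TCP handshake SERVER -> CLIENT through the topology and record the firewall's
    verdict per packet, or 'not seen' when the packet never crosses OPNsense."""
    server_routes = server_routes or {}
    states, verdicts = {}, []
    handshake = ((SERVER, CLIENT, "S"), (CLIENT, SERVER, "SA"), (SERVER, CLIENT, "A"))
    for src, dst, flags in handshake:
        origin = OVPN if src == CLIENT else src     # client packets leave the tunnel at the OpenVPN server
        if next_hop(origin, dst, server_routes) == FW:
            verdicts.append(firewall_check(states, (src, dst, flags)))
        else:
            verdicts.append("not seen")
    return verdicts

if __name__ == "__main__":
    print("default gateway only:", trace_handshake())                 # ['pass', 'not seen', 'block']
    print("route via VPN server:", trace_handshake({str(VPN): OVPN}))  # ['not seen', 'not seen', 'not seen']
```

In the first trace the firewall sees the SYN and the final ACK but never the SYN-ACK, which the OpenVPN server delivers to 192.168.11.57 directly, so the ACK no longer matches the half-open state and falls to the default block; in the second the flow bypasses OPNsense entirely and no firewall rule is consulted.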