OpenVPN Setup on a single NIC?

[tunworks]

I am only dipping my toes in to OPNsense so far.  I've set up a VM running it on a hyper-v server and just for now I am trying to set up the OpenVPN service for remote access.  I don't know if my setup is invalid, but I cannot find any info online to help me through this as it seems like every single setup is using OPNsense inline with their network (as a firewall duh!) rather than as a standalone node like I am... which could be the problem.

So I have set up the VPN using the wizard, I've got a LAN interface on my network, and the WAN interface is also on the same LAN!  BOth are virtual NICs provided by the hypervisor. 

• I am pretty much ignoring the WAN interface - OpenVPN is set to listen on ANY
• WAN is DHCP - the LAN is a static IP.
• I have a dual NAT setup, not something I set up.. just is what it is.
• I've port forwarded port 1194 on the outer NAT router to an IP that is 1 to 1 NATed on the inner NAT router
• Forwarded dest IP is 1-to-1 NAT to the IP assigned to my LAN interface on my OPNsense VM.
• I have run packet capture on the LAN interface and have seen UDP 1194 packets arriving on that interface when I try to log in using an openVPN client.
• I never see anything on the OpenVPN logs.

   

I really have no idea what I am doing I think!  Something is probably OBVIOUSLY wrong that I am not getting, please point it out so I can revel in my lack of understanding.

VPN Client:

Code: [Select]

Sun Sep 15 18:34:47 2019 TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
Sun Sep 15 18:34:47 2019 UDP link local (bound): [AF_INET][undef]:0
Sun Sep 15 18:34:47 2019 UDP link remote: [AF_INET][public ip of router at location where VM server is hosted]:1194
Sun Sep 15 18:35:48 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Sep 15 18:35:48 2019 TLS Error: TLS handshake failed
Packet Capture:

Code: [Select]

1 0.000000 [The public IP of my router while at home] [VM's IP on LAN interface] OpenVPN 60 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
2 2.351956 [The public IP of my router while at home] [VM's IP on LAN interface] OpenVPN 60 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
Details of one of the packets in capture:

Code: [Select]

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: [redacted], Dst:[redacted]
Internet Protocol Version 4, Src: [The public IP of my router while at home], Dst: [VM's IP on LAN interface]
User Datagram Protocol, Src Port: 61713, Dst Port: 1194
OpenVPN Protocol


[franco]

You may want to simplify your setup by making it "WAN only". What you need in the WAN case is a firewall allow rule and clients should be able to connect. From there you can push them out the WAN to achieve what you want, no need for a LAN if you don't have it.

For more OpenVPN related info please look at https://docs.opnsense.org/manual/how-tos/sslvpn_client.html


Cheers,
Franco

[aschaapherder]

If you use WAN only where do you "exit" OPNSense? Unless you stay inside the appliance ..

I have a setup running internally and I use LAN only. I use it for DNS/DHCP and I recently setup OpenVPN as well and I am currently setting up HAProxy with Let's Encrypt as reverse proxy. Works very well.

Using the WAN interface means you have to start looking into firewall rules/NAT etc (configure it or disable it) doesn't it? ANd you would have to go out to your LAN network via the WAN interface as well.

[franco]

Like in any WAN/LAN setup: the configured default route is out.

Inbound is the tunnel connection, outbound is the standard one.

You can think of it like a little stacked WAN/LAN setup a bit like VLAN tagged in and untagged out on a single link.

WAN-only is just LAN-only with the firewall protection since LAN has an allow all and that does nothing. If you think about DMZ deployments it makes more sense to use a WAN-only as it gives you extra protection for the machine if you don't do it explicitly on your LAN-only setup.


Cheers,
Franco

[tunworks]

If you use WAN only where do you "exit" OPNSense? Unless you stay inside the appliance ..

I have a setup running internally and I use LAN only. I use it for DNS/DHCP and I recently setup OpenVPN as well and I am currently setting up HAProxy with Let's Encrypt as reverse proxy. Works very well.

Using the WAN interface means you have to start looking into firewall rules/NAT etc (configure it or disable it) doesn't it? ANd you would have to go out to your LAN network via the WAN interface as well.

Your setup is basically where I am at (or headed) for now.  I am interested in using OPNsense as a firewall but that will probably happen along side some considerably large network changes I think need to happen later.  How does your setup expose OpenVPN?  Even just a conceptual description, and how OPNsense is configured might help me.

So I think I mentioned we have two NATs.  Outer network is say a 192 network.  It's gateway is bordering the internet (public IP on the other side).  Inner network is say a 172 network, it's gateway borders the 192 and 172 networks. 

• I have 1194 port-forwarded on the router in the 192 network to an IP in the 192 network let call it  192.168.1.50
• That IP is 1 to 1 NAT with an IP in the 172 network by the inner gateway.  Lets say that IP is 172.16.1.50.
   This IP is assigned to the LAN NIC on my OPNsense VM

Packets get through from the internet to the LAN interface on OPNsense (used packet capture utility in OPNsense), but OpenVPN does not seem to be aware!

I've deleted and re-configured the VPN server several times, followed the wizard, all pretty simple - I can't think of what i have misconfigured here.  Maybe its just a problem with our double NAT?

[aschaapherder]

My setup is simpler. I have 1194/UDP forwarded directly to OPNSense LAN interface. OpenVPN is listening there. I believe I had to disable some NAT or firewall rule to get the packets to flow but I am not sure. Would have to setup a frech one to compare. It was rather straight forward if I recall correctly. Might just be the default gateway as franco mentioned.

[tunworks]

I'll try and tear mine down and re-build it.  It being "fairly" simple like you said is what I would expect, I like to think I have a decent idea of what's going on here.  Maybe I'll try and move it inside the outer network so it's not double NATed as a test.  I'll double check my firewall rules and look for any other settings that could be amiss (NAT/gateways).  Thanks for your responses, I needed a reference implementation for me to corroborate against.