[Solved] OpenVPN firewall rules

Started by Gauss23, October 03, 2020, 12:27:54 PM

October 03, 2020, 12:27:54 PM Last Edit: October 05, 2020, 08:29:31 PM by Gauss23
Hi,

I noticed a strange problem with OpenVPN servers on OPNsense when assigning interfaces to those OpenVPN servers.

There is already a German thread: https://forum.opnsense.org/index.php?topic=9150.msg88343#msg88343

When you create an OpenVPN server and assign that server to an interface, you'll get those new interfaces in the Firewall section. I thought it might look better to separate the rules by interface. Unfortunately, rules created there don't have the effect you'd expect. The rules are evaluated for traffic flowing through this interface. In the firewall logs you can see that the packets come in on the correct interface and that the packets may pass.
But the packets are not leaving the OPNsense anymore. It doesn't matter whether the packets need to be routed or are addressed to services on the OPNsense itself.

When you move or even clone the same rule to the OpenVPN firewall section, packets flow like they should.
Something is weird with handling traffic through those assigned interfaces.

Did a packet capture but don't see any problems there. You see the packets coming in, but not leaving the box.
"The S in IoT stands for Security!" :)

I can confirm this behavior. Should we open a ticket on github?

Best regards,

Marc


Can you please add screenshots?
It is a little unclear on which interface it works and on which it doesn't.

OK, added some screenshots to the issue on GitHub.
"The S in IoT stands for Security!" :)

Thank you for opening the ticket!


Yes, the problem is solved by setting "disable reply-to" for all rules in the interface-specific section.
"The S in IoT stands for Security!" :)