Topic: Issues configuring lan to use openvpn (Read 6037 times)
vman81 (Newbie, Posts: 3, Karma: 0)
Issues configuring lan to use openvpn
on: November 01, 2021, 08:36:22 pm
I'm attempting to configure an OpenVPN connection as the gateway for all the traffic on one of my LANs, but I'm not having any luck. It just seems like a black hole, with packets going out according to the firewall logs and nothing coming back.
I started following this guide, but according to that thread it needs a major overhaul to work today:
https://forum.opnsense.org/index.php?topic=4979.0
Additionally, I tried using parts from NordVPN's guide, but it's also a 19.x guide and I don't know if it'd work today:
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm
I am aware that NordVPN is a different provider that may have different requirements and that the older opnsense guide is outdated.
I'm using TigerVPN, and have used it on single client devices for years without issues, and I have 3 concurrent connections allowed (and tested).
The OpenVPN client configuration on opnsense seems in order, as it connects and shows a nice and green "up" status.
vpn config:
vpn status:
vpn log:
The VPN client interface is configured as:
TIGERVPN
with no ipv4 configuration
Since this instance of OPNsense is virtualized, I'm setting up a separate network interface and LAN for my clients to connect to. This LAN is configured as:
TIGERVPNLAN
This interface has a static ipv4 address set (10.0.9.1)
Firewall/Outbound configuration:
I'm pretty unsure about the Outbound rules, but I'm leaving hybrid mode (I also have a wireguard setup) on, as this seems to be ok according to the NordVPN guide.
I'm setting a single entry here for TIGERVPN, as shown in the NordVPN guide:
[FW OUTBOUND]
Firewall/Rules configuration:
TIGERVPN interface rules:
TIGERVPNLAN interface rules:
DHCP server is configured on the TIGERVPNLAN interface with a 10.0.9.100-200 range and 8.8.8.8/8.8.4.4/1.1.1.1 DNS set.
It looks like a bunch of DNS queries are sent in the firewall log, and a quick "wget 1.2.3.4" on a client machine on the tigervpnlan network does show up as a 1.2.3.4:80 packet on the way out.
I suspect I'm doing something wrong in the outgoing firewall settings, but I may be totally misunderstanding how I should set this up.
help!?
Patrick M. Hausen (Hero Member, Posts: 6797, Karma: 571)
Re: Issues configuring lan to use openvpn
Reply #1 on: November 01, 2021, 08:51:24 pm
If the peer of your OpenVPN connection is a (possibly commercial) service for a single PC or similar, you need to NAT all the packets from your LAN that go into the tunnel. Your provider does not know about the systems "behind" your OPNsense. That's why there are no packets coming back.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
vman81 (Newbie, Posts: 3, Karma: 0)
Re: Issues configuring lan to use openvpn
Reply #2 on: November 01, 2021, 10:28:31 pm
OK, that makes sense. How would I go about doing that compared to my current setup?
Patrick M. Hausen (Hero Member, Posts: 6797, Karma: 571)
Re: Issues configuring lan to use openvpn
Reply #3 on: November 01, 2021, 10:42:07 pm
Add a NAT rule, outgoing, interface OpenVPN, source LAN_NET, NAT to interface address.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
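To verify that the outbound NAT rule described in the reply above actually made it into the packet filter, the following added check (not from this thread or from OPNsense itself) inspects `pfctl -s nat` output for a rule on the OpenVPN client interface that translates the VPN LAN subnet to the interface address. It assumes the OpenVPN client interface is named ovpnc1 and uses the 10.0.9.0/24 subnet from the first post; the pfctl output below is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Assumptions: OPNsense names the first OpenVPN client interface ovpnc1 (an
# assumption), and the VPN LAN is 10.0.9.0/24 as in the thread.
OVPN_IF="ovpnc1"
VPN_LAN="10.0.9.0/24"

# Constructed sample of `pfctl -s nat` on a box in hybrid outbound NAT mode,
# with the OpenVPN rule present. Line 3 is what the described rule generates:
# source = VPN LAN, translation = OpenVPN interface address.
SAMPLE_GOOD='no nat proto carp all
nat on wg0 inet from 192.168.1.0/24 to any -> (wg0:0) port 1024:65535
nat on ovpnc1 inet from 10.0.9.0/24 to any -> (ovpnc1:0) port 1024:65535'

# Constructed sample with only the WireGuard rule: traffic from 10.0.9.0/24
# enters the tunnel with its private source address and never returns.
SAMPLE_MISSING='no nat proto carp all
nat on wg0 inet from 192.168.1.0/24 to any -> (wg0:0) port 1024:65535'

# has_vpn_nat_rule IFACE SUBNET PFCTL_OUTPUT
# Exit status 0 if a NAT rule on IFACE rewrites SUBNET to the interface
# address, 1 otherwise. Dots in SUBNET are escaped so they match literally.
has_vpn_nat_rule() {
  iface="$1"
  subnet_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  rules="$3"
  printf '%s\n' "$rules" |
    grep -Eq "^nat on ${iface} (inet )?from ${subnet_re} to any -> \(${iface}(:0)?\)"
}

# Stand-alone usage: on a live OPNsense box replace the sample with
#   has_vpn_nat_rule "$OVPN_IF" "$VPN_LAN" "$(pfctl -s nat)"
if has_vpn_nat_rule "$OVPN_IF" "$VPN_LAN" "$SAMPLE_GOOD"; then
  echo "NAT rule for $VPN_LAN on $OVPN_IF present"
else
  echo "NAT rule for $VPN_LAN on $OVPN_IF missing: LAN traffic will not return"
fi
```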
vman81 (Newbie, Posts: 3, Karma: 0)
Re: Issues configuring lan to use openvpn
Reply #4 on: November 04, 2021, 02:20:30 pm
I already had this set, although the source wasn't narrowed to the VPN_LAN. I changed that and I'm still not seeing any traffic.
Do you have any suggestion on how to troubleshoot this?
I can see that the VPN Connection status never increases its traffic counter above 2-4kb on the bytes sent/received.
That leads me to look at the VPN logfile. It's a bit confusing because the logfile at /var/log/openvpn.log is capped at 500KB and tailing it will not show you the newest lines. In the web interface I can see a live view of the log, and I keep seeing the errors:
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Additionally it then proceeds to time out after around 60 seconds and re-connect.