[SOLVED] openvpn and gaming - server access issue

Started by NoncarbonatedClack, June 08, 2022, 05:05:19 AM

June 08, 2022, 05:05:19 AM Last Edit: June 14, 2022, 03:17:14 PM by NoncarbonatedClack
So I set this up a few years ago (albeit on pfSense instead), but I made the switch to OPNsense earlier this year and couldn't be happier.

I'm rebuilding my server environment after not running it for a while, and now I'm getting my Minecraft server running on Docker again.

The trouble is that while I can get my friend connected to OpenVPN, and he can ping the server's IP, Minecraft fails to allow him to join (connection timeout error). I can join fine (the server is running on a different VLAN than my LAN).

General setup is:
OPNsense does layer 3; VLANs terminate here, OpenVPN terminates here.
Trunk port to a Cisco switch, and trunks for 2 ESXi hosts.

I went through the OpenVPN wizard, so I have the default firewall rules in place. I'm not really sure where to look, as Docker (running on a slimmed-down Ubuntu VM) is accepting connections (works from my LAN; also verified the iptables rule on the Ubuntu guest).

Anyone have suggestions on where to look please?
Current
NUC 11 Pro NUC11TNHi50L
i5-1135G7
32 GB DDR4 3200 MHz CL16
1 TB Samsung 970 Evo Plus
2x i225-LM NICs

Running as a VM with 2 vCPU, 2 GB RAM, and on ESXi v8.0

Retired:
HP ML310e G8 v2
Xeon E3-1220 V2
16 GB DDR3 ECC
Intel i350-T4

Attached rule details for the OpenVPN rule.


Maybe the server is not allowed/able to answer? You could try with a rule that allows the server to talk to anything. How does your friend connect?

Bump for visibility? Any suggestions?

Check the firewall rules of the interface for the network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

Also, clients won't be able to access clients on a different network without proper routes, but the ping tells you that the routes are fine.

Quote from: Vilhonator on June 10, 2022, 08:00:18 PM
Check the firewall rules of the interface for the network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

But wouldn't ping count as traffic and thus be blocked?

I'll make a rule and try it out though.

Quote from: NoncarbonatedClack on June 10, 2022, 10:18:58 PM
Quote from: Vilhonator on June 10, 2022, 08:00:18 PM
Check the firewall rules of the interface for the network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

But wouldn't ping count as traffic and thus be blocked?

I'll make a rule and try it out though.

Not quite. Ping tells you if a route exists, and you can block pinging by blocking ICMP traffic (the firewall blocks TCP/UDP traffic by default; ping is neither of those).

Also, you will be able to ping pretty much any IP to which there's a route, as long as ICMP traffic isn't blocked. Again, ping only tells you if there's a working route to that address; traceroute would give you more detailed results on routes.
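A quick way to confirm the distinction drawn in this reply (a route exists vs. the game port actually being passed), as an added example that is not part of this thread: a Python probe that tells an open port from a closed one (RST comes back) and from a filtered one (silent drop, which the client reports as a connection timeout), and maps the result together with the ping outcome onto the conclusions above. The default port 25565 and the loopback fixtures are assumptions of the example, not details from the thread.

```python
import socket
import threading

MINECRAFT_PORT = 25565  # Java-edition default; assumption, the thread names no port

def probe_tcp(host: str, port: int = MINECRAFT_PORT, timeout: float = 3.0) -> str:
    """Classify host:port as 'open', 'closed' or 'filtered'.

    open     - handshake done: route and firewall pass end to end.
    closed   - RST came back: route fine, nothing listens (check Docker mapping).
    filtered - no reply before timeout (or no route): a firewall dropped the
               SYN; the game client shows this as the thread's connection timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH ...
            return "filtered"

def diagnose(icmp_ok: bool, tcp_state: str) -> str:
    """Combine a ping result with the TCP probe into the thread's conclusion."""
    if tcp_state == "open":
        return "service reachable"
    if tcp_state == "closed":
        return "host reachable, port closed: check the service or container port mapping"
    if icmp_ok:
        return "route OK, TCP dropped: add a pass rule on the server VLAN interface"
    return "no route or host down: fix routing / VPN pushed routes first"

def _local_listener() -> int:
    """Constructed fixture: throwaway listener on 127.0.0.1; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: (srv.accept()[0].close(), srv.close()),
                     daemon=True).start()
    return srv.getsockname()[1]

def _closed_local_port() -> int:
    """Constructed fixture: a just-released port, so connect() gets an RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]
```

For the thread's case, run `diagnose(ping_worked, probe_tcp("<server VLAN IP>"))` from the VPN client; the two fixtures exist only so the block runs offline.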

Quote from: Vilhonator on June 10, 2022, 11:47:50 PM
Quote from: NoncarbonatedClack on June 10, 2022, 10:18:58 PM
Quote from: Vilhonator on June 10, 2022, 08:00:18 PM
Check the firewall rules of the interface for the network your Minecraft server belongs to.

By default incoming traffic from different networks is blocked.

But wouldn't ping count as traffic and thus be blocked?

I'll make a rule and try it out though.

Not quite. Ping tells you if a route exists, and you can block pinging by blocking ICMP traffic (the firewall blocks TCP/UDP traffic by default; ping is neither of those).

Also, you will be able to ping pretty much any IP to which there's a route, as long as ICMP traffic isn't blocked. Again, ping only tells you if there's a working route to that address; traceroute would give you more detailed results on routes.

Interesting, thanks.

Firewall rule did it!