Policy Based Routing for Sending Traffic over VPN

Started by ati, Today at 06:41:51 PM

I have been using OPNsense for a while now and have gotten many things configured, including a site-to-site WireGuard VPN to another OPNsense box as well as client WireGuard tunnels, successfully.

I am trying now to make an 'always on' VPN using ExpressVPN via OpenVPN for a specific VLAN. I am using this guide so far: https://www.youtube.com/watch?v=wDEHo9XJjeA

  • I have gotten the OpenVPN connection established (at least the status is connected).
  • I added a new interface for the OpenVPN connection and enabled it.
  • My gateway table has updated with 2 new routes for the OpenVPN connection (one IPv6 and one IPv4); the IPv6 connection says active for some reason.
  • I enabled route-nopull in my OpenVPN configuration, so there is no route in my routing table for that connection.

Then things started to fall apart for me. I am testing right now, so I am trying to make a single client 'take the VPN path'; instead of using an alias as in the video, I am using a single host IP.
  • I added a firewall rule on the interface the device is connected to. It forces all traffic from that one source IP to use the OpenVPN interface as its gateway.
  • I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the OpenVPN interface as its gateway.

When I do all that I cannot ping anything anymore. I have been using 8.8.8.8 to eliminate any DNS issues as well.

I am not really sure where to even begin looking at logs or how to troubleshoot this. The firewall rules seem pretty simple in the way they operate, but I am not sure if it is the firewall, OpenVPN, the NAT rules, or the gateway/route configuration.

Quote from: ati on Today at 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.

An outbound NAT rule doesn't force any traffic anywhere. It just translates the source IP in outbound packets on an interface to another one.
For it to work properly, you have to select the interface address as the translation address.

Did you add this rule on the OpenVPN interface which you created before?

If it's not that, please give more details on your rules.

Quote from: viragomann on Today at 07:12:17 PM
Quote from: ati on Today at 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.

An outbound NAT rule doesn't force any traffic anywhere. It just translates the source IP in outbound packets on an interface to another one.
For it to work properly, you have to select the interface address as the translation address.

Did you add this rule on the OpenVPN interface which you created before?

If it's not that, please give more details on your rules.


I am not sure I follow exactly.
These are my two rules I have created:

This rule is on the interface of the network (WIRELESS net, 192.168.20.0/24) where the device (192.168.20.75) I want to take the VPN sits:


This rule is on the NAT > Outbound manual rules:


Those are the only 2 firewall/NAT rules I created, following the YouTube guide.


Looks fine so far. It should work, at least for IPs.
So for testing, just ping 1.1.1.1 or 8.8.8.8 from the device concerned.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable logging on the firewall rule and check in the live log whether it is applied after pinging.

Quote from: viragomann on Today at 08:10:10 PM
Looks fine so far. It should work, at least for IPs.
So for testing, just ping 1.1.1.1 or 8.8.8.8 from the device concerned.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable logging on the firewall rule and check in the live log whether it is applied after pinging.

I have been trying to ping 8.8.8.8 and nothing.

The gateway is listed as a valid gateway.


When I look in the live firewall view and filter on the IP (192.168.20.75), I don't know how to tell if it is working. When I ping my default gateway I can see the ICMP packet pass. I cannot see the ping to 8.8.8.8 at all. How can I tell that the rule for the gateway is applied?

Interestingly I can see random 'internet' traffic passing from that host, but the host is unable to ping anything. It is almost as if it is getting filtered on the return?

I just did a packet capture on the ExpressVPN interface.

I can see my ICMP echo requests going out to the IPv4 address of the OpenVPN connection (the RFC1918 address).

I don't see any replies coming back on that interface.

Does that point to an issue in the OpenVPN configuration?

If you enabled logging on the rule, you should see the pings in the log even if you don't get a response. But maybe the rule is not applied.
Note that rules on interface groups and floating rules with "quick" are evaluated before interface rules. So if any of them matches the pings, it will be applied instead.

Quote from: viragomann on Today at 08:44:37 PM
If you enabled logging on the rule, you should see the pings in the log even if you don't get a response. But maybe the rule is not applied.
Note that rules on interface groups and floating rules with "quick" are evaluated before interface rules. So if any of them matches the pings, it will be applied instead.


I don't have any group or floating rules.

Based on the above, it doesn't appear to be a rule issue. It seems to be a routing one. The packets are making it to the correct VPN interface for egress. I just don't see any ingress back on that VPN interface.

Today at 09:19:16 PM #8 Last Edit: Today at 09:24:39 PM by viragomann
So to recap: you have a policy-routing rule for a single device which allows any traffic, and you have enabled logging. Then I'd expect that you see the connection in the firewall log if you try to access anything on the internet.
If you don't see anything about it in the log, however, I'd suspect that the packets don't pass OPNsense for some reason.

To investigate, run a packet capture. Select all interfaces, select ICMP as the protocol and enter 8.8.8.8 in the host field. Start the capture and try to ping 8.8.8.8. Then view the capture (less details).
You should see the packets on the WiFi interface at least.

Quote from: viragomann on Today at 09:19:16 PM
To investigate, run a packet capture. Select all interfaces, select ICMP as the protocol and enter 8.8.8.8 in the host field. Start the capture and try to ping 8.8.8.8. Then view the capture (less details).
You should see the packets on the WiFi interface at least.

Maybe you missed a message I edited, because it was a double post and I edited it afterwards (message 5).

I did run a packet capture. I ran it on the ExpressVPN interface. I am seeing the traffic there (as expected), so that tells me my firewall rules (at least in the outbound direction) are working fine. The ping is traversing the firewall rules and making it to the ExpressVPN interface. However, I never see an echo reply on the ExpressVPN interface. So that leads me to think it is a routing issue or an OpenVPN config issue.
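The diagnostic logic of this exchange, written out as an added example (it is not code from any post in this thread or from OPNsense): parse the text form of a packet capture taken on the VPN interface, pair ICMP echo requests with their replies by id and sequence number, and classify the result. An empty match means the policy-routing rule is not catching the traffic; requests without replies means the rule and NAT are doing their job and the problem is on the return path or in the tunnel. The capture lines, the tunnel address 10.110.0.2 and the ICMP ids are constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump-style text lines, as the OPNsense packet capture shows them with
# "less details". These are constructed samples for the example, not the
# poster's real capture: tunnel address 10.110.0.2 and ICMP ids are made up.
CAPTURE_NO_REPLIES = """\
21:05:01.100000 IP 10.110.0.2 > 8.8.8.8: ICMP echo request, id 4711, seq 1, length 64
21:05:02.100000 IP 10.110.0.2 > 8.8.8.8: ICMP echo request, id 4711, seq 2, length 64
21:05:03.100000 IP 10.110.0.2 > 8.8.8.8: ICMP echo request, id 4711, seq 3, length 64
"""

CAPTURE_HEALTHY = """\
21:06:01.100000 IP 10.110.0.2 > 8.8.8.8: ICMP echo request, id 4712, seq 1, length 64
21:06:01.120000 IP 8.8.8.8 > 10.110.0.2: ICMP echo reply, id 4712, seq 1, length 64
21:06:02.100000 IP 10.110.0.2 > 8.8.8.8: ICMP echo request, id 4712, seq 2, length 64
21:06:02.118000 IP 8.8.8.8 > 10.110.0.2: ICMP echo reply, id 4712, seq 2, length 64
"""

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (kind, icmp_id, seq, src, dst) for every ICMP echo line."""
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield m["kind"], int(m["id"]), int(m["seq"]), m["src"], m["dst"]


def echo_stats(text):
    """Per ICMP id: (requests sent, requests that got a matching reply)."""
    sent = defaultdict(set)
    answered = defaultdict(set)
    for kind, icmp_id, seq, _src, _dst in parse_icmp(text):
        (sent if kind == "request" else answered)[icmp_id].add(seq)
    return {i: (len(sent[i]), len(sent[i] & answered[i])) for i in sent}


def diagnose(text):
    """Classify a capture taken on the VPN interface.

    no-traffic : nothing matched; the policy-routing rule is probably not
                 applied (check floating/group rules and rule logging).
    no-replies : requests leave but nothing comes back; rule and NAT work,
                 so look at the return path, the provider side, or the
                 tunnel settings (this thread ends with the fragment size).
    partial    : some replies lost.
    ok         : every request answered.
    """
    stats = echo_stats(text)
    if not stats:
        return "no-traffic"
    total_sent = sum(s for s, _ in stats.values())
    total_answered = sum(a for _, a in stats.values())
    if total_answered == 0:
        return "no-replies"
    if total_answered < total_sent:
        return "partial"
    return "ok"


if __name__ == "__main__":
    for name, cap in (("no replies", CAPTURE_NO_REPLIES), ("healthy", CAPTURE_HEALTHY)):
        print(f"{name}: {echo_stats(cap)} -> {diagnose(cap)}")
```

Run it against a capture saved from Interfaces: Diagnostics: Packet Capture (text view) on the VPN interface; a "no-replies" verdict with the requests already carrying the tunnel's address is exactly the situation described in the post above, and it rules out the firewall rule and the outbound NAT as the cause.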
Okay, so the rules seem to work well. But no response means that the traffic is blocked somewhere.

Try another IP or another protocol.
You can just type 1.1.1.1 (Cloudflare) into the address box of your browser. So no DNS resolution is required.

Why do you think it's a config issue?
The OpenVPN configuration is quite simple; just a handful of settings are needed.

For DNS resolution, remember that your rule passes any traffic to the VPN gateway. Hence you're not able to access any local service. So in case you use a local DNS (on OPNsense), resolution won't work with this.

To enable local access, you should limit the rule to public destinations.
The best way to do this is to create an alias which includes all private network ranges; I usually call it RFC1918.
Then set the alias as the destination with "invert" checked in the policy-routing rule, so this rule doesn't match local destinations.
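To make the two points from the replies concrete, here is an added example (not code from this thread or from OPNsense) that models what the policy-routing rule with an inverted RFC1918 alias does and what the outbound NAT rule does not do. It is a simplified model of pf semantics: first matching interface rule wins, outbound NAT only rewrites the source of a packet that is already leaving the interface the rule is bound to. The interface names WAN and EXPRESSVPN, their addresses, and the LOCAL egress for private destinations are assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The "RFC1918" alias from the reply: all private IPv4 ranges.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed interface addresses for the example (constructed; the WAN address
# is documentation space, the tunnel address is a made-up RFC1918 one).
INTERFACE_ADDR = {"WAN": "203.0.113.10", "EXPRESSVPN": "10.110.0.2"}


def in_alias(addr, alias):
    a = ip_address(addr)
    return any(a in net for net in alias)


@dataclass
class PolicyRule:
    """A pass rule on the WIRELESS interface with a gateway set."""
    source: str                                     # host or network
    gateway: str                                    # interface the gateway sits on
    dest_alias: list = field(default_factory=list)  # empty = any destination
    invert_dest: bool = False                       # the "invert" checkbox

    def matches(self, src, dst):
        if ip_address(src) not in ip_network(self.source, strict=False):
            return False
        if not self.dest_alias:
            return True
        hit = in_alias(dst, self.dest_alias)
        return not hit if self.invert_dest else hit


@dataclass
class NatRule:
    """An outbound NAT rule; it only applies on the interface it is bound to."""
    interface: str
    source: str
    translation: str = "interface"  # "interface" = that interface's own address


def select_egress(src, dst, rules):
    """First matching policy rule wins (OPNsense interface rules are 'quick'
    by default). Without a match the normal routing table decides, modelled
    here as LOCAL for private destinations and WAN for everything else."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.gateway
    return "LOCAL" if in_alias(dst, RFC1918) else "WAN"


def outbound_nat(egress, src, nat_rules):
    """Outbound NAT never chooses the egress; it only rewrites the source of a
    packet that is already leaving `egress` (the point made in the replies)."""
    for nat in nat_rules:
        if nat.interface == egress and ip_address(src) in ip_network(nat.source, strict=False):
            return INTERFACE_ADDR[egress] if nat.translation == "interface" else nat.translation
    return src  # no rule: packet leaves with its private source address


def forward(src, dst, rules, nat_rules):
    """Return (egress interface, source address on the wire)."""
    egress = select_egress(src, dst, rules)
    return egress, outbound_nat(egress, src, nat_rules)


# The rule as first posted: everything from the host goes to the VPN gateway.
RULES_NAIVE = [PolicyRule("192.168.20.75", "EXPRESSVPN")]
# With the RFC1918 alias inverted: only public destinations go to the VPN.
RULES_FIXED = [PolicyRule("192.168.20.75", "EXPRESSVPN", RFC1918, invert_dest=True)]
# Outbound NAT on the VPN interface for the host, plus the usual WAN rule.
NAT = [NatRule("EXPRESSVPN", "192.168.20.75"), NatRule("WAN", "192.168.20.0/24")]

if __name__ == "__main__":
    for rules, label in ((RULES_NAIVE, "naive"), (RULES_FIXED, "fixed")):
        for dst in ("8.8.8.8", "192.168.20.1"):
            print(label, dst, forward("192.168.20.75", dst, rules, NAT))
```

With the naive rule a packet for 192.168.20.1 (a local DNS on OPNsense, say) is sent to the VPN interface and NATed to the tunnel address, which is why local services stop answering; with the inverted alias it stays local and untranslated, while 8.8.8.8 still leaves through the tunnel. Dropping the NAT rule changes only the address on the wire, never the interface, which is the distinction the reply draws.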

I cannot ping anything external. I have tried many known IPs... I am only using IP addresses so as not to deal with DNS at all, so DNS resolution isn't an issue at the moment.

The only things I can ping are my local networks and the virtual IPv4 address of the OpenVPN tunnel.

I am just guessing at the OpenVPN configuration. If the firewall and policies are working (which they appear to be, based on the packet captures), there isn't much left. Maybe I have a bad setting so it doesn't pull the addressing into the routing table? I am not sure. All I know is traffic isn't making it back on the OpenVPN interface.

Quote from: ati on Today at 10:02:34 PM
If the firewall and policies are working (which they appear to be based on the packet captures), there isn't much left.
The traffic could be blocked outside of your network.
Possibly there is something wrong at ExpressVPN.

I got it.

I needed to set the fragment size in the OpenVPN configuration. Once I did that, everything worked as expected.

Thank you for your support!