Route OPENVPN Multi WAN

Started by Julien, August 12, 2019, 01:31:59 PM

August 12, 2019, 01:31:59 PM Last Edit: August 12, 2019, 01:37:44 PM by Julien
Dear All,
I hope someone can route me, as I cannot route my VPN lol.
The situation is as follows: we have two WANs (WAN1 / WAN2), see screenshot.

WAN1 GW 192.168.30.254
WAN2 GW 192.168.1.254

I have created a GW group with Trigger Level "Packet Loss" and made WAN2 Tier 1 and WAN1 Tier 2.
On OPNsense I have configured WAN1 as the default GW.

What I am trying to achieve is to have WAN1 route the VPN to the remote office and WAN2 be the default internet for the office.
WAN2 is a fiber connection which is 200/200MB and we want to keep using it as the main internet; however, WAN1 is ADSL which is 10/2 and we want it to carry the VPN for RDP to the external server.

As for the tunnel: I can access from the remote office back, but from the office I cannot connect to the remote site.
My routing:
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1


What am I doing wrong?

Thank you
 
DEC4240 – OPNsense Owner

Hi Julien,

Beside your problem, you shouldn't use 20.1.1.0/24 and 30.0.0.0/24 if those are not addresses assigned to you; they are from an official range. Only https://tools.ietf.org/html/rfc1918 networks should be used for internal use with IPv4.

As you define which interface is used in the site-to-site VPN configuration, this should not be handled by your routing configuration. If your site-to-site VPN is configured on WAN1, the connection should be initiated and run over that connection.

Correct me if you see the traffic running over the wrong line, but what you configure with gateway groups is fallback in case one connection goes down. As far as I understand, you want to achieve fixed load balancing?

If you can access the networks only from one side, check if you have incoming rules defined on the other side.
Outgoing traffic should work automatically; incoming rules need to be defined, if I am not mistaken.

Check on both sides if you have incoming rules to the local network addresses or hosts on the OpenVPN interface.

Regards,

Dominik
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Quote from: dzajac on August 12, 2019, 01:59:43 PM
Hi Julien,

Beside your problem, you shouldn't use 20.1.1.0/24 and 30.0.0.0/24 if those are not addresses assigned to you; they are from an official range. Only https://tools.ietf.org/html/rfc1918 networks should be used for internal use with IPv4.

As you define which interface is used in the site-to-site VPN configuration, this should not be handled by your routing configuration. If your site-to-site VPN is configured on WAN1, the connection should be initiated and run over that connection.

Correct me if you see the traffic running over the wrong line, but what you configure with gateway groups is fallback in case one connection goes down. As far as I understand, you want to achieve fixed load balancing?

If you can access the networks only from one side, check if you have incoming rules defined on the other side.
Outgoing traffic should work automatically; incoming rules need to be defined, if I am not mistaken.

Check on both sides if you have incoming rules to the local network addresses or hosts on the OpenVPN interface.

Regards,

Dominik

Thank you for the answer.
20.1.1.0/24 and 30.0.0.0/24 are VLANs which are not included in the tunnel.
The site-to-site VPN is configured to use WAN1 (see attached screenshot).
Yes, I am trying to use both WANs as failover, so when WAN2 is down the connection will switch to WAN1; that's why the GW group. And also keep the OpenVPN running on WAN1.

DEC4240 – OPNsense Owner

Have you checked on the remote site what incoming rules you have defined on the OpenVPN interface?
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

August 12, 2019, 03:15:30 PM #4 Last Edit: August 12, 2019, 03:22:56 PM by Julien
Quote from: dzajac on August 12, 2019, 02:51:01 PM
Have you checked on the remote site what incoming rules you have defined on the OpenVPN interface?
On the WAN interface I have the incoming "allow" rules from both IPs, WAN1 and WAN2.
However, it works when I have GW1 as default. I believe the issue is not on the remote site, as the remote site is operational.
And the OpenVPN interface has allow any to any.
DEC4240 – OPNsense Owner

Mhm, then I would do a packet capture on the interfaces to see if the outbound NAT is correct.

If I remember correctly, to use OpenVPN on both WAN connections you would configure the OpenVPN server on localhost and do some port forwardings to the local port on each WAN interface; not sure if it's still the preferred way.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Quote from: dzajac on August 12, 2019, 04:00:18 PM
Mhm, then I would do a packet capture on the interfaces to see if the outbound NAT is correct.

If I remember correctly, to use OpenVPN on both WAN connections you would configure the OpenVPN server on localhost and do some port forwardings to the local port on each WAN interface; not sure if it's still the preferred way.
I did a packet capture, but nothing happens on the OpenVPN interface.
I am not willing to have OpenVPN run on multi-WAN, but only on one WAN, "WAN1".
DEC4240 – OPNsense Owner

Anyone have an idea about my issue?
Thank you
DEC4240 – OPNsense Owner

Dual WAN and OpenVPN sounds like "wait for 19.7.3".