
Cannot get response from OpenVPN server


Taomyn:
Since migrating to my new firewall where most things have restored nicely and other things needed tweaking e.g. installing missing plug-ins, one thing I cannot get to work any more is OpenVPN. The service simply does not respond to any connections and it seems to be ignoring the firewall rule.



I've tried at least 5 times to reconfigure OpenVPN from scratch and nothing seems to help. According to the rules.debug file the rule is there and appears to be correct. The only thing I do after it is generated is to move it above my catch-all rule as I have done with the numerous other service rules, but it's still ignored. This is the rule with the one that follows it:



pass in log quick on pppoe0 reply-to ( pppoe0 nnn.nnn.nnn.1 ) inet proto udp from {any} to {(pppoe0)} port {1194} keep state label "b421bf32c395b0dd6fee90d8e986dfd7" # : OpenVPN MyDomain VPN wizard
pass in log quick on pppoe0 reply-to ( pppoe0 nnn.nnn.nnn.1 ) inet from {any} to $HIBBERT label "0cc733839caa3b3bfdfb4a76bd530780" # : Divert to Honeypot


Attached screenshot is the logged information when the second rule actions the connection and of course does not respond.


I have also tried creating the rule manually, setting the OpenVPN rule to "any" interface and also to one of the others with no effect.


Any ideas?



OPNsense 20.1.8_1-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
LibreSSL 3.0.2

Taomyn:
I found the problem, but it seems to have opened a new issue with NAT.


I reset the config of the firewall back a few days to before I started working on a few things and my old VPN setup came back and was working again *phew*. So I started manually putting back the changes I made over the last few days as best I could from memory, and putting some of the things I learnt during that time to get it right first time.


All was going well until I added a new NAT rule to divert all traffic from geo-locations I don't want accessing my services to my honeypot - basically a geo-based alias of granted locations that I inverted. I had already added 3 other similar NATs to divert other traffic based on aliases, and they were working fine, but the moment I added the new one for geo-locations the VPN stopped working again. Disabling the NAT returns VPN to normal.


So I discovered two issues:

* NAT does not like to handle geo-location aliases
* Disabling a NAT rule does not disable the linked firewall rule

Are these bugs or expected behaviour? Am I doing something wrong?
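An added toy model, not code from this thread or from OPNsense, of the pf evaluation order behind the symptom described in both posts: translation (rdr / port-forward) rules are applied before the filter rules are walked, so a NAT rule that diverts matching sources to the honeypot rewrites the destination before the OpenVPN pass rule is ever consulted. The WAN address, honeypot address and the diverted source network are placeholders standing in for (pppoe0), $HIBBERT and the inverted geo alias.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "198.51.100.1"            # placeholder for the (pppoe0) address in the posted rule
HONEYPOT = "192.0.2.99"            # placeholder for $HIBBERT
BLOCKED_GEO = ("203.0.113.0/24",)  # constructed stand-in for the inverted geo alias

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class FilterRule:
    label: str
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[str] = None     # None matches any destination
    dport: Optional[int] = None   # None matches any port

@dataclass(frozen=True)
class RdrRule:
    src_nets: tuple   # source networks whose traffic gets diverted
    target: str       # destination is rewritten to this address

# The two filter rules from the first post, in rules.debug order (both are 'quick').
RULES = [FilterRule("OpenVPN", proto="udp", dst=WAN_IP, dport=1194),
         FilterRule("Divert to Honeypot", dst=HONEYPOT)]
# The geo-based NAT rule from the second post, modelled as an rdr keyed on source address.
RDRS = [RdrRule(BLOCKED_GEO, HONEYPOT)]

def apply_rdr(pkt: Packet, rdrs) -> Packet:
    """pf translates first: a matching rdr rewrites the destination before filtering."""
    for r in rdrs:
        if any(ip_address(pkt.src) in ip_network(n) for n in r.src_nets):
            return replace(pkt, dst=r.target)
    return pkt

def first_match(pkt: Packet, rules) -> Optional[str]:
    """Filter rules are walked top-down; with 'quick' the first match decides the packet."""
    for r in rules:
        if (r.proto in (None, pkt.proto) and r.dst in (None, pkt.dst)
                and r.dport in (None, pkt.dport)):
            return r.label
    return None

def evaluate(pkt: Packet, rdrs=RDRS, rules=RULES) -> Optional[str]:
    return first_match(apply_rdr(pkt, rdrs), rules)
```

Moving the OpenVPN rule above the honeypot rule cannot change the outcome for a diverted source, because its destination is already rewritten by the time the filter rules are consulted; removing the rdr (rdrs=[]) is what restores the match.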
