OPNsense Forum » Archive » 20.7 Legacy Series » Allowing OpenVPN access to the private WAN
Topic: Allowing OpenVPN access to the private WAN (Read 3245 times)
plc101man
Newbie
Posts: 12
Karma: 0
Allowing OpenVPN access to the private WAN
« on: December 15, 2020, 04:27:02 pm »
I have an OPNsense firewall behind a router, so it is NATed. I have port forwarding from the first router to the WAN interface, which has a private IP assigned via DHCP (10.50.65.10) from the first router, and I'm forwarding port 11094 to the WAN with the DHCP reservation. I can VPN into the OpenVPN service on the OPNsense firewall from the internet, but I can't if I'm in the network that the WAN interface is in. I have unchecked "block private networks" on the WAN interface, but I cannot connect to it when I change the IP in Viscosity to 10.50.65.10. Do I need to create a firewall rule for it?
Any help will be greatly appreciated.
Here is a diagram of what I'm trying to do.
« Last Edit: December 16, 2020, 08:29:05 pm by plc101man »
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Allowing OpenVPN access to the private WAN
« Reply #1 on: December 16, 2020, 11:21:05 am »
I would have thought yes, you'd need a firewall rule allowing your VPN IP(s) to access your local network. Maybe also a static route on your first router so that it knows that return packets destined for the VPN IP(s) need to go through the gateway on your OPNsense router (10.50.65.10).
Logged
plc101man
Newbie
Posts: 12
Karma: 0
Re: Allowing OpenVPN access to the private WAN
« Reply #2 on: December 16, 2020, 10:23:51 pm »
Thanks for your response. I have tried adding a firewall rule on the WAN to allow in RFC1918, and nothing.
I have tried changing to a TAP device, changing the port to 1194, and made sure that it was allowed on the firewall.
This is what I'm getting in the OpenVPN client log when trying to connect from the local LAN.
Dec 16 4:19:47 PM: State changed to Connecting
Dec 16 4:19:47 PM: Viscosity Windows 1.9 (1695)
Dec 16 4:19:47 PM: Running on Windows 10 1903 (18362) 64 bit
Dec 16 4:19:47 PM: Running on .NET Framework Version 4.8.03752.528040
Dec 16 4:19:47 PM: Checking reachability status of connection...
Dec 16 4:19:47 PM: Connection is reachable. Starting connection attempt.
Dec 16 4:19:48 PM: Bringing up interface...
Dec 16 4:19:48 PM: OpenVPN 2.4.9 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Oct 6 2020
Dec 16 4:19:48 PM: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Dec 16 4:20:00 PM: Valid endpoint found: 10.50.65.10:1194:udp
Dec 16 4:20:00 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]10.50.65.10:1194
Dec 16 4:20:00 PM: UDP link local (bound): [AF_INET][undef]:0
Dec 16 4:20:00 PM: UDP link remote: [AF_INET]10.50.65.10:1194
This is when I try from the internet.
Dec 16 4:30:12 PM: State changed to Connecting
Dec 16 4:30:12 PM: Viscosity Windows 1.9 (1695)
Dec 16 4:30:12 PM: Running on Windows 10 1903 (18362) 64 bit
Dec 16 4:30:12 PM: Running on .NET Framework Version 4.8.03752.528040
Dec 16 4:30:12 PM: Checking reachability status of connection...
Dec 16 4:30:13 PM: Connection is reachable. Starting connection attempt.
Dec 16 4:30:13 PM: Bringing up interface...
Dec 16 4:30:13 PM: OpenVPN 2.4.9 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Oct 6 2020
Dec 16 4:30:13 PM: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Dec 16 4:30:23 PM: Valid endpoint found: 96.###.###.138:11094:udp
Dec 16 4:30:24 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]96.###.###.138:11094
Dec 16 4:30:24 PM: UDP link local (bound): [AF_INET][undef]:0
Dec 16 4:30:24 PM: UDP link remote: [AF_INET]96.###.###.138:11094
Dec 16 4:30:24 PM: State changed to Authenticating
Dec 16 4:30:24 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 16 4:30:25 PM: [Router Cert] Peer Connection Initiated with [AF_INET]96.###.###.138:11094
Dec 16 4:30:25 PM: State changed to Connecting
Dec 16 4:30:25 PM: Awaiting adapter to come up...
Dec 16 4:30:26 PM: TAP-WIN32 device [client1 netgear R7000] opened: \\.\Global\{1B7D26D8-38BD-4DDC-ABDB-240F93F13D3B}.tap, index: 6
Dec 16 4:30:27 PM: Waiting for DNS Setup to complete...
Dec 16 4:30:27 PM: Successful ARP Flush on interface [6] {1B7D26D8-38BD-4DDC-ABDB-240F93F13D3B}
Dec 16 4:30:33 PM: Initialization Sequence Completed
Dec 16 4:30:33 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see:
https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
Server - 10.100.1.11:53; Lookup Type - Any; Domains - sei.local.
Server - 10.100.1.12:53; Lookup Type - Any; Domains - sei.local.
Server - 8.8.8.8:53; Lookup Type - Any; Domains - sei.local.
Server - [2600:381:1b19:564d::ce]:53; Lookup Type - Any; Domains - None
Server - 192.168.42.129:53; Lookup Type - Any; Domains - None
Dec 16 4:30:34 PM: State changed to Connected
Regards,
« Last Edit: December 16, 2020, 10:34:30 pm by plc101man »
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Allowing OpenVPN access to the private WAN
« Reply #3 on: December 16, 2020, 11:18:06 pm »
My suggestions were based on an analogous setup I used to run: I had an Ubuntu host in my LAN that was running an OpenVPN server so I could access my LAN remotely. Your OPNsense box seems the equivalent of my Ubuntu host.
Key aspects:
- pushed relevant routes to my LAN in the OpenVPN server config (wasn't using redirect-gateway)
- added a firewall rule on the router to allow access for VPN IPs to the LAN
- added a route on the firewall for VPN IPs with the Ubuntu host as gateway
And of course I had a port forward on the router to allow connections to the OpenVPN server to be initiated, and a corresponding firewall rule on the Ubuntu host (as well as an iptables forward rule to forward packets on the VPN interface to the LAN interface).
Logged
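The host-side pieces of the layout described in the reply above, as an added example that is not part of the thread and not anyone's actual configuration: the two OpenVPN server lines that hand clients a route to the LAN without redirect-gateway, the iptables FORWARD rules on the Ubuntu host, and the static route the LAN router needs so replies to VPN clients come back through that host. Every address and interface name (10.8.0.0/24, 192.168.1.0/24, 192.168.1.10, eth0, tun0) is an assumption; the router command is given in Linux `ip route` form, and other routers phrase the same static route differently. The script only prints the configuration unless run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): the OpenVPN-host side of
# "OpenVPN server on a host inside the LAN, router in front of it".
# All values below are assumptions for illustration.
VPN_NET=10.8.0.0/24      # tunnel subnet the OpenVPN server hands out
LAN_NET=192.168.1.0/24   # LAN behind the router
LAN_IF=eth0              # host's LAN interface
VPN_IF=tun0              # OpenVPN tunnel interface
VPN_HOST=192.168.1.10    # this host's LAN address; router's next hop for VPN_NET

# Server config lines: tunnel subnet plus a pushed route for the LAN only.
# No redirect-gateway, so client internet traffic stays local.
# Masks are hard-coded because both assumed subnets are /24.
server_push_lines() {
    cat <<EOF
server ${VPN_NET%/*} 255.255.255.0
push "route ${LAN_NET%/*} 255.255.255.0"
EOF
}

# FORWARD rules on the host: new flows only from the tunnel subnet to the LAN,
# replies back by connection state, everything else dropped. Deliberately
# narrower than a blanket "forward tun0 to eth0" rule.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Static route for the LAN router: without it, LAN hosts' replies to
# 10.8.0.x go to the router's default gateway instead of the OpenVPN host.
router_static_route() {
    echo "ip route add $VPN_NET via $VPN_HOST"
}

# Enable forwarding and apply the host rules (root required).
apply_host_rules() {
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | sh
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_host_rules
else
    echo "# lines for the OpenVPN server config"; server_push_lines
    echo "# host firewall (run as root with APPLY=1 to apply)"; forward_rules
    echo "# on the LAN router (Linux syntax; adapt to the router)"; router_static_route
fi
```

The port forward on the router and the host firewall rule that accepts the OpenVPN port itself are not shown; they depend on the router and on which host firewall is in use.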
plc101man
Newbie
Posts: 12
Karma: 0
Re: Allowing OpenVPN access to the private WAN
« Reply #4 on: December 18, 2020, 09:39:50 pm »
It looks like when I'm in the outside LAN that the WAN is connected to, the TLS handshake is failing, dunno why.
Dec 18 3:36:20 PM: State changed to Connecting
Dec 18 3:36:20 PM: Viscosity Windows 1.9 (1695)
Dec 18 3:36:20 PM: Running on Windows 10 1903 (18362) 64 bit
Dec 18 3:36:20 PM: Running on .NET Framework Version 4.8.03752.528040
Dec 18 3:36:20 PM: Checking reachability status of connection...
Dec 18 3:36:20 PM: Connection is reachable. Starting connection attempt.
Dec 18 3:36:20 PM: Bringing up interface...
Dec 18 3:36:21 PM: OpenVPN 2.4.9 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Oct 6 2020
Dec 18 3:36:21 PM: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Dec 18 3:36:32 PM: Valid endpoint found: 10.50.65.10:11094:udp
Dec 18 3:36:32 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]10.50.65.10:11094
Dec 18 3:36:32 PM: UDP link local (bound): [AF_INET][undef]:0
Dec 18 3:36:32 PM: UDP link remote: [AF_INET]10.50.65.10:11094
Dec 18 3:37:33 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 18 3:37:33 PM: TLS Error: TLS handshake failed
Dec 18 3:37:33 PM: SIGUSR1[soft,tls-error] received, process restarting
Dec 18 3:37:33 PM: State changed to Connecting
Dec 18 3:37:43 PM: Valid endpoint found: 10.50.65.10:11094:udp
Dec 18 3:37:43 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]10.50.65.10:11094
Dec 18 3:37:43 PM: UDP link local (bound): [AF_INET][undef]:0
Dec 18 3:37:43 PM: UDP link remote: [AF_INET]10.50.65.10:11094
Dec 18 3:38:44 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 18 3:38:44 PM: TLS Error: TLS handshake failed
Dec 18 3:38:44 PM: SIGUSR1[soft,tls-error] received, process restarting
Dec 18 3:38:44 PM: State changed to Connecting
Dec 18 3:38:54 PM: Valid endpoint found: 10.50.65.10:11094:udp
Dec 18 3:38:54 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]10.50.65.10:11094
Dec 18 3:38:54 PM: UDP link local (bound): [AF_INET][undef]:0
Dec 18 3:38:54 PM: UDP link remote: [AF_INET]10.50.65.10:11094
Logged
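A small triage helper for the two client logs posted in this thread, added here as an example and not part of the thread. It classifies an OpenVPN/Viscosity client log by how far the attempt got: a `TLS key negotiation failed to occur within 60 seconds` right after `UDP link remote`, with no `Peer Connection Initiated` line in between, means the client sent its handshake packets and nothing came back within the timeout. That is a reachability or routing symptom (packet never reached the server port, or the reply left by a different path), not a certificate or cipher mismatch, which would produce a different TLS error once the peer had answered. The sample input consists of trimmed copies of the log lines from Reply #2 and Reply #4; the classification names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Viscosity/OpenVPN client log
# by where the connection attempt stalled. Labels are this example's own.

# Sample input: trimmed copies of the log lines posted in the thread.
LOG_FROM_WAN_LAN='Dec 18 3:36:32 PM: UDP link remote: [AF_INET]10.50.65.10:11094
Dec 18 3:37:33 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 18 3:37:33 PM: TLS Error: TLS handshake failed'

LOG_FROM_INTERNET='Dec 16 4:30:24 PM: UDP link remote: [AF_INET]96.###.###.138:11094
Dec 16 4:30:25 PM: [Router Cert] Peer Connection Initiated with [AF_INET]96.###.###.138:11094
Dec 16 4:30:33 PM: Initialization Sequence Completed'

# endpoint LOG: print the "ip:port" the client actually sent to.
endpoint() {
    printf '%s\n' "$1" | sed -n 's/.*UDP link remote: \[AF_INET\]\(.*\)$/\1/p' | head -n 1
}

# triage LOG: print one of
#   connected         tunnel came up
#   handshake-started server answered, so the path works; look at auth/TLS details
#   no-server-reply   client sent to the endpoint, nothing came back in 60 s
#   no-link           client never even resolved an endpoint to send to
triage() {
    if printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'; then
        echo connected
    elif printf '%s\n' "$1" | grep -q 'Peer Connection Initiated'; then
        echo handshake-started
    elif printf '%s\n' "$1" | grep -q 'UDP link remote' \
      && printf '%s\n' "$1" | grep -q 'TLS key negotiation failed to occur'; then
        echo no-server-reply
    else
        echo no-link
    fi
}

printf 'from the WAN-side LAN (%s): %s\n' "$(endpoint "$LOG_FROM_WAN_LAN")" "$(triage "$LOG_FROM_WAN_LAN")"
printf 'from the internet (%s): %s\n' "$(endpoint "$LOG_FROM_INTERNET")" "$(triage "$LOG_FROM_INTERNET")"
```

For a `no-server-reply` result the useful next check is on the server side rather than the client: watching the OPNsense WAN interface for the UDP port (for example `tcpdump -ni <wan-interface> udp port 11094`) shows whether the handshake packets arrive at all, and if they do, whether the replies go out the same interface. Note also that the local attempt in Reply #2 targeted port 1194 while the internet attempt used the forwarded port 11094; the attempt in Reply #4 uses 11094 for both, so the remaining difference is the path, not the port.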