VPN servers and interface assignments

Started by Patrick M. Hausen, April 27, 2021, 02:19:22 PM

Hi all,

still somewhat puzzled about the "symbolic" interface assignments in OPNsense.

As soon as I create an OpenVPN server, an interface appears under "Firewall --> Rules" and I can apply rules to the VPN client connections.
The interface does not appear under the global "Interfaces" section. I can make one appear by "Interfaces --> Assignments" and assigning a symbolic name to "ovpns1".

What is this supposed to do? What is the difference between this interface and the one already present in "Firewall --> Rules"?

Thanks!
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 27, 2021, 02:28:42 PM #1 Last Edit: April 27, 2021, 02:35:01 PM by Maurice
The automatically generated 'Firewall: Rules: OpenVPN' is actually not an interface, but an interface group. Also see this recent discussion about WireGuard (same concept): https://forum.opnsense.org/index.php?topic=22778.0

Cheers

Maurice

For reference:
https://github.com/opnsense/core/blob/45b697f6db341709e4b93ec3d3110823927bf2e1/src/etc/inc/plugins.inc.d/openvpn.inc#L92
https://github.com/opnsense/core/blob/45b697f6db341709e4b93ec3d3110823927bf2e1/src/etc/inc/plugins.inc.d/openvpn.inc#L489
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on April 27, 2021, 02:28:42 PM
The automatically generated 'Firewall: Rules: OpenVPN' is actually not an interface, but an interface group.
Understood. So if I have my required "permit" rules on the single interface, I don't need any on the global interface group, right?


OK, we tried that, no success.

Created an interface via "Assignments", set it to "enable" but no further configuration.
Added permit all IPv4 to that interface.
Removed same rule from interface group "OpenVPN".

No communication for remote workers.

So we reverted the changes for production for now. I will have to look into this. But thanks for giving me the general outline.

I'm doing exactly this with WireGuard. Assign and enable the wgX interfaces, no further configuration, rules only on the assigned interfaces, no rules on the 'WireGuard' interface group. Works fine.

Maybe something is a little different with OpenVPN. I don't currently have an OpenVPN setup to check, sorry.

April 27, 2021, 10:28:20 PM #6 Last Edit: April 27, 2021, 10:38:32 PM by marcquark
Sounds familiar, try the recommended steps here: https://docs.opnsense.org/troubleshooting/openvpn.html
This is related to the historic "reply-to", which is applied to rules on assigned OpenVPN server interfaces by default. That's because corresponding gateways are also auto-created, hence the interfaces are considered WAN-type interfaces. I haven't yet found a situation in which I actually needed said gateways, so I usually just disable them, and then the assigned interfaces work just fine.

Also check out https://github.com/opnsense/core/issues/4485 for further discussions on the subject
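
As an added example (not from this thread, and not OPNsense's own code), here is a small Python check that does what a practitioner would want after reading the post above: it parses `pfctl -sr` style output and flags every pass rule bound to an assigned VPN interface (ovpnsN, ovpncN, wgN) that carries a reply-to, which is exactly the condition that breaks the "rules on the assigned interface only" setup. The sample rule lines are constructed in the shape pf prints them; the interface names, addresses and labels are hypothetical. On a real box you would feed it the output of `pfctl -sr` instead.

```python
import re
import sys

# Constructed sample in the shape of `pfctl -sr` output (not captured from a real
# OPNsense box). Interface names, addresses and rule labels are hypothetical.
SAMPLE_RULES = """\
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.1) inet from 10.8.0.0/24 to any flags S/SA keep state label "assigned ovpns1: permit all IPv4"
pass in quick on openvpn inet from 10.8.0.0/24 to any flags S/SA keep state label "OpenVPN group: permit all IPv4"
pass in quick on wg1 inet from 10.9.0.0/24 to any flags S/SA keep state label "assigned wg1: permit all IPv4"
block drop in log on ovpns1 inet all label "Default deny / state violation rule"
"""

# pf prints the routing option (reply-to / route-to) directly after "on <iface>",
# as "(ifname address)". We stop the lazy scan at the first double quote so a word
# "on" inside a label never gets mistaken for the interface keyword.
RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)\b[^"]*?\bon\s+(?P<iface>\S+)'
    r'(?:\s+(?P<policy>reply-to|route-to)\s+\((?P<via_if>[^\s)]+)\s+(?P<via_addr>[^\s)]+)\))?'
)

VPN_PREFIXES = ("ovpns", "ovpnc", "wg")  # assigned OpenVPN server/client and WireGuard interfaces


def parse_rules(text):
    """Parse pfctl -sr style lines into dicts.

    Only rules bound to an interface or group ("on <name>") are returned;
    floating rules without "on" are skipped because they cannot carry the
    per-interface reply-to this check is looking for.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        rule["line"] = line.strip()
        rules.append(rule)
    return rules


def reply_to_on_vpn(rules, prefixes=VPN_PREFIXES):
    """Pass rules on assigned VPN interfaces that pf will answer via reply-to."""
    return [
        r for r in rules
        if r["action"] == "pass"
        and r["iface"].startswith(prefixes)
        and r["policy"] == "reply-to"
    ]


def rules_on_group(rules, group):
    """Rules attached to an interface group such as 'openvpn' or 'wireguard'."""
    return [r for r in rules if r["iface"] == group]


def main(text):
    rules = parse_rules(text)
    hits = reply_to_on_vpn(rules)
    for r in hits:
        # Traffic matched by this rule is answered through the auto-created gateway
        # on the assigned interface instead of the routing table; disable that
        # gateway (or reply-to for the rule) if the VPN clients get no replies.
        print(f"reply-to on {r['iface']} via {r['via_if']} {r['via_addr']}: {r['line']}")
    for group in ("openvpn", "wireguard"):
        n = len(rules_on_group(rules, group))
        if n:
            print(f"{n} rule(s) still attached to interface group '{group}'")
    return len(hits)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    sys.exit(1 if main(data) else 0)
```

Run it as `pfctl -sr | python3 check_replyto.py`; a non-zero exit means at least one pass rule on an assigned VPN interface carries reply-to, which matches the failure reported earlier in the thread (permit rule on the assigned interface, nothing on the group, no traffic for remote workers).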

Thank you very much, guys. Now I see the light.  ;)

I always wondered why OPNsense defaults to forcing a gateway instead of relying on the routing table, but I see the use in multi-WAN situations.

There are too many automagic things influencing the firewall rules that cannot be found in the firewall/NAT setting sections of the UI for my tastes. Take the "anti lockout" rule for just one example. Clicking on the little pencil to edit it takes you to a completely different part of the UI. Very confusing.

Yeah, there are many quirks which can only be explained by, well, history. "Reply-to" and "route-to" are good examples. There have been intense discussions whether to disable them by default, but no consensus was reached. "Might affect existing setups" is a very sensitive topic when it comes to proposing changes.

Quote from: pmhausen on April 27, 2021, 11:23:37 PM
There are too many automagic things influencing the firewall rules that cannot be found in the firewall/NAT setting sections of the UI for my tastes.

Agreed, but a lot has already improved in the past few years.

Hi,

a question about it, I understand that:

WireGuard and OpenVPN are interface groups
  = rules are for ALL interfaces of WireGuard or OpenVPN.

But I think the WireGuard interface in rules gets all traffic from the LOCAL net to the WireGuard tunnel.

But where can I set rules for traffic from the tunnel to my networks?

Greets

Byte

Quote from: Bytechanger on April 29, 2021, 10:54:57 AM

But where can I set rules for traffic from the tunnel to my networks?


On the WG interface.

OK so

Quote: But I think the WireGuard interface in rules gets all traffic from the LOCAL net to the WireGuard tunnel.

this is wrong?

The WireGuard interface/interfaces are traffic TO MY LOCAL network.
Traffic that goes OUTSIDE the tunnel, there is only LAN, VLAN1, GUEST interface?

Greets

Byte

I don't really understand what you are asking.

Traffic from VPN clients will come into OPNsense on the WG interface, so you want to set rules there to determine where that traffic should be able to go, whether to local networks or elsewhere.

Suggest you have a look at the OPNsense docs on WG setups that match your use case.