Remote Access with OpenVPN, no replies from LAN in the tunnel

Started by random1104, July 03, 2021, 05:22:42 AM

Hello, I've set up OPNsense with OpenVPN several times in the past, but this is the first time I see this (my last exercise was a long time ago and something might have changed).

This is a brand new install updated to 21.1.7_1, VM on top of Proxmox serving as OpenVPN Remote Access VPN server.

- I can get the client to connect
- Firewall rules allow traffic coming from the tunnel to the LAN
- Server in LAN sees the ICMP echo request from the VPN client
- Server sends ICMP echo reply (tcpdump on the server located in LAN)
- I can see incoming ICMP echo reply packets entering the firewall LAN interface
- I don't see outgoing ICMP echo reply packets in the tunnel (no outgoing replies from the firewall to the remote client).
- There are no firewall log entries or OpenVPN errors.
- The routing table seems to be OK; I checked with tcpdump on the firewall for asymmetric replies (reply going out another interface), but found nothing.

Any idea about what could be missing? I've been checking and re-checking for the last 4 hours; any relevant hint is welcome.

Edit: adding a diagram to better explain the scenario

Hello,

I think you need a NAT outbound rule.

Cheers

hloiter

Thanks for the feedback. Part of the CARP-for-WAN setup included an outbound manual NAT for LAN using the public floating IP.

In case it was missing (doesn't seem to be the case), would it really affect the traffic going through the tunnel? Clean routing is expected, without NAT inside the tunnel.

Solved this after several days of reviewing firewall, NAT and OpenVPN configurations again and again.

In the end, disabling the VPN gateway that was created automatically after assigning the interface for the tunnel fixed the issue for me, go figure.
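The check the original poster did by hand (reply seen on the LAN interface but never leaving on the tunnel interface) can be automated by comparing two `tcpdump -n icmp` captures. This is an added example, not code from the thread or from OPNsense; the capture lines are constructed to reproduce the symptom, and the interface names are assumptions.

```python
import re
from collections import defaultdict

# One-line ICMP echo summary as printed by "tcpdump -n -i <iface> icmp".
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Map each (id, seq) pair to the set of echo kinds seen in one capture."""
    seen = defaultdict(set)
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            seen[(int(m["id"]), int(m["seq"]))].add(m["kind"])
    return dict(seen)


def missing_tunnel_replies(lan_lines, tun_lines):
    """(id, seq) pairs whose reply entered on LAN but was never forwarded into the tunnel."""
    lan = parse_icmp(lan_lines)
    tun = parse_icmp(tun_lines)
    return sorted(k for k, kinds in lan.items()
                  if "reply" in kinds and "reply" not in tun.get(k, set()))


# Constructed captures: LAN side (assumed interface vtnet1) and tunnel side
# (assumed interface ovpns1). seq 1 reproduces the symptom, seq 2 is healthy.
LAN_CAPTURE = [
    "12:00:01.000000 IP 10.8.0.2 > 192.168.1.10: ICMP echo request, id 1234, seq 1, length 64",
    "12:00:01.000120 IP 192.168.1.10 > 10.8.0.2: ICMP echo reply, id 1234, seq 1, length 64",
    "12:00:02.000000 IP 10.8.0.2 > 192.168.1.10: ICMP echo request, id 1234, seq 2, length 64",
    "12:00:02.000110 IP 192.168.1.10 > 10.8.0.2: ICMP echo reply, id 1234, seq 2, length 64",
]
TUN_CAPTURE = [
    "12:00:00.999900 IP 10.8.0.2 > 192.168.1.10: ICMP echo request, id 1234, seq 1, length 64",
    "12:00:01.999900 IP 10.8.0.2 > 192.168.1.10: ICMP echo request, id 1234, seq 2, length 64",
    "12:00:02.000200 IP 192.168.1.10 > 10.8.0.2: ICMP echo reply, id 1234, seq 2, length 64",
]

if __name__ == "__main__":
    for ident, seq in missing_tunnel_replies(LAN_CAPTURE, TUN_CAPTURE):
        print(f"echo id={ident} seq={seq}: reply arrived on LAN but never left on the tunnel")
```

A non-empty result points at the firewall's own forwarding decision (routing, gateway or policy) for the return path rather than at the LAN host or the client.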