What do I need to allow traffic from LAN through OpenVPN client connection?

Started by puldi, September 28, 2021, 10:29:45 AM

Hi,

I imported an OpenVPN client connection on my OPNsense (21.1.6) and already got it up and running. I can ping hosts on the remote site and successfully ssh to a host on the remote site from the OPNsense terminal. But I cannot reach any remote host from other hosts in my LAN. Even if I do a ping from OPNsense to the remote host with the source address set to the LAN address of my OPNsense, I get no answer.
This is what it looks like:


  .-------------.   .----------------.                  .--------------.
  |   OVPN IP   |   |    OVPN NET    |   .--------.     |  Dest Host   |
  |--------------------------------------- TUNNEL ---------------------|
  | 10.112.63.9 |   | 10.112.63.0/24 |   '--------'     | 10.112.62.54 |
  '-------------'   '----------------'                  '--------------'

  .------------------.   X
  | OPNsense IP/Mask |  /
  |--------------------'
  | 172.22.0.150/24  |
  '------------------'


There is a routing entry set up on OPNsense for 10.112.62.54, and when enabling the client there is a new interface called ovpnc2 which is used for routing. Hosts in my LAN have routing entries for 10.112.62.54 pointing to 172.22.0.150. Packets reach OPNsense but are not transmitted to the tunnel.

My firewall has an entry allowing all traffic from LAN to the OVPN connection, set up in OpenVPN.

When inspecting traffic with tcpdump I see that connections coming from OPNsense itself use 10.112.63.9 as the source address. Changing this to the LAN address breaks communication. So I guess I need to do NAT, but I don't know where and how. I think that this should be enabled by default, or at least by some setting in the client configuration.

How is such a scenario supposed to be set up?

To make this work you have to set up a new interface in Interfaces->Assignment using ovpnc2 as the "Network port".
After that you should be able to configure NAT in Firewall->NAT->Outbound for this newly generated interface.

When using several OpenVPN client connections this is a bit tedious :(
You are perfectly right, there should be a setting for outgoing NAT in OpenVPN client settings.

We solved this several months ago with a quick and dirty patch enabling outgoing IPv4 and IPv6 NAT for all OpenVPN Client connections, which is not the correct way to do this :)
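
As an added illustration, not taken from this thread or from OPNsense's own generated configuration, this is the pf rule that the Firewall->NAT->Outbound entry described above effectively produces, written with the addresses from the diagram in the first post. The exact rule text OPNsense generates is not shown in the thread, so the form below is an assumption.

```pf
# Added example (assumption): the effect of the Outbound NAT entry in pf syntax.
# ovpnc2 is the OpenVPN client interface assigned under Interfaces->Assignment;
# 172.22.0.0/24 is the LAN and 10.112.62.54 the remote destination host.
#
# Without this rule a LAN host's packet enters the tunnel with a 172.22.0.x
# source address that the remote site cannot route back to, so replies never
# arrive. With it, the packet leaves with the tunnel address (10.112.63.9).
nat on ovpnc2 from 172.22.0.0/24 to 10.112.62.54 -> (ovpnc2)
```

Once the rule is active, `pfctl -s nat` on the OPNsense shell lists the translation rules currently loaded, and `tcpdump -ni ovpnc2` should show 10.112.63.9 as the source of LAN-originated packets entering the tunnel, which is the same behaviour the first post observed for traffic generated by OPNsense itself.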

Quote from: goodomens42 on September 28, 2021, 05:34:40 PM
To make this work you have to set up a new interface in Interfaces->Assignment using ovpnc2 as the "Network port".
After that you should be able to configure NAT in Firewall->NAT->Outbound for this newly generated interface.
:o sounds complicated. I'll try that.

Quote
We solved this several months ago with a quick and dirty patch enabling outgoing IPv4 and IPv6 NAT for all OpenVPN Client connections, which is not the correct way to do this :)
How did you do this? Currently we just have one client, but there might come more, and handling separate interfaces and NAT rules for each of them might become confusing over time.

It works!  ;D

Thanks for your helpful hint! I just managed to run the OVPN connection, do NAT for outgoing requests and tunnel this connection via ssh over our IPsec VPN to our office. Now we can all reach the remote host from our office PCs. 3 weeks of trial and error, and this way it works. 8)