No HTTPS over OpenVPN Site-to-Site Tunnel

[jimjohn]

Hi all,

I am running some services over an OpenVPN tunnel between to OPNsenses. There services run well and can communicate with each other. However, I cannot reach the :443 port and display a webpage over HTTPS on Site B from Site A although I can see the HTTPS request pass in the firewall log of Site B (so the package is definitely not blocked on Site A, is definitely sent through the VPN tunnel and is definitely not blocked on Site B; it is marked as an "outgoing" package of the "ovpns1" interface and passed through to my physical interface by the "let out anything from the firewall host itself" rule).

When physically being on Site B, I can access the webpage through OPNsense, so the server is definitely working as well. I am using a self-signed certificate, all private since everything is happening within the tunnel network.

All looks fine for me but it is still not working. What could that be? No hint in the OpenVPN log (level 4) as well ... I am stuck.

Any help is very much appreciated!

[Gauss23]

Sounds like the server you're trying to reach on port 443 is not sending the packets back the same route they are coming from. Is the OPNsense on Site B the default gateway for that server? If not you need to tell the server on Site B to use the OPNSense as a gateway for the originating network (Site A).

[jimjohn]

Sounds like the server you're trying to reach on port 443 is not sending the packets back the same route they are coming from. Is the OPNsense on Site B the default gateway for that server? If not you need to tell the server on Site B to use the OPNSense as a gateway for the originating network (Site A).

But why would it work then when I connect from the local OPNsense LAN on Site B to the local server interface on Site B but not when I connect over VPN through the OPNsense from Site A? Wouldn't both requests look the same from the server perspective?

[Gauss23]

The local OPNsense on Site B should have an IP in the same subnet as the HTTPS server, correct?

Check if you are able to ping some IP in Site A from the HTTPS server or check the routing table of that server.
The requests would only look the same for the HTTPS server perspective if you would do NAT which I assume you are not doing.

[jimjohn]

The local OPNsense on Site B should have an IP in the same subnet as the HTTPS server, correct?

Check if you are able to ping some IP in Site A from the HTTPS server or check the routing table of that server.
The requests would only look the same for the HTTPS server perspective if you would do NAT which I assume you are not doing.

Not entirely. The server is 10.1.2.2 whereas the local client is 10.1.1.X. The remote client (over VPN) is 10.0.X.X.

Other services, such as RTRR, work in each direction. Only HTTPS is not working.

[chemlud]

Do you see any reply packages with package capture on LAN interface of site B?

Had cases of firewalls in NAS not allowing traffic from remote nets.

[jimjohn]

Do you see any reply packages with package capture on LAN interface of site B?

Had cases of firewalls in NAS not allowing traffic from remote nets.

How do these „answer packages“ look like?

I disabled the NAS‘ firewall but still no success. The NAS‘ firewall should not be the problem.

[lfirewall1243]

Please provide a network plan. It will make the troubleshooting a lot easier