
[SOLVED] Using OPNsense to funnel whole subnet through provider VPN


gustaf:
Hi everyone,
I'm trying to set up something but - for the first time in my OPNsense experience - I got stuck.

What's been going on:
We want to host a web server from a dynamic IP. The ISP won't assign a static one to our location. So we subscribed to a VPN with static IP and port forwarding. Preliminary tests have been good, but we can't use the VPN on the web server itself because of conflicts between applications, limitations in automation, etc.

Here's the summary:
[physical layout] Web server > OPNsense > ISP router > Internet
[logical layout] Web server > OPNsense > VPN provider > Internet

OPNsense did connect immediately to the VPN tunnel (configured in VPN > OpenVPN > Clients and checked in Connection Status).
But no traffic is being forwarded from the LAN side to the internet. OPNsense itself can ping and traceroute, but the web server and other machines cannot when they are connected to the LAN side of OPNsense.

I think I'm missing some firewall rule or part of the configuration.
I did set a NAT rule to forward traffic from OPNsense to the web server and it works: I can connect to the web server from the internet using our VPN IP.*3

So far I've tried the following with no change:
- Interfaces > Assignment: added the openvpn virtual interface as WAN_VPN and set to enabled
- System > Gateways > Single: 2 new gateways are present, one marked active for VPN IPv6 and one for IPv4 not marked active. I assigned the private VPN IP to the IPv4 gw and marked it as far gateway*1
- Firewall > Rules > LAN: Added a rule from any to any with the VPN_GW as gateway*2

So I'm asking for your help since nothing flows from the LAN to the Internet...

Thanks

EDITS
*1 I've given the VPNGW IPv4 a lower priority number and it became the active gw. The outbound block persists. I then restored the default values, because after reboot the VPN link couldn't come up: traffic was being forwarded through the yet-to-be-established VPN gw.
*2 this rule was removed as it was not necessary
*3 The NAT rules had to be modified after adding a new interface assignment to the OpenVPN connection: Interface OpenVPN, Destination VPN-interface, Redirect target WebServer. Ports had to be opened on the VPN provider control panel.



Solved as described in this thread: https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771
and specifically by applying this part:
" - Navigate to Firewall > NAT > Outbound
 - Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
 - Add a new rule

Rule 1.
 - Interface: VPN (The one you created in Step 6)
 - Source: VPNTraffic ( The alias you created in Step 7)
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any"

I set hybrid outbound NAT in order to keep the autogenerated rules, and LAN net as source in Rule1.

This guide is a bit old and thus some settings no longer apply (for example, you cannot set DHCPv4 in step 6), but it's still very valuable as it discusses full configuration of OPNsense as a VPN client, and how to route select clients instead of the whole subnet.
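Added example, not part of gustaf's post or of the linked thread: the pf rules that the GUI settings discussed above amount to, written out so the two halves of the fix (policy route plus outbound NAT) and the port forward from edit *3 can be seen side by side. Interface names "lan" and "ovpnc1" (the OpenVPN client assigned as WAN_VPN), the tunnel gateway 10.8.0.1, the LAN subnet 192.168.1.0/24, the OPNsense LAN address 192.168.1.1 and the web server 192.168.1.10 are all assumptions chosen for the illustration; OPNsense generates equivalent lines itself in /tmp/rules.debug, so this is for reading, not for pasting.

```pf
# Illustrative pf rules for "whole LAN subnet out through the provider VPN".
# Assumed names (not from the post): lan, ovpnc1, 10.8.0.1, 192.168.1.0/24,
# 192.168.1.1 (OPNsense LAN address), 192.168.1.10 (web server).

# 1. Outbound NAT on the VPN interface
#    (Firewall > NAT > Outbound, hybrid mode; interface WAN_VPN, source "LAN net",
#    translation "Interface address"). Without this the LAN hosts' packets enter
#    the tunnel with a private 192.168.1.x source, the provider has no route back,
#    and you get exactly the symptom in the post: the firewall itself can ping
#    (its own packets already carry the tunnel address) while LAN hosts cannot.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0) port 1024:65535

# 2. Inbound port forward from the VPN side (edit *3: interface OpenVPN,
#    destination VPN interface address, redirect target web server).
#    reply-to keeps the answer packets inside the tunnel instead of letting them
#    leave via the ISP default route with the wrong source address.
rdr on ovpnc1 inet proto tcp from any to (ovpnc1:0) port 443 -> 192.168.1.10
pass in quick on ovpnc1 reply-to (ovpnc1 10.8.0.1) inet proto tcp \
    from any to 192.168.1.10 port 443 keep state

# 3. LAN hosts must still reach the firewall itself (DNS, DHCP, web GUI).
#    "quick" means first match wins, so this must come before the policy route.
pass in quick on lan inet from 192.168.1.0/24 to 192.168.1.1 keep state

# 4. Policy route: everything else from the LAN is sent to the VPN gateway
#    (Firewall > Rules > LAN, rule with Gateway = the VPN gateway). This is what a
#    per-rule gateway compiles to. It is preferable to making the VPN gateway the
#    system default (the *1 attempt): a default route into the tunnel also
#    catches the OpenVPN client's own control traffic after a reboot, and the
#    tunnel then cannot come up.
pass in quick on lan route-to (ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any keep state
```

To confirm the NAT half actually took effect on a live box, `pfctl -s nat` should list a `nat on ovpnc1` entry with the LAN network as source; if only the `nat on wan` entries appear, the outbound mode is still automatic and the new rule is not loaded.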
