[SOLVED] OpenVPN accepts connection from LAN interface?

Started by marceloudi, August 23, 2023, 04:16:51 AM

August 23, 2023, 04:16:51 AM Last Edit: September 08, 2023, 10:15:59 PM by marceloudi
Hi all!

We have 2 Linux boxes seamlessly connected to OpenVPN as clients, from the WAN side. But I need to manage these boxes from my LAN.

So, I configured OpenVPN server to listen on "Any" interfaces (please see image attached).

On my LAN side, the OPNsense box is my gateway. So, I configured the ".opnsense" file to connect to my LAN gateway, but it does not work...

Is it possible?

Just to confirm: I executed tcpdump on the OPNsense box, and I can see packets arriving from my LAN host (tcpdump -i bge0 host 192.168.9.152 and port 1194).

I searched a lot of the material available online, but the search terms are too generic ("connect to opnsense openvpn from lan side"), so I did not find any solution!

Regards from Brazil!

Can't you get to the Linux boxes via the IP they get on their tunnel interface? If OPNsense is your gateway, it should know the route without further config, and the LAN should be able to access everything by default.

Thanks for your response Gustaf!

I can't get to the Linux boxes via the VPN IP.

Executing a ping to 10.10.0.2 (remote VPN host), I can see at Diagnostics/Firewall/Log that OPNsense is forwarding the packet via the system default gateway (in the image, ending with 129).

I tried to create a route, but OPNsense does not offer ovpn1 as an available destination to select.

What can I do?

I did a small test:
Connected to an OPNsense as an OpenVPN road warrior from a Windows PC.
Launched RDP to a Windows server residing in the LAN of the OPNsense. Then from the server:

Tried to ping and traceroute myself back with no success.
Tried to connect via RDP to the PC I was using and got a password prompt, which means the RDP connection was successful.

I would have a look at the firewall on your remote linux boxes, it's likely what's blocking you.

Ok! I just confirmed: there is no firewall on the clients: any remote client can ping or telnet to any TCP port between them.

So, activating the logs on the firewall, I can see the traffic matching the rule "Default allow LAN to any rule" (image attached).

But the traffic does not reach the remote VPN client.

Can I check which configuration is dropping/blocking the packet to remote client?

SOLVED!

I realized that I need to create a LAN rule and force the traffic to a specific gateway.

So:

- Created (assigned) a new interface for OVPN (OPT3): "Dynamic gateway policy" checked, to auto-create a gateway

- Confirmed that a new gateway (OPT3_GW) was created for that interface.

- Created a rule (image attached), marked as quick, BEFORE other rules, forcing traffic destined for the OVPN addresses to OPT3_GW
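As an added example (not code from the thread or from OPNsense), the following script reproduces the check behind the symptom above: a longest-prefix lookup over a constructed `netstat -rn` style routing table, showing whether a tunnel address such as 10.10.0.2 leaves via the OpenVPN interface or falls through to the WAN default gateway. The addresses (192.168.9.129 as default gateway, 10.10.0.0/24 on ovpns1, bge0 as WAN) are assumptions modelled on the thread; a policy-routing rule with a gateway set, as in the fix, overrides this table lookup.

```python
import ipaddress

# Constructed FreeBSD "netstat -rn -f inet" output (assumed addresses, not from the thread):
# the tunnel network is reachable through the OpenVPN server interface ovpns1.
ROUTES_OK = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.9.129      UGS        bge0
10.10.0.0/24       10.10.0.2          UGS      ovpns1
10.10.0.1          link#5             UHS         lo0
192.168.9.0/24     link#1             U          bge0
"""

# Same table with the tunnel route missing: 10.10.0.x falls through to the default route,
# which matches the "forwarded via the default gateway ending in 129" symptom.
ROUTES_MISSING = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.9.129      UGS        bge0
192.168.9.0/24     link#1             U          bge0
"""


def parse_routes(text):
    """Parse netstat -rn lines into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, _flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)  # bare host entries become /32
        routes.append((net, gw, netif))
    return routes


def lookup(text, dst):
    """Longest-prefix match: return (gateway, netif) the kernel would choose for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    for label, table in (("with tunnel route", ROUTES_OK), ("without tunnel route", ROUTES_MISSING)):
        print(f"10.10.0.2 {label}: {lookup(table, '10.10.0.2')}")
```

On the OPNsense box the real table from `netstat -rn -f inet` can be pasted in place of the constructed text; if the tunnel address resolves to the WAN interface here, a rule with the OpenVPN gateway set is what redirects it.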