OpenVPN - Selective Routing to External VPN Endpoint

Started by jaykumar2005, February 22, 2024, 09:28:58 PM

Versions: OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13


I have an OpenVPN client connected to a VPN provider; the VPN connection is up and the interface/gateway are also up (VPN --> OpenVPN --> Instances). I can ping and traceroute through the tunnel IP to the internet (Gateway --> Diagnostic) from the firewall itself.

I have a use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, where I need only a few LAN clients' traffic to traverse the VPN connection/interface.

For some reason, I cannot seem to get it working. I have the outbound NAT and the rule on the LAN interface configured, but none of these LAN clients can reach the internet. Traceroute/ping just time out. Removing the LAN interface firewall rule causes all traffic to go through the WAN interface, which is not what I want.

Any ideas how to troubleshoot or fix this?
Hardware: Lenovo ThinkStation P330 Tiny (Intel Core i5-8500 @ 3.00GHz, 1xI219-LM, 4xI350)
BUFFERBLOAT GRADE A+

Some additional troubleshooting: a packet capture only shows packets leaving the interface, but nothing from the remote side.

Also, LAN clients can ping the VPN interface IP on the firewall.

Btw, I have only route-noexec enabled in the VPN client configuration.

I moved to Instances and it works with 3 different "providers" for me.

I set up aliases by IP address for the device / static mapping for the device or devices.

Then on LAN I created a firewall rule for the correct gateway.
Then Firewall > NAT > Outbound: chose the correct gateway for the interface; the source address is the alias of the device to go outbound.

Moved back to Client (Legacy), and it worked for me.

I think the breaking config is that my VPN provider is expecting --compress lzo, without which the VPN tunnel does not work for me.

How do I set --compress lzo in Instances?

Compression for encrypted traffic is dangerous and should be disabled when possible!

The OpenVPN project has deprecated compression support and they will remove it from future versions.

Read the text in this section carefully! Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plain text traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack.

https://community.openvpn.net/openvpn/wiki/Compression
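A config check reflecting the warning above, written for this thread as an added example (not OPNsense or OpenVPN project code): it scans an OpenVPN client config for `comp-lzo`, `compress` and `allow-compression` directives and flags those that enable payload compression, and can confirm that `route-noexec` (used in the original post) is present. The sample config and its host name are constructed.

```python
COMPRESSING_ALGOS = {"lzo", "lz4", "lz4-v2"}  # algorithms that compress payload

def parse_directives(text):
    """Yield (directive, args), skipping comments and inline <tag>...</tag> blocks."""
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside <ca>/<cert>/<key> etc.: certificate data, not directives
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        tokens = line.split()
        yield tokens[0], tokens[1:]

def audit_compression(text):
    """Return findings for directives that enable compression; [] if none."""
    findings = []
    for directive, args in parse_directives(text):
        if directive == "comp-lzo":
            mode = args[0] if args else "adaptive"  # bare comp-lzo means adaptive
            if mode != "no":
                findings.append(f"comp-lzo {mode}: deprecated LZO compression enabled")
        elif directive == "compress":
            algo = args[0] if args else "stub"  # bare compress = framing only
            if algo in COMPRESSING_ALGOS:
                findings.append(f"compress {algo}: payload compression enabled")
        elif directive == "allow-compression" and args and args[0] != "no":
            findings.append(f"allow-compression {args[0]}: server may push compression")
    return findings

def has_directive(text, name):
    """True if the config contains the named directive (e.g. route-noexec)."""
    return any(d == name for d, _ in parse_directives(text))

# Constructed sample client config; the remote host is a placeholder.
SAMPLE_CONFIG = """\
client
remote vpn.example.invalid 1194
route-noexec
compress lzo
<ca>
compress lz4
</ca>
; comp-lzo
"""
```

Running `audit_compression(SAMPLE_CONFIG)` reports only the live `compress lzo` line; the directive inside the `<ca>` block and the commented-out `comp-lzo` are ignored.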

Which provider is this?