Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
OpenVPN - Selective Routing to External VPN Endpoint
« previous
next »
Print
Pages: [
1
]
Author
Topic: OpenVPN - Selective Routing to External VPN Endpoint (Read 1168 times)
jaykumar2005
Newbie
Posts: 12
Karma: 0
OpenVPN - Selective Routing to External VPN Endpoint
«
on:
February 22, 2024, 09:28:58 pm »
Versions OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
I have OpenVPN client connected to a VPN provider, VPN connection is up and Interface/Gateway are also up (VPN -->OpenVPN-->Instances). I can ping and traceroute through the tunnel IP to internet (Gateway --> Diagnostic) from the firewall itself.
I have use case similar to
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
where I need only few LAN client traffic to traverse through the VPN connection/interface.
For some reason, I cannot seems to get it working. I have the Outbound NAT and Rule on LAN interface configured but none these LAN clients cannot seem to be able to reach internet. Traceroute/Ping just timeout. Removing the LAN interface firewall rule cause all traffic to go through WAN interface, which is not what I want.
Any ideas how to troubleshoot or fix this?
Logged
jaykumar2005
Newbie
Posts: 12
Karma: 0
Re: OpenVPN - Selective Routing to External VPN Endpoint
«
Reply #1 on:
February 23, 2024, 10:33:01 am »
Some additional troubleshooting, packet capture only shows packet leaving the interface, but nothing from remote
Also, lan clients can ping VPN interface IP on firewall
Btw, I have only route-noexec enabled on the VPN client configuration
Logged
DEC670airp414user
Full Member
Posts: 162
Karma: 8
Re: OpenVPN - Selective Routing to External VPN Endpoint
«
Reply #2 on:
February 23, 2024, 11:56:33 am »
i moved to instances and it works with at 3 different "providers" for me
i setup Alias's by IP address for the device/ static mapping for the device or devices.
then on Lan created a firewall rule for the correct gateway.
then firewall > nat. > outbound chose the correct gateway for the interface , source address is the alias of the device to go outbound
Logged
jaykumar2005
Newbie
Posts: 12
Karma: 0
Re: OpenVPN - Selective Routing to External VPN Endpoint
«
Reply #3 on:
February 25, 2024, 08:34:24 am »
Moved back to Client (Legacy), and it worked for me.
I think the breaking config is that my VPN provider is expecting
Code:
[Select]
--compress lzo
, without which the VPN tunnel does not work for me.
How do I set
Code:
[Select]
--compress lzo
in instances?
Logged
DEC670airp414user
Full Member
Posts: 162
Karma: 8
Re: OpenVPN - Selective Routing to External VPN Endpoint
«
Reply #4 on:
February 25, 2024, 12:30:32 pm »
Compression for encrypted traffic is dangerous and should be disabled when possible!
The OpenVPN project has deprecated compression support and they will remove it from future versions.
Read the text in this section carefully! Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plain text traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack.
https://community.openvpn.net/openvpn/wiki/Compression
which provider is this?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
OpenVPN - Selective Routing to External VPN Endpoint