OpenVPN server instance - no ipv4 access to WAN

[GreenMatter]

As legacy config of VPN servers will be / is EOL, I would like to migrate to instance config my road warrior setup.
I used all available settings in Openvpn server instance to migrate settings from legacy config; but despite having set redirect gateway (default, block local and ipv6 default) I can connect only ipv4 to LAN hosts and nothing in WAN. ipv6 works.
Do I need to setup additional FW rule to what was done for legacy config under OpenVPN instance:

Code: [Select]

Allow IPv4+6 * OpenVPN net * * * * *  Default allow Openvpn to any rule


EDIT:
After enabling logging in above rule, I can see that request are being sent. So, is something wrong with SNAT or created instance interface? But having created outbound NAT rule doesn't help, thus issues with tun interface?

[klipschppp]

I had to manually create the exact same FW rule, and also this outbound NAT rule so that my road warrior client can access WAN (ipv4)

[GreenMatter]

I had to manually create the exact same FW rule, and also this outbound NAT rule so that my road warrior client can access WAN (ipv4)

Thanks! Seems like it works with addition of SNAT including WAN address.
So, now questions are:
Why instance server works so differently from legacy config?
Is as per design or some sort of bug?
Why ipv6 works without SNAT rule?
I can't find documentation for instance OpenVPN, except this: https://docs.opnsense.org/manual/vpnet.html#openvpn-ssl-vpn
Have you seen one?


EDIT:
Is there any way to add manually other (missing in GUI) OpenVPN options to instance config? Not so many are available in GUI...


EDIT2:
Since I can't set in server instance:

Code: [Select]

tun-mtu-extra 32;
mssfix 1450;
fast-io;Connection over server instance is 7 times slower that connection over legacy config...


EDIT3:
After having done update done from 23.7.12 to 24.2 I noticed: Instance config doesn't create automatically interface - unbound DNS can't of course be configured to bind to it. After I manually created interface - it works.
But it looks like really 10 steps backwards!

[klipschppp]

you've just convinced me to go try the legacy config! I am a newbie OPNSense user and this is my first time attempting to setup OpenVPN - I came in assuming the new "instances" config is the preferred/recommended way!

UPDATE:

I just tried to recreate the OpenVPN server using legacy config (I am on 24.1.2_1). To be honest, I feel they are quite similar:
1. both automatically create interface (both un-assigned though)
2. ipv6 (youtube) doesn't go through VPN for either (i think)
3. both leak ipv6 address (confirmed from https://ipleak.net/)
4. had to manually specify client DNS (to use Unbound) for both configs
5. had Unbound set to bind to ALL for both, and no need to do anything else

The only two diffs I see:
a. Unbound bind interfaces drop-down menu doesn't show VPN for new config. However this doesn't seem to matter as I set to bind to ALL so it just works (as long as I did 4 above)
b. SNAT is automatically generated for VPN interface for legacy config. Had to manually add it for new.

To your other question, I don't see a way to manually add OpenVPN options in new config either. However even in the legacy config, that option seems deprecated already - "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting."

[GreenMatter]

Despite I haven't done any manual changes or installed 3rd party repo/software (with exception of Zenarmor), I think there's some error in my instance config.
I've just done reinstall with config restore - but still is the same: legacy servers have stopped working properly in 24.1 SNAT requires manual intervention.

It tempts me to start from scratch, but I'm afraid of amount of work and time required to get everything else up and working...

[GreenMatter]

I just tried to recreate the OpenVPN server using legacy config (I am on 24.1.2_1). To be honest, I feel they are quite similar:
1. both automatically create interface (both un-assigned though)
2. ipv6 (youtube) doesn't go through VPN for either (i think)
3. both leak ipv6 address (confirmed from https://ipleak.net/)
4. had to manually specify client DNS (to use Unbound) for both configs
5. had Unbound set to bind to ALL for both, and no need to do anything else

The only two diffs I see:
a. Unbound bind interfaces drop-down menu doesn't show VPN for new config. However this doesn't seem to matter as I set to bind to ALL so it just works (as long as I did 4 above)
b. SNAT is automatically generated for VPN interface for legacy config. Had to manually add it for new.

To your other question, I don't see a way to manually add OpenVPN options in new config either. However even in the legacy config, that option seems deprecated already - "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting."

I've just installed fresh Opnsense in new VM - and it's exactly like you said above (in bold) and like is in my main and multiple updated instance...
So, it is really big, backward step in OpenVPN functionality...

[DawidConnor]

 It sounds like you're having trouble with your OpenVPN server instance and IPv4 access to the WAN. This issue can be frustrating, but don’t worry—you're not alone in facing this. Have you double-checked your firewall settings? Sometimes, the firewall rules can block the traffic without you even realizing it. Also, you might want to look into the routing settings to ensure everything is configured correctly. Considering managed VPS hosting could be a good idea if you find it too overwhelming. They handle all the technical stuff for you so you can focus on what matters.