OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
LAN routing conflict between OPNsense and OpenVPN web servers
Topic: LAN routing conflict between OPNsense and OpenVPN web servers (Read 365 times)
tonys
Newbie
Posts: 9
Karma: 0
LAN routing conflict between OPNsense and OpenVPN web servers
« on: May 09, 2024, 10:36:12 pm »
I'm running an OpenVPN server on a Raspberry Pi behind the OPNsense firewall in order to filter out the vast majority of bot attacks before they reach OpenVPN/Fail2ban. (I originally tried placing the Pi before the firewall but the outrageous number of bot attacks overwhelmed the OpenVPN server, making it totally unresponsive, not to mention the conflicts between the OPNsense and OpenVPN servers, both running on port 443.)

Everything works correctly from the internet (outside my LAN) but connection requests originating from inside my LAN (i.e., LetsEncrypt cert updates) and referencing the external Dynu DNS server are not getting to the Raspberry Pi host. Instead, they're going to the OPNsense firewall and getting blocked because port 80 is not open there. (Even if OPNsense port 80 were open, this is the wrong place for LetsEncrypt replies as they must route to the requesting server.) Port 80 is open on the Raspberry Pi for LetsEncrypt replies but OPNsense isn't routing them to the Raspberry Pi.

How do I know this? If I open a web browser to my Dynu domain "tshome.mywire.org" from inside my LAN, I get the OPNsense login page instead of the OpenVPN page. My Dynu domain "tshome.mywire.org" should always route to the Raspberry Pi/OpenVPN, regardless of whether I'm inside or outside my LAN. Again, outside my network, this works fine and my collaborators do see the OpenVPN login page and can log in there. Therefore, this issue is isolated only to the LetsEncrypt update process when inside the LAN.
Unfortunately, the LetsEncrypt cert updates are intimately tied to the "tshome.mywire.org" domain and LetsEncrypt expects to see its requests come back on the Raspberry Pi's port 80 as shown below:
****************************************************************************
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tshome.mywire.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for tshome.mywire.org
Failed to renew certificate tshome.mywire.org with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/tshome.mywire.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
****************************************************************************
Because those port 80 replies are going to the OPNsense web server page and getting rejected, I can't renew my certs and I'm running out of time.
Further info: Yes, I have ports 80 and 443 NAT translated to the Raspberry Pi so I expected all incoming traffic to go there. This works correctly from the outside world but not within my network where LetsEncrypt expects to receive replies. See the attached screenshot.
How do I set a rule for OPNsense to understand that outgoing requests from my LAN to "tshome.mywire.org" must return replies on port 80 to the Raspberry Pi behind the OPNsense firewall?
Thank you...
irritum
Newbie
Posts: 1
Karma: 0
Re: LAN routing conflict between OPNsense and OpenVPN web servers
« Reply #1 on: May 10, 2024, 02:34:25 am »
Sounds like what you need is NAT "reflection". Take a look at the Firewall -> Settings -> Advanced page and this:
https://docs.opnsense.org/manual/firewall_settings.html#reflection-for-port-forwards
Good Luck!
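The symptom in the first post (a LAN browser landing on the OPNsense login page for the public name) is the hairpin case: from inside the LAN the name resolves to the firewall's WAN address, the port forward only matches traffic arriving on WAN, so the connection is answered by the firewall's own GUI, and certbot's HTTP-01 challenge on port 80 gets the same treatment. The script below is an added diagnostic, not from the thread or the OPNsense project, to run on a LAN host such as the Pi before and after enabling reflection. The WAN address 203.0.113.10 and Pi address 192.168.1.50 are assumed placeholders, and it assumes dig and curl are installed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a request for the public
# name from inside the LAN will hairpin through the firewall, and who answers
# on the HTTP-01 challenge path certbot depends on.
# Assumed addresses (not from the thread): WAN 203.0.113.10, Pi 192.168.1.50.

# classify_target RESOLVED_IP WAN_IP PI_LAN_IP
# Prints "direct" when the name already points at the Pi (split DNS in place),
# "hairpin" when it points at the firewall's WAN address (this thread's case:
# LAN traffic then needs NAT reflection to reach the port forward), and
# "unexpected" for anything else, e.g. a stale dynamic-DNS record.
classify_target() {
  resolved=$1
  wan=$2
  pi=$3
  if [ "$resolved" = "$pi" ]; then
    echo direct
  elif [ "$resolved" = "$wan" ]; then
    echo hairpin
  else
    echo unexpected
  fi
}

# acme_probe_url HOST [TOKEN]
# Builds the URL Let's Encrypt fetches for an HTTP-01 challenge, so the probe
# exercises the same path the renewal uses rather than the site root.
acme_probe_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "${2:-probe}"
}

# who_answered HEADERS
# Takes raw HTTP response headers (as captured with curl -D -) and prints the
# Server header value, which is usually enough to tell the firewall's GUI from
# the web server on the Pi. Uses only POSIX awk features (works with mawk).
who_answered() {
  printf '%s\n' "$1" | awk '
    tolower(substr($0, 1, 7)) == "server:" {
      v = $0
      sub(/^[Ss][Ee][Rr][Vv][Ee][Rr]:[ \t]*/, "", v)
      sub(/\r$/, "", v)
      print v
      found = 1
    }
    END { if (!found) print "no Server header" }'
}

# diagnose_live HOST WAN_IP PI_LAN_IP
# The live check: resolve the name the way this LAN host does, classify the
# answer, then fetch the challenge URL and report who answered. Only this
# function touches the network; nothing runs until you call it.
diagnose_live() {
  host=$1
  wan=$2
  pi=$3
  resolved=$(dig +short "$host" A | tail -n 1)
  echo "$host resolves to ${resolved:-<nothing>}: $(classify_target "$resolved" "$wan" "$pi")"
  headers=$(curl -sS --max-time 5 -o /dev/null -D - "$(acme_probe_url "$host")") || echo "request failed"
  echo "answered by: $(who_answered "$headers")"
}

# Usage from a LAN host, with the assumed addresses above:
#   diagnose_live tshome.mywire.org 203.0.113.10 192.168.1.50
```

Before the reflection change the first line should report "hairpin" and the Server header should be the firewall's; after it (or after adding a host override for the name in Services -> Unbound DNS so LAN clients get the Pi's address directly, which avoids the hairpin altogether) the challenge URL should be answered by the Pi. Either way, re-run `certbot renew --dry-run` from the Pi to confirm before the certificate expires.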