HOWTO - Routing Traffic over Private VPN

Started by M4DM4NZ, April 10, 2017, 01:34:53 PM

Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far. Fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)

Quote from: M4DM4NZ on February 16, 2018, 10:26:08 AM
Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far. Fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)
Hi @M4DM4NZ, have you been able to make any progress on this issue?

I did manage to get it going (kinda).

I inverted my original setup so by default all traffic passes by the VPN, then set a rule pointing a single PC on my network to have access to the WAN directly. (DMZ)

After messing around with these settings for HOURS! I did manage to get it working, but it wasn't stable.

I had to flip the gateway setting in the LAN rule for the single PC that required WAN access, then flip it back so the gateway was using the VPN, then flip it back again.

It worked fine (until that single PC released/renewed its IP address).

So, for now I've reverted back to 17.x until I can find more time to take another look at it.

Keep you posted.

I have the same problem. I just switched to OPNsense :( and spent 2 days on the basic config; today I lost a whole day and am still unable to make routing through the VPN work.

Is there a bug open for this? Because something is obviously wrong.

Anyone managed to make this work?

I'm following this closely as well, and this tutorial right here is the whole reason I went with OPNsense.

I did a fresh install of OPNsense and everything is working for me now :), don't ask me how. The only change I made on the first try was to select LibreSSL under firmware settings; now I just use the default OpenSSL.

Anyway, the VPN works, policy routing works, I only need to do additional testing regarding DNS leaks.

Quote from: Dimi3 on February 28, 2018, 09:31:40 AM
I did a fresh install of OPNsense and everything is working for me now :), don't ask me how. The only change I made on the first try was to select LibreSSL under firmware settings; now I just use the default OpenSSL.

Anyway, the VPN works, policy routing works, I only need to do additional testing regarding DNS leaks.
So what you are saying is that if one uses OpenSSL rather than LibreSSL, VPN NAT routing works on v18.1.2_2?

I can't claim that routing doesn't work when LibreSSL is selected, but this is the only thing I changed on the first installation. Maybe I also messed something else up, can't say. :)


Hi,

Just to give everyone an update on this - I have patched OPNsense to the latest (18.1.3) but the issues reported in my previous comment (#29) still remain a problem.

Let me know if you experience anything different please.

Regards,
Andrea

Has there been any progress on routing selective traffic over OpenVPN on v18.1.4? I haven't had a chance to update and test the routing on v18.1.3 or v18.1.4. Still on 18.1.2_2.

Hi,

I'm on 18.1.4 but I have not seen any progress regarding my situation.
My routing table still looks exactly the same as before, and I experience the same problems as before.

A couple of things I've noticed with the VPN on (and therefore with no connectivity):
1) checking the firewall log I can see that my ping to the Google DNS servers (8.8.8.8) is allowed, but since I get no response, I assume the "reply" messages are blocked on the way back;
2) if I am pinging something (e.g. 8.8.8.8) while I enable the VPN, the ping keeps working, so something is blocking new connections, but not already established ones.

Regards,
Andrea


Actually, possibly the biggest routing problem experienced (in my case) came from this rule:
0.0.0.0/1          46.246.85.1        UGS      ovpnc1

I thought this was added by OPNsense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OPNsense from pulling extra routes and messing up my routing table.

Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.

I'll have to investigate in that direction.

Regards,
Andrea
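An added illustration, not part of Andrea's post and not OPNsense code, of why that one route line breaks Internet access for every VLAN. A 0.0.0.0/1 route (normally paired with 128.0.0.0/1) is what an OpenVPN server pushes with `redirect-gateway def1`: the two halves cover all of IPv4 and, being more specific than the 0.0.0.0/0 default, win the kernel's longest-prefix lookup without deleting the existing default. The script parses a constructed `netstat -rn` sample (the ovpnc1 line and the 46.246.85.1 gateway are the values from the post; the WAN, LAN and tunnel subnets on em0, em1 and 10.8.0.0/24 are assumptions) and shows where 8.8.8.8 would be sent with and without the pushed pair.

```python
import ipaddress

# Constructed sample of `netstat -rn` IPv4 output on an OPNsense box.
# The 0.0.0.0/1 route via 46.246.85.1 on ovpnc1 is taken from the thread;
# the WAN (203.0.113.0/24 on em0), LAN (192.168.1.0/24 on em1) and tunnel
# (10.8.0.0/24) values are assumptions for illustration only.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
127.0.0.1          link#4             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
192.168.1.0/24     link#1             U           em1
203.0.113.0/24     link#2             U           em0
"""

# The pair of routes that OpenVPN's `redirect-gateway def1` pushes.
DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text):
    """Return (network, gateway, netif) tuples from the IPv4 section of netstat -rn."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dst, gw, netif = parts[0], parts[1], parts[3]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        except ValueError:
            continue  # header line, or an address family we do not model here
        if net.version == 4:
            routes.append((net, gw, netif))
    return routes


def def1_override(routes):
    """Return the (gateway, netif) that a complete def1 pair steers all traffic to,
    or None when the pair is absent or its halves disagree."""
    halves = {net: (gw, netif) for net, gw, netif in routes if net in DEF1_HALVES}
    if set(halves) != DEF1_HALVES:
        return None
    hops = set(halves.values())
    return hops.pop() if len(hops) == 1 else None


def next_hop(routes, dst):
    """Longest-prefix match: the lookup the kernel does for every packet."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _net, gw, netif = max(candidates, key=lambda r: r[0].prefixlen)
    return gw, netif


def without_pushed_routes(routes):
    """The table once the client ignores server-pushed routes, i.e. what the
    OPNsense "Don't pull routes" option (OpenVPN route-nopull) leaves behind."""
    return [r for r in routes if r[0] not in DEF1_HALVES]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    print("def1 override present, everything goes via:", def1_override(table))
    for dst in ("8.8.8.8", "192.168.1.20"):
        print(dst, "with pushed routes ->", next_hop(table, dst),
              "| without ->", next_hop(without_pushed_routes(table), dst))
```

Of the two OPNsense checkboxes Andrea mentions, "Don't pull routes" becomes `route-nopull` in the generated client config, which makes the client ignore the routes the server pushes (and also pushed DNS-server options), while "Don't add/remove routes" becomes `route-noexec`, which still accepts the pushed routes but does not install them in the kernel table. Either one keeps the /1 pair out of the table, so the default stays on the WAN and only the traffic you policy-route with a LAN rule pointing at the VPN gateway goes into the tunnel.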

Are you using the DNS Resolver or the DNS Forwarder?

I'm using Unbound default settings (I think).
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.

I'm using Unbound in forwarder mode, since I don't need local LAN name resolving.

I couldn't make it work with default settings (also my knowledge is limited)

For a test, try this:

Under Services - Unbound, tick these options:
Enable Forwarder Mode
Register DHCP leases in the DNS Resolver

Select outgoing network interfaces ... i have selected both WAN and VPN

Under System - Settings - General insert DNS addresses, e.g. 8.8.8.8, and tick

Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

Under the VPN client settings tick: Don't pull routes

Maybe this will help you; if not, you could post your FW rules.
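Dimi3 mentions still having to test for DNS leaks. As an added example (not from the post and not OPNsense code), here is a way to do that from the firewall's own logs instead of a third-party web page: log the outbound rules on WAN and VPN, run `tcpdump -n -e -i pflog0`, and look for port-53 traffic leaving on the WAN interface. The lines below are constructed in that output format; the interface names (em0 as WAN, ovpnc1 as the VPN client, vlan20 as the tunnelled VLAN), addresses and rule numbers are all assumptions.

```python
import re
from collections import Counter

# Constructed log lines in the shape `tcpdump -n -e -i pflog0` prints on
# OPNsense/FreeBSD for rules with logging enabled. Interface names, addresses
# and rule numbers are assumptions, not values from the thread.
SAMPLE_PFLOG = """\
12:00:01.000001 rule 72/0(match): pass in on vlan20: 192.168.20.10.52001 > 192.168.20.1.53: 1001+ A? example.com. (29)
12:00:01.000002 rule 70/0(match): pass out on ovpnc1: 10.8.0.6.40123 > 10.8.0.1.53: 1002+ A? example.com. (29)
12:00:01.000003 rule 71/0(match): pass out on em0: 203.0.113.5.40124 > 8.8.8.8.53: 1003+ A? example.org. (29)
12:00:01.000004 rule 71/0(match): pass out on em0: 203.0.113.5.40125 > 8.8.4.4.53: 1004+ AAAA? example.net. (29)
12:00:01.000005 rule 71/0(match): pass out on em0: 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000006 rule 69/0(match): block in on em0: 198.51.100.9.443 > 203.0.113.5.51001: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Rule header, direction, interface, IPv4 endpoints and, for UDP DNS, the decoded question.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+)\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"(?: \d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+))?"
)


def parse_pflog(text):
    """Yield one dict per recognised IPv4 line; anything else is skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def dns_leaks(records, wan_if):
    """DNS queries passed out on the WAN interface: each one bypassed the tunnel."""
    return [r for r in records
            if r["action"] == "pass" and r["dir"] == "out"
            and r["iface"] == wan_if and r["dport"] == 53]


def dns_egress_summary(records):
    """Count outbound port-53 packets per (egress interface, upstream server),
    which shows which 'outgoing network interface' Unbound actually used."""
    return Counter((r["iface"], r["dst"]) for r in records
                   if r["dir"] == "out" and r["dport"] == 53)


if __name__ == "__main__":
    recs = list(parse_pflog(SAMPLE_PFLOG))
    for r in dns_leaks(recs, "em0"):
        print(f"LEAK: {r['qtype']}? {r['qname']} to {r['dst']} via {r['iface']} (rule {r['rule']})")
    print(dns_egress_summary(recs))
```

With Unbound allowed to use both WAN and VPN as outgoing interfaces, as in Dimi3's setup, you should expect to see queries on both and decide whether that is acceptable; if the whole point of the tunnel is to hide DNS from the ISP, restrict the outgoing interface to the VPN and confirm with this check that nothing on port 53 leaves on em0 any more. The query on vlan20 in the sample is inbound to the firewall's own resolver and is not a leak by itself; what matters is where the recursive query leaves.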