[SOLVED] OpenVPN Broken

[marjohn56]

OpenVPN Wizard created default OpenVPN Interface rule which is:

Action = Pass
Interface = OPENVPN
TCP Version = IPV4
Source = Any
Destination = Any
Dest.Port Range = Any
Gateway = default.

OpenVPN Wizard created default WAN Interface rule which is:

Action = Pass
TCP Version = IPv4
Protocol = UDP
Source = ANY
Destimation = WAN Address
Destination_Port_Range = OpenVPN
Gateway = Default

[kanstin]

OpenVPN Wizard created default OpenVPN Interface rule which is:

Action = Pass
Interface = OPENVPN
TCP Version = IPV4
Source = Any
Destination = Any
Dest.Port Range = Any
Gateway = default.

OpenVPN Wizard created default WAN Interface rule which is:

Action = Pass
TCP Version = IPv4
Protocol = UDP
Source = ANY
Destimation = WAN Address
Destination_Port_Range = OpenVPN
Gateway = Default

Those look like OpenVPN server rules. Does anyone have a working OpenVPN client?

[kanstin]

There are  my firewall rules for LAN, NAT outbound, and the relevant routing entries. Can anyone see why I can't ping the remote network from LAN? I can ping from the router device but not from a LAN device. These rules worked on 17.7 but this doesn't work with 18.1. Thanks.

[marjohn56]

OpenVPN Wizard created default OpenVPN Interface rule which is:

Action = Pass
Interface = OPENVPN
TCP Version = IPV4
Source = Any
Destination = Any
Dest.Port Range = Any
Gateway = default.

OpenVPN Wizard created default WAN Interface rule which is:

Action = Pass
TCP Version = IPv4
Protocol = UDP
Source = ANY
Destimation = WAN Address
Destination_Port_Range = OpenVPN
Gateway = Default

Those look like OpenVPN server rules. Does anyone have a working OpenVPN client?

i just use the client export wizard and import that config into openvpn. It works.

[kanstin]

My outbound NAT rules aren't being implemented on the router, see below. What command line can I use to force my rules? Thanks,

[kanstin]

Looking in /tmp/rules.debug I can see that my NAT rules are commented out like they're disabled. See image. So that is the problem. How do I fix this? Thanks,

[kanstin]

Ok I found a temporary work around for me. In the /tmp/rules.debug file there was this:

# nat on openvpn inet from 192.168.6.0/24 to any port 1024:65535 # WIFI to OpenVPN
# nat on openvpn inet from 192.168.7.0/24 to any port 1024:65535 # LAN to OpenVPN

I changed that to this:

nat on openvpn inet from 192.168.6.0/24 to any -> openvpn port 1024:65535 # WIFI to OpenVPN
nat on openvpn inet from 192.168.7.0/24 to any -> openvpn port 1024:65535 # LAN to OpenVPN

And issued this command:

pfctl -f /tmp/rules.debug


And now my openvpn works. So there is an error in the Outbound NAT code that generates that part of the rules file.

[mw01]

I seem to recall the NAT Outbound NAT Address was something else than Interface Address.  Wasn't it OpenVPN address and the WAN was WAN address?  Now they are both Interface Address, which makes sense.

I have something similar in /tmp/rules.debug

nat on igb1 from 192.168.1.0/24 to any port 500 -> igb1 static-port # Auto created rule for ISAKMP - OPT1 -> WAN
# nat on openvpn inet from 192.168.1.0/24 to any port 500 static-port # ISAKMP - OPT1 -> WAN_VPN4
nat on igb1 from 192.168.1.0/24 to any -> igb1 port 1024:65535 # Auto created rule - OPT1 -> WAN
# nat on openvpn inet from 192.168.1.0/24 to any port 1024:65535 # OPT1 -> WAN_VPN4

[non_sense]

I'm trying to setup a VPN client, and I'm seeing a strange issue when trying to set the Outbound NAT.

I can't select the WAN as the Translation / target, when I do i receive the error:

The following input errors were detected:

    A valid target IP address must be specified.

However if I pick any other network it seems to be OK.  Unfortunately I need to configure the NAT for the WAN interface.

Seems to be a similar problem as others in the thread.

[porouslolly]

Ok I found a temporary work around for me. In the /tmp/rules.debug file there was this:

# nat on openvpn inet from 192.168.6.0/24 to any port 1024:65535 # WIFI to OpenVPN
# nat on openvpn inet from 192.168.7.0/24 to any port 1024:65535 # LAN to OpenVPN

I changed that to this:

nat on openvpn inet from 192.168.6.0/24 to any -> openvpn port 1024:65535 # WIFI to OpenVPN
nat on openvpn inet from 192.168.7.0/24 to any -> openvpn port 1024:65535 # LAN to OpenVPN

And issued this command:

pfctl -f /tmp/rules.debug


And now my openvpn works. So there is an error in the Outbound NAT code that generates that part of the rules file.

Kanstin has hit the nail on the head. I am also using OpenVPN in client mode to redir all my egress traffic to a VPN provider. I troubleshot this for hours and tracked it down to NAT rules. Kanstin's fix worked for me for a few minutes, but anything that triggers the rulebase to reload will rewrite the /tmp/rules.debug file with the bad syntax and comment it back out.

In response I deleted all my OpenVPN NAT rules and re-created them, but that did not have any effect.

It seems this is affecting anyone who went to Firewall: NAT: Outbound and changed it from Automatic to Manual in order to add their own NAT rules.

[slackadelic]

FYI, I run PIA at home, and shunt all my default traffic out to PIA.

My default NAT rule goes out of PIA then I have an Alias with hosts configured that should by pass PIA.

With that said, IT turns out I needed to have another rule in my Outbound NAT that set my PIA interface with my bypass PIA alias list as the source, and tell it NOT to NAT.

Once I did that, things started working proper again after I flushed all of the state tables.

Not sure if this helps or not, but figured I'd add in my two cents.

[franco]

So here is a patch:

https://github.com/opnsense/core/commit/bad6be2

Removing edge cases in the outbound NAT generation for 18.1 made the newly written rules fail with OpenVPN in pf.conf as there seems to be an ambiguity in the way that "(something)" vs. "something" is validated. The edge cases were identified and excluded while the general usage flipped from parenthesis-less usage to using them almost exclusively.

Patch apply and test via:

# opnsense-patch bad6be2
# /usr/local/etc/rc.filter_configure

All feedback is highly appreciated for a quick 18.1.2 inclusion path.


Cheers,
Franco

[slackadelic]

Patch applied, no errors so far... at least nothing obvious

[Noctur]

The patch resolved the issue for me. Here's what I did:

On 17.7.12_1
Saved Config 1 with OpenVPN disabled
Saved Config 2 with OpenVPN enabled
Fresh install 18.1 over 17.7.12_1
Restored Config 1
Firmware Update, installed 18.1.1
Ran Patch above
Reboot
Restored Config 2
Checked ipLeak, other sites, installation performing as expected.

Thank you! Will continue to monitor as it has only been running about 15 minutes.

[elektroinside]

My VPN was all good before the patch, but I can confirm that everything works fine even after the patch