[SOLVED] Is an OpenVPN client configuration required?

[seamus]

Still working through the SSL VPN setup "How-To" guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html).

Trying to follow the guide in Step 2, "Firewall Rules" - to allow traffic from the VPN clients to the LAN interface. Specifically, in the rule for the OpenVPN interface, it seems that I'm missing something because I do not see an "OpenVPN Clients" option in the drop-down for that firewall rule (as shown in the "How-To guide"); all I get is the phrase "Nothing Selected".

Could it be that the guide has omitted a step for creating an OpenVPN client?

[marjohn56]

Could be an out of date doc. Are you running Opnsense 17 or 18?

BTW, it's often easier, unless you have some really complex OpenVPN setup to use the wizard to do all the work for you.

[seamus]

Sorry, here's my version info:
OPNsense 18.1.2_2-amd64
FreeBSD 11.1-RELEASE-p6
OpenSSL 1.0.2n 7 Dec 2017

Re "wizards": Perhaps that is easier, but wizards in general have not served me well. I thought the advantage of following the How-To would be to gain a better "feel" for how things are organized... a learning opportunity, if you will.

Anyway - I pressed ahead with things, ignoring the difference I noted, and found I actually can connect to my OpenVPN server! Next problem is figuring out how to actually connect to resources on the network from my client machine. The client machine's IP is 10.10.0.6, and my LAN is 192.168.1.0/24... so there must be another step (or two) required to route my packets to their destination on the LAN.

[marjohn56]

Just have a default OpenVPN rule IPv4 Any to Any and the same for the LAN rule.

What you could do is run the wizard and note the differences.

[seamus]

Thanks for your suggestions. I've attached screenshots of my OpenVPN and LAN firewall rules. Does anything in these rulesets look incorrect/incomplete?

It seems I get a successful connection to the firewall from my "Road Warrior" laptop, but then I'm sitting there with this IP address (10.10.0.6) that won't route on the local network.

And which wizard are you talking about? the OpenVPN Server wizard, or one of the others? Is this what people here use - the wizards?

[seamus]

Needed a second reply to get the 2nd screenshot

[marjohn56]

People round here use whatever they like, some will write it all manually, some will use the wizard and some will do a bit of both,  that's what I do.

Change your rules source from lan.net to any, that should fix you. The Lan.net will only allow that network, e.g. 192.168.1.0/24, you want to allow all networks that are Lan side to talk to each other.

[seamus]

Thanks again, but there's still something missing. I've attached a copy of the fw ruleset change - is this what you meant?

[seamus]

And here's a shot of the connection status, if that's of any use

[marjohn56]

Have you also checked the rules for the VPN itself?
same principle applies

[seamus]

Oh, a few other items that might be relevant:

1. Cannot ping anything on the LAN (192.168.1.0/24)

2. I can reach hosts outside the LAN! (e.g. google.com)

3. I've set up this fw to use DNS forwarding - not the DNS resolver (why? I've always done it this way, and it's always worked well as I have a Windows DC on the LAN.

[seamus]

Have you also checked the rules for the VPN itself?
same principle applies

Here's my VPN ruleset...

[marjohn56]

Here's a quickie, your 'Road Warrior' laptop, apart from it's VPN connection, what other connections does it have, i.e. has it got the same LAN range as the opnsense LAN?

[marjohn56]

Are you also seeing these..

[marjohn56]

OpenVPN Rule generated by the wizard.