Archive > 15.1 Legacy Series

[SOLVED] terribly frustrating openvpn issue

(1/1)

jonathanb:
Hi,

So I'm currently running  OPNsense 15.1.12-amd64 . I'm having a very frustrating OpenVPN issue where I can connect to the VPN, but cannot access anything beyond the gateway itself. This issue has a sort of interesting story, I initially had this installed within a VM and the firewall itself worked fine, openvpn never really did. I had an alternate server at the time so this didn't really bother me.

We've since purchased a dedicated piece of hardware for this, a 1u 6-nic intel chipset board/1u case off of aliexpress. Now the strange part to me, is after installing onto the new hardware and re-importing the XML configuration OpenVPN had suddenly started routing traffic correctly, I was able to connect and access any of our subnets/attached VPN's just fine and dandy. However seemingly upon activating one of the additional interfaces (for a separate lan subnet for VOIP) openvpn once again stopped routing traffic altogether.

When connected via openvpn I am unable to reach any point past the gateway, and I am unable to ping connected clients either; getting a ping_sendto permission denied error when attempting to. I'm about at my wits end, the openvpn interface firewall is configured to let all traffic through; openvpn itself connects and authenticates correctly and traffic does flow just fine to the gateway itself.

I'm wondering if anyone here has had a similar issue and might have some insight. I've checked the firewall logs and don't see any blocked packets, I am completely at a loss as to what is causing this.

jonathanb:
Figured it out, after much pulling of hair it turns out that when you add an interface the allow all rule on LAN changes to From Lan net. Aside from the anti-lockout rule. All good now.

franco:
Hi Jonathan,

glad to hear that. :) We were discussing more flexible ways of automatically generating rules as zones security profiles and widening the anti-lockout, but that's something the users will have to help us with and their use cases.

Generally, stuff defaults to "block all" most of the time and you should always be able to find the blocked traffic using the filter log filter (no word play intended). Do you have an idea why that didn't work for you?


Cheers,
Franco

jonathanb:
Hi Franco,

It seems my joy was short-lived. This wasn't the cause of the issue it just started working at that moment for ??? . I haven't been able to make it work since. I've tracked the issue down to packets heading into the openvpn interface.

I can't ping connected clients from the router itself , I get a ping_sendto permission denied. I am able to access the web UI via the VPN but nothing on the network itself even though routes are all set correctly. I did some checking and packets do hit the network from connected VPN clients, just nothing is able to make it back through.

I'm really going nuts with this issue, do you have any ideas how I can debug this further? I'm getting nothing in the firewall logs.

Navigation

[0] Message Index