Topic: timeouts after adding an SSL server (Read 16011 times)
jds (Full Member, Posts: 112, Karma: 3) « on: August 17, 2018, 07:44:59 pm »
I have discovered a very strange problem---at least it seems strange to me, because there is no obvious relation.
Following the tutorial on setting up SSL VPN Road Warrior causes many outbound connections from my LAN
to time out---especially from Apple appliances. This is repeatable, and I pinpointed exactly where the problem
occurs: when adding the SSL Server.
Now the details. I followed the tutorial as exactly as possible found here for setting up the OpenVPN server:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
It worked beautifully, and I could reach my LAN from outside. But, this setup started causing immediate problems
with many, but not all outbound connections. I restored the configuration back to the beginning of this setup,
and connectivity to the outside from the LAN was again restored.
I again tried setting up the SSL VPN Road Warrior again, following the instructions exactly. Connectivity from outside
worked again, but there were again problems with LAN reaching outside on many connections. I restored the
setting once again, and then checked LAN connectivity to outside at every single step of the tutorial. In fact,
I even rebooted my firewall after each step to be sure. Doing this, I discovered that connectivity issues happened
after adding the SSL server. Connectivity was also a problem after rebooting. If I disabled the SSL server,
connectivity was restored. The tutorial does not mention what to select for "Peer Certificate Authority", but it seemed
obvious that this should be "SSL VPN CA". Otherwise, there was not much else to decide on.
I have set up OPNsense in a pretty standard way. After default bits, there were three modifications:
1) Backups for configurations on the cloud were added (which is extremely handy for debugging!).
2) An OpenVPN client was added.
3) I changed my DNS to use a Pi-hole.
These things should not be related to the problem, but who knows? These took some work to set up, but
now work beautifully.
Any help is appreciated, because I really need access to this LAN from the outside.
Logged
jds « Reply #1 on: August 21, 2018, 03:48:35 pm »
No ideas? Am I posting in the wrong spot? Should I add more info?
Logged
guest15389 (Guest) « Reply #2 on: August 21, 2018, 04:22:42 pm »
I am not sure what would cause that issue.
If you can share what you did for Firewall -> NAT -> Outbound via a screenshot and any rules you've added via screenshots, that would probably be a good starting point.
Logged
jds « Reply #3 on: August 21, 2018, 05:45:52 pm »
Thanks for your help.
My NAT outbound rules are very simple so far. All I did was change the two automatically generated rules to manual and handle my outbound client VPN.
Logged
guest15389 « Reply #4 on: August 21, 2018, 05:58:15 pm »
You look to be missing an outbound NAT for your LAN network. I have 1 set up for my HomeVPN network as well:
https://i.imgur.com/NH1ipkP.png
I have a separate client OpenVPN as well so that's my other interface you see.
Logged
jds « Reply #5 on: August 21, 2018, 06:31:57 pm »
OK, if I understand correctly, you have one subnet (192.168.2.0) that goes out your VPN, and a second
subnet (192.168.1.0) that goes out normally. For some reason, one of my interfaces looks incorrect,
and as you point out, there is a rule for outbound LAN missing. I have made those two changes, and
everything seems to work OK still (without the SSL server enabled). I enable the SSL server as the tutorial
suggests, and the timeouts return. I disable the SSL server, and everything works again.
Attached are my new NAT rules. The SSL setup is the same as in the tutorial.
Logged
guest15389 « Reply #6 on: August 21, 2018, 06:35:08 pm »
Yes, to share more details.
My LAN Interface is 192.168.1.1 and LAN Network is 192.168.1.0/24
My HomeVPN Tunnel Network is 192.168.2.0/24 so when a HomeVPN Client connects, they get a 192.168.2.x address.
So Outbound NAT is needed for both of those on the WAN Interface to allow LAN and HomeVPN traffic out respectively.
I personally redirect all my traffic through the HomeVPN as well once I connect.
Logged
jds « Reply #7 on: August 21, 2018, 08:08:22 pm »
OK, it seems like I now have similar NAT outbound rules, except only one subnet. I still have timeout problems with the SSL OpenVPN server enabled.
Logged
guest15389 « Reply #8 on: August 21, 2018, 08:10:26 pm »
I'm not following.
Can you share screenshots of your Outbound NAT like I did as well as what you've configured for your OpenVPN Tunnel?
Logged
jds « Reply #9 on: August 21, 2018, 08:26:32 pm »
There is a screen shot of my NAT rules above.
Here are a couple of screen shots of my OpenVPN server settings.
Logged
guest15389 « Reply #10 on: August 21, 2018, 08:32:54 pm »
What does this look like for you?
Logged
jds « Reply #11 on: August 21, 2018, 08:41:38 pm »
Sorry, am I missing something? Isn't this what I attached above?
Logged
guest15389 « Reply #12 on: August 21, 2018, 08:53:31 pm »
When I click on the 2 images, I see the OpenVPN Server Settings.
I'm looking for Firewall->NAT->Outbound picture.
Logged
jds « Reply #13 on: August 21, 2018, 09:06:31 pm »
I think you are missing the one above that. Here it is again.
Logged
guest15389 « Reply #14 on: August 21, 2018, 09:11:23 pm »
Yes, so you'd want to delete the item on the OpenVPN Interface (your first line).
You can create another entry for the WAN interface with the subnet 10.10.0.0/24 which is your tunnel network.
Your outbound access breaks because you added a NAT on the OpenVPN interface.
Logged
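The check that Reply #14 describes, as an added example that is not part of the thread and not OPNsense code: a small Python audit over a list of outbound NAT rules that reports internal networks with no rule on an egress interface and rules bound to any other interface. The rule dictionaries, the interface labels `wan` and `openvpn`, and the 192.168.1.0/24 LAN value are constructed for illustration; 10.10.0.0/24 is the tunnel network named in the thread.

```python
import ipaddress


def audit_outbound_nat(rules, internal_nets, egress_ifaces):
    """Return (uncovered, misplaced) for a manual outbound NAT rule set.

    uncovered: internal networks not matched by any rule on an egress interface
    misplaced: rules bound to an interface that is not an egress interface
    """
    egress = set(egress_ifaces)
    misplaced = [r for r in rules if r["interface"] not in egress]
    covered = [
        ipaddress.ip_network(r["source"])
        for r in rules
        if r["interface"] in egress
    ]
    uncovered = []
    for net in internal_nets:
        n = ipaddress.ip_network(net)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first
        if not any(n.version == c.version and n.subnet_of(c) for c in covered):
            uncovered.append(net)
    return uncovered, misplaced


# Constructed sample data (the thread's screenshots are not available).
INTERNAL = ["192.168.1.0/24", "10.10.0.0/24"]   # LAN (assumed), tunnel network
EGRESS = ["wan"]   # add a VPN *client* interface here if traffic is routed out through it

# Shape of the rule set criticised in Reply #14: a rule on the OpenVPN interface.
BEFORE = [
    {"interface": "openvpn", "source": "192.168.1.0/24"},
    {"interface": "wan", "source": "192.168.1.0/24"},
]

# After the suggested fix: no rule on the OpenVPN interface, tunnel network NATed on WAN.
AFTER = [
    {"interface": "wan", "source": "192.168.1.0/24"},
    {"interface": "wan", "source": "10.10.0.0/24"},
]

if __name__ == "__main__":
    for label, ruleset in (("before", BEFORE), ("after", AFTER)):
        uncovered, misplaced = audit_outbound_nat(ruleset, INTERNAL, EGRESS)
        print(label, "uncovered:", uncovered, "misplaced:", misplaced)
```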