OPNsense Forum » Archive » 18.7 Legacy Series » timeouts after adding an SSL server
Topic: timeouts after adding an SSL server (Read 16015 times)
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #15 on: August 21, 2018, 09:17:58 pm »
If I do as you suggest, I lose all internet access.
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #16 on: August 21, 2018, 09:33:18 pm »
Can you share a screen of what you have before you apply that causes you to lose all internet access?
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #17 on: August 21, 2018, 09:42:27 pm »
Wasn't clear on what you wanted, but attached are two screen shots: one that allows internet access, one that does not, appropriately labeled.
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #18 on: August 21, 2018, 09:47:57 pm »
To make sure I'm following: when you apply that second policy, your LAN clients lose the ability to access the internet?
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #19 on: August 21, 2018, 10:21:45 pm »
yes
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #20 on: August 21, 2018, 10:43:33 pm »
I think I missed a key point to your config.
Did you add an OpenVPN Client or an OpenVPN Server?
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #21 on: August 21, 2018, 11:55:24 pm »
Both! The client works fine. It is adding the server that causes problems.
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #22 on: August 22, 2018, 02:49:03 am »
Ok. You have me pretty confused. In your OP, you linked to a guide running an OpenVPN server on your router so the config I shared/suggested would make sense and work for that.
If you are configuring an OpenVPN Client on your router and using that to route traffic, that's a much different config and what you are seeing makes sense.
So from a big picture, what are you trying to set up and accomplish?
I personally have my setup as an OpenVPN server on my router for remote access in and an OpenVPN client for TorGuard that I route specific IPs through (all my torrent traffic).
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #23 on: August 22, 2018, 02:58:49 am »
I believe that my original post did explain that I am trying to set up an openvpn server on a firewall that already has an openvpn
client, which sounds similar to what you have. I am not seeking help in setting up the client---that already works. It is setting up
the server that causes some strange problems.
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #24 on: August 22, 2018, 03:13:38 am »
You want to not use the OpenVPN tab for anything. You want to create interfaces for your OpenVPN server and client.
opnvpnc1 is my client
opnvpns1 is my server
Do you plan to route all your traffic through your VPN client?
I have a set of rules that route my specific LAN IPs through my OpenVPN client gateway:
https://i.imgur.com/7a5ICteh.png
I do not route my HomeVPN Server traffic through the VPN as it just goes through the regular WAN.
Since it goes through the regular WAN, the tunnel network 192.168.2.0/24 gets a NAT on my WAN interface.
If I wanted my OpenVPN server to go through my VPN, I'd change the gateway from the default to the VPN gateway and give it a proper NAT.
I'm guessing your traffic, all of it, goes through your VPN, which is why the OpenVPN NAT interface you have works. The problem with using that is that it is for all OpenVPN and, as you see, it breaks things if you configure it there.
I also toggle this setting off so if my client VPN is down, no traffic goes out:
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #25 on: August 22, 2018, 01:44:26 pm »
This is quite different from any of the tutorials or documentation that I have seen.
Which means that I am a bit lost on setting up the details now. Do you have any
place to point me on such a setup?
Logged
guest15389 (Guest)
Re: timeouts after adding an SSL server « Reply #26 on: August 22, 2018, 03:05:50 pm »
I think every tutorial I've seen talks about setting up a single server or a single client.
TorGuard posts a tutorial for pfSense that I used as a starting point:
https://torguard.net/knowledgebase.php?action=displayarticle&id=208
Same concepts basically. The overlying goal is you do not want to use the OpenVPN tab for anything. Each time you create a VPN interface, map it back to the OpenVPN server or client as an interface and apply any rules or NAT for that specific interface.
If you use the OpenVPN tab, that's global for everything and you will not be able to NAT differently or create any rules for the server or client specifically.
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #27 on: August 25, 2018, 05:27:24 pm »
I did not have time to get to this the past couple of days, but am now trying again.
These comments were very useful, and I am almost there. At first I was a bit
confused by the comment about not using the OpenVPN tab for anything, since the
tutorial you point to does use that part of the menu. I am still not sure what you mean
by that, but at any rate I use the OpenVPN tab on the menu to set up both the client
and the server. Then, as you write, I add two new interfaces for the server and the client.
Then, I set up my NAT firewall outbound rules using these interfaces. As soon as I
use this new OpenVPN client interface for my NAT rule, my timeout problems go away.
In other words, I can enable the SSL server for my OpenVPN server, and the outbound
traffic still works fine. This is great progress, and your comment about interfaces was key!
As you say, there are no (known) tutorials that have both client and server setups for
openvpn. Unfortunately, the tutorial for opnsense OpenVPN server setup does not suggest setting up
the NAT rules for openvpn through the interface. Worse, there is no help for setting
up the client, except for pfsense, and it also fails to mention the interface bit. Maybe there
is a way to help them improve the tutorial.
Anyway, now I have good access out of the LAN through my OpenVPN client. I can also
login to my network from outside using the OpenVPN server, 2FA (TOTP), and a static IP
from freemyip. However, when logged in, I do not yet have access to everything (or really
almost anything) on my LAN. Almost certainly this is a NAT firewall rule, which I don't fully
understand yet. There is (again) a conflict between your setup and what is in the tutorial
here. For example, the tutorial suggests opening port 1194 to the WAN, but you have no
such rule. Also, you do not have any NAT rule for the OpenVPN server, that I can see---
only for the client. I am sure that it is something simple, but am afraid to mess too much
with NAT rules that are currently almost working. Attached is my NAT rule setup. Do
you have any suggestions? Especially anything that would educate me about how
these are supposed to work?
Thanks again for your help.
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #28 on: August 25, 2018, 05:52:33 pm »
I spoke too soon! Without making any (known) changes, I do NOT have access to my OpenVPN server. So, a couple of
simple questions:
1) In setting up the OpenVPN server, do I use the WAN interface, or the OpenVPN Server interface?
2) Do I use the UDP protocol or the UDP4 protocol?
3) What exactly is the NAT firewall outbound rule?
All of the tutorials get very vague at this last point, only showing the table, but each rule has a screen of
more settings than show up in the table. Hence, I am scared to mess with these and lose all access to
the internet from my LAN (and invoking the wrath of she-who-must-not-be-contradicted).
Logged
jds (Full Member, Posts: 112, Karma: 3)
Re: timeouts after adding an SSL server « Reply #29 on: August 25, 2018, 06:35:43 pm »
Got it! I was being stupid and trying to open up the port in firewall -> NAT -> outbound, instead of going to firewall -> NAT -> rules,
and putting two rules there: one to open up port 1194 on the WAN interface for IPv4 UDP, and a second rule for OpenVPN Server
interface to allow traffic from my server subnet (10.10.0.0/24) to everything. Now I can VPN in, and have access to the whole LAN.
Yeah! All of the bits and pieces are out there once I added your key point of going through the interfaces. Not sure I could reproduce
the whole thing, though.
Many thanks!
Logged
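Added example, not part of any post in this thread and not OPNsense's generated ruleset: a pf.conf-style sketch of the per-interface layout the thread converges on, with NAT and filter rules bound to the assigned client and server interfaces rather than to the shared OpenVPN tab. The interface names opnvpnc1/opnvpns1, port 1194 and 10.10.0.0/24 come from the posts; the NIC names, the VPN gateway address and the LAN hosts are assumptions.

```pf
# --- macros (em0/em1, the gateway and the host list are assumed values) ---
wan_if  = "em0"            # assumed WAN NIC
lan_if  = "em1"            # assumed LAN NIC
vpnc_if = "opnvpnc1"       # assigned OpenVPN client interface (name from the thread)
vpns_if = "opnvpns1"       # assigned OpenVPN server interface (name from the thread)
vpnc_gw = "10.8.0.1"       # placeholder: gateway handed out by the VPN provider
srv_net = "10.10.0.0/24"   # OpenVPN server tunnel network (from reply #29)

# LAN hosts that must leave through the VPN client (constructed addresses)
table <via_vpn> { 192.168.1.50, 192.168.1.51 }

# --- outbound NAT, one rule per egress interface ---
# Hosts policy-routed into the client tunnel are translated on the client interface.
nat on $vpnc_if inet from <via_vpn> to any -> ($vpnc_if)
# Road-warrior clients of the server, and the rest of the LAN, leave via plain WAN.
nat on $wan_if inet from $srv_net to any -> ($wan_if)
nat on $wan_if inet from $lan_if:network to any -> ($wan_if)

# --- filter rules ---
block drop log all

# Let remote clients reach the OpenVPN server: IPv4 UDP 1194 on WAN.
pass in quick on $wan_if inet proto udp from any to ($wan_if) port 1194 keep state

# Traffic arriving through the server tunnel may reach the LAN and beyond.
pass in quick on $vpns_if inet from $srv_net to any keep state

# Selected LAN hosts are forced out through the client tunnel's gateway.
pass in quick on $lan_if route-to ($vpnc_if $vpnc_gw) inet from <via_vpn> to any keep state

# Everything else on the LAN follows the default route.
pass in quick on $lan_if inet from $lan_if:network to any keep state
pass out quick inet all keep state
```

Because each translation and pass rule names a single interface, the server's tunnel network and the client's policy-routed hosts can be handled differently, which a rule on the shared OpenVPN group cannot express.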