What's the difference between OpenVPN and OPT4 interface?

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:44:50 GMT

lohphat — Fri, 14 May 2021 20:44:50 GMT

@viragomann I didn't try that. Since adding the OPT4 /ovpns1 assigned interface fixed it for me I stopped trying. I'll go back to the config and try when it's idle.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:34:53 GMT

viragomann — Fri, 14 May 2021 20:34:53 GMT

@lohphat
Did you add the tunnel network to unbound ACLs?

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:33:49 GMT

lohphat — Fri, 14 May 2021 20:33:49 GMT

@viragomann Ok that I understand, but then why doesn't unbound enumerate it to respond to queries?

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:31:51 GMT

lohphat — Fri, 14 May 2021 20:31:51 GMT

@eric-lts Correct. e.g. if the client net is 192.168.23.0/24 and local DNS is desired (so the pfBlockerNG-devel can filter DNS), I have to add the assigned interface for the DNS quieries to function. I tried sending them to 192.168.0.1 but that wouldn't work for some reason. If I used external DNS like 1.1.1.1 and 9.9.9.9 those would work.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:29:19 GMT

viragomann — Fri, 14 May 2021 20:29:19 GMT

@lohphat
The OpenVPN tab is basically an interface group, implicitly added be pfSense, when configuring an OpenVPN instance. It includes all OpenVPN servers and clients you're running.

For some special purposes interface groups cannot be used.

Consider that firewall rules on interface group tabs are probed at first. So if a group rule applies to an incoming packet, the rules on the interface tab you,ve assigned to the instance will be ignored.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:24:23 GMT

Eric-LTS — Fri, 14 May 2021 20:24:23 GMT

@lohphat So the OpenVPN client isn't able to reach your unbound server on your pfSense? I'm assuming you're providing a DNS server list to your VPN clients under the Advanced Client Settings on your OpenVPN server? What servers do you have listed there?

You otherwise have rules set to allow traffic on the OpenVPN interface at least for port 53 (if you haven't changed that from the default in unbound)?

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 20:22:47 GMT

lohphat — Fri, 14 May 2021 20:22:47 GMT

@eric-lts Unless I create the ovpns1 interface then I can't get unbound to answer DNS queries on the client /24 because the OpenVPN pseudo interface doesn't show up in the interface list of the DNS Resolver page.

Only creating the OPT4/ovpns1 interface allows unbound to service attached clients.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 16:58:44 GMT

Eric-LTS — Fri, 14 May 2021 16:58:44 GMT

@lohphat https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html

I'm not 100% on why they are created separately, but it seems to be a difference between whether or not you are looking to initiate and route traffic out the VPN tunnel. When you create the OpenVPN server, you use the OpenVPN interface in the firewall rules to allow inbound traffic from the VPN clients. The new OpenVPN interface you are then able to assign and create in the Interfaces > Assignments > Interface Assignments window is for when you are trying to route traffic initiating from your pfSense out the VPN tunnel. For example, if you are connecting your pfSense as a client to say a NordVPN server and you want to policy route traffic to it, you would create the client config and then assign the interface and configure your Outbound NAT accordingly. You would otherwise use that interface in a peer-to-peer configuration to ensure traffic can flow bidirectionally over the tunnel.

As far as I understand, the OpenVPN interface you assign is strictly to create an outbound gateway from your pfSense, and the firewall interface it assigns is strictly for inbound traffic from the OpenVPN tunnel.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 08:20:55 GMT

lohphat — Fri, 14 May 2021 08:20:55 GMT

@kom The problem is the wizard creates an interface (OpenVPN) which is NOT in the assigned interface list it only shows up in the rules menu.

Unbound doesn't see this interface. At all.

You have to create the new interface OPT4 manually for DNS to see it to work (ovpns1); now there are two interfaces. The one the wizard created (OpenVPN) is not in the assigned interface list.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 02:41:59 GMT

KOM — Fri, 14 May 2021 02:41:59 GMT

@lohphat Every interface has to have at least one rule to let traffic flow. The OpenVPN wizard will create it for you but if you manually assign an interface then you have to create it yourself.

Reply to What's the difference between OpenVPN and OPT4 interface? on Fri, 14 May 2021 01:42:13 GMT

lohphat — Fri, 14 May 2021 01:42:13 GMT

@kom That's what I figured, but unless you enable the OPT4 rule, then the DNS server can't reply to the interface.

Methinks this is a structural bug as it infers two distinct classes of what an Interface is or not.

Reply to What's the difference between OpenVPN and OPT4 interface? on Thu, 13 May 2021 21:23:44 GMT

KOM — Thu, 13 May 2021 21:23:44 GMT

@lohphat IIRC the OpenVPN tab is kind of a global list. If you have your OpenVPN connection assigned to an interface then pfSense will use the interface rules. If no interface then it uses the OpenVPN tab rules.