OpenVPN no internet connection #13

Open
swiftbird07 opened this issue Feb 7, 2022 · 6 comments

Comments

@swiftbird07

swiftbird07 commented Feb 7, 2022

Hello, it's me again :)

I now tried to use OpenVPN to connect to UTMFW using the provided config files but it does not allow me to connect to anything besides the local network (UTMFW WUI using the local IP works but no internet).

What I did:

  1. Fresh setup of UTMFW with 2 interfaces (internal/external) with every package installed
  2. Connected to the WUI using ssh ... -L port forwarding (I use a cloud server to host UTMFW)
  3. Downloaded the OpenVPN client.conf and relevant certs via SFTP
  4. Changed the remote port on my client to the actual public IP of UTMFW, the cert paths and enabled the setting to route any ipv4 traffic through Tunnelblick (OpenVPN client for MacOS)
  5. Un-commented the "VPN" section in the pf.conf and did pfctl -f pf.conf
  6. Connected using the client.conf. The connection is green/established. (It just warns that the DNS is not routed through the VPN)
  7. No connection to anything besides 10.0.0.3 (the internal IP)
  • I tried just a ping 1.1.1.1, curl https://1.1.1.1 or neverssl.com, nothing works.
  • In the WUI I can see many more "States" if I connect but nothing on "Data Transfer" or "Internal interfaces". No logs in any of the packages' Log sections (IDS/IPS/Spam etc).
  • I can see no pf blocks in the log. I see pass from 10.0.0.8 to public-IPs that seem to be the one I requested but I see nothing in the other direction.
  • I tried enabling the #VPN passthrough rules that were commented in the pf.conf but it also didn't work.

Maybe I am missing some routing? Or did I do anything else wrong?
Any help would be appreciated. :)

@sonertari
Owner

It's always good to hear from users.

I don't actively use OpenVPN, but your descriptions make me think:

  • You never mention any OpenVPN server. Do you start openvpn with the server config on UTMFW? I guess you do, because you say that the connection is green/established.
  • I guess you mean the OpenVPN section in pf.conf, not VPN, because the VPN rules are for IPsec VPN. I guess you do, because in your last comment you refer to those rules as VPN passthru. (Btw, for port configuration I guess you have already read Advanced option settings on the command line.)
  • I have never used cloud servers, but I know that some containers restrict networking, so could it be something similar?
  • Routing may be an issue too, as you have guessed, because if the OpenVPN server and client are connected, and if there are no issues with the pf rules, then probably the issue is with routing. Do you have any entries in the routing table on the client corresponding to the OpenVPN connection, which will route the packets over the OpenVPN connection?

But, perhaps I should test a similar setup like yours to understand what's going on. (What cloud service are you using?)

@swiftbird07
Author

Thanks for the fast answer!

  • You never mention any OpenVPN server. Do you start openvpn with the server config on UTMFW?

Yes, sorry, forgot to write that.

  • I guess you mean the OpenVPN section in pf.conf, not VPN,

Yes, I meant that, sorry.

  • I have never used cloud servers, but I know that some containers restrict networking, so could it be something similar?

Hm, they only block port 25 because of potential mail spam, and I have no firewall enabled.

  • Routing may be an issue too, as you have guessed, because if the OpenVPN server and client are connected, and if there are no issues with the pf rules, then probably the issue is with routing. Do you have any entries in the routing table on the client corresponding to the OpenVPN connection, which will route the packets over the OpenVPN connection?

Oh do I need to add routing tables to the client? I thought the OpenVPN client software does that automatically. As said I enabled the option to send all ipv4 traffic through the VPN (which is the reason why I can't access anything on the internet if connected)

  • But, perhaps I should test a similar setup like yours to understand what's going on. (What cloud service are you using?)

I use Hetzner Cloud; they are cheap, and they were so nice to add your UTMFW ISO to the installable ISOs after I requested it (normally you need to have a dedicated server for custom ISO installations).

@swiftbird07
Author

Btw I am always open for alternatives to OpenVPN as long as I can connect my clients with it from remote.

@sonertari
Owner

Since I did not know how you tested, I asked about the routing table on the client side, I guess that's not the issue. Well, I guess my comments were not helpful at all, sorry. And I don't think I can use your cloud provider either (but it's interesting to hear that they've added the UTMFW iso among their installable isos). I don't have any other comments at the moment, but let me know if you make some progress. And do certainly let me know if this is an issue with UTMFW.

@sonertari
Owner

Btw, a further comment: I always thought that the OpenVPN feature on UTMFW would be used to connect two UTMFW systems at remote locations, such as two offices of a company. I never thought it would be used to connect the clients to the Internet.

So, given that you connect to the OpenVPN server on UTMFW over its external interface, the connections initiated by your OpenVPN client should go out of the same external interface. That sounds interesting in terms of the pf rules and routing on UTMFW, because it seems backwards to its normal operation, i.e. the connections are expected to be initiated from the internal network running on the internal interface (which is again different from its original intention). But even so, I think it should be possible, but I cannot guess what to do unless I try it myself.
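An added example, not from the issue or from UTMFW, for the symptom reported above (pf passes the client's outbound packets, nothing comes back): a small shell check over `pfctl -s state` and `pfctl -s rules` output that flags tunnel-sourced states which were never translated by a nat-to rule and never received a reply, and then checks whether any nat-to rule covers the tunnel network at all. The pfctl samples are constructed; 10.0.0.8 as the OpenVPN client's tunnel address, 10.0.0.0/24 as the tunnel network, 192.168.1.0/24 as the internal LAN and em0 as the external interface are assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s state` output (not taken from the issue).
# Assumed: 10.0.0.8 = OpenVPN client tunnel address, em0 = external interface.
# A translated state shows the pre-NAT address in parentheses before "->".
SAMPLE_STATES='all tcp 10.0.0.8:49152 -> 1.1.1.1:443       SYN_SENT:CLOSED
all tcp 10.0.0.8:49153 -> 1.1.1.1:80       SYN_SENT:CLOSED
all udp 10.0.0.8:49154 -> 1.1.1.1:53       SINGLE:NO_TRAFFIC
em0 tcp 203.0.113.5:61000 (192.168.1.20:52000) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED'

# Constructed sample of `pfctl -s rules` output: NAT exists only for the
# assumed internal LAN 192.168.1.0/24, not for the tunnel network.
SAMPLE_RULES='pass in on tun0 inet from 10.0.0.0/24 to any
match out on em0 inet from 192.168.1.0/24 to any nat-to (em0)'

# Count states whose source starts with $1, were never translated (field 4 is
# "->" rather than an "(original)" address) and never saw a reply.  A non-zero
# count means packets leave with the tunnel address as source, so the replies
# have no route back to the firewall: a missing NAT rule or a routing gap.
half_open_untranslated() {
  printf '%s\n' "$2" | awk -v p="$1" '
    index($3, p) == 1 && $4 == "->" &&
    ($NF == "SYN_SENT:CLOSED" || $NF == "SINGLE:NO_TRAFFIC") { n++ }
    END { print n + 0 }'
}

# Count "match out ... nat-to" rules whose source is exactly the network $1.
nat_rules_for() {
  printf '%s\n' "$2" | awk -v net="$1" '
    $1 == "match" && $2 == "out" && index($0, " from " net " ") > 0 &&
    index($0, "nat-to") > 0 { n++ }
    END { print n + 0 }'
}

# Combine both checks; exit status 1 flags the gap.  On a live UTMFW box,
# replace the samples with "$(pfctl -s state)" and "$(pfctl -s rules)".
report() {
  tun_net="$1"; tun_host="$2"
  stuck=$(half_open_untranslated "$tun_host" "$SAMPLE_STATES")
  nat=$(nat_rules_for "$tun_net" "$SAMPLE_RULES")
  if [ "$stuck" -gt 0 ] && [ "$nat" -eq 0 ]; then
    echo "$stuck one-way untranslated state(s) from $tun_host, no nat-to rule for $tun_net"
    return 1
  fi
  echo "no NAT gap detected for $tun_net"
}

report 10.0.0.0/24 10.0.0.8: || true
```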

@swiftbird07
Author

Yeah as my ISP does not give me an option to use my home-firewall as a router/modem (the access to WAN is encrypted in their proprietary router) I can't use UTMFW as intended without some way to redirect traffic to it.
Btw I wrote you an Email if you want to access the server yourself.
