Hi, I have an openvpn connection established between the RUTX11 and a Sophos UTM SG330.
I can connect from the Sophos to the RUTX11 via the openvpn connection.
I cannot connect from the RUTX11 to the Sophos UTM via the openvpn tunnel. I can connect to other networks on the Sophos UTM if I send the traffic out of the wan on the RUTX11 so I know the routing is working fine.
If I send it via the OpenVPN tunnel, it doesn't reach its destination.
Dropping the firewall on the RUTX11 allows traffic to reach the destination via the openvpn tunnel (traceroute confirms this).
Dropping the firewall (tunnel traffic allowed)
[email protected]:~# /etc/init.d/firewall stop
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) cannot resolve device of network 'mob1s2a1'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
Warning: Option @rule[14].vpn_type is unknown
Warning: Option @rule[15].vpn_type is unknown
Warning: Option @rule[16].vpn_type is unknown
Warning: Option @rule[17].vpn_type is unknown
Warning: Option @redirect[6].vpn_type is unknown
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
Starting the firewall (tunnel traffic is blocked)
[email protected]:~# /etc/init.d/firewall start
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) cannot resolve device of network 'mob1s2a1'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
Warning: Option @rule[14].vpn_type is unknown
Warning: Option @rule[15].vpn_type is unknown
Warning: Option @rule[16].vpn_type is unknown
Warning: Option @rule[17].vpn_type is unknown
Warning: Option @redirect[6].vpn_type is unknown
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Enable_HTTPS_WAN'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Enable_HTTPS_WAN'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Flushing conntrack table ...
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/usr/share/miniupnpd/firewall.include'
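Added example, not from the original post and not Teltonika's or OpenWrt's own configuration: a fragment in OpenWrt UCI syntax for /etc/config/firewall that puts the OpenVPN device in its own zone and adds explicit forwardings. The firewall start output above lists only the zones 'lan' and 'wan' and a single forward 'lan' -> 'wan', which is consistent with the tunnel device not belonging to any zone (an assumption, not something the post states), in which case forwarded tunnel traffic falls to the global forward default, normally REJECT on OpenWrt. The zone name 'openvpn', the device pattern 'tun+' and the LAN zone name 'lan' are assumptions; the device pattern must match what `ip link` shows for the tunnel on the router.

```uci
# Added example (not from the post, not vendor code). Assumptions: the OpenVPN
# device name matches 'tun+', the LAN zone is called 'lan', the new zone is
# called 'openvpn'. Existing 'config defaults', 'lan' and 'wan' sections in
# /etc/config/firewall stay as they are; only the sections below are added.

# A zone for the tunnel device. 'output' ACCEPT lets the router itself send into
# the tunnel; 'input' ACCEPT lets the remote site reach services on the router.
# If the remote side should not be able to manage the router, set input to
# REJECT and add specific 'config rule' entries instead.
config zone
	option name 'openvpn'
	list device 'tun+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Forwarding is directional. Traffic from hosts behind the RUTX11 towards the
# Sophos side needs lan -> openvpn; the return direction (Sophos side towards
# the RUTX11 LAN) needs openvpn -> lan. Neither existed in the start output,
# which showed only 'lan' -> 'wan'.
config forwarding
	option src 'lan'
	option dest 'openvpn'

config forwarding
	option src 'openvpn'
	option dest 'lan'
```

Apply it with `/etc/init.d/firewall restart` (the same init script used above) rather than by stopping the firewall, since a stopped firewall also leaves the WAN-facing services unprotected. No `option masq '1'` is set on the openvpn zone, so the Sophos side sees the real LAN source addresses and must have a route back through the tunnel; add masquerading on that zone only if the remote end cannot route to the RUTX11 LAN.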