Add section about OpenVPN assigned interfaces (#295)

pull/297/head
Marc Leuser 4 years ago committed by GitHub
parent 5b9e66426f
commit ec62439d9c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -73,3 +73,4 @@ be found in the list below.
troubleshooting/boot
troubleshooting/gateways
troubleshooting/network
troubleshooting/openvpn

@ -0,0 +1,29 @@
====================================
OpenVPN
====================================
---------------------------------
Assigned Interfaces
---------------------------------
While not strictly necessary, it is possible to assign individual interfaces for OpenVPN servers and clients alike. However doing
so may yield unexpected behaviour of firewall rules. Most notably, rules created on an assigned interface of an OpenVPN Roadwarrior
server are created with the :code:`reply-to` directive by default, which breaks client connectivity.
.. Tip::
In cases as described above, it can be observed that incoming traffic matches and passes the corresponding firewall rule, but
reply traffic is never sent back to the connected client. This can be verified via the Web GUI by going to
:menuselection:`Firewall -> Log Files -> Live View` and optionally by performing a packet capture on the affected interface.
There are multiple ways to fix this problem. For most setups, it will be sufficient to disable the automatically created IPv4 and
IPv6 Gateways under :menuselection:`System -> Gateways -> Single`. Doing so will also disable the automatic addition of the
:code:`reply-to` directive to rules created on the interface, and client connectivity will be restored.
Another option is to manually select the option "Disable Reply-To" on each firewall rule you generate on the assigned interface.
See :doc:`/manual/firewall` for further details.
The third option is to globally disable the generation of :code:`reply-to` completely as described in
:doc:`/manual/firewall_settings`. However this method can break Multi-WAN setups.