neebski wrote:@karog@goldlineIT Ok, I was able to strip down my old config and get the VPN connected and routing for the selected devices (the VPNClients address-group) through the tunnel. For the life of me I can't figure out why, as soon as I enable the VPN, every other device — the ones not in that address-group — loses access to the internet.
admin@NeberHaus:~$ show configuration all firewall { all-ping enable broadcast-ping disable group { address-group OpenDNSServers { address 208.67.222.222 address 208.67.220.220 description "Send DNS queries to Odns" } address-group VPNClients { address 10.1.1.1 description "Clients to send to VPN" } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable modify OPENVPN_ROUTE { rule 1 { action modify description "Traffic from devices to vtun0" modify { table 1 } source { group { address-group VPNClients } } } } name ETH0_IN { default-action drop description "Internet In" rule 1 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } name ETH0_LOCAL { default-action drop description "" rule 1 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid state" log disable protocol all state { established disable invalid enable new disable related disable } } } name ETH0_OUT { default-action accept description "" rule 1 { action accept description "Allow established/related" log disable protocol all state { established enable invalid disable new disable related enable } } } name LAN_IN { default-action accept description "" } name LAN_LOCAL { default-action accept description "" } name LAN_OUT { default-action accept description "" } name LOCAL_OUT { default-action accept description "" } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp duplex auto firewall { in { name ETH0_IN } local { name ETH0_LOCAL } out { name ETH0_OUT } } speed auto } ethernet eth1 
{ address 10.1.0.1/23 duplex auto firewall { in { modify OPENVPN_ROUTE name LAN_IN } local { name LAN_LOCAL } out { name LAN_OUT } } speed auto } ethernet eth2 { address 10.1.0.2/23 duplex auto speed auto } loopback lo { } openvpn vtun0 { config-file /config/auth/PIA-US-East.ovpn description "PIA VPN" } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth1 lan-interface eth2 rule 1 { description Xprotect forward-to { address 10.1.0.10 port 8081 } original-port 8081 protocol tcp_udp } wan-interface eth0 } protocols { static { table 1 { interface-route 0.0.0.0/0 { next-hop-interface vtun0 { } } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name Default-DHCP { authoritative disable subnet 10.1.0.0/23 { default-router 10.1.0.1 dns-server 10.1.0.1 lease 86400 start 10.1.1.1 { stop 10.1.1.254 } static-mapping AP1 { ip-address 10.1.0.20 mac-address 44:d9:e7:90:39:96 } static-mapping CAM-Entry { ip-address 10.1.0.54 mac-address 90:02:a9:62:4f:b5 } static-mapping CAM-FrontDriveway { ip-address 10.1.0.53 mac-address 00:0b:82:5b:43:6d } static-mapping CAM-GarageDriveway { ip-address 10.1.0.52 mac-address 00:0b:82:5b:43:00 } static-mapping CAM-Matts { ip-address 10.1.0.50 mac-address 9c:8e:cd:00:74:3e } static-mapping CAM-Office { ip-address 10.1.0.51 mac-address 00:02:d1:33:cd:28 } } } } dns { dynamic { interface eth0 { service dyndns { host-name all.dnsomatic.com login n@gmail.com password **************** server updates.dnsomatic.com } web myip.dnsomatic.com } } forwarding { cache-size 150 listen-on eth1 listen-on eth2 name-server 208.67.222.222 name-server 208.67.220.220 } } gui { https-port 443 } nat { rule 1 { description "Force OpenDNS" destination { port 53 } inbound-interface eth1 inside-address { address 10.1.0.1 port 53 } log disable protocol tcp_udp type destination } rule 5000 { description "Masquerade to ETH0" log disable outbound-interface eth0 protocol all source { } type masquerade } rule 5001 { 
description openvpn log disable outbound-interface vtun0 protocol all source { group { address-group VPNClients } } type masquerade } } snmp { community public { authorization ro } } ssh { port 22 protocol-version v2 } } system { host-name NeberHaus login { user admin { authentication { encrypted-password **************** plaintext-password **************** } full-name Administrator level admin } } ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone America/New_York traffic-analysis { dpi enable export enable } }
You need to re-order your NAT rules: move the OpenVPN masquerade rule (currently 5001, outbound-interface vtun0) above the rule called "Masquerade to ETH0" (5000). Be aware that each of those two masquerade rules is bound to a different outbound interface, so ordering alone cannot make the same packet hit the wrong rule; if the devices outside the VPNClients group still lose internet after the reorder, check whether the PIA .ovpn file pushes a default route (redirect-gateway) into the main routing table — if it does, non-VPN traffic is steered out vtun0 where no masquerade rule matches it, and the usual fix is adding route-nopull to the OpenVPN config so only the policy-routed traffic (table 1) uses the tunnel. If the configuration file is correct and the connection is being established with PIA, re-ordering the NAT rules (and, if needed, that route change) should do it.