OPNsense routes traffic to its own IP into IPsec VPN

Tags: ipsec, pfsense, routing

I have an OPNsense device with an IPsec VPN to a remote site, which works fine. All traffic from the LAN should go through the VPN, so I configured the Phase 2 like this:

  • Local Subnet: LAN network
  • Remote Subnet: 0.0.0.0/0

All traffic from my LAN now goes into the tunnel. However, this means that even IP packets to the firewall itself are routed through the VPN. I can see them on the remote gateway, where they are dropped (obviously). As a consequence, I cannot reach the OPNsense web UI from my LAN interface anymore. Other interfaces keep working as expected.

How can I prevent OPNsense from sending traffic that is destined directly to its own interfaces into the VPN tunnel?

My first idea was to add a static route, but I am unsure if that would be possible, as there is no next hop.

Please note that this is not a question about regaining access to the management UI, I know how to do that. What I want to do is allow access from the LAN, while other LAN traffic is sent into the tunnel.

Best Answer

You are on the right track with the static route idea. Routes are prioritized based on how specific they are.

0.0.0.0/0 is the most generic and should always be evaluated last.

I would suggest setting a route that matches the remote network instead of just 0.0.0.0/0. Something like 10.2.0.0/16 or whatever matches your networks. You can also create one for the local network like 10.1.0.0/16 (or whatever) to make sure it can connect to local devices.
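The answer relies on longest-prefix matching: a packet is sent along the most specific route that contains its destination, and 0.0.0.0/0 only wins when nothing narrower matches. The following Python snippet is an added illustration of that rule, not code from the thread or from OPNsense. It uses constructed addresses (LAN 10.1.0.0/16 with the firewall at 10.1.0.1, remote site 10.2.0.0/16) and compares the "tunnel everything" table from the question with the narrower routes the answer proposes.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the scenario in the thread (addresses are
# assumptions, not values from the page). Each entry is (prefix, next hop).
ROUTES_DEFAULT_ONLY = [
    ("0.0.0.0/0", "ipsec-tunnel"),     # Phase 2 remote subnet 0.0.0.0/0
]

ROUTES_SPECIFIC = [
    ("10.2.0.0/16", "ipsec-tunnel"),   # only the remote site enters the tunnel
    ("10.1.0.0/16", "lan-direct"),     # local LAN, including the firewall's LAN IP
    ("0.0.0.0/0", "wan-gateway"),      # everything else via the normal default route
]


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match.

    Every route whose prefix contains dst is a candidate; the one with the
    longest prefix length wins, so 0.0.0.0/0 (length 0) is always the
    fallback of last resort.
    """
    addr = ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def compare(destinations):
    """Show how each destination is handled by both tables."""
    return {
        dst: (lookup(ROUTES_DEFAULT_ONLY, dst), lookup(ROUTES_SPECIFIC, dst))
        for dst in destinations
    }


if __name__ == "__main__":
    # 10.1.0.1 is the firewall's own LAN address in this constructed example.
    for dst, (before, after) in compare(["10.1.0.1", "10.2.5.7", "8.8.8.8"]).items():
        print(f"{dst:>10}: default-only -> {before:13} specific -> {after}")
```

With only the catch-all route, the firewall's own LAN address resolves to the tunnel, which is the behaviour described in the question; once a 10.1.0.0/16 route exists it is more specific than 0.0.0.0/0 and local traffic stays local, while 10.2.0.0/16 still goes into the tunnel.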
