I’m having some trouble getting OpenVPN working on my pfSense box. The issue is quite strange to me.
When I have the OpenVPN turned on, only my router is able to connect to the Internet. From the router I can use ping, links, etc., and connections work exactly as expected – through the VPN, with the IP address assigned by my VPN provider (Proxy.sh, incidentally).
However, none of the clients on the local network can connect to the Internet. I get timeouts when using ping or a web browser. I can ping my router, and the IP address of the gateway.
When I switch the default gateway from the VPN to my ISP’s gateway, all works exactly as expected.
Here is the routing table (netstat -r) when in VPN mode, and a key for it:
IPv4
Destination         Gateway         Flags   Refs   Use   Mtu    Netif   Expire
0.0.0.0/1           10.XX.X.53      UGS     0      122   1500   ovpnc1  =>
default             10.XX.X.53      UGS     0      235   1500   ovpnc1
188.8.131.52        10.XX.X.53      UGHS    0      82    1500   ovpnc1
10.XX.X.1/32        10.11.0.53      UGS     0      0     1500   ovpnc1
10.XX.X.53          link#12         UH      0      0     1500   ovpnc1
10.XX.X.54          link#12         UHS     0      0     16384  lo0
ZZ.XX.XXX.0/20      link#1          U       0      83    1500   re0
ZZ.XX.XXX.XXX       link#1          UHS     0      0     16384  lo0
127.0.0.1           link#9          UH      0      12    16384  lo0
184.108.40.206/1    10.11.0.53      UGS     0      123   1500   ovpnc1
192.168.1.0/24      link#11         U       0      1434  1500   ue0
192.168.1.1         link#11         UHS     0      0     16384  lo0
Y.Y.Y.Y/32          ZZ.XX.XXX.1     UGS     0      249   1500   re0
10.XX.X.53/54 – My DHCP-assigned IP address pair from the VPN provider
ZZ.XX.XXX.XXX – My external IP assigned by my ISP
Y.Y.Y.Y – The external IP assigned by the VPN provider
ovpnc1 – My VPN client interface
re0 – My LAN interface
ue0 – My WAN interface
This looks essentially like what I would expect it to be. The default route is through the VPN provider. The VPN address is routed through the ISP-assigned IP address. I am not sure what would be wrong here.
So figuring this was a firewall issue, I basically tried enabling all in/out traffic. This did not seem to remedy the problem.
Also figuring it could possibly be some client networking issue, I restarted the clients on the LAN. This did not help.
I also ran route flush and reset the routes manually.
So I am a bit stumped, and would be very grateful for any thoughts on what the problem might be.
Normally, you must provide an instruction to forward IPv4 traffic from the LAN to the new interface which the VPN provides, be it tun0 or tap0.
I am way too rusty with pf to try and suggest how to do it. With iptables you would use this command:
iptables --table nat --append POSTROUTING --out-interface tap0/tun0 -j MASQUERADE
I hope this will provide a push in the right direction, even though this is not a solution.
To resolve this I had to go to:
pfSense -> Firewall -> NAT -> Outbound -> Manual Outbound NAT rule generation
(AON – Advanced Outbound NAT)
From there I had to move all the OPT1 mappings to the top (i.e. above the WAN mappings).
Note as well that:
- in the firewall rules I had to set a rule for all incoming traffic on the LAN subnet to have it use the Proxy-Gateway. Looks like this in the rule list of pfSense:
IPv4 TCP LAN net * * 80 (HTTP) ProxySHGW none "LAN Subnet to Proxy.sh gateway"
- I kept the default gateway as the WAN, but had to add the ProxySHGW gateway used by the above rule.
I hope that helps someone else along the way.
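For readers who want to see what the iptables MASQUERADE hint in the first answer and the pfSense GUI steps in the second answer amount to in pf terms, here is a hand-written pf ruleset added as an illustration; it is not from this thread or from pfSense itself. The interface names, LAN subnet and tunnel gateway are taken from the question's key and routing table (the gateway is redacted there, so it stays a placeholder), and pfSense regenerates its ruleset from the GUI, so this is for understanding what those steps produce rather than for pasting into /etc/pf.conf on a pfSense box.

```pf
# Added example, not the thread's own configuration. Macros are assumptions:
# adjust lan_if, lan_net, vpn_if, vpn_gw and wan_if to match your own box.
lan_if  = "re0"             # LAN interface, as listed in the question's key
lan_net = "192.168.1.0/24"  # LAN subnet from the routing table
vpn_if  = "ovpnc1"          # OpenVPN client interface
vpn_gw  = "10.XX.X.53"      # tunnel peer address (redacted placeholder from the thread)
wan_if  = "ue0"             # WAN interface, as listed in the question's key

# Outbound NAT. pf applies the FIRST matching nat rule, so the VPN-interface
# rule must sit above any catch-all WAN rule; this is the "move the OPT1
# mappings above the WAN mappings" step from the accepted answer. Writing the
# target as ($vpn_if) makes pf track the interface address, so the rule keeps
# working when the VPN reconnects and is handed a new tunnel IP.
nat on $vpn_if from $lan_net to any -> ($vpn_if)
nat on $wan_if from $lan_net to any -> ($wan_if)

# Policy routing: push LAN-originated traffic into the tunnel regardless of the
# system default route. This is the LAN rule with the ProxySHGW gateway; the
# answer's rule matched only TCP port 80, this one generalises it to all LAN
# traffic. route-to needs the interface AND the next-hop address.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from $lan_net to any keep state

# Why the router worked while the clients did not: the router sources its own
# packets from the tunnel address (10.XX.X.54), which the provider can route
# back to. LAN clients source from 192.168.1.x; without the nat rule above those
# packets leave the tunnel un-translated and the replies never come back, which
# shows up exactly as the ping and browser timeouts in the question.
```

To confirm the rules are in place on a live pfSense box, `pfctl -s nat` should show the ovpnc1 translation listed before the WAN one, and `pfctl -s rules` should show the LAN pass rule carrying `route-to (ovpnc1 ...)`.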