Problem :
I’m having some trouble getting OpenVPN working on my pfSense box. The issue is quite strange to me.
When I have the OpenVPN turned on, only my router is able to connect to the Internet. From the router I can use ping, links, etc., and connections work exactly as expected – through the VPN, with the IP address assigned by my VPN provider (Proxy.sh, incidentally).
However, none of the clients on the local network can connect to the Internet. I get timeouts when using ping or a web browser. I can ping my router, and the IP address of the gateway.
When I switch the default gateway from the VPN to my ISP’s gateway, all works exactly as expected.
Here is the routing table (netstat -r) when in VPN mode, and a key for it:
IPv4
Destination        Gateway         Flags  Refs  Use   Mtu    Netif   Expire
0.0.0.0/1          10.XX.X.53      UGS    0     122   1500   ovpnc1  =>
default            10.XX.X.53      UGS    0     235   1500   ovpnc1
8.8.8.8            10.XX.X.53      UGHS   0     82    1500   ovpnc1
10.XX.X.1/32       10.11.0.53      UGS    0     0     1500   ovpnc1
10.XX.X.53         link#12         UH     0     0     1500   ovpnc1
10.XX.X.54         link#12         UHS    0     0     16384  lo0
ZZ.XX.XXX.0/20     link#1          U      0     83    1500   re0
ZZ.XX.XXX.XXX      link#1          UHS    0     0     16384  lo0
127.0.0.1          link#9          UH     0     12    16384  lo0
128.0.0.0/1        10.11.0.53      UGS    0     123   1500   ovpnc1
192.168.1.0/24     link#11         U      0     1434  1500   ue0
192.168.1.1        link#11         UHS    0     0     16384  lo0
Y.Y.Y.Y/32         ZZ.XX.XXX.1     UGS    0     249   1500   re0
IP addresses
- 10.XX.X.53/54 – My DHCP-assigned IP address pair from the VPN provider
- ZZ.XX.XXX.XXX – My external IP assigned by my ISP
- Y.Y.Y.Y – The external IP assigned by the VPN provider
Interfaces
- ovpnc1 – My VPN client interface
- re0 – My LAN interface
- ue0 – My WAN interface
This looks essentially like what I would expect. The default route is through the VPN provider. The VPN address is routed through the ISP-assigned IP address. I am not sure what would be wrong here.
So figuring this was a firewall issue, I basically tried enabling all in/out traffic. This did not seem to remedy the problem.
Also figuring it could possibly be some client networking issue, I restarted the clients on the LAN. This did not help.
I also ran route flush and reset the routes manually.
So I am a bit stumped, and would be very grateful for any thoughts on what the problem might be.
Solution :
Normally, you must provide an instruction to forward IPv4 traffic from the LAN to the new interface which the VPN provides, be it tun0 or tap0.
I am way too rusty with pf to try and suggest how to do it. With iptables you would use this command:
iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE   # use tap0 instead of tun0 for a TAP-mode tunnel
I hope this will provide a push in the right direction, even though this is not a solution.
To resolve this I had to go to:
pfSense -> Firewall -> NAT -> Outbound -> Manual Outbound NAT rule generation
(AON – Advanced Outbound NAT)
From there I had to move all the OPT1 mappings to the top (i.e. above the WAN mappings).
Note as well that:
- in the firewall rules I had to set a rule for all incoming traffic on the LAN subnet to have it use the Proxy-Gateway. It looks like this in the rule list of pfSense:
IPv4 TCP LAN net * * 80 (HTTP) ProxySHGW none "LAN Subnet to Proxy.sh gateway"
- I kept the default gateway as the WAN, but had to add the ProxySHGW gateway used by the above rule.
I hope that helps someone else along the way.
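For reference, here is the raw pf equivalent of both answers above: the MASQUERADE line from the first answer, and the "OPT1 mappings above the WAN mappings" plus the LAN-to-ProxySHGW firewall rule from the second. This is an added example written by the editor, not configuration posted in the thread and not the pf.conf that pfSense itself generates. Assumptions: the LAN subnet is 192.168.1.0/24 and the VPN client interface is ovpnc1 (both taken from the routing table above); the interface and gateway names ue0, re0 and 10.XX.X.53 are also copied from that routing table (addresses are masked exactly as the poster masked them) and must be replaced with the real values on your own box.

```pf
# Added example (editor's, not from the thread): pf equivalent of the
# iptables MASQUERADE line and of the pfSense outbound-NAT / gateway fix.
# Assumptions, all taken from the routing table in the question:
lan_net = "192.168.1.0/24"   # LAN subnet seen on link#11 in the routing table
vpn_if  = "ovpnc1"           # OpenVPN client interface
vpn_gw  = "10.XX.X.53"       # VPN-side gateway (masked as in the post)
lan_if  = "ue0"              # interface holding 192.168.1.0/24 in the table
wan_if  = "re0"              # interface holding the ISP-assigned /20 in the table

# Outbound NAT, the counterpart of
#   iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# "($vpn_if)" in parentheses tells pf to use whatever address the interface
# currently has, which matters because the VPN address is DHCP-assigned.
# pf translation rules are first-match, so the VPN-interface mapping is listed
# before the WAN mapping; this is the "move OPT1 mappings to the top" step.
nat on $vpn_if from $lan_net to any -> ($vpn_if)
nat on $wan_if from $lan_net to any -> ($wan_if)

# Policy routing for the LAN, the counterpart of the pfSense rule
#   IPv4 TCP  LAN net * * 80 (HTTP)  ProxySHGW  "LAN Subnet to Proxy.sh gateway"
# route-to overrides the system default route for traffic matching this rule,
# which is why the default gateway can stay on the WAN as the second answer did.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp from $lan_net to any port 80 keep state
```

Two checks worth doing after loading such rules: confirm the translation with pfctl -s nat (the ovpnc1 rule should appear first), and watch the VPN interface with tcpdump -ni ovpnc1 while a LAN client browses; if the source addresses on ovpnc1 are still 192.168.1.x rather than the VPN-assigned address, the NAT rule is not matching and the client traffic will time out exactly as described in the question.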