Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN client not using the assigned interface

    OpenVPN
    4
    14
    3.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      OK now I see what you're saying. That is interesting. I'll look into it further.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • P
        petr
        last edited by

        @Derelict:

        OK now I see what you're saying. That is interesting. I'll look into it further.

        Thank you! Btw. I am on the latest pfSense (but had the same issue on 2.1 before upgrading). Please let me know if there is any further information I can provide!

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          This is on 2.3.1_5.

          
igb1 - CABLEWAN - DHCP (192.0.2.63) - Gateway 192.0.2.1, Default selected
igb2 - DSLWAN - DHCP (198.51.100.81) - Gateway 198.51.100.1

Gateway Group FAILOVER - Tier 1 CABLEWAN, Tier 2 DSLWAN

OpenVPN Client to Server 203.0.113.99 UDP 1194 DSLWAN Interface selected

igb1 udp 198.51.100.81:45812 -> 203.0.113.99:1194       MULTIPLE:MULTIPLE
   age 00:06:22, expires in 00:00:59, 110:46 pkts, 12930:7991 bytes, rule 209
   id: 01000000576b0a5b creatorid: 1175fd11

Packet capture of packets on DSLWAN show packets out/in the correct interface.
Interesting the state is on igb1.

15:16:29.113002 IP 198.51.100.81.45812 > 203.0.113.99.1194: UDP, length 133
15:16:29.160365 IP 203.0.113.99.1194 > 198.51.100.81.45812: UDP, length 133
15:16:30.117321 IP 198.51.100.81.45812 > 203.0.113.99.1194: UDP, length 133
15:16:30.164606 IP 203.0.113.99.1194 > 198.51.100.81.45812: UDP, length 133
15:16:31.117644 IP 198.51.100.81.45812 > 203.0.113.99.1194: UDP, length 133
15:16:31.164684 IP 203.0.113.99.1194 > 198.51.100.81.45812: UDP, length 133
15:16:32.122491 IP 198.51.100.81.45812 > 203.0.113.99.1194: UDP, length 133
15:16:32.170163 IP 203.0.113.99.1194 > 198.51.100.81.45812: UDP, length 133
15:16:33.127166 IP 198.51.100.81.45812 > 203.0.113.99.1194: UDP, length 133
15:16:33.174159 IP 203.0.113.99.1194 > 198.51.100.81.45812: UDP, length 133

          My guess is you could force this state to show the correct interface with a /32 static route to the VPN server to the right gateway. In my case igb1 is probably because it's the default gateway. What really matters is the source address.

          Are you just looking at the state or are you actually seeing traffic in/out the incorrect interface?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • P
            petr
            last edited by

            @Derelict:

            This is on 2.3.1_5.
            …
            My guess is you could force this state to show the correct interface with a /32 static route to the VPN server to the right gateway. In my case igb1 is probably because it's the default gateway. What really matters is the source address.

            Are you just looking at the state or are you actually seeing traffic in/out the incorrect interface?

            Running same version here. I am actually not looking at the state at all - looking purely at the traffic, which goes through WAN. Before I go into mitigations via static routes, is there any reason why is the preference in the OpenVPN client being ignored? Also, why did it start misbehaving when I've added additional local interfaces? (WANs have not changed during the process, nor did any of the OpenVPN settings).

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              I don't see that it is being ignored. My OpenVPN connection is going out the chosen interface.

              What is the source address of the state created out to the VPN provider?

              Much more information can be had if you look at what's actually happening instead of a traffic graph.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • P
                petr
                last edited by

                Ok, looked at the states - it looks like it's originating from the OPT2WAN

                In an nutshell, my interfaces are setup in a following way:

                inet1 .1.1 <- pfsense WAN .1.51 (default gateway 192.168.1.1)
                inet2 .5.1 <- pfsense OPT2WAN2 .5.50 (secondary gateway 192.168.5.1)

                On the screenshot, we can see that the state is indeed originating from the 5.50, as it would indicate the OPT2WAN2.

                lo0 	udp 	192.168.5.50:41155 -> 31.7.58.234:443 	MULTIPLE:MULTIPLE

                However, why does the traffic then flow through WAN?

                Thus you are right - it is taken into account in the OpenVPN client, however, the packets just seem to go off the wrong interface for some reason.

                Also, why is the OpenVPN connection the only state that has the "lo0" as the interface? All of my other states have a real interface assigned (LAN, WAN, etc.).

                ![Screenshot 2016-06-19 13.43.07.png](/public/imported_attachments/1/Screenshot 2016-06-19 13.43.07.png)
                ![Screenshot 2016-06-19 13.43.07.png_thumb](/public/imported_attachments/1/Screenshot 2016-06-19 13.43.07.png_thumb)

                1 Reply Last reply Reply Quote 0
                • P
                  petr
                  last edited by

                  Further update:

                  I have now managed to include the static routes and those seem to have "fixed" the problem and the VPN traffic is going through the assigned interface. However, I had to include all of the current results of the DNS records for vpn.blackvpn.ch, which is far from ideal and I imagine it breaking easily in the future.

                  Any tips how can I keep using the domain name?

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    If that 5.50 address is the correct interface and traffic is STILL going out another interface it is not being properly routed to the VPN in the first place, like I was originally saying. This really sounds like a policy routing problem brought about by adding Multi-WAN which introduced more policy routing into your rule set.

                    You need to POST YOUR LAN RULES like I originally asked for. You very likely have something set incorrectly.

                    And please report the status of the Don't pull routes checkbox and anything in Custom Options in your OpenVPN client config.

                    Remove whatever static route you set up.

                    If traffic is still flowing through the wrong WAN go to www.wimi.com. You will see you are not going through the VPN at all.

                    Having the state on lo0 (a loopback interface) is just fine.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • P
                      petr
                      last edited by

                      Please find attached!

                      I do not see anything relevant to the actual VPN connection there though.

                      The rule that sends selected machines' traffic over the VPN is the "routeViaBlackVPN" alias, which contains IPs of few machines on my network. The torrentDownloads is gateway group consisting of the VPN connection as a primary one and other gateway as secondary.

                      To clarify, the VPN has always worked (I have tested outgoing IP from configured machines), my only issue that the VPN traffic was not going over the assigned interface. This is now resolved via setting the static routes, however, I would like to find a more flexible solution.

                      In my opinion, the issue is that the OpenVPN traffic goes over "lo0" interface, which in turn is routed via the default gateway.

                      Please see below for "Custom Options" of the BlackVPN Client:

                      comp-lzo
auth SHA512
auth-user-pass /root/blackvpnpassword
route-nopull

                      The Don't pull routes checkbox is unchecked above.

                      As I've said, I do not have any issues with using the VPN - traffic goes through it as expected. What I do have issues with is that without the static routes, the data of the OpenVPN link itself does not go through the specified interface. I would also like to add that it all used to work just fine, until I added additional local LAN interfaces to the system (no changes to gateways or rules).

                      ![Screenshot 2016-06-20 11.42.42.png](/public/imported_attachments/1/Screenshot 2016-06-20 11.42.42.png)
                      ![Screenshot 2016-06-20 11.42.42.png_thumb](/public/imported_attachments/1/Screenshot 2016-06-20 11.42.42.png_thumb)

                      G 1 Reply Last reply Reply Quote 0
                      • G
                        gremblin @petr
                        last edited by

                        @petr I am having the same issue. I also have an OpenVPN client that is using the failover WAN interface. My failover WAN is a 4G modem that I pay for the data I use on, so I want to limit the devices that can use this interface. All the rules seem to work fine except that the VPN connects and devices that use that VPN can still access the internet and tank my data plan. Did you ever find a solution to this?

                        1 Reply Last reply Reply Quote 1
                        • D
                          dbykov
                          last edited by dbykov

                          The problem still exists in 2.7.

                          If during the OpenVPN client connection the interface, specified in client's config, is down, the connection happens through another gateway (which could be a metered backup connection for example).

                          This is a major issue in my opinion.

                          UPD: "Do not create rules when gateway is down" option is checked BTW.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.