Netgate Discussion Forum
    Use OpenVPN but with Internet access on the client

    5 Posts 2 Posters 774 Views
    WhiteTiger-IT

      I'm testing my OpenVPN setup.
      When the OpenVPN connection is active I lose access to the Internet from my PC.
      I know I could turn on the option to redirect all traffic to OpenVPN, but I would like to keep Internet access on the PC.
      Both because it would be faster and then because I have to use tools to access another PC, such as TeamViewer, and I wouldn't want to let this through the OpenVPN tunnel too.

        viragomann @WhiteTiger-IT

        @whitetiger-it
        What kind of OpenVPN are you talking about, is it a client or a server?

          WhiteTiger-IT @viragomann

          @viragomann
          I need to connect from a PC (Road Warrior).
          On pfSense the Wizard has created a server and the firewall rule.
          I exported the .ovpn file for a pfSense user, for whom I had previously created a certificate.
          The VPN works and once activated I see the devices in the LAN and in the DMZ.
          But from my PC I don't go to the Internet.

          Then on the OpenVPN server I activated the option "Redirect IPv4 Gateway: Force all client-generated IPv4 traffic through the tunnel.".
          I logged in again, but I still don't have access to the internet.

          ==== Update ====
          With "Manual outbound NAT rule generation", now I am able to connect to the Internet, but always through the pfSense OpenVPN tunnel.
          I would like to do it directly from the PC.

            viragomann @WhiteTiger-IT

            @whitetiger-it
            With the "redirect gateway" option the server pushes the default route to the client. Hence the whole upstream traffic is routed over the VPN.

            For split tunneling you have to remove this check and enter the server's local networks into the "Local Networks" field.
            There are changes needed in the client's .ovpn file.

              WhiteTiger-IT @viragomann

              @viragomann

              I find myself in great difficulty because of a random behavior.
              Yet the configuration is the "basic" one, created with the Wizard and the same as many others described on the Internet.
              For testing I use:

              • Browser with clean cache
              • Browsing in private mode, not to save caches, cookies, etc.
              • Online newspapers because they have a very dynamic content.

              Well:

              • In pfSense there is the Redirect Gateway = ON
              • I connect to the VPN, the tray icon turns green; a Win10Pro message appears telling me that an IP has been assigned for the tunnel; I can access the pfSense configuration page.
              • I open the browser for the test; I open the online newspaper; I browse some articles; I ping using the newspaper domain. So, everything is OK.

              After a few minutes, the VPN is still active, but the pages are no longer reachable and the ping from the PC no longer works because it cannot resolve the domain, while if I do it from the GUI of pfSense, ping works correctly on all interfaces.

              OpenVPN log reports:

              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_VER=2.5.4
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_PLAT=win
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_PROTO=6
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_LZ4=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_LZ4v2=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_LZO=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_COMP_STUB=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_COMP_STUBv2=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_TCPNL=1
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_GUI_VER=OpenVPN_GUI_11
              Nov 15 07:00:40	openvpn	30979	IP-ROUTER:55664 peer info: IV_SSO=openurl,crtext
              Nov 15 07:00:41	openvpn	27557	user 'USERNAME' authenticated
              Nov 15 07:00:46	openvpn	30979	IP-ROUTER:55664 [USERNAME] Peer Connection Initiated with [AF_INET]IP-ROUTER:55664
              Nov 15 07:00:46	openvpn	30979	USERNAME/IP-ROUTER:55664 MULTI_sva: pool returned IPv4=10.101.101.2, IPv6=(Not enabled)
              

              Then dozens of identical reports follow:

              Nov 15 07:00:56	openvpn	30979	USERNAME/IP-ROUTER:55664 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #163 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
              

              Sometimes disconnecting and reconnecting is not useful and I have to close the OpenVPN client to reopen it again.

              Now I am forced to work with three PCs:

              • One to access pfSense.
              • One to test the VPN
              • One connected directly to the router to be able to navigate so that you can always access the online documentation.

              The OpenVPN client GUI is v11.25.0.0
              Installed with OpenVPN-2.5.4-I604-amd64.msi

              This is the config (.ovpn):

              dev tun
              persist-tun
              persist-key
              ncp-disable
              cipher AES-256-CBC
              auth SHA512
              tls-client
              client
              resolv-retry infinite
              remote MYDDNS.duckdns.org 1194 udp4
              setenv opt block-outside-dns
              lport 0
              verify-x509-name "mynamepfsense-ovpn-rwa" name
              auth-user-pass
              remote-cert-tls server
              explicit-exit-notify
              
              <ca>
              -----BEGIN CERTIFICATE-----
              -----END CERTIFICATE-----
              </ca>
              <cert>
              -----BEGIN CERTIFICATE-----
              
              -----END CERTIFICATE-----
              </cert>
              <key>
              -----BEGIN PRIVATE KEY-----
              
              -----END PRIVATE KEY-----
              </key>
              key-direction 1
              <tls-auth>
              #
              # 2048 bit OpenVPN static key
              #
              -----BEGIN OpenVPN Static key V1-----
              
              -----END OpenVPN Static key V1-----
              </tls-auth>
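
              As an added illustration (not code from the thread or from pfSense/OpenVPN), a small Python checker that applies the split-tunnel point made earlier in the thread: it evaluates a constructed client .ovpn modelled on the posted one together with two constructed sets of server-pushed options (Redirect Gateway checked, versus only the "Local Networks" routes), reports which destinations would enter the tunnel, and flags the interaction between `block-outside-dns` and a missing pushed DNS server. All subnets, the DNS address and the pushed lines are assumptions.

```python
import ipaddress

# Constructed client .ovpn modelled on the directives in the post above
# (certificate blocks omitted); an assumption, not the poster's real file.
CLIENT_OVPN = """\
dev tun
client
remote MYDDNS.duckdns.org 1194 udp4
setenv opt block-outside-dns
auth-user-pass
remote-cert-tls server
"""

# Constructed examples of what the server pushes in the two modes:
# "Redirect IPv4 Gateway" checked, versus unchecked with LAN and DMZ
# entered in "Local Networks" (all subnets and addresses are assumptions).
PUSH_FULL_TUNNEL = ["redirect-gateway def1", "dhcp-option DNS 10.101.101.1"]
PUSH_SPLIT_TUNNEL = ["route 192.168.1.0 255.255.255.0",
                     "route 192.168.2.0 255.255.255.0"]

def client_opts(text):
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def tunnel_posture(client_text, pushed):
    # Options in the file and options pushed by the server both apply.
    local = client_opts(client_text)
    effective = local + pushed
    full = any(o.startswith("redirect-gateway") for o in effective)
    routes = [ipaddress.ip_network("%s/%s" % tuple(o.split()[1:3]), strict=False)
              for o in effective if o.startswith("route ")]
    dns = [o.split()[2] for o in effective if o.startswith("dhcp-option DNS")]
    block_dns = any(o.endswith("block-outside-dns") for o in local)
    findings = []
    if full:
        findings.append("full tunnel: every client destination exits via the VPN")
    else:
        findings.append("split tunnel: only %d pushed route(s) use the VPN" % len(routes))
    if block_dns and not dns:
        # block-outside-dns blocks DNS on every Windows interface except the
        # tunnel adapter, so without a pushed DNS server names may not resolve.
        findings.append("block-outside-dns set but no DNS pushed: name resolution may fail")
    return {"full_tunnel": full, "routes": routes, "dns": dns, "findings": findings}

def via_vpn(posture, ip):
    """True if traffic to ip would enter the tunnel under this posture."""
    addr = ipaddress.ip_address(ip)
    return posture["full_tunnel"] or any(addr in net for net in posture["routes"])
```

              Run `tunnel_posture(CLIENT_OVPN, PUSH_SPLIT_TUNNEL)` and then `via_vpn(...)` on a LAN address and on a public address to see which side of the split each destination lands on.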
              
              
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.