    Complex OpenVPN Routing Question

    juchong

      Hi everyone! I'd like to ask the hive mind for some guidance on correctly setting up an OpenVPN client/server while routing all traffic through an obfuscator to help avoid IDS. I've already figured out the obfuscator and pluggable transport (shapeshifter-dispatcher), but I'm having trouble getting pfSense to remain connected as traffic doesn't seem to want to flow through the tunnel. pfSense boxes sit at both sides of the bridge and are running the latest stable build. Here's what I'm trying to accomplish:

      Server/Host (OpenVPN) -> Obfuscation Proxy (Running on the host) -> Internet -> Obfuscation Proxy (Running on remote site) -> Client/Remote Site (OpenVPN)

      and here are the IPs associated with each hop:

      Server/Host (10.0.32.0/24) -> 127.0.0.1:61932 -> External-Facing Listening Service (0.0.0.0:2222) -> 127.0.0.1:62317 -> Client (192.168.100.0/24)

      I've confirmed that the proxy is functioning as intended and the connection remains stable when used for things other than OpenVPN.

      I'm only able to ping from client to server for a few seconds after the connection is established. Disabling pushing routes on the client seems to keep the VPN connection alive a bit longer, but it eventually drops due to inactivity after about a minute:

      Mar 11 00:59:22 	openvpn 	93199 	openvpn server 'ovpns3' user 'thecloudbridge' address '127.0.0.1' - disconnected
      Mar 11 00:59:22 	openvpn 	598 	thecloudbridge/127.0.0.1:53146 SIGUSR1[soft,ping-restart] received, client-instance restarting
      Mar 11 00:59:22 	openvpn 	598 	thecloudbridge/127.0.0.1:53146 [thecloudbridge] Inactivity timeout (--ping-restart), restarting
      Mar 11 00:59:16 	openvpn 	598 	MANAGEMENT: Client disconnected
      Mar 11 00:59:16 	openvpn 	598 	MANAGEMENT: CMD 'quit'
      Mar 11 00:59:16 	openvpn 	598 	MANAGEMENT: CMD 'status 2'
      Mar 11 00:59:16 	openvpn 	598 	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
      Mar 11 00:58:12 	openvpn 	598 	MANAGEMENT: Client disconnected
      Mar 11 00:58:12 	openvpn 	598 	MANAGEMENT: CMD 'quit'
      Mar 11 00:58:12 	openvpn 	598 	MANAGEMENT: CMD 'status 2'
      Mar 11 00:58:12 	openvpn 	598 	MANAGEMENT: Client connected from /var/etc/openvpn/server3/sock
      Mar 11 00:57:45 	openvpn 	3505 	openvpn server 'ovpns3' user 'thecloudbridge' address '127.0.0.1' - disconnected
      Mar 11 00:57:45 	openvpn 	598 	thecloudbridge/127.0.0.1:19401 SIGUSR1[soft,ping-restart] received, client-instance restarting
      Mar 11 00:57:45 	openvpn 	598 	thecloudbridge/127.0.0.1:19401 [thecloudbridge] Inactivity timeout (--ping-restart), restarting
      Mar 11 00:57:13 	openvpn 	598 	thecloudbridge/127.0.0.1:53146 PUSH: Received control message: 'PUSH_REQUEST'

      At this point, I'm confident the issue is somewhere in the way routing is handled by OpenVPN, but I'm at wit's end. Can anyone with a bit more experience lend me a hand?

      Thanks!
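An added example, not from the original post: a small parser for the pfSense OpenVPN log layout quoted above that measures, per client session, how long after PUSH_REQUEST the server declared an --ping-restart inactivity timeout, and counts restarts per user. Sessions that time out shortly after the push phase, as in the post, point at tunnel traffic not flowing rather than at the TLS handshake. The sample lines are constructed in the same format as the post's log and the year is an assumed placeholder (syslog timestamps carry none).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pfSense OpenVPN log layout (tab-separated fields).
SAMPLE_LOG = """\
Mar 11 00:59:22 \topenvpn \t598 \tthecloudbridge/127.0.0.1:53146 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mar 11 00:59:22 \topenvpn \t598 \tthecloudbridge/127.0.0.1:53146 [thecloudbridge] Inactivity timeout (--ping-restart), restarting
Mar 11 00:57:45 \topenvpn \t598 \tthecloudbridge/127.0.0.1:19401 [thecloudbridge] Inactivity timeout (--ping-restart), restarting
Mar 11 00:57:13 \topenvpn \t598 \tthecloudbridge/127.0.0.1:53146 PUSH: Received control message: 'PUSH_REQUEST'
"""

# timestamp, "openvpn", pid, then "<user>/<ip>:<port> <message>"; lines without a
# user/ip:port prefix (MANAGEMENT, "openvpn server ..." notices) are skipped.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s+openvpn\s+\d+\s+(\S+?)/([\d.]+):(\d+) (.*)$"
)


def parse(text, year=2025):
    """Return (timestamp, user, port, message) tuples, oldest first.

    `year` is an assumed placeholder: the log format carries no year.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(4), m.group(5)))
    return sorted(events)


def ping_restart_report(text):
    """Count --ping-restart timeouts per user and, where the session's
    PUSH_REQUEST was logged, the seconds from push to timeout."""
    push_at = {}
    report = {"restarts": defaultdict(int), "push_to_timeout_s": {}}
    for ts, user, port, msg in parse(text):
        key = (user, port)  # the source port identifies one client instance
        if "PUSH_REQUEST" in msg:
            push_at[key] = ts
        elif "Inactivity timeout (--ping-restart)" in msg:
            report["restarts"][user] += 1
            if key in push_at:
                report["push_to_timeout_s"][key] = int((ts - push_at[key]).total_seconds())
    return report


if __name__ == "__main__":
    print(ping_restart_report(SAMPLE_LOG))
```

For the sample, session 53146 times out 129 s after its PUSH_REQUEST, which on a default keepalive is about the point where no data or ping has crossed the tunnel since the push.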
