OpenVPN connection stops working after changing default gateway
-
Good afternoon,
I am setting up pfSense 2.6.0 to use an OpenVPN connection. I am using vpnunlimitedapp.com for my VPN. I followed this guide for setting up pfSense:
https://www.vpnunlimited.com/help/manuals/pfsense-configuration-guide
I can get the connection to work fine after I change the default gateway to the OpenVPN connection (System / Routing / Gateways). Using a Windows client connected to pfSense, I can confirm that pfSense is using the OpenVPNWAN interface for browsing the internet.
Here is my problem.
Everything works fine until pfSense is rebooted. Upon reboot, the OpenVPN tunnel never opens successfully. I get the following log entries for OpenVPN:
Apr 22 12:45:48 openvpn 42762 UDPv4 link local (bound): [AF_INET]192.168.200.10:0
Apr 22 12:45:48 openvpn 42762 UDPv4 link remote: [AF_INET]192...*:1194
Apr 22 12:45:48 openvpn 42762 write UDPv4: No route to host (code=65)
Apr 22 12:45:50 openvpn 42762 write UDPv4: No route to host (code=65)
It looks like I am getting assigned an IP, but things get stuck with no route to host. If I switch the default gateway to "automatic" the OpenVPN setup completes, but traffic is routed through the WAN interface and not the OpenVPNWAN interface. If I again change the default gateway to the OpenVPNWAN interface, traffic routes properly. A reboot breaks everything again.
Help? I do not get this issue if I use pfSense 2.4.5 - everything works perfectly fine in that version.
Any ideas?
-
@zounder1
Setting the default gateway to a VPN is a very bad idea at all. What do you intend? Routing the whole upstream traffic over the VPN when the connection is up?
Is there a check at "Don't pull routes" in the client settings?
-
@viragomann Not really. This is a virtual machine. I point Windows clients that I want to use the VPN to this gateway (using DHCP gateway assignment). So defaulting to using the VPN works in my edge application. In fact, I prefer the VPN to be the only gateway at all. If the VPN goes down I don't want to drop back to the unencrypted connection.
As discussed, this worked perfectly fine in old 2.4.5 pfSense VMs that I want to retire. So I am trying to figure out what changed in 2.6.0.
Thanks for commenting! (Honestly.)
-
@zounder1
So turn the rule on the incoming interface into a policy routing one by stating the VPN gateway to force the whole upstream traffic to the VPN server. And add a check at System > Advanced > Miscellaneous > Skip rules when gateway is down (Do not create rules when gateway is down).
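What that advice looks like in the pf rules pfSense generates (an added illustration, not from the original thread or from pfSense itself; the LAN interface em1, the OpenVPN client interface ovpnc1, the VPN gateway 10.8.0.1 and the LAN subnet 192.168.1.0/24 are assumed values):

```pf
# Assumed names (constructed for this example): LAN interface em1,
# OpenVPN client interface ovpnc1, VPN gateway 10.8.0.1,
# LAN subnet 192.168.1.0/24.

# pfSense places a non-quick default deny near the top of the ruleset;
# user rules below are "quick", so the first matching user rule wins.
block in log inet all label "Default deny rule IPv4"

# 1) Policy routing: selecting the VPN gateway on the LAN rule turns it
#    into a route-to rule, so LAN traffic is forced into the tunnel no
#    matter which gateway is the system default.
GWOPENVPN = " route-to ( ovpnc1 10.8.0.1 ) "
pass in quick on em1 $GWOPENVPN inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN to VPN"

# 2) Default behaviour while the VPN gateway is marked down: the gateway
#    is dropped from the rule, so matching traffic follows the system
#    default route (WAN) and leaves the box unencrypted.
pass in quick on em1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN to VPN"

# 3) With "Skip rules when gateway is down" enabled, rule 2 is not
#    generated at all while the gateway is down. With no other pass rule
#    for the LAN, traffic falls through to the default deny above, which
#    is the fail-closed behaviour the poster wants.
```

The same protection does not cover DNS lookups made by the firewall itself (the Resolver's outgoing interface), which is a separate setting.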
-
@viragomann Thank you! I kept searching for the setting to keep dead routes up. I had no idea it was in the miscellaneous settings area.
With that change, I am having all traffic route properly only on the VPN interface now. When the VPN link goes down, internet stops as desired for clients connected to this pfSense gateway.
I did have to tweak DNS Resolver settings for Outgoing Network Interfaces to only use the VPN interface for DNS queries. By default external DNS lookups were going through the WAN port even though there were no traffic rules set for the LAN to WAN.
With your hints I am up and finally running this VM on a newer version of pfSense.
Thank you again! Have a great day.