Netgate Discussion Forum
    OpenVPN connection stops working after changing default gateway

    zounder1

      Good afternoon,
      I am setting up pfSense 2.6.0 to use an OpenVPN connection. I am using vpnunlimitedapp.com for my VPN.

      I followed this guide for setting up pfSense.
      https://www.vpnunlimited.com/help/manuals/pfsense-configuration-guide

      I can get the connection to work fine after I change the default gateway to the OpenVPN connection. (System / Routing / Gateways) Using a Windows client connected to pfSense, I can confirm that pfSense is using the OpenVPNWAN interface for browsing the internet.

      Here is my problem.
      Everything works fine until pfSense is rebooted. Upon reboot, the OpenVPN tunnel never opens successfully. I get the following log entries for OpenVPN.

      Apr 22 12:45:48 openvpn 42762 UDPv4 link local (bound): [AF_INET]192.168.200.10:0
      Apr 22 12:45:48 openvpn 42762 UDPv4 link remote: [AF_INET]192...*:1194
      Apr 22 12:45:48 openvpn 42762 write UDPv4: No route to host (code=65)
      Apr 22 12:45:50 openvpn 42762 write UDPv4: No route to host (code=65)

      It looks like I am getting assigned an IP, but things get stuck with no route to host. If I switch the default gateway to "automatic" the OpenVPN setup completes. But traffic is routed through WAN interface and not the OpenVPNWAN interface. If I again change the default gateway to the OpenVPNWAN interface traffic routes properly. A reboot breaks everything again.

      Help? I do not get this issue if I use pfSense 2.4.5 - everything works perfectly fine in that version.

      Any ideas?

      viragomann @zounder1

        @zounder1
        Setting the default gateway to a VPN is a very bad idea in any case.

        What do you intend? Routing the whole upstream traffic over the VPN when the connection is up?

        Is there a check at "Don't pull routes" in the client settings?

        zounder1 @viragomann

          @viragomann Not really. This is a virtual machine. I point Windows clients that I want to use the VPN to this gateway (using DHCP gateway assignment). So defaulting to using the VPN works in my edge application. In fact, I prefer the VPN to be the only gateway at all. If the VPN goes down I don't want to drop back to the unencrypted connection.

          As discussed, this worked perfectly fine in the old 2.4.5 pfSense VMs that I want to retire. So I am trying to figure out what changed in 2.6.0.

          Thanks for commenting! (Honestly.)

          viragomann @zounder1

            @zounder1
            So turn the rule on the incoming interface into a policy routing one by stating the VPN gateway to force the whole upstream traffic to the VPN server.

            And add a check at System > Advanced > Miscellaneous > Skip rules when gateway is down (Do not create rules when gateway is down).

            zounder1 @viragomann
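            As an added example (not from the thread, and not pfSense's own code): a small Python model of the two settings viragomann points to. It renders a LAN pass rule that carries the VPN gateway into a pf-style line the way pfSense's ruleset generator does, and shows where client traffic ends up when the tunnel is down, with and without "Skip rules when gateway is down". The gateway name, interface and next hop are constructed values.

```python
from typing import Dict, List, Optional, Tuple

# Gateway table: name -> (interface, next hop, currently up?). Values are constructed.
Gateways = Dict[str, Tuple[str, str, bool]]


def generate_pf(rules: List[Tuple[str, Optional[str]]], gateways: Gateways,
                skip_when_down: bool) -> List[str]:
    """Render LAN pass rules as pf-style lines, mirroring pfSense's generator.
    Each rule is (source network, gateway name or None for plain routing)."""
    out = []
    for src, gw in rules:
        plain = f"pass in quick on $LAN from {src} to any"
        if gw is None:
            out.append(plain)                   # ordinary rule: system routing table
            continue
        iface, hop, up = gateways[gw]
        if up:
            out.append(f"{plain} route-to ({iface} {hop})")   # policy routing into the VPN
        elif not skip_when_down:
            out.append(plain)   # pfSense default: keep the rule, drop the gateway -> falls to WAN
        # else: rule omitted entirely; the default deny catches the traffic (kill switch)
    return out


def egress(pf_rules: List[str], src_net: str, default_iface: str = "WAN") -> str:
    """Interface that traffic from src_net leaves on under first-match ('quick')
    evaluation, or 'BLOCKED' when no pass rule matches."""
    for line in pf_rules:
        if f"from {src_net} to" in line:
            if "route-to (" in line:
                return line.split("route-to (")[1].split()[0]
            return default_iface
    return "BLOCKED"


def scenario(vpn_up: bool, skip_when_down: bool) -> str:
    """One LAN rule pointing at the VPN gateway (names constructed for the example)."""
    gws = {"OPENVPNWAN_VPNV4": ("ovpnc1", "10.8.0.1", vpn_up)}
    rules = [("192.168.200.0/24", "OPENVPNWAN_VPNV4")]
    return egress(generate_pf(rules, gws, skip_when_down), "192.168.200.0/24")


if __name__ == "__main__":
    for up in (True, False):
        for skip in (False, True):
            print(f"vpn_up={up!s:5} skip_when_down={skip!s:5} -> {scenario(up, skip)}")
```

With the tunnel down and the option unset, the rule is kept without its gateway and LAN traffic leaks out of WAN; with the option set, the rule is dropped and the traffic is blocked, which is the behaviour the thread ends up with.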

              @viragomann Thank you! I kept searching for the setting to keep dead routes up. I had no idea it was in the miscellaneous settings area.

              With that change, I am having all traffic route properly only on the VPN interface now. When the VPN link goes down, internet stops as desired for clients connected to this pfSense gateway.

              I did have to tweak DNS Resolver settings for Outgoing Network Interfaces to only use the VPN interface for DNS queries. By default external DNS lookups were going through the WAN port even though there were no traffic rules set for the LAN to WAN.

              With your hints I am up and finally running this VM on a newer version of pfSense.

              Thank you again! Have a great day.
