OpenVPN puts down Internet traffic
-
Hello,
I'm setting up an OpenVPN client on my pfSense.
I followed some guide online, but I get a strange behaviour: as Local Address, I get the modem/router IP, just because it is my WAN. Let me explain; below you find my network config:
ISP modem/router
pfSense
Switch
In pfSense, I have 15 VLANs.
The one I created for OpenVPN has the same configuration as the others, actually no FW restrictions for testing purposes, ALLOW ALL TO ANY. My VPN seems to be UP and it shows the Virtual Address and the Remote Host, but the Local Address is the ISP modem/router IP, which is still in my local network but on another LAN.
In the VPN profile, I had to set that up; that's what I've seen in every guide, even though for me it doesn't make much sense, because I think I should set up the VLAN where it belongs (I mean in the VPN profile --> network interface).
Unfortunately, even that doesn't work; both scenarios put down the Internet entirely, only my LAN works.
I didn't even reach the NAT config and floating rules, I just imported the CA, cert, key and created the profile.
The VLAN has DHCP following my range (10.x.x.x), but disabling it doesn't work either...
The VPN has a range of 172.x.x.x.
Shall I set up a DHCP range of 172.x.x.x? I don't think it makes sense, considering that it is a Virtual IP.
Ping to the Internet works on the VLAN, VPN interface and VPN link (I think this is different, I see 2 VPN related items in the list), but it works only when the VPN service is stopped with the current config, so basically no VPN service.
I think that the VPN configuration is responsible for it, having excluded all the rest, because there is nothing else on the table apart from the DHCP range :D .
The question is, what kind of problem can generate such behaviour?
- DHCP range?
- Network interface where the VPN profile is set? Certainly it's strange to see the Local Address as the WAN address (my ISP modem/router)
-
---MESSAGE EDITED n.2---
I found the solution, but I still have a few items that need clarification.
- I used a tun interface on a VLAN, not on the WAN as everyone else recommends.
In both cases, the VPN works, but the rest of the VLANs are without internet...
The only difference is the local address assigned to the VPN interface, it may be:
- The firewall IP (which is also the PFSense WAN)
- OR the VLAN interface ID
The main problem is the missing internet in the rest of the VLANs.
-
Another thing to clarify is the NAT Outbound: if I select ANY as destination, the NAT works; if I select a precise IP range, like the RFC1918 range, it doesn't... It should NAT with an internal IP address, which is the one that the VPN assigns, so I don't understand why it doesn't work...
-
Also, I have some difficulty to set up the DNS.
I mean, I did it, but I really wanted to isolate the DNS usage, so I can use the DNS from the VPN provider.
Currently it works, but it works by accident I think, I didn't specify anywhere (where it makes sense) what DNS to use.
My expectation is to configure a precise DNS IP on the VLAN or VPN interface, but I don't see any option as such...
I see only the General Setup page...
I found one way to do it, that is in the DHCP server page of that VLAN, but first I wonder why this option is even here...
After testing, I understood that this is why it works, but in case of any change in the DHCP config, I need to reconnect my devices, otherwise, the previous DNS remains in the local network config, not a big problem though.
Now I wonder if this is the right way to do it.
Could it help if I specify the DNS in the General Page, allocating the VPN gateway?
I tried to do only that, but the DNS is not reachable; it seems that that config doesn't do anything in my situation, maybe it works without a VPN interface/gateway.
The point is to set this up correctly, nothing else.
-
I managed the point n.3, that is to restrict the DNS usage selecting a precise gateway when I add the DNS server IP in the General Setup page.
I'm not sure if this is the best method, but so far it seems to be working.
As a consequence, the point n.4 remains a problem, especially due to the option to inherit DNS IPs from the OpenVPN service, but it doesn't happen at all.
This is ok as long as the VPN provider doesn't change the VPN DNS IP, which makes my setup static until they change it...
I further tested this setup regarding point n.1, but even if OpenVPN is working from a VLAN, it takes down the Internet in all the other VLANs... It seems that OpenVPN has been applied to the WAN anyway (but in a way that I don't understand), where all the traffic gets routed to the gateway I created, but only for ONE VLAN that has access to that gateway; the others remain without Internet.
This gives me isolation, but too much as far as I see :D .
Generally, I'd say that this is a bug, but I wonder if there is anyone out there that can make a quick test on this; I don't see anything else interfering with my setup.
Could a double WAN help in this situation?
In any case, above my PFSense box there is a modem/router, so I can have a 2 WAN setup.
The only thing is that I don't want to depend on a 2 WAN setup; it will not always be possible in future, I may switch to only use pfSense and I won't have 2 public IPs...
Is there anyone that experienced the same?
-
Up!
New year, new hopes :)
-
The interface where the VPN client goes out has to be the upstream interface, so properly WAN.
To direct out the traffic from only one VLAN you have to change all its pass rules into policy routing rules.
In the OpenVPN client settings you might have to check "Don't pull routes" to avoid that the server pushes the default route.
The DNS server can be stated in the DHCP settings for the respective VLAN though, but best practice is to redirect any DNS request to the desired DNS server with a NAT port forwarding rule on that interface. This can go to the DNS server of the VPN provider or to any other. Due to the policy routing the requests will go out to the VPN.
-
@viragomann said in OpenVPN puts down Internet traffic:
The interface where the VPN client goes out has to be the upstream interface, so properly WAN.
To direct out the traffic from only one VLAN you have to change all its pass rules into policy routing rules.
In the OpenVPN client settings you might have to check "Don't pull routes" to avoid that the server pushes the default route.
Thanks a lot, I'll test it.
The DNS server can be stated in the DHCP settings for the respective VLAN though, but best practice is to redirect any DNS request to the desired DNS server with a NAT port forwarding rule on that interface. This can go to the DNS server of the VPN provider or to any other. Due to the policy routing the requests will go out to the VPN.
One question: the DNS requests will always go to the VPN IP, which is a 10.x.x.x IP, so they will not go outside the VPN in my case; am I still affected?
Or probably you mean that the requests will not be in the VPN tunnel? If so, then it will not work because it's a private address; in case of a public address most probably what you mentioned will happen.
Anyway, I'm not sure how to create what you suggested (NAT port forwarding rule), I'll check that later.
-
@jt40
As you mentioned above, you want the clients in the concerned subnet to use the VPN provider's DNS server.
So simply add a NAT port forwarding rule to the respective interface to redirect any DNS requests to the DNS provider's server, as suggested. It should look like this:
protocol: TCP/UDP
source: any
source port: any
destination: any
destination port: 53
redirect target IP: provider's DNS
redirect port: 53
This rule strictly redirects any TCP and UDP packet to any IP and port 53 to the desired server. It doesn't matter which DNS server the clients are requesting.
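As an added illustration (not from the thread, not pfSense's own output), here is the design from the two replies above, the WAN-bound client, a policy-routed VLAN and the DNS port forward, written as the pf rules that pfSense generates from those GUI settings. Interface names (igb0.10 for the VLAN, ovpnc1 for the OpenVPN client), the subnet 10.10.10.0/24, the tunnel gateway 172.16.0.1 and the provider's resolver 172.16.0.53 are placeholder assumptions.

```pf
# Added example, not from the thread. All names and addresses are placeholders:
#   igb0.10        = the VLAN whose traffic should use the VPN
#   ovpnc1         = the OpenVPN client interface on pfSense
#   10.10.10.0/24  = that VLAN's subnet
#   172.16.0.1     = the tunnel gateway handed out by the VPN server
#   172.16.0.53    = the VPN provider's DNS server
# Translation rules (nat/rdr) come before filter rules, as pfSense writes them.

# 1. Outbound NAT on the VPN interface with destination "any" (the variant the
#    OP found to work): the VLAN's traffic leaves the tunnel with the tunnel
#    address. Restricting the destination to RFC1918 space would leave Internet
#    destinations untranslated.
nat on ovpnc1 inet from 10.10.10.0/24 to any -> (ovpnc1)

# 2. The "NAT port forwarding rule" from the reply: every DNS query from the
#    VLAN, whatever resolver the client asked for, is rewritten to the provider's
#    resolver. rdr happens before filtering, so the policy-routing rule below
#    then sees 172.16.0.53 as destination and pushes the query into the tunnel.
rdr on igb0.10 inet proto { tcp udp } from 10.10.10.0/24 to any port 53 \
    -> 172.16.0.53 port 53

# 3. Policy routing: the VLAN's plain "pass" rule is replaced by one carrying
#    route-to, so only this VLAN's traffic is steered through the VPN gateway
#    and every other VLAN keeps the default route via WAN. Traffic to the other
#    local subnets is matched first, without route-to, or it would be tunnelled.
pass in quick on igb0.10 inet from 10.10.10.0/24 to 10.0.0.0/8 keep state
pass in quick on igb0.10 route-to (ovpnc1 172.16.0.1) inet \
    from 10.10.10.0/24 to any keep state

# The per-VLAN steering only works if the OpenVPN client does not install a
# pushed default route on the firewall; that is what "Don't pull routes"
# (route-nopull in the client configuration) prevents.
```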
-
@viragomann said in OpenVPN puts down Internet traffic:
@jt40
As you mentioned above, you want the clients in the concerned subnet to use the VPN provider's DNS server.
So simply add a NAT port forwarding rule to the respective interface to redirect any DNS requests to the DNS provider's server, as suggested. It should look like this:
protocol: TCP/UDP
source: any
source port: any
destination: any
destination port: 53
redirect target IP: provider's DNS
redirect port: 53
This rule strictly redirects any TCP and UDP packet to any IP and port 53 to the desired server. It doesn't matter which DNS server the clients are requesting.
I'm not sure why you would prefer to use port forwarding, which is used for other scenarios to my knowledge.
Plus, I'm talking about outgoing DNS requests, so port forwarding can't be a solution, or can it?
Doesn't a simple FW rule on the OpenVPN interface do the job?
Or probably on the VLAN directly, I need to check.
To avoid DNS IP changes, it's good to have the following rule:
ALLOW ALL from the VLAN IP to every IP on port 53
but always within the IP range of the VPN server.
The only issue I can see for now is if the IP range is similar to mine; I probably need to restrict it up to a certain point to avoid such a conflict, given that the VPN provider doesn't change that too.
-
@jt40 said in OpenVPN puts down Internet traffic:
As you mentioned above, you want the clients in the concerned subnet to use the VPN provider's DNS server.
So is this still correct or not?
If yes, port forwarding is the best way to get it.
-
@viragomann said in OpenVPN puts down Internet traffic:
@jt40 said in OpenVPN puts down Internet traffic:
As you mentioned above, you want the clients in the concerned subnet to use the VPN provider's DNS server.
So is this still correct or not?
If yes, port forwarding is the best way to get it.
Thanks a lot for your help, I just need to get my head around it, stuff for the next maintenance :D