OpenVPN steals all outbound traffic when activated
-
First, this is dealing with a commercial VPN (using OpenVPN) and I have been dealing with tech support for the VPN service, but they're limited in what they can do and their higher level techs are only available when I'm sleeping or at work. And, honestly, I trust this community to give me better answers and technical insight. (Just want to get that, "Why don't you ask them? issue out of the way first.) (Also, I know I can use my own VPS and OpenVPN setup - but that has limited bandwidth and BrandX costs $1 more a month than the VPS and has unlimited bandwidth.)
I'm on Starlink internet, which uses CGNAT. So I have a setup a bit like this:
LAN ---- pfSense ---- Starlink Router ---- CGNAT gateway ---- Real World Internet
My LAN uses a 172.16.17.xxx subnet. Starlink's router uses 192.168.1.xxx. The Starlink router is 192.168.1.1. The pfSense WAN address is random. The pfSense LAN is 172.16.17.1 and it's the DHCP server for my LAN and the DNS (and forwards requests for DNS for the WAN/internet).
I'm on pfSense 22.01. (Once I have all this working, I'll take time to get the EFI partition issue fixed and upgrade from there.)
I need to be able to access systems in my LAN from outside and to use a VPN to do it. I was experimenting with an OpenVPN server on a VPS and have asked questions about that. I was able to get it working so the server was on the VPS and pfSense worked as a client for that system. I could verify, from the status on the VPS that pfSense was a client and I could also verify that status on pfSense, so I know I can connect to a VPN, specifically one based on OpenVPN, through the CGNAT gateway. I could connect and didn't have other issues going on with my connectivity while connected.
Now I'm working with BrandX VPN (rather not name them - while they're not the best, and their lower level techs have spent a LOT of time helping me, so I don't want to make them look bad). This is one of those services usually used for privacy, but also will let me use port forwarding within the VPN so I can reach my LAN systems from my mobile devices. Their setup (for the pfSense client) is mostly the same as what I had to do for my own OpenVPN client. That includes how I created an OpenVPN interface for BrandX's VPN.
Once I got the BrandX OpenVPN client configured, I got a connection and promptly lost my internet connection for everything in the LAN. So here's the related info for that:
- The BrandX VPN connected and my LAN lost internet connection
- I could not ping 8.8.8.8. (One of Google's name servers - easy to ping to check connectivity.)
- I could ping my pfSense firewall.
- I could ping, from the LAN, my Starlink router at 192.168.1.1 - which is the DNS and DHCP for my WAN side of pfSense.
- I can still ping 8.8.8.8 from the command line on pfSense.
- No DNS or connectivity for ANYTHING in the LAN.
I did not expect this, since my own OpenVPN network didn't do anything like this. BrandX does provide instructions to change ALL NAT rules to use the BrandX VPN as the NAT address. Once I did that, connectivity was restored. So I can get to the internet, and the VPN does work, BUT I don't want all my traffic going through it. (Speed is one issue, but there are reasons why I don't want all traffic going through BrandX.)
Once I get this setup so the VPN is hooked up and my normal traffic is going through the normal internet connection, I'll set up rules for port forwarding so I can reach LAN systems from outside, through the VPN. But that's a separate issue and, for now, I just want to have that BrandX OpenVPN client on pfSense to connect to BrandX's VPN servers without it trying to take all my traffic.
What's happening that, when I connect to this VPN, it suddenly takes over my entire internet connection, and what can I do to stop that? (So that, later, I can set it up for port forwarding through the BrandX VPN.)
-
@tangooversway So if I understand you correctly, once you activate your commercial VPN, all your LAN traffic goes out the VPN?
-
@michmoor said in OpenVPN steals all outbound traffic when activated:
So if I understand you correctly, once you activate your commercial VPN, All your LAN traffic goes out the VPN?
When I activate it, almost all traffic dies (except for the limited ping abilities I described). That didn't happen with the OpenVPN server and client I set up on my own.
Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.
So why do the two behave so differently? Why does one need interfaces in NAT rules switched and the other doesn't and what is going on that the BrandX automatically stops all traffic if the interfaces aren't switched?
-
@tangooversway
Presumably the VPN server pushes the default route to you.
This is a pretty common setting of VPN services. To avoid it go to the VPN client settings and add a check at "Don't pull routes".
After that you have to create policy routing rules to direct the desired traffic out through the VPN.
@tangooversway said in OpenVPN steals all outbound traffic when activated:
Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.
What do you mean with "switch interfaces in the NAT rules"?
Basically you need to add outbound NAT rules for your internal subnets on the VPN interface, if you want to pass out upstream traffic. But there is nothing to switch. Existing rules (automatic) should stay in place.
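To make the "pushed default route" explanation concrete, here is an added example (not from the thread, pfSense or OpenVPN) that parses the PUSH_REPLY line an OpenVPN client writes to its log and shows which pushed options the client ignores under route-nopull, the setting behind the pfSense "Don't pull routes" checkbox. The log line is constructed, and the interface names `wan` and `ovpnc1` are assumptions.

```python
import re

# Constructed sample log line (not from the thread): what an OpenVPN client logs
# when the server answers its pull request. Commercial VPN servers commonly push
# "redirect-gateway def1", which replaces the client's default route.
SAMPLE_PUSH_LINE = (
    "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
    "dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,"
    "ifconfig 10.8.0.6 255.255.255.0,ping 10,peer-id 3,cipher AES-256-GCM'"
)

# Option families the client ignores under route-nopull (pfSense "Don't pull
# routes"), per the OpenVPN manual: routes, redirect-gateway, dhcp-option, block-outside-dns.
NOPULL_IGNORED = ("route", "redirect-gateway", "dhcp-option", "block-outside-dns")

def parse_push_reply(line):
    """Return the options pushed by the server, or [] if the line is no PUSH_REPLY."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if not match:
        return []
    return [opt.strip() for opt in match.group(1).split(",") if opt.strip()]

def apply_pull_policy(options, route_nopull):
    """Split pushed options into (applied, ignored) according to route-nopull."""
    applied, ignored = [], []
    for opt in options:
        if route_nopull and opt.split()[0].startswith(NOPULL_IGNORED):
            ignored.append(opt)
        else:
            applied.append(opt)
    return applied, ignored

def default_route_interface(applied, wan_if="wan", vpn_if="ovpnc1"):
    """Interface carrying the default route once the applied options take effect (names assumed)."""
    if any(opt.startswith("redirect-gateway") for opt in applied):
        return vpn_if
    return wan_if

def explain_client(line, route_nopull):
    """Summarise what the client does with a PUSH_REPLY line under the given setting."""
    pushed = parse_push_reply(line)
    applied, ignored = apply_pull_policy(pushed, route_nopull)
    return {"applied": applied, "ignored": ignored,
            "default_route": default_route_interface(applied)}

if __name__ == "__main__":
    for nopull in (False, True):
        print(f"route-nopull={nopull}: {explain_client(SAMPLE_PUSH_LINE, nopull)}")
```

With route-nopull off, the pushed redirect-gateway moves the default route onto the VPN interface, which is the symptom described in the thread; with it on, the tunnel still comes up (ifconfig, cipher and keepalive options are applied) but the default route stays on WAN, and traffic reaches the VPN only through policy routing plus outbound NAT on the VPN interface.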