Netgate Discussion Forum
    Outbound OpenVPN to ExpressVPN and route VoIP traffic through it only - Bid $

    36 Posts 3 Posters 22.9k Views
      xbipin:

      Steps I did were:

      set up OpenVPN client with server-specific settings such as certificates, keys etc.
      assign an interface
      created a gateway under routing

        stephenw10 (Netgate Administrator):

        What guide did you follow?

        Steve

          xbipin:

          http://forum.pfsense.org/index.php/topic,29944.0.html

            stephenw10 (Netgate Administrator):

            Ah OK.
            Pretty much exactly what I had in mind. I would probably have tried to use a tap interface but if you can use tun so much the better.

            It's not obvious why AON has to be enabled, and clearly it wasn't required when that guide was first written; I'll have to read through the thread.

            Did you change the firewall rule so it only routed traffic from your VOIP server? Following the guide exactly would indeed route all your traffic via the VPN.
            Also make sure the VPN gateway is not set as default and that the correct outbound NAT rules are in place after you switch to AON.

            Steve

            Edit: OK the AON requirement is explained here.

              stephenw10 (Netgate Administrator):

              There's also Chris's comment in that thread:
              @cmb:

              That's ok for your typical home setup, but what you're actually doing there is overriding the fact that StrongVPN is pushing you a default route and modifying your firewall's routing table so it sends everything over the VPN (unless you override it with policy routing as you're doing). That will cause a number of issues with more advanced setups, as it's going to default to sending traffic initiated from the firewall out of the VPN which is usually going to be undesirable.

              If the VPN connection is indeed pushing a new default route, which is undesirable, then that too would explain your problem.
              You could get around this by changing the gateway of the default 'LAN to any' rule but as Chris says that won't help traffic generated by pfSense.
              A better solution would be to prevent the default route changing the pfSense routing table but I'm unsure how to do that.

              Steve

                pkwong:

                It's doable.  Pick your voip adapter, run siproxd and have the outgoing interface point to the vpn interface.  In other words, create an interface and assign the openvpn tunnel to it.  You'll have more flexibility with the way it's set up.

                When all else fails, don't blame the machine.  Blame your architecture.

                  xbipin:

                  @stephenw10:

                  Ah OK.
                  Pretty much exactly what I had in mind. I would probably have tried to use a tap interface but if you can use tun so much the better.

                  It's not obvious why AON has to be enabled, and clearly it wasn't required when that guide was first written, I'll have to read through the thread.

                  Did you change the firewall rule so it only routed traffic from your VOIP server? Following the guide exactly would indeed route all your traffic via the VPN.
                  Also make sure the VPN gateway is not set as default and that the correct outbound NAT rules are in place after you switch to AON.

                  Steve

                  Edit: OK the AON requirement is explained here.

                  The VPN gateway isn't set as default; default would be the PPPoE connection to my ISP on the WAN interface. After some OpenVPN changes mentioned in the same thread, it's now required to switch to AON to make all your LAN traffic route through the VPN. The only problem I face is routing everything over WAN but just VoIP traffic through the VPN.

                  I haven't changed any firewall rules; I tried to create a few but they didn't work. I will need to try to edit the default 'LAN to any' to route using WAN and 'LAN to VoIP server' using VPN; will let you know if that works.

                  What I wanted to know is, once I switch to AON, do I need to create rules there to route differently?

                    xbipin:

                    @pkwong:

                    It's doable.  Pick your voip adapter, run siproxd and have the outgoing interface point to the vpn interface.  In other words, create an interface and assign the openvpn tunnel to it.  You'll have more flexibility with the way it's set up.

                    If I do this, how do I still stop the rest of the LAN traffic going through the VPN?

                      stephenw10 (Netgate Administrator):

                      When you switch to AON the existing auto rules should be filled in for you. If you then subsequently add any further interfaces you will have to manually add rules.
                      If you post some screen shots I'm sure we can resolve this for you.

                      If it is a problem with the remote VPN network pushing a new default route to you then you should be able to see that change in Diagnostics: Routes: in the GUI.

                      Steve

                        xbipin:

                        I managed to get it up and routing properly:

                        enabled AON
                        in rules, edited the default 'LAN to any' rule and set it to the WAN gateway
                        created a new rule under LAN for LAN to SIP server IP and set it to the VPN gateway

                        This did it for me, but some other issues came up.

                        Under floating I have 2 rules for LAN to SIP server and SIP server to LAN without any gateway specified but given the VoIP queue so the traffic shaper can prioritize that. But after setting this VPN up, I only see the qVoIP on LAN getting populated and the upload goes to the default qp2p instead of the qVoIP on WAN. Any fix for that so this VoIP over VPN goes to the proper up and down qVoIP queues?

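The two LAN rules described in the post above are pfSense policy-routing rules, and pfSense evaluates interface rules top-down with the first match winning. The following is an added example (not code from the thread, from pfSense, or from any poster) that models that first-match evaluation and flags a specific rule that is shadowed by a broader one placed above it. The LAN network 192.168.1.0/24, the SIP server address 198.51.100.25 and the gateway names WAN_PPPOE and VPN_GW are constructed placeholders.

```python
"""First-match evaluation of pfSense-style LAN rules with policy-routing
gateways, showing why 'LAN to SIP server -> VPN gateway' has to sit above
'LAN to any -> WAN gateway' to ever take effect.

Added example, not the thread's or pfSense's own code. Addresses and gateway
names are constructed placeholders.
"""
import ipaddress

LAN_NET = "192.168.1.0/24"      # constructed: the LAN subnet
SIP_SERVER = "198.51.100.25"    # constructed: the VoIP provider's SIP server


def rule(descr, src, dst, gateway=None, action="pass"):
    """One firewall rule: source/destination networks plus an optional
    policy-routing gateway (None = use the system default route)."""
    return {"descr": descr,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "gateway": gateway,
            "action": action}


def first_match(rules, src_ip, dst_ip):
    """Top-down, first match wins; None means the implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r
    return None


def chosen_gateway(rules, src_ip, dst_ip):
    """Gateway the matching pass rule policy-routes to, 'default' when the rule
    leaves the gateway unset, None when no rule passes the traffic."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None or r["action"] != "pass":
        return None
    return r["gateway"] or "default"


def lint_order(rules):
    """Report rules that can never fire because an earlier rule already
    covers their whole source and destination with a different gateway."""
    warnings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["gateway"] != later["gateway"]):
                warnings.append(f"'{later['descr']}' is shadowed by '{earlier['descr']}'")
                break
    return warnings


# The two rules from the post, first in the order that loses the VoIP policy
# route, then in the order that works.
WRONG_ORDER = [
    rule("LAN to any", LAN_NET, "0.0.0.0/0", gateway="WAN_PPPOE"),
    rule("LAN to SIP server", LAN_NET, SIP_SERVER + "/32", gateway="VPN_GW"),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    phone = "192.168.1.50"  # constructed: a LAN handset
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(f"{label}: SIP traffic -> {chosen_gateway(rules, phone, SIP_SERVER)}; "
              f"warnings: {lint_order(rules)}")
```

With the specific rule below the catch-all, SIP traffic silently leaves via the WAN gateway and the lint function points at the shadowing rule; reversing the order sends only the SIP traffic through the VPN while everything else keeps the WAN gateway.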
                          stephenw10 (Netgate Administrator):

                          Reading through this:
                          http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
                          and then this:
                          http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

                          It would appear that the reason your routing table is being overwritten is due to the advanced command in the openvpn client setup: redirect-gateway def1
                          Assuming you copied this from the StrongVPN guide.

                          First check that your routing table is being changed as I outlined in my previous post. Then try removing this command and recheck.
                          If this successfully prevents your default route changing then you can remove the gateway settings from the 'lan to any' rule.

                          Steve

                            xbipin:

                            Well I didn't; I use the below commands only:

                            fast-io;route-delay 2;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;

                            ExpressVPN gave me an .ovpn file with the below contents, so could you recommend which commands I should use out of them?

                            dev tun
                            fast-io
                            #proto tcp-client
                            persist-key
                            persist-tun
                            replay-persist cur-replay-protection.cache
                            nobind
                            remote canada-cluster.expressnetwork.net 1194
                            remote canada-cluster2.expressnetwork.net 1194
                            remote canada-cluster3.expressnetwork.net 1194
                            remote canada-cluster4.expressnetwork.net 1194
                            remote-random
                            pull
                            # Use compression
                            comp-lzo
                            # Strong encryption
                            tls-client
                            tls-remote server
                            ns-cert-type server
                            tls-auth ssl/ta.key 1
                            verb 3
                            cert ssl/client.crt
                            key ssl/client.key
                            ca ssl/ca.crt
                            
                            route-method exe
                            route-delay 2
                            
                            tun-mtu 1500
                            fragment 1300
                            mssfix 1450
                            
                            
                              stephenw10 (Netgate Administrator):

                              We have reached the limits of my own experience with this, anything further is experimental!  ::)
                              However, since something apparently is causing your default route to change, I think you first need to confirm this is happening when you connect the OpenVPN tunnel by comparing your routing table before and after.

                              Steve

                                xbipin:

                                I don't think the default gateway is being changed.

                                Screenshot attached for before VPN and after VPN.

                                [Attachments: CropperCapture[2].jpg, CropperCapture[1].jpg]

                                  stephenw10 (Netgate Administrator):

                                  No but it is pushing a route, 0.0.0.0/1, which includes the entire internet! It never has to use the default route any more because it has a route to everywhere.

                                  This is the expected behaviour if the server is pushing the redirect-gateway def1 command:

                                  Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

                                  You could prevent this by using the 'route-nopull' option in the client config but that will probably prevent any routing information being sent making the vpn connection useless. Might be worth a try though.  :-\

                                  Steve

                                  Edit: You can add routes back manually to the config file:
                                  route yourvoipserverIP;

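The point Steve makes above, and in his earlier post about redirect-gateway def1, is that the pushed 0.0.0.0/1 and 128.0.0.0/1 routes beat the untouched 0.0.0.0/0 default on prefix length, so the default route looks unchanged in Diagnostics: Routes while every destination now goes via the tunnel. The following is an added example (not code from the thread, pfSense or OpenVPN) that parses the semicolon-separated custom option strings quoted in this thread, builds the resulting routing table for the three cases discussed (pull the def1 push, route-nopull, route-nopull plus a client-side route for the VoIP server), and resolves destinations by longest-prefix match. The ISP gateway 203.0.113.1, tunnel gateway 10.8.0.1 and VoIP server 198.51.100.25 are constructed placeholders.

```python
"""Routing-table simulation: how a pushed ``redirect-gateway def1`` takes over
egress without touching the default route, and what ``route-nopull`` plus an
explicit client-side ``route`` directive change.

Added example, not code from the forum thread, pfSense or OpenVPN.
Gateway and server addresses below are constructed placeholders.
"""
import ipaddress

ISP_GW = "203.0.113.1"         # constructed: PPPoE gateway on WAN
VPN_GW = "10.8.0.1"            # constructed: far end of the OpenVPN tun
VOIP_SERVER = "198.51.100.25"  # constructed: the SIP provider

# The two pfSense "Advanced" option strings quoted in the thread
# (semicolon-separated, as the custom options field expects).
ORIGINAL_OPTS = "fast-io;route-delay 2;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;"
NOPULL_OPTS = "fast-io;route-delay 2;route-nopull;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;"


def parse_custom_options(text):
    """Split a semicolon- or newline-separated OpenVPN option string into
    (directive, [args]) pairs, skipping blanks and '#' comments."""
    options = []
    for raw in text.replace("\n", ";").split(";"):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        options.append((directive, args))
    return options


def build_routing_table(options, server_push=("redirect-gateway", "def1")):
    """Return [(network, gateway)] as the kernel sees it once the tunnel is up.
    Start state: the ISP default route plus the tunnel subnet."""
    table = [("0.0.0.0/0", ISP_GW), ("10.8.0.0/24", "tun-link")]
    names = {name for name, _ in options}

    # route-nopull makes the client ignore every server-pushed route.
    if "route-nopull" not in names and server_push[0] == "redirect-gateway":
        if "def1" in server_push[1:]:
            # def1: two /1 halves cover all of IPv4 but leave 0.0.0.0/0 in place.
            table += [("0.0.0.0/1", VPN_GW), ("128.0.0.0/1", VPN_GW)]
        else:
            # plain redirect-gateway: the default route itself is replaced.
            table = [r for r in table if r[0] != "0.0.0.0/0"] + [("0.0.0.0/0", VPN_GW)]

    # A client-side 'route <host>' directive (default netmask /32, default
    # gateway = the tunnel's remote end) is still installed with route-nopull.
    for name, args in options:
        if name == "route" and args:
            net = args[0] if "/" in args[0] else args[0] + "/32"
            table.append((net, VPN_GW))
    return table


def lookup(table, destination):
    """Longest-prefix match, the same rule the kernel applies."""
    ip = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for net, gw in table:
        network = ipaddress.ip_network(net)
        if ip in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_gw = network, gw
    return best_gw


def egress_gateway(option_text, destination):
    """Next hop that traffic to `destination` takes under a given option string."""
    return lookup(build_routing_table(parse_custom_options(option_text)), destination)


if __name__ == "__main__":
    public_host = "93.184.216.34"  # constructed sample destination
    for label, opts in (("pull def1 push", ORIGINAL_OPTS),
                        ("route-nopull", NOPULL_OPTS),
                        ("route-nopull + route", NOPULL_OPTS + f"route {VOIP_SERVER};")):
        print(f"{label}: web -> {egress_gateway(opts, public_host)}, "
              f"VoIP -> {egress_gateway(opts, VOIP_SERVER)}")
```

Run it and the first case sends both the web destination and the VoIP server via 10.8.0.1 even though the 0.0.0.0/0 entry still points at the ISP, which is exactly why checking only the default route misses the change; route-nopull returns everything to the ISP gateway, and adding a client-side route for the VoIP server brings just that host back onto the tunnel.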
                                    xbipin:

                                    After I added route-nopull I get the below routing table, which seems correct now.

                                    [Attachment: CropperCapture[3].jpg]

                                      xbipin:

                                      If I added the 'route-nopull', then went to AON and switched it back to Auto, and under rules in 'LAN to any' removed the gateway which was set as WAN, all traffic goes out the default WAN connection, which earlier wasn't working at all until I specified WAN as gateway, so I guess that got solved.

                                      According to this thread http://forum.pfsense.org/index.php/topic,7361.0.html it's not possible to shape traffic that goes inside a tunnel, so the whole tunnel traffic needs to be sent to a single queue. Since I just want to route the VoIP, I added 2 rules under the floating tab: one with direction out, source set as any and destination as the VPN subnet, and the other as traffic in, source VPN subnet and destination any, and assigned qVoIP to both. But only the in traffic goes to qVoIP and the out still goes to qp2p. Both the rules are set as queues.

                                        xbipin:

                                        I guess I spoke too soon; AON needs to be left on, but the default 'LAN to any' doesn't need a gateway at least.

                                          stephenw10 (Netgate Administrator):

                                          You will always need AON enabled due to changes in openvpn setup detailed by ermal.

                                          That's a good result though. Did you have to add a route back in the client config?

                                          Steve

                                            xbipin:

                                            No, I didn't add any client config; all I did is add your recommended command under advanced configuration in the client OpenVPN section, which looks like this now:

                                            fast-io;route-delay 2;route-nopull;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.