Outbound openvpn to Expressvpn and route voIP traffic through it only - Bid $

xbipin

well i didnt, i use the below commands only

fast-io;route-delay 2;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;

expressvpn gave me a ovpn file with the below contents so could u recommend what commands should i use out of them

dev tun
fast-io
#proto tcp-client
persist-key
persist-tun
replay-persist cur-replay-protection.cache
nobind
remote canada-cluster.expressnetwork.net 1194
remote canada-cluster2.expressnetwork.net 1194
remote canada-cluster3.expressnetwork.net 1194
remote canada-cluster4.expressnetwork.net 1194
remote-random
pull
# Use compression
comp-lzo
# Strong encryption
tls-client
tls-remote server
ns-cert-type server
tls-auth ssl/ta.key 1
verb 3
cert ssl/client.crt
key ssl/client.key
ca ssl/ca.crt

route-method exe
route-delay 2

tun-mtu 1500
fragment 1300
mssfix 1450

stephenw10

We have reached the limits of my own experience with this, anything further is experimental!  ::)
However since something apparently is causing you default route to change I think you first need to confirm this is happening when you connect the OpenVPN tunnel by comparing your routing table before and after.

Steve

xbipin

i dont think the default gateway is being changed

screenshot attached for before vpn and after vpn

stephenw10

No but it is pushing a route, 0.0.0.0/1, which includes the entire internet! It never has to use the default route any more because it has a route to everywhere.

This is the expected behaviour if the server is pushing the redirect-gateway def1 command:

Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

You could prevent this by using the 'route-nopull' option in the client config but that will probably prevent any routing information being sent making the vpn connection useless. Might be worth a try though.  :-\

Steve

Edit: You can add routes back manually to the config file:
route yourvoipserverIP;

xbipin

after i added route-nopull i get the below routing table which seems correct now

xbipin

if i added the 'route-nopull' then went to AON and switched it back to Auto and under rules in lan to any removed the gateway which was as wan, all traffic goes out the default wan conenction which earlier wasnting working at all untill i specified wan as gateway so i guess that got solved.

according to this thread http://forum.pfsense.org/index.php/topic,7361.0.html its not possible to shape traffic that goes inside a tunnel so the whole tunnel traffic needs to be sent to a single queue so i just want to route the voip so i added 2 rules under floating tab one with direction out and selected source as any and destination as vpn subnet and other as traffic in, source vpn subnet and destination any and assigned the qvoip to both but only the in traffic goes to qvoip and the out still goes to qp2p. both the rules r set as queues

xbipin

i guess i spoke too soon, AON needs to be left on but the default lan to any doesnt need a gateway atleast

stephenw10

You will always need AON enabled due to changes in openvpn setup detailed by ermal.

That's a good result though. Did you have to add a route back in the client config?

Steve

xbipin

no i didnt add any client config, all i did is add ur recommended command under advanced configuration in the client openvpn section which looks like this now

fast-io;route-delay 2;route-nopull;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;

stephenw10

@xbipin:

according to this thread http://forum.pfsense.org/index.php/topic,7361.0.html its not possible to shape traffic that goes inside a tunnel so the whole tunnel traffic needs to be sent to a single queue

That's only true for traffic in tunnel going through the pfSense box. Since the traffic destined for the VPN enters pfSense unencrypted it should be possible to shape it. Though I'm not sure quite how!

@xbipin:

i just want to route the voip so i added 2 rules under floating tab one with direction out and selected source as any and destination as vpn subnet and other as traffic in, source vpn subnet and destination any and assigned the qvoip to both but only the in traffic goes to qvoip and the out still goes to qp2p. both the rules r set as queues

Probably the out rule is not catching traffic because the VOIP server is not in the VPN subnet. Though the IN rule is catching traffic.  :-\

Steve

xbipin

but if u see, the rule under lan that says lan to sip server should go through vpn gateway, pfsense catches that and send it to the proper gateway so basically its able to detect upload traffic so then y cant it just assign the proper queue.

any1 else have any idea on how to send vpn traffic to the proper queue as all i would be sending through the tunnel is voip only so might as well send all vpn to the voip quene entirely

stephenw10

Can you give some screen shots of your queue rules, firewall rules etc?

Steve

xbipin

the rules on the floating tab are just queues

xbipin

few more screenshots

xbipin

the 2 rules on floating tab that say * to mysip and mysip to * were originally created when i wasnt using vpn and voip used to work directly through wan. after vpn, the only additional rule i created was under lan for UDP * to mysip using gateway expressvpn

stephenw10

Well this is definitely outside my experience now.  ;)
However I think you need to disable the * to mysip rules on floating in order to make sure it's not them that are catching the inbound traffic and sending it to qvoip.

Also I can't see how outbound traffic can possibly end up in qp2p when the only reference to it is for port 28183.  :-\

Steve

xbipin

well the 2 rules for mysip were made so traffic goes to qvoip, if i remove that then wont both up and down goto qp2p, we r trying here to send traffic tot he qvoip

stephenw10

It may well but at least that would tell us which rule is sending traffic to qvoip, mysip to * or VPN to *.

I still don't understand why any of that traffic would go to qp2p, is there a rule I'm missing?

Busily reading the chapter 16 of the definitive guide…..

Steve

xbipin

attached r screenshots of the traffic shaper and i added the same queues under expressvpn interface which initially were not there, after doing so i see the voiptraffic going out of vpn under queue qvoip in lan and qvoip in expressvpn but all list in qp2p on wan under queues, i dont know if this is correct or no coz i think i have rules missing which would make the total traffic go out of qvoip on wan mayb because thats encrypted openvpn traffic, so could u tell me what rule to create for openvpnt raffic, i mean does it come under gre, udp or tcp or any specific ports?

stephenw10

Hmm, I think at this point I'm just guessing. My experience with traffic shaping is limited (pun intended!).

Now that you have setup an ExpressVPN connection and have routing correctly configured perhaps you should start a new thread in the traffic shaping sub-forum.

Informed guess work follows…
There is relatively little documentation about this and what there is mostly relates to 1.2.X (the definitive guide). It's worth thinking about what point in the chain the vpn encryption happens in combination with how the traffic shaper works with queues.
The inbound queue is working because that actually limits traffic as it leaves the LAN interface. At that point it is unencrypted VOIP traffic (UDP on whatever port you are using). However the outbound queue is liming traffic leaving the box which is encrypted TCP probably on port 1194. Further confusing matters is that this traffic leaves as an encrypted stream on WAN but it also leaves on ExpressVPN, is it encrypted at this point?  :-
Since you have added rules on ExpressVPN which are catching traffic leaving that must provide a clue.
You must have some catch-all rule sending stuff to qp2p or is that the default queue?
Like I said guesswork!  ::)

Steve