Netgate Discussion Forum

PfSense as OpenVPN Client

OpenVPN
      joako

      I have some VPN service and I would like to use pfSense as a client. Additionally I would want only the traffic I create rules for to be routed through the VPN.

      I have tried many times, but it seems the route from the VPN provider overrides the default gateway in pfSense and causes the hosts that don't have firewall rules to go through the VPN to instead lose connectivity.

      Is it possible to ignore the default route from the OpenVPN client?

        GruensFroeschli

        Set in the allow-firewall rule on your LAN as gateway your actual gateway directly (not default, which is the routing table).

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          joako

          I started over with a very minimal configuration instead of trying to copy-paste it from the desktop client.

          But I had to add "route-nopull", otherwise traffic from pfSense is routed through the VPN (e.g. traceroute).

            ragoley

            I am trying to do something very similar with SwissVPN and policy based routing.  Can you share a bit of how you got your VPN setup with and possibly with what provider?  I am not an amateur with firewalls but I am a bit of newbie with VPNs.  Trying to fix that…

              jony

              Can someone solve this? Waiting for the reply.

                heper

                @GruensFroeschli:

                Set in the allow-firewall rule on your LAN as gateway your actual gateway directly (not default, which is the routing table).

                The answer has been given already: set your ISP's gateway on the default "allow all" rule (edit -> advanced section).

                  pelle_chanslos

                  The solution suggested here works in the sense that it will allow clients on the interfaces that are routed through the WAN gateway instead of the default one to access the internet without going through the VPN connection. But using the WAN gateway means that they are unable to access any other interface than the WAN (other local interfaces, e.g. if you have several LANs connected in pfSense).

                  Is there a solution to this?

                  Logically, it would be nice to let the interfaces that should use the VPN connection use a special gateway for this, and not let OpenVPN mess with the default gateway. I guess you would have to turn off OpenVPN's auto routing and route yourself then. Question is how to configure the OpenVPN gateway (in my suggestion above) to give access to both other LANs and the WAN (WAN only through the VPN, of course).

                    GruensFroeschli

                    If you don't want OpenVPN to consider the routes provided by the OpenVPN server, then use route-nopull as joako wrote.
                    -> This implies that you have to handle routing yourself: what you want to push into the tunnel and what not.

                    In such a case I would probably force the default gateway of the allow-all rule to the WAN.
                    Allow OpenVPN to change your routing table.
                    Then create an alias with all the clients which need to use the OpenVPN.
                    Create above the allow-all rule a new rule using the routing table (default), which is overwritten/adjusted by OpenVPN.

                    I'm not sure what your requirement is, so I may misunderstand what you want to do.
                    (Also there are multiple ways to achieve the same.)

                      pelle_chanslos

                      @GruensFroeschli:

                      I'm not sure what your requirement is, so i may missunderstand what you want to do.
                      (Also there are multiple ways to achieve the same)

                      Thank you for the reply, apologies for the late response.

                      The problem is, as you might have guessed, that I'm not very familiar with routing or networks at all. But I've managed to set up pfsense and do a lot of things I didn't know how to do just a few weeks ago, so I'm staying positive!

                      I don't completely understand your instructions, but let me tell you more precisely what I want to accomplish.

                      I have four interfaces set up in pfsense (version 2.1-BETA1):
                      WAN
                      LAN (connected to a switch that wired clients connect to) - 192.168.1.1
                      WIFI1 (connected to a 2.4 GHz-AP that wireless clients connect to) - 192.168.2.1
                      WIFI2 (connected to a 5 GHz-AP that wireless clients connect to) - 192.168.3.1

                      Each interface has its own DHCP-server running for its clients. I have firewall rules for LAN, WIFI1 and WIFI2 that allows any traffic from them to any destination (IPv4). This works fine, and they can all communicate with each other and with the internet through the WAN.

                      Using the OpenVPN-client in the web-GUI in pfsense I then added a connection to a commercial VPN-service (using OpenVPN) that will disguise my IP. This also works well, but I have to go to Firewall: NAT: Outbound and select Manual Outbound NAT rule generation. I then create rules for the OpenVPN-interface (I suppose the OVPN-client created this interface?) for each subnet. The rules says to allow any destination and port and the "NAT address"-field is "OpenVPN address". I don't know exactly what this does, but it makes the OVPN connection work fine for all clients connected to any of the interfaces.

                      What I would like to do is to:

                      1. Be able to choose which interfaces goes through the OVPN and which interfaces that goes through the regular WAN without going into the OVPN-connection.
                      2. Be able to run a PPTP server in pfsense that can be reached by my WAN-address (not the OVPN one) so that the PPTP-clients can reach all of my local interfaces and also the internet through the OVPN-connection.

                      Is it:

                      1. Possible to understand what I want to do?
                      2. Possible to make such a configuration work?

                      Again, thanks a lot for your help!

                        georgeman

                        That can be achieved by modifying the gateway setting on the default rule for each interface. Routing between the interfaces lying within pfSense should not be affected (pfSense will route traffic through a gateway only when the destination is not within its interfaces, by default). If you want some specific traffic not to go through the VPN, you can create another rule and place it ABOVE the default one, specifying what gateway it should get sent to (or leave it blank to use the current system routing table). Remember rules are matched from the top to the bottom, the first match wins and rules are not evaluated anymore (there's an option to override this, though).

                        Cheers!

                        If it ain't broke, you haven't tampered enough with it

                          joako

                          @pelle_chanslos:

                          This is just a matter of managing the firewall rules as you normally would when using multiple interfaces. For example, if you want to have LAN subnet access to the OPT2 subnet, 192.168.1.5 to access the internet through your VPN and everything else to go through your WAN, your rules from top to bottom should look like this:

                          Source: LAN Subnet
                          Destination: OPT2 Subnet
                          Gateway: * (Default)

                          Source: 192.168.1.5
                          Destination: *
                          Gateway: VPN_GW

                          Source: *
                          Destination: *
                          Gateway: *

                          Remember that rules are evaluated from top to bottom until the first match is found. I suspect you have something like this:

                          Source: 192.168.1.5
                          Destination: *
                          Gateway: VPN_GW

                          Source: *
                          Destination: *
                          Gateway: WAN_GW

                          With this configuration your traffic from 192.168.1.5 goes to the VPN and everything else is sent to the WAN. No traffic to OPT2 is passed.

                            pelle_chanslos

                            @joako:

                            Thanks for the reply! I can't get it to work, though. There are a number of discrepancies between your solution and the way my pfSense looks.
                            First, I don't have all the rules in one table. In my version of pfSense (2.1-BETA1) all the interfaces have their own tabs with rules, so I don't know in which one to enter the rules you mention. I suppose they would be in different ones.
                            Second, the default gateway is altered somehow when connecting to an OVPN client, so the DEFAULT gateway is the VPN_GW in your example. There is another GW present once I have connected to the OVPN client called "WAN_DHCP (ip.addr.of.isp)". If I choose this gateway for the default rule on an interface AND also change the NAT outbound to use WAN instead of "OpenVPN Address", then that interface CAN connect to the internet via the WAN, but not to any clients connected to other interfaces on pfSense (like local LAN machines).

                            So then I tried adding a rule for my (testing) interface that was placed above the standard allow-all rule, with the difference that this rule only applied to "Destination: WAN subnet" and I also changed the gateway to WAN_DHCP in this rule.
                            Regardless of whether I have the NAT outbound rule set to WAN or OpenVPN Address for that interface, it doesn't work when I have "Destination: WAN subnet (or WAN address)" in the rule.

                            Do you understand what I'm doing wrong? Because I don't.

                              georgeman

                              The rules mentioned above should be on the LAN tab.

                              Do you say that playing around with the gateway setting breaks connectivity towards your OPT2? There's something wrong there. pfSense will only route through a specified gateway for traffic that is directed to a subnet that is NOT hanging on its own interfaces. You cannot break inter-interface traffic just by messing with the gateways; there must be something else.

                              Also be careful with the outbound NAT. You mention several times "changing the outbound NAT from WAN to OpenVPN", I don't think there is any need to change anything once it's properly set up to alter the behaviour.

                              On your setup, outbound NAT should be set up to NAT traffic coming from ANY, destination ANY, on the WAN interface and also on the OpenVPN (two rules). You can leave both rules on at the same time and forget about them (unless there is a private subnet hanging on your WAN or something like that).

                              Reading your post once again, I think your problem is with the outbound NAT. Looks like your internal traffic towards OPT2 is being NAT'ed as well. Post your Outbound NAT rules and let's see, this shouldn't be this difficult…

                              EDIT: something else, I don't think you need rules matching "Destination WAN subnet" or "Destination WAN address". Those rules will NOT match traffic going out to the Internet through your WAN. The destination is the final destination of the packet, which would be for example Google's IP address, not your WAN IP. Any time you want to match all outgoing traffic going to the Internet you need to specify destination ANY over the WAN interface, considering you are handling the "exceptions" with other rules above it.
                              Destination WAN address will only match traffic targeted at your ISP router (or whatever device is hanging off your WAN). Destination WAN subnet is useful if you have other devices hanging off your WAN subnet and you need to handle that traffic (for example if your ISP provides multiple public IPs over the same subnet, and you have something else plugged into your modem, outside your pfSense realm).

                                pelle_chanslos

                                @georgeman:

                                Very informative, thank you! By changing the outbound NAT rules to what you suggested (just two rules configured as you said), I can now make one of my interfaces (in my case all clients on the 2.4 GHz AP are affected) go through my regular (unmasked) ISP internet connection while all the other interfaces go through the VPN connection when accessing the internet. I do this by changing the allow-all rule gateway to WAN_DHCP instead of default on the interface I want to keep outside the VPN connection.

                                The problem is that any clients on that interface can't connect to my LAN (or any local subnet), only the internet. I can't ping my NAS and other servers connected to my pfsense box (in this case they are connected on another subnet, the wired LAN). The interfaces that have their allow-all rule set to use the default gateway can access all other local clients fine.

                                Based on what you have said, I'm beginning to speculate that the reason for this behavior is that the OpenVPN server I'm connecting to changes the pfSense routing table (or something like that, I'm not very good at network related stuff). That could perhaps explain why changing the gateway to WAN_DHCP for the allow-all firewall rule on the 2.4 GHz AP interface (or OPT2, or whatever we want to call it) will make it connect to the internet without going through the VPN, but not connect to other local clients.

                                This is all very complicated to me, but I know there is a command I can use when connecting to the VPN server from pfsense (route-nopull) that will inhibit the vpn server from changing the pfsense routing table. If I add that command, the openvpn client in pfsense connects fine to the vpn server but no clients (on any interface) go through the vpn connection, all use my regular IP. So perhaps if I go that route (no pun intended) instead, and try to define what interfaces will be routed through the vpn rather than the other way around? I don't know how to do that routing, though.. I suppose I will need some firewall rules as well.

                                Do you have any ideas?

                                  georgeman

                                  You have a routing problem there. Mmm what IP/mask do you get from the OpenVPN connection? The same as any of your internal networks? Looks like the VPN is pushing routes that direct the traffic intended to the other interfaces through the VPN. What if you use a completely different network segment for your internal networks?

                                    phil.davis

                                    I suspect you are best to use a "not" rule. For example, on WIFI1, you want to route all traffic except for packets with destination (LAN or WIFI2), to WAN_DHCP.
                                    a) Put the default rule back the way it was (so it will allow any packets that don't match special rules, and those packets will get routed by the normal routing table, e.g. WIFI1 to LAN, WIFI1 to WIFI2).
                                    b) Add a rule to WIFI1 passing source WIFI1 Net, destination not LAN Net, gateway WAN_DHCP - this will not match traffic to LAN, so traffic to LAN will fall through to the default rule and get normal routing. All other traffic will head out WAN_DHCP.

                                    For you, (b) is not quite right. You really want "destination (not LAN) and (not WIFI2)". To do that, add an Alias which has the network IP ranges for LAN and WIFI2 in it - e.g. name it InternalIPs - then in (b) make the destination (not InternalIPs).

                                    Essentially, you want a way to specify destination "all addresses not in my internal network", and do the policy-based routing to WAN_DHCP on those only. In your case, you can even use (not 192.168.0.0/16) - then if you add other 192.168.n.0/24 nets to your internal network in future, the rules will work. It would be handy if there was a "built-in" alias for the private IPv4 address space, then it would be easy for anyone to specify rules to match (private IPv4 address) and (not private IPv4 address) - hmm now I'm rambling:)

                                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

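The ordering that joako and phil.davis describe, as an added example that is not part of the thread and not pfSense code: a small first-match model of per-interface rules that carry a gateway. The subnets follow pelle_chanslos's layout (192.168.1/2/3.0/24 for LAN, WIFI1, WIFI2), joako's "OPT2 Subnet" is mapped onto WIFI1 net, the gateway names WAN_GW, WAN_DHCP and VPN_GW are plain labels, and "*" stands for "use the routing table", which is what the GUI's default gateway means. The alias contents and the sample hosts are assumptions.

```python
"""First-match model of pfSense per-interface firewall rules that carry a gateway
(policy routing).  Added illustration, not pfSense code.  Subnets follow the
thread's layout; joako's 'OPT2 Subnet' is mapped to WIFI1 net; gateway names are
plain labels and '*' means 'use the routing table' (the GUI's default gateway)."""
import ipaddress
from dataclasses import dataclass

# Aliases as they would be defined under Firewall > Aliases (contents assumed).
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "WIFI1 net": ["192.168.2.0/24"],
    "WIFI2 net": ["192.168.3.0/24"],
    "InternalIPs": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "*": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    iface: str           # rule tab: the interface the packet arrives on
    src: str             # alias name or CIDR
    dst: str             # alias name or CIDR; leading '!' is the GUI's "not" checkbox
    gateway: str = "*"   # '*' = routing table, anything else is policy routing


def matches(spec, ip):
    """Does address ip match the (possibly negated) alias or CIDR spec?"""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    nets = ALIASES.get(name, [name])
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return hit != negate


def choose_gateway(rules, iface, src, dst):
    """Gateway of the first rule on `iface` matching src/dst; None = default deny."""
    for r in rules:
        if r.iface == iface and matches(r.src, src) and matches(r.dst, dst):
            return r.gateway
    return None


# joako's "I suspect you have something like this": the catch-all is pinned to WAN_GW,
# so LAN -> WIFI1 traffic is policy-routed out the WAN instead of across pfSense.
BROKEN = [
    Rule("LAN", "192.168.1.5/32", "*", "VPN_GW"),
    Rule("LAN", "*", "*", "WAN_GW"),
]

# joako's corrected order: local destination first, on the routing table; then the
# one host that goes into the VPN; then everything else on the routing table.
FIXED = [
    Rule("LAN", "LAN net", "WIFI1 net"),
    Rule("LAN", "192.168.1.5/32", "*", "VPN_GW"),
    Rule("LAN", "*", "*"),
]

# phil.davis's variant for an interface that must stay OUT of the VPN: a single
# negated-alias rule above the untouched default rule.
NOT_RULE = [
    Rule("WIFI1", "WIFI1 net", "!InternalIPs", "WAN_DHCP"),
    Rule("WIFI1", "*", "*"),
]


if __name__ == "__main__":
    cases = [("LAN", "192.168.1.20", "192.168.2.7"),   # LAN host -> WIFI1 host
             ("LAN", "192.168.1.5", "198.51.100.7"),    # the VPN-bound host -> Internet
             ("LAN", "192.168.1.20", "198.51.100.7")]   # any other LAN host -> Internet
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for iface, s, d in cases:
            print(f"{name:6} {iface} {s:14} -> {d:14}: {choose_gateway(rules, iface, s, d)}")
    for d in ("192.168.1.10", "8.8.8.8"):
        print(f"NOT_RULE WIFI1 192.168.2.7 -> {d:14}: "
              f"{choose_gateway(NOT_RULE, 'WIFI1', '192.168.2.7', d)}")
```

Two things the model deliberately leaves out. First, pfSense of that era also generated automatic "negate" rules that exempt directly connected networks from policy routing (the toggle is "Disable Negate rules" under System > Advanced > Firewall/NAT); the explicit local-destination rules above are what you need if that is disabled or if a destination is not directly connected. Second, and more important for a "hide my IP" setup: when the gateway named in a rule is down, pfSense by default builds the rule without it, so the matching traffic follows the routing table and leaves through the WAN in the clear. Enable "Skip rules when gateway is down" (System > Advanced > Miscellaneous) if you would rather the VPN-bound hosts lose connectivity than fail open.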
                                      pelle_chanslos

                                      @georgeman:

                                      I don't think the IP I get from the OVPN connection interferes with any of my internal ones actually, it's in a completely different range. This is what the logon sequence looks like:

                                      Feb 10 11:09:40	openvpn[52909]: [ovpn1] Peer Connection Initiated with [AF_INET]178.132.75.50:1194
                                      Feb 10 11:09:43	openvpn[52909]: SENT CONTROL [ovpn1]: 'PUSH_REQUEST' (status=1)
                                      Feb 10 11:09:43	openvpn[52909]: PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2a03:8600:1001:2037::1009/64 2a03:8600:1001:2037::1,route-ipv6 2000::/3 2A03:8600:1001:2037::1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 178.132.75.60,tun-ipv6,route-gateway 178.132.78.193,topology subnet,ping 3,ping-restart 15,ifconfig 178.132.78.203 255.255.255.224'
                                      Feb 10 11:09:43	openvpn[52909]: OPTIONS IMPORT: timers and/or timeouts modified
                                      Feb 10 11:09:43	openvpn[52909]: OPTIONS IMPORT: --ifconfig/up options modified
                                      Feb 10 11:09:43	openvpn[52909]: OPTIONS IMPORT: route options modified
                                      Feb 10 11:09:43	openvpn[52909]: OPTIONS IMPORT: route-related options modified
                                      Feb 10 11:09:43	openvpn[52909]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
                                      Feb 10 11:09:43	openvpn[52909]: ROUTE default_gateway=<myispsgatewayipaddress>
                                      Feb 10 11:09:43	openvpn[52909]: ROUTE6: default_gateway=UNDEF
                                      Feb 10 11:09:43	openvpn[52909]: TUN/TAP device /dev/tun2 opened
                                      Feb 10 11:09:43	openvpn[52909]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/ifconfig ovpnc2 178.132.78.203 netmask 255.255.255.224 mtu 1500 up
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/route add -net 178.132.78.192 178.132.78.203 255.255.255.224
                                      Feb 10 11:09:43	openvpn[52909]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/ifconfig ovpnc2 inet6 2a03:8600:1001:2037::1009/64
                                      Feb 10 11:09:43	openvpn[52909]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1541 178.132.78.203 255.255.255.224 init
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/route add -net 178.132.75.50 130.243.232.1 255.255.255.255
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/route add -net 0.0.0.0 178.132.78.193 128.0.0.0
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/route add -net 128.0.0.0 178.132.78.193 128.0.0.0
                                      Feb 10 11:09:43	openvpn[52909]: add_route_ipv6(2000::/3 -> 2a03:8600:1001:2037::1 metric 0) dev ovpnc2
                                      Feb 10 11:09:43	openvpn[52909]: /sbin/route add -inet6 2000::/3 -iface ovpnc2
                                      Feb 10 11:09:43	openvpn[52909]: Initialization Sequence Completed

                                      I also noted something strange today. The OVPN connection went down for some reason, in the logs it said it couldn't resolve the address to the OVPN server. This made all internet access go down from all clients, including the clients on the interface that I had told to use the WAN_DHCP-gateway (to get a non-VPN-IP). When I restarted the OVPN-connection, it connected fine and everything worked.

                                      Is it hard to route/firewall-rule-stuff through the OVPN connection if I choose to use the route-nopull command for the OVPN connection?

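What the pushed options in that log do to the routing table, as an added illustration that is not code from OpenVPN or pfSense: "redirect-gateway def1" never replaces the default route. It adds 0.0.0.0/1 and 128.0.0.0/1 via the pushed route-gateway (the two "route add -net ... 128.0.0.0" lines) plus a /32 host route to the VPN server via the old default gateway (the line just before them), and longest-prefix matching does the rest, which is why the WAN gateway still shows as the default while every Internet destination goes into the tunnel. The VPN addresses are copied from the log; the ISP gateway (203.0.113.1, which the log redacts) and the three LAN subnets are assumed.

```python
"""Longest-prefix model of what a pushed 'redirect-gateway def1' does to the
FreeBSD routing table behind pfSense.  Added illustration, not OpenVPN or pfSense
code.  VPN addresses are taken from the log above; the ISP gateway (redacted in
the log) and the LAN subnets are assumed placeholders."""
import ipaddress

ISP_GW = "203.0.113.1"        # assumed: the ISP next hop shown as <myispsgatewayipaddress>
VPN_SERVER = "178.132.75.50"  # from the log: "Peer Connection Initiated with ..."
VPN_GW = "178.132.78.193"     # from the log: pushed "route-gateway"


def base_table():
    """Routes present before the tunnel comes up, or with route-nopull."""
    return [
        ("0.0.0.0/0", ISP_GW),            # the real default route; never removed
        ("192.168.1.0/24", "link#LAN"),   # assumed directly connected networks
        ("192.168.2.0/24", "link#WIFI1"),
        ("192.168.3.0/24", "link#WIFI2"),
    ]


def with_redirect_gateway_def1():
    """Routes after the client accepts 'redirect-gateway def1' (the three
    'route add -net' lines in the log)."""
    return base_table() + [
        (VPN_SERVER + "/32", ISP_GW),    # keep the tunnel endpoint reachable via the ISP
        ("0.0.0.0/1", VPN_GW),           # two /1 routes cover the whole IPv4 space...
        ("128.0.0.0/1", VPN_GW),         # ...and beat the /0 default on prefix length
    ]


def next_hop(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def shadowed_default(table):
    """True when /1 routes hide the default route: the pattern to look for in
    'netstat -rn' on a client that is supposed to leave the routing table alone."""
    prefixes = {ipaddress.ip_network(p) for p, _ in table}
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= prefixes


if __name__ == "__main__":
    for label, table in (("redirect-gateway def1", with_redirect_gateway_def1()),
                         ("route-nopull", base_table())):
        print(label, "- default shadowed:", shadowed_default(table))
        for dst in ("8.8.8.8", "130.1.2.3", VPN_SERVER, "192.168.2.10"):
            print(f"  {dst:16} -> {next_hop(table, dst)}")
```

The directly connected 192.168.x.0/24 entries are more specific than either /1, so inter-LAN traffic is not affected by the pushed routes in this model; if it breaks in practice, look at outbound NAT and the rule gateways rather than the routing table. The failed "route add -net 178.132.78.192" earlier in the log is the connected route for the tunnel subnet, which ifconfig had typically already installed, so that error is usually cosmetic. With route-nopull only the first table exists, and "netstat -rn" on the firewall should show no 0.0.0.0/1 or 128.0.0.0/1 entries pointing at the ovpnc interface.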
                                        pelle_chanslos

                                        @phil.davis:

                                        Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?

                                          pelle_chanslos

                                          UPDATE: I went ahead and tried doing it the route-nopull way instead. Had some success!

                                          I added the route-nopull command to the OVPN client config. This leaves my routing intact, I think. Then I added this OVPN client connection as an interface, named it "VPN". This made the VPN appear under "Gateways", but the default is still my usual ISP on WAN. Then, under "Outbound NAT", I removed all the rules, switched to automatic, saved, and then back to manual and saved. This created a number of rules apparently needed for this to work. Applied the changes.

                                          Then I created rules for interfaces LAN, WIFI1, WIFI2. For all interfaces, I added three rules at the top that tell any traffic that has destination LAN, WIFI1, and WIFI2 to use the default gateway (*). For LAN and WIFI1 I then added a fourth rule at the bottom for any traffic with any destination to use the VPN gateway instead. So everything that isn't headed for LAN, WIFI1 or WIFI2 will go through the VPN instead. For WIFI2 I just set the fourth any rule to go through the default gateway (*), so that one goes through my usual internet connection.

                                          This actually worked!

                                          The downside is that for some reason, this causes the CPU use of the pfSense machine to be at around 50% at IDLE. Load is 3.5-ish. This is without any heavy traffic over the VPN. When I use the VPN normally (before doing these latest changes), like downloading at 1 MB/s, I certainly see an increase in CPU use (like 20-30%) due to the encryption going on, but now it is constantly there instead. Very strange.

                                          Also, one machine is connected to IRC, and that connection drops frequently (start lagging, and then reconnects) after these last changes.

                                          Any ideas? Maybe I've done some configuration wrong, but what I don't get is what's causing all this CPU use.

                                          EDIT: Something strange is definitely going on. When downloading, general speed to the internet slows down in a way that it doesn't normally do. Also, when I look under Status->Gateways, the VPN-gateway shows as Offline while the WAN-gateway is Online. The VPN still works for all interfaces using it, though…

                                          EDIT2: Download speeds are also very unstable, varying between 50-1000 kb/s for the same torrent over time. Distinctly different behavior from before my latest changes.

                                          EDIT3: Now I got a message in pfsense that something crashed (something with PHP..), and after that CPU use normalized. Download speeds are still going up and down like crazy though. Torrents sometime stop downloading completely for 5 min and then go up to 1 MB/s again.

                                          EDIT4: I think I got rid of the problem with losing internet access. I disabled flushing of states when a gateway goes down. Seems like when I saturated the connection, "apinger" (or whatever it's called) couldn't ping my WAN gateway so it flushed states, making the connection go down for a couple of minutes. WHY this started happening with my new conf, I have no idea..

                                            georgeman

                                            Alright, you have enough for a couple of topics right there XD

                                            Going back to your first problem, I think the problem is the "redirect-gateway" option you seem to have on the ovpn config. Could you try disabling that and manually direct traffic to the right gateway through rules? (as we have been suggesting). I insist that all this "playing around with the gateway option and outbound NAT" mess shouldn't be needed. The redirect-gateway seems to be messing up your default gateway (which you don't want to be changed! You want to send specific traffic through it)

                                            Cheers!

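Putting georgeman's point into a client configuration, as an added example that is neither from the thread nor the config pfSense generates: the provider's pushed "redirect-gateway def1" is the option that shadows the default route, and a client can refuse it in two ways. The hostname vpn.example.net, port and protocol are placeholders for whatever the provider specifies.

```conf
# Added example (not from the thread or pfSense). Two ways to keep a commercial
# provider's pushed "redirect-gateway def1" from shadowing the firewall's default
# route. Provider hostname, port and protocol are placeholders.

# (a) Refuse every pushed route. This also drops pushed dhcp-option values such as
#     the provider's DNS server, so name resolution stays on whatever pfSense already
#     uses. This is what joako and pelle_chanslos added by hand; later pfSense
#     releases expose it as the "Don't pull routes" checkbox on the OpenVPN client
#     page. Traffic then enters the tunnel only through firewall rules whose gateway
#     is the VPN interface's gateway.
client
dev tun
proto udp
remote vpn.example.net 1194
route-nopull

# (b) OpenVPN 2.4 or newer only: keep the rest of the push (DNS, ifconfig, timers)
#     and ignore just the route-changing options. pull-filter compares the quoted
#     text against the start of each pushed option, so "route " (with the trailing
#     space) does not also swallow "route-gateway", which the client still needs as
#     its tunnel next hop. Use instead of route-nopull, not together with it.
#pull-filter ignore "redirect-gateway"
#pull-filter ignore "route "
#pull-filter ignore "route-ipv6 "
```

Whichever variant is used, check the result on the firewall rather than trusting the log: "netstat -rn" should show the default route still pointing at the ISP and no 0.0.0.0/1, 128.0.0.0/1 or 2000::/3 entries on the ovpnc interface. Note that with (a) the provider's DNS server is ignored as well, so hosts that are policy-routed into the tunnel still resolve names through whatever resolver pfSense hands them; if the point of the VPN is to hide the source address, that resolver's traffic needs the same policy routing or a separate decision.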
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.