Netgate Discussion Forum
    2.3.3 vs 2.3.2 - OpenVPN issue accessing 80/443 on same IP as OpenVPN Server

    OpenVPN
    5 Posts 2 Posters 2.3k Views
    • humm3r

      Hi There,

      I am not sure what has changed in 2.3.3 to make this occur, but I can no longer "loop back" to the same IP as the OpenVPN server while using Policy Based Routing to push specific IPs/Sites over the VPN.

      My example:

      IP 1.2.3.4 is my VPN/Seedbox. I connect 10.1.0.1 (PFSense FW) as an OpenVPN Client to 1.2.3.4. The connection comes up just fine. I can access port 80/443 of 1.2.3.4 over the VPN connection between 10.1.0.1 and 1.2.3.4.  I am able to see my public IP as being that of the VPN and access deluge on my seedbox just fine.

      Once I upgrade 2.3.2 to 2.3.3 and make no adjustments at all to configuration, I can still see the public IP and access anything other than 1.2.3.4, but now I am unable to connect to deluge at all.

      Does anyone know if something has changed in OpenVPN under PfSense 2.3.3 / to the routing under 2.3.3 to make this issue come up now?

      For testing purposes I have two virtual machines, both from the 2.3.2 official OVA from PfSense Gold, and used a new, clean, manual configuration on VM1. I then copied it to VM2 and restored it, tests fine as expected. When I upgrade VM2, it breaks the deluge.

      • jimp (Rebel Alliance Developer, Netgate)

        Looks like this is a change in OpenVPN, try adding this to your config:

        --allow-recursive-routing : When this option is set, OpenVPN will not drop
                          incoming tun packets with same destination as host.
        

        So in the advanced options or in the client config, add that without the "--" in front.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
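        To make the manpage excerpt above concrete, here is a small Python model (added here; it is not code from the thread or from OpenVPN itself) of the loop guard it describes: a packet read from the tun interface whose destination is the VPN peer is dropped unless allow-recursive-routing is set. It also includes a check that a client config or pfSense custom-options block actually carries the directive. The addresses 1.2.3.4 and 10.1.0.1 come from the thread; the tunnel address 10.8.0.2 is an assumption.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# Constructed scenario from the thread: pfSense (10.1.0.1) is an OpenVPN client
# of the seedbox at 1.2.3.4, and 1.2.3.4:80/443 is policy-routed over the tunnel.
VPN_SERVER = IPv4Address("1.2.3.4")
TUN_LOCAL = IPv4Address("10.8.0.2")  # assumed tunnel-side address, not from the thread


def build_ipv4_header(src: IPv4Address, dst: IPv4Address, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header used as constructed test input (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       src.packed, dst.packed)


def destination_of(packet: bytes) -> Optional[IPv4Address]:
    """Pull the destination address out of a raw IPv4 packet read from the tun."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # not IPv4 (or truncated); the guard does not apply
    return IPv4Address(packet[16:20])


def drop_if_recursive_routing(packet: bytes, remote: IPv4Address,
                              allow_recursive_routing: bool) -> bool:
    """Model of the guard: drop tun packets whose destination is the VPN peer
    itself, because they would be re-encapsulated into the same tunnel.
    With allow-recursive-routing set, nothing is dropped."""
    if allow_recursive_routing:
        return False
    return destination_of(packet) == remote


def config_allows_recursive_routing(config_text: str) -> bool:
    """True if an OpenVPN client config (or the pfSense custom-options text)
    contains the allow-recursive-routing directive on a non-comment line."""
    for line in config_text.splitlines():
        words = line.strip().split()
        if not words or words[0].startswith(("#", ";")):
            continue
        if words[0] == "allow-recursive-routing":
            return True
    return False
```

Running the model against a packet for 1.2.3.4 shows the default dropping it and the directive letting it through, which is exactly the deluge symptom in the thread.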

        • humm3r

          You sir are awesome! I will try this during the afternoon, I bet it will work since that looks exactly like the wall I am hitting.

          Will try in the VM first, and if it works, re-upgrade my PROD firewall. I had downgraded it to 2.3.2-RELEASE and clobbered together some old backups and restored sections to get up and running so if this can fix it, I can re-upgrade to 2.3.3 and put back the original config as it was.

          • humm3r

            Confirmed, this fixes it. Thanks for the quick reply!

            I got a gold sub in the fall when I was super impressed with how far 2.3 has come and how easy I got out of a sticky situation with a full backup/restore, this makes it even more worthwhile!

            • jimp (Rebel Alliance Developer, Netgate)

              Great news! I'll look into adding a GUI knob for that, I have a couple others that need to go in as well and it may be good to have set by default for upgrades to preserve the existing behavior.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.