Problem sending traffic to PIA VPN when connected to pfSense as OpenVPN Server
-
I have my pfSense router setup as an OpenVPN Server so that I can access it remotely and get on my home network. I'm also running an OpenVPN Client to connect to PIA.
When on my local network at home all traffic is sent down the PIA VPN and there is no DNS leak. I also have no problem connecting to the OpenVPN server remotely.
What I'd like to do is make sure that when I connect to my home network remotely, all of the traffic will get sent down the VPN tunnel to PIA. I've worked through some of the issues via this thread: https://forum.level1techs.com/t/solved-openvpn-server-and-pia-client-on-single-pfsense-router/122615, and I think everything is setup correctly but when I'm connected remotely and I check to see what my public IP address is, it is always the ISP address and not the IP address from PIA.
I came here hoping that someone might spot an issue with my NAT outbound settings or my firewall rules. My internal home network is 192.168.1.0/24 and the VPN server tunnel network is 192.168.2.0/24. Below are some screen caps for my setup. Let me know if there are any questions about it.
NAT Outbound
LAN rules
OpenVPN rules
-
While not related, you can do away with the rules that refer to port 500.
UDP port 500 is the ISAKMP port for establishing PHASE 1 of IPSEC tunnel. -
you need a OpenVPN to PIA rule in NAT outbound
-
you need a OpenVPN to PIA rule in NAT outbound
Thanks for the reply. My understanding is that my rule in NAT Outbound for the PIAVPN interface for the 192.168.2.0/24 network is the necessary rule. Am I mistaken? Can you elaborate on what the rule should look like?
-
This is my outbound nat rule
192.168.200.0/28 is my OpenVPN Server adress, PIA1 is Privat Internet access.
-
I have that exact rule in my NAT
-
Have you assigned an interface to your PIA client and OpenVPN server?
I have no rules -> firewall -> OpenVPN tab, only on interfaces -
Your OpenVPN rules allow any INBOUND connection from PIA into your firewall.
People simply do not understand that a VPN connection to a public provider needs to be treated like a WAN.
Assign interfaces to both. DELETE ALL RULES from the OpenVPN tab and the PIA tab. Pass traffic and policy route on the interface of the OpenVPN server only.
-
The issue appears to be in your OpenVPN tab because your rules are not explicit enough, which is causing traffic not to match properly and therefore routed out the WAN. Derelict's suggestion works, but you can also resolve the issue without creating an extra interface.
I've re-created your request on a remote box connected to AirVPN, tested it and it works as expected when the rules are explicit. Without creating an additional interface, here's what you need on your OpenVPN tab:
-
A rule allowing traffic explicitly sourced from your tunnel network and destined to your LAN net
-
A rule allowing traffic explicitly sourced from your tunnel network and destined to anything not matching your LAN net (i.e. inverse match LAN net), policy route matching traffic out the PIA gateway
When you're done, the only two rules on your OpenVPN tab should look like this:
Re-connect your client and you should be good to go.
Of course, this is all assuming you have the "Redirect IPv4 Gateway" flag set in your server config to begin with.
**On a side note unrelated to the issue, the LAN rule you have sourced from "force_vpn_group" appears redundant as the very next line is a catch-all routing everything out the PIA gateway. **
-
-
In order to do the outbound NAT to effectively use an OpenVPN provider you must create an assigned interface.
Rules on the OpenVPN tab will only affect inbound traffic (which should be none in almost all cases) not outbound.