Force one virtual interface through OpenVPN
-
Hi All,
I have struggled a lot to set up an OpenVPN connection to a Digital Ocean droplet VPN server from pfSense. I can connect to the Digital Ocean VPN with my phone and desktop, so that is not the problem.
My challenge is that I want an entire interface (that houses a separate subnet) to be forced through the VPN (red lines in the network map). The VPN connection works correctly (according to the pfSense dashboard), but the traffic from the interface is not routed through the OpenVPN connection. The one weird thing is that when I go to gateways it says that my OPENVPN gateway is offline? But I can ping through the openVPN_interface (getting the correct VPN IP); however, when I try to ping through my DO_VPN (the virtual bridge my devices are connected to) it goes through the normal WAN port.
I have tried to follow several guides, to change the NAT to manual and also to add specific firewall rules, but nothing seems to work. Does anyone have any idea?
I also attach my config screenshots.
I would really appreciate some help... I am completely lost.
-
The one weird thing is that when I go to gateways it says that my OPENVPN gateway is offline? But I can ping through the openVPN_interface (getting the correct VPN IP),
How have you figured that out, since you have no route to the VPN?
That the gateway is shown as offline means that dpinger does not get any response. The VPN can work anyway.
Two mistakes I've found in your setup:
You need an outbound NAT rule for the VPN connection. I don't know what the rule on the OpenVPN interface is for, but you need one for the "OpenVPN_interface" interface.
In the firewall rule for DO_VPN you have to change the gateway to that of OpenVPN_interface.
-
That the gateway is shown as offline means that dpinger does not get any response. The VPN can work anyway.
That is true, I found out that it is working but the pinger is not getting any responses. I just saw it as red and offline, so I thought that was a problem, but it isn't.
Two mistakes I've found in your setup:
You need an outbound NAT rule for the VPN connection. I don't know what the rule on the OpenVPN interface is for, but you need one for the "OpenVPN_interface" interface.
In the firewall rule for DO_VPN you have to change the gateway to that of OpenVPN_interface.
Thank you! I have now changed this, please see attached screenshots. Unfortunately it still didn't work; now when I start the OpenVPN service it actually brings down the internet access of all my interfaces... I haven't even configured NAT rules for the other interfaces, so I assumed that the OpenVPN service should have no influence on them?
-
The interface called "openVPN" is in fact an interface group. So you don't know which interface you really get.
Consider that the rule on the DO_VPN interface only permits traffic over the VPN. If your hosts are configured to use DNS from pfSense, they won't get access to it. So you should set them to use an external DNS.
If it is set by DHCP you may push external DNS servers by DHCP. DHCP access, if it is activated, is allowed by an invisible rule in newer versions.
-
The interface called "openVPN" is in fact an interface group. So you don't know which interface you really get.
Consider that the rule on the DO_VPN interface only permits traffic over the VPN. If your hosts are configured to use DNS from pfSense, they won't get access to it. So you should set them to use an external DNS.
If it is set by DHCP you may push external DNS servers by DHCP. DHCP access, if it is activated, is allowed by an invisible rule in newer versions.
Sorry if these are stupid questions, I am a beginner when it comes to pfSense, anyway:
- The OPENVPN_interface is what I assigned in the Interfaces menu to network port ovpnc1; the other OpenVPN was created automatically when initializing the OpenVPN service, however there was no gateway created, so that is why I bound the network port ovpnc1 to an OpenVPN_interface. I assume this is the one I should be using?
- I have DHCP activated on the DO_VPN interface (and subnet), however the OpenVPN_Interface has both IPv4 and IPv6 types set to None.
- I have explicitly specified the DNS servers for the DO_VPN DHCP server, please see attached screenshot. However, for LAN and OPT1 I haven't explicitly specified it and I assume they will be able to pull it automatically from my ISP through the WAN interface?
Again, apologies for not really understanding you. If it helps, I am running pfSense version 2.4.2, which should be fairly new.
![DO_VPN DHCP.JPG](/public/imported_attachments/1/DO_VPN DHCP.JPG)
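Putting the two replies together (the outbound NAT rule on OpenVPN_interface and the OpenVPN gateway on the DO_VPN rule from the first, the DNS exception and the interface-group point from the second), here is an added, hand-written pf ruleset sketch of what pfSense should end up generating for this setup. It is not the OP's configuration nor pfSense's own output; the bridge0 name, the 192.168.50.0/24 subnet, the 192.168.50.1 firewall address and the 10.8.0.1 tunnel gateway are assumed placeholders.

```pf
# Hand-written pf sketch (not pfSense-generated) of the DO_VPN -> OpenVPN setup.
# Assumed placeholders: bridge0, 192.168.50.0/24, 192.168.50.1, 10.8.0.1.
do_vpn  = "bridge0"           # the DO_VPN bridge the hosts are attached to
do_net  = "192.168.50.0/24"   # DO_VPN subnet
fw_self = "192.168.50.1"      # pfSense's own address on DO_VPN
ovpn_if = "ovpnc1"            # the network port assigned as OpenVPN_interface
ovpn_gw = "10.8.0.1"          # VPN server-side address, i.e. the OpenVPN_interface gateway

# The "OpenVPN" tab in pfSense is an interface group covering every OpenVPN
# instance, so rules placed there do not say which tunnel they apply to.
# NAT and routing below are bound to the assigned ovpnc1 interface instead.

# (1) Outbound NAT on the VPN interface. Without it, packets enter the tunnel
#     with 192.168.50.x source addresses that the VPN server cannot route back.
nat on $ovpn_if inet from $do_net to any -> ($ovpn_if)

# (2) DNS exception, evaluated before the policy-routed rule. If the hosts use
#     pfSense as their resolver, a rule that forces everything into the tunnel
#     would also swallow their DNS queries to the firewall itself.
#     (DHCP is not shown: pfSense adds its own hidden rule for it when the
#     DHCP server is enabled on the interface.)
pass in quick on $do_vpn inet proto { tcp udp } from $do_net to $fw_self port 53 keep state

# (3) Policy routing: the DO_VPN pass rule with the OpenVPN gateway set.
#     route-to overrides the default (WAN) route for matching traffic, which is
#     why a tunnel that is "up" on the dashboard still sends DO_VPN traffic out
#     the WAN until this gateway is set on the rule.
pass in quick on $do_vpn route-to ($ovpn_if $ovpn_gw) inet from $do_net to any keep state

# Everything else from DO_VPN is dropped, so there is no WAN fallback: this is
# the "only permits traffic over the VPN" behaviour the second reply points out.
block in quick on $do_vpn
```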