Netgate Discussion Forum
    Configuring pfSense as OpenVPN client

    OpenVPN category, 17 Posts, 4 Posters, 4.1k Views

    Derelict (LAYER 8 Netgate), last edited by Derelict:

      OK. /32 has nothing to do with anything. What matters is the contents of your RFC1918 alias there.

      It is intended that the RFC1918 alias be a network alias containing:

      10.0.0.0/8
      172.16.0.0/12
      192.168.0.0/16

      The RFC1918 alias would be created in Firewall > Aliases

      I didn't watch the whole video. It might have been presumed one would know to do that basic step.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

    Mascot, replying to Derelict:

        I created "RFC1918" alias and specified it as a Source in Firewall / NAT / Outbound:

        [screenshot: Firewall-Aliases-RFC1918.png]
        [screenshot: Firewall-NAT-Outbound-rule.png]

        Alas, internet through OpenVPN still doesn't work.

        Mascot:

          This OpenVPN provider does not route all the traffic via VPN, but only traffic to certain websites. So how to make pfSense use routes sent by this OpenVPN server?

          Derelict (LAYER 8 Netgate), last edited by Derelict:

            It doesn't work that way. Or at least I have never seen one that takes that responsibility.

            You either accept a default route from them or you policy route the traffic you want over the VPN.

            If they are sending you routes and you trust them, uncheck "Don't pull routes" on the client configuration.


            Mascot, replying to Derelict:

              @derelict said in Configuring pfSense as OpenVPN client:

              It doesn't work that way.

              Usually VPN doesn't work that way, but this particular one - does.

              uncheck "Don't pull routes" on the client configuration.

              It is unchecked.

              I don't know what else I should try to make it work. Maybe it is simply impossible to make pfSense work with this type of OpenVPN?

              johnpoz (LAYER 8 Global Moderator):

                Are you getting routes from them? Simple enough to look at pfsense route table... Do you see a shitton of routes? To wherever you would want to go out your vpn vs the default one?

                You're not sending traffic out a specific gateway, are you - if so then you're not using the pfsense route table no matter what or how many routes it has in it.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                Mascot:

                  @johnpoz said in Configuring pfSense as OpenVPN client:

                  Are you getting routes from them? Simple enough to look at pfsense route table... Do you see a shitton of routes?

                  I see many /sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 entries in OpenVPN log (where XXX - are various IP addresses).

                  I also see these same IP addresses in Diagnostics / Routes with gateway being 192.168.100.1 (that is the IP address assigned by pfSense to the OpenVPN interface).

                  You're not sending traffic out a specific gateway, are you - if so then you're not using the pfsense route table no matter what or how many routes it has in it.

                  In Firewall / Rules / LAN I edited Default allow LAN to any rule setting gateway to be OPT2 (192.168.100.1), that is OpenVPN interface. At this point I lose internet connection. If you mean something else, then please explain how do I send traffic out a specific gateway?

                  johnpoz (LAYER 8 Global Moderator):

                    Seeing route -add doesn't mean it actually happens.

                    Look in the actual route table.. If you set openvpn to NOT pull routes they could be set to be put in but not actually put in.. Setting a gateway yes will force traffic out that gateway, and the route table will not even be looked at.

                    So if you're wanting IP x to go out vpn and IP y to go out your wan without the vpn, then setting a gateway means all traffic will go out that interface.

                    What is your outbound nat setup like - even if the traffic would be allowed to go out the vpn and get where it ultimately needs to go, if you do not nat your local traffic to the vpn interface IP it's not going to work.


                    Mascot:

                      @johnpoz said in Configuring pfSense as OpenVPN client:

                      Look in the actual route table.

                      Isn't Diagnostics / Routes a route table? Like I said, these IP addresses are there. If it is not a route table, then where should I look for it in pfSense?

                      What is your outbound nat setup like - even if the traffic would be allowed to go out the vpn and get where it ultimately needs to go, if you do not nat your local traffic to the vpn interface IP its not going to work.

                      I didn't change the Firewall / NAT / Outbound setup since I posted the screenshot of these settings. Interface is set to be OPT2 (OpenVPN).

                      Could you please describe step by step how should I set up pfSense to work with this OpenVPN? If it is even possible? I guess otherwise I just will have to accept that pfSense simply cannot be configured to work with this OpenVPN provider.

                      Derelict (LAYER 8 Netgate):

                        What VPN provider is this?

                        Have you verified that the routes being pushed actually cover the addresses of the sites you think should be routed that way?

                        Are any of the route add logs indicating failure?

                        Are the pushed routes actually going into the routing table?

                        If so, pfSense and OpenVPN are working fine here.

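A way to work through the checks johnpoz and Derelict are asking for in the two posts above: whether the routes the OpenVPN log claims to have added are really present in the live routing table, whether any route add reported failure, which table entry (and therefore which interface) would carry traffic to a given site's address, and whether an outbound NAT rule exists on that interface for LAN sources. This is an added example, not code from the thread or from pfSense itself; the OpenVPN log, `netstat -rn -f inet` and `pfctl -s nat` excerpts are constructed samples, and all function names are my own.

```python
import ipaddress
import re

# Constructed sample data (not from the thread). The log lines mimic what the
# OpenVPN client on pfSense/FreeBSD writes when it installs pushed routes as
# "/sbin/route add -net <network> <gateway> <netmask>"; the ERROR line is a
# constructed example of a route install that failed.
OPENVPN_LOG = """\
Nov 14 06:33:11 openvpn[12345]: /sbin/route add -net 203.0.113.0 192.168.100.1 255.255.255.0
Nov 14 06:33:11 openvpn[12345]: /sbin/route add -net 198.51.100.0 192.168.100.1 255.255.255.128
Nov 14 06:33:11 openvpn[12345]: /sbin/route add -net 198.51.100.128 192.168.100.1 255.255.255.192
Nov 14 06:33:11 openvpn[12345]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
"""

# Constructed excerpt of `netstat -rn -f inet` on the same box (the live table
# behind Diagnostics / Routes). The third pushed route is deliberately absent.
ROUTE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em1
192.168.100.0/24   link#5             U        ovpnc1
192.168.100.1      link#5             UHS      ovpnc1
203.0.113.0/24     192.168.100.1      UGS      ovpnc1
198.51.100.0/25    192.168.100.1      UGS      ovpnc1
"""

# Constructed excerpt of `pfctl -s nat`: outbound NAT exists for WAN (em0) but
# not for the OpenVPN interface (ovpnc1), the gap johnpoz describes.
NAT_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> 192.0.2.10 port 1024:65535
"""

ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> (\S+)")


def pushed_routes(log_text):
    """Networks the OpenVPN log claims to have installed, as (network, gateway)."""
    routes = []
    for line in log_text.splitlines():
        m = ROUTE_ADD_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)
            routes.append((net, ipaddress.ip_address(m.group(2))))
    return routes


def route_add_failures(log_text):
    """Log lines where the route add command itself reported failure."""
    return [l for l in log_text.splitlines() if "route add command failed" in l]


def installed_routes(netstat_text):
    """Parse netstat -rn -f inet into {network: (gateway, netif)}."""
    table = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, _flags, netif = parts[:4]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue
        table[net] = (gw, netif)
    return table


def missing_routes(log_text, netstat_text):
    """Routes the log says were added but that are not in the live table."""
    table = installed_routes(netstat_text)
    return [str(net) for net, _ in pushed_routes(log_text) if net not in table]


def lookup(netstat_text, address):
    """Longest-prefix match: (network, gateway, netif) that carries `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, (gw, netif) in installed_routes(netstat_text).items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (str(best[0]), best[1], best[2])


def nat_covers(nat_text, netif, source):
    """True if an outbound NAT rule on `netif` matches packets from `source`."""
    src = ipaddress.ip_address(source)
    for line in nat_text.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(1) == netif and src in ipaddress.ip_network(m.group(2), strict=False):
            return True
    return False


if __name__ == "__main__":
    print("pushed but not installed:", missing_routes(OPENVPN_LOG, ROUTE_TABLE))
    print("route add failures:", len(route_add_failures(OPENVPN_LOG)))
    for host in ("203.0.113.7", "198.51.100.200", "8.8.8.8"):
        net, gw, netif = lookup(ROUTE_TABLE, host)
        print(f"{host}: via {gw} on {netif} ({net}); outbound NAT on {netif}:",
              nat_covers(NAT_RULES, netif, "192.168.1.50"))
```

With the constructed samples, 198.51.100.128/26 shows up in the log but not in the table, so a host such as 198.51.100.200 falls through to the default route on em0 even though the provider "pushed" a route for it, and no NAT rule exists on ovpnc1 for LAN sources, which is exactly the combination that makes traffic appear to be routed over the VPN while never getting a reply. On a real box the three inputs come from the OpenVPN log, `netstat -rn -f inet` and `pfctl -s nat`.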

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.