Side effect of OpenVPN
-
I have 2.4.4-Release (no packages/plugins) with OpenVPN client which works fine (when used). Everything works fine from all clients when OpenVPN is enabled except some multiplayer online games (I was testing with Call of Duty 4 which reports a problem contacting servers). Turning off OpenVPN fixes the problem and games start OK.
I tried to pinpoint the reason for this interference and I can't find anything suspicious. No game traffic ever goes through OpenVPN (which is how it should be), no blocking rules trigger and packet caps show no significant difference whether OpenVPN is on or off when launching Call of Duty - the same game servers (by IP) are contacted (but obviously respond differently). I tried changing a lot of pfSense options but the only one which I found to help is shutting down OpenVPN.
I would appreciate any ideas what else to try or how else to debug the problem.
-
@mig said in Side effect of OpenVPN:
No game traffic ever goes through OpenVPN
Are you absolutely positive about this statement: "No game traffic ever goes through OpenVPN" ?
I assume you have a VPN provider in place as that seems to be all the rage these days for some reason. A number of the VPN provider configuration guides instruct you to enable a setting to pull routes from the VPN provider. If that's your case, your traffic is likely still bouncing through your VPN provider's network instead of that of your ISP. And I bet that VPN provider's IP space is on a blacklist used by the gaming site you are trying to visit.
-
Why don't you put your game system (I'm assuming it's a PS4 or XBox console) on a separate network or physical/virtual interface that doesn't touch the OpenVPN connection? Seems to me that would fix the problem right there...
You don't really need to VPN your game traffic, right?
Jeff
-
Post your client1.conf
Post your LAN rules
-
@akuma1x Could you explain what you mean by "put your game system on a separate network or physical/virtual interface"? My entire LAN is connected to the Internet through pfSense, and gaming systems (PC and Xbox) should communicate without using OpenVPN. OpenVPN is only occasionally used by several other client computers, and there are very specific rules for them to go via OpenVPN (based on fixed IPs).
-
@marvosa
OK, the output of (cat /var/etc/openvpn/client1.conf) is below:
dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 82.22.94.219
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 1-ie.cg-dialup.net 443
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
ncp-disable
comp-lzo adaptive
resolv-retry infinite
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
As far as I can see it's mostly VPN configuration (which works fine when it's used) and doesn't shed much light on why OpenVPN may be interfering with communications to gaming servers...
-
Am I right that you didn't tick the checkbox "Don't pull routes" in your OpenVPN client config? At least I don't see the option in your client1.conf output (route-nopull).
Without it, I believe all traffic is routed over your VPN instead of the WAN, meaning your Xbox probably will have strict or double NAT now in the network settings.
Can you post a screenshot of your NAT and Firewall rules? Did you follow any VPN provider guide to set up your VPN client?
-
Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.
If your goal is to exclude certain traffic (i.e. gaming, etc.) from the VPN, you'll want to remove "redirect-gateway def1", add "route-nopull", and add explicit rules on your LAN tab to policy route only the traffic you want traversing the tunnel.
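The following script is an added example for this thread, not code from pfSense, OpenVPN or any poster. It parses a client config in the same format as the posted client1.conf, flags the directives that change routing (and duplicated directives, since for scalar options OpenVPN keeps the last value), and then simulates longest-prefix routing to show why "redirect-gateway def1" captures all traffic even though the 0.0.0.0/0 entry still points at the WAN. The sample config and routing table are constructed; WAN_GW and VPN_GW are placeholder gateway names, and 10.8.0.0/24 is an assumed tunnel subnet.

```python
"""Audit an OpenVPN client config for route-changing directives and show why
'redirect-gateway def1' overrides the WAN default route without replacing it.

Added example; not pfSense or OpenVPN code. Config text, routing table,
gateway names (WAN_GW, VPN_GW) and tunnel subnet are all constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample modelled on the shape of the posted client1.conf.
SAMPLE_CONF = """\
dev ovpnc1
verb 1
script-security 3
# comment line, ignored by OpenVPN
client
redirect-gateway def1
script-security 2
route-delay 5
verb 4
"""

# Directives that add or alter routes when present (or, for route-nopull, absent).
ROUTE_DIRECTIVES = {"redirect-gateway", "route", "route-gateway", "route-nopull", "pull-filter"}


def parse_conf(text):
    """Return (directive, [args]) pairs, skipping blank lines and '#'/';' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def duplicate_directives(entries):
    """Directives given more than once, with each occurrence's arguments in order.
    For scalar options (verb, script-security, ...) the last occurrence wins."""
    counts = Counter(d for d, _ in entries)
    return {d: [a for dd, a in entries if dd == d] for d, n in counts.items() if n > 1}


def audit_routing(entries):
    """Summarise what the config itself does to routing.
    route-nopull only blocks routes pushed by the server; a redirect-gateway
    written locally in the config is applied regardless."""
    found = {d: a for d, a in entries if d in ROUTE_DIRECTIVES}
    redirect = "redirect-gateway" in found
    return {
        "local_redirect": redirect,
        "def1": redirect and "def1" in found["redirect-gateway"],
        "accepts_pushed_routes": "route-nopull" not in found,
    }


def build_table(redirect_def1):
    """Constructed kernel routing table: WAN default plus the tunnel subnet,
    with the two /1 routes OpenVPN installs for 'redirect-gateway def1'."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "WAN_GW"),
        (ipaddress.ip_network("10.8.0.0/24"), "VPN_TUN"),  # assumed tunnel subnet
    ]
    if redirect_def1:
        table += [
            (ipaddress.ip_network("0.0.0.0/1"), "VPN_GW"),
            (ipaddress.ip_network("128.0.0.0/1"), "VPN_GW"),
        ]
    return table


def next_hop(table, dst):
    """Longest-prefix match, as the kernel forwards: a /1 beats the /0 default."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw


def default_route(table):
    """What a 'default gateway' display reads: only the 0.0.0.0/0 entry."""
    return next(gw for net, gw in table if net.prefixlen == 0)


if __name__ == "__main__":
    entries = parse_conf(SAMPLE_CONF)
    print("duplicates:", duplicate_directives(entries))
    print("routing audit:", audit_routing(entries))
    for redirect in (True, False):
        table = build_table(redirect)
        print(f"def1={redirect}: default route -> {default_route(table)}, "
              f"185.34.104.231 -> {next_hop(table, '185.34.104.231')}")
```

With def1 the lookup for the game server address resolves to VPN_GW via 128.0.0.0/1 while the default route still reads WAN_GW, which is the discrepancy between the client traceroute and the pfSense gateway display described later in the thread.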
-
@bmeeks I dug more into "No game traffic ever goes through OpenVPN" and discovered that while packet captures on pfSense do not show any activity on VPN/OpenVPN interfaces, the traceroute on the client indicates that traffic directed at game servers (e.g. 185.34.104.231 for CoD) does go through OpenVPN. I should therefore re-state my question and add one more:
- Why could it be that the OpenVPN gateway may be used in preference to the default WAN gateway? (There are no rules to select the VPN gateway.)
- Why would pfSense's packet capture on the VPN/OpenVPN interface show no packets if there really are some? (Could it be that the source "Host address" IP is not recognized for VPN packets? Or do VPN packet captures require something special?)
-
@marvosa said in Side effect of OpenVPN:
Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.
It appears that you are right, many thanks! After replacing "redirect-gateway def1" with "route-nopull" the games stopped misbehaving while VPN-enabling rules (based on IP) still work. I'll do a bit more testing but it looks like your advice was spot on. Thanks a million!
It appears that IIRC the "redirect-gateway def1" option changes the default gateway to VPN while pfSense still reports the non-VPN gateway as default - this is quite confusing.