Netgate Discussion Forum

Why does starting an OpenVPN service break my AP?

OpenVPN category, 13 posts, 3 posters
• SteelCityColt @NollipfSense

@NollipfSense Apologies, novice here, what should I post up?

• NollipfSense @SteelCityColt

@SteelCityColt No problem... I would start with Status > System Logs > System > General when you enable OpenVPN, and also OpenVPN.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

• SteelCityColt

Attachments: No VPN.txt, With VPN.txt

Ran a packet trace on the LAN with and without the VPN, as per the attached. Pinged the AP from the router, pinged the router from the AP, and then pinged and did an nslookup of google as well as a speed test from a Wi-Fi device. With the VPN on, I can only ping the AP from the router.

Nothing seems amiss in the OpenVPN log. In the system log I can see these when I start the VPN:

          Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
          Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
          Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
          Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1

.21 is an unRAID server (which is also playing silly buggers right now on the networking side: it will only work on auto DHCP; set the same static network settings and it can't break out either), .136 is another NIC on the same server. The MACs are physical NICs on that machine.

• NollipfSense @SteelCityColt
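The "arp: ... moved from ... to ..." lines above are the kind of thing worth pulling out of a pfSense system log systematically rather than by eye. The following is an added example, not code from the thread or from Netgate: it parses FreeBSD/pfSense kernel ARP-move lines (the four from the post plus one constructed extra) and reports which IPs keep changing MAC, which is the signal to check for a multi-NIC host on one LAN like the unRAID box here, a bridge loop, or ARP spoofing.

```python
"""Flag IPs whose MAC keeps changing, from pfSense/FreeBSD
'kernel arp: <ip> moved from <mac> to <mac> on <if>' system log lines."""
import re
from collections import defaultdict

# Sample input: the four lines quoted in the thread plus one constructed line
# (192.168.0.50) so the report shows a host that moved only once.
SAMPLE_LOG = """\
Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1
Feb 23 16:02:10 kernel arp: 192.168.0.50 moved from aa:bb:cc:00:00:01 to aa:bb:cc:00:00:02 on igb1
"""

# Matches the exact line shape pfSense's System > General log shows for ARP moves.
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)$"
)


def parse_arp_moves(text):
    """Return a list of (timestamp, ip, old_mac, new_mac, ifname) tuples."""
    moves = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line.strip())
        if m:
            moves.append((m["ts"], m["ip"], m["old"], m["new"], m["ifname"]))
    return moves


def macs_per_ip(moves):
    """Map each IP to the sorted list of every MAC it has been seen with."""
    seen = defaultdict(set)
    for _ts, ip, old, new, _ifname in moves:
        seen[ip].update((old, new))
    return {ip: sorted(macs) for ip, macs in seen.items()}


def flapping_ips(moves, min_moves=2):
    """IPs that moved at least min_moves times, as {ip: move_count}.
    One move can be a legitimate NIC swap; repeated moves between several
    MACs (as for 192.168.0.21 above) deserve a look at the host or switch."""
    counts = defaultdict(int)
    for _ts, ip, *_rest in moves:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_moves}


if __name__ == "__main__":
    moves = parse_arp_moves(SAMPLE_LOG)
    for ip, n in sorted(flapping_ips(moves).items()):
        print(f"{ip}: {n} moves, MACs seen: {', '.join(macs_per_ip(moves)[ip])}")
```

On a live box the same functions can be fed the output of the system log export instead of SAMPLE_LOG.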

@SteelCityColt Somehow it seems that your routing is messed up... the MAC address should not be changing like that... let's hope someone will chime in with more insight. For the VPN, any reason why you didn't use the default port 1194 UDP, especially since you used the wizard?

• SteelCityColt @NollipfSense

              @NollipfSense as per the original post, the VPN provider I use for my WAN interface will only open ports above 2048.

• JKnott @NollipfSense

@NollipfSense said in Why does starting an OpenVPN service break my AP?:

> Somehow it seems that your routing is messed up... the MAC address should not be changing like that... let's hope someone will chime in with more insight.

                If those devices are on the same LAN as where he's testing from, it has nothing to do with routing. Also, you never see the original MAC on a routed packet. You only see the MAC of the nearest interface.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

• SteelCityColt

So, trying to think this through logically, there are only 3 variables I set when using the wizard:

                  1. The port used (currently 3389)
                  2. The tunnel network (10.0.8.0/24)
                  3. The LAN network (192.168.0.0/24)

                  I might play around with changing these in case it's causing a conflict with the Ubiquiti AP.

From the tcpdumps, the line that sticks out to me is "Null Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 46", but I have no idea what it means.

• NollipfSense @JKnott

@JKnott said in Why does starting an OpenVPN service break my AP?:

> those devices are on the same LAN

Just realised... must have been seeing double yesterday... thanks!

• NollipfSense @SteelCityColt

@SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?

• SteelCityColt @NollipfSense

@NollipfSense said in Why does starting an OpenVPN service break my AP?:

> @SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?

                        Raised same question on their forums too.

• SteelCityColt

                          Sorry to bump, but I have made some progress.

Although it's still only the wireless AP that seems to be affected, which I can't quite get my head around, it may well be a routing issue.

I found that if I turn off my OpenVPN client on the pfSense box, then the OpenVPN server doesn't break net access for the wireless AP. Reading up on people having similar issues trying to run a client and server at the same time, it seems the key is to check "Don't pull routes". The issue then is how do I set up the routing manually to push out everything on the LAN via the VPN client. I'm guessing a combo of firewall and NAT?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.