Netgate Discussion Forum
    [OpenVPN] Traffic not flowing when tunneling specific subnets only

    • C Offline
      CaptainPistache
      last edited by CaptainPistache

      Hello everyone,

      I'm having a hard time debugging this one.

      I have set up an OpenVPN server on my pfSense instance. The authentication works and the VPN tunnel is correctly created (no error in the OpenVPN server logs, verbose level 6).

      I would like to tunnel only specific LAN subnets. However, the traffic correctly flows inside the tunnel only when "Redirect IPv4 Gateway" is checked. If I specify subnets in the "IPv4 Local network(s)" option, no traffic passes through the tunnel. Same behavior if I specify the whole private range ("192.168.0.0/16").

      When I say no traffic passes through the tunnel, I mean there's really not a single packet coming through the OpenVPN interface on the server. No, it's not a firewall issue because everything on every interface is wide open and no dropped packets are logged on the "System logs > Firewall" tab.

      Ok, now comes the really weird part. Two scenarios:

      Scenario A:

      • I enable "Redirect IPv4 Gateway" on the WebGUI. When I try to ping an IP address inside the LAN from the client, it works.

      Scenario B:

      • I disable the "Redirect IPv4 Gateway" on the WebGUI and manually add the following options in the "Custom options" box:
      push "route 0.0.0.0 128.0.0.0 192.168.40.1";push "route 128.0.0.0 128.0.0.0 192.168.40.1"


      thus creating the exact same routes on the client. When I try to ping the same IP address inside the LAN, I get no echo reply. A packet capture on the destination IP address shows no ICMP packets arriving.

      On the client (Windows 10), the behavior is exactly the same in the two scenarios:

      The ICMP packets are leaving the right interface, and the destination MAC address on the Ethernet layer is exactly the same in both cases (the virtual IP of the OpenVPN server), but in Scenario B there is no echo reply.

      I have manually checked the OpenVPN server conf file on pfSense, and between the two scenarios the diff is only the following, which appears correct:

      34a35
      > push "redirect-gateway def1"
      44,45d44
      < push "route 0.0.0.0 128.0.0.0 192.168.40.1"
      < push "route 128.0.0.0 128.0.0.0 192.168.40.1"

      On the OpenVPN client, the configuration is exactly the same in both scenarios.
      I have also tested with the latest OpenVPN client (2.5-rc3 instead of 2.4.9) and on a Windows 8.1 client, with no more success.

      This is a tough one. Any idea?

      Thanks a lot for your help.

      Kind regards,
      Captain

      • V Offline
        viragomann
        last edited by

        The server's IP is not to be stated in the route command.

        What does the client's routing table show?

        • RicoR Offline
          Rico LAYER 8 Rebel Alliance
          last edited by

          Work through https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn.html

          -Rico

          • C Offline
            CaptainPistache @viragomann
            last edited by

            Thanks for your answers.

            @viragomann said in [OpenVPN] Traffic not flowing when tunneling specific subnets only:

            The server's IP is not to be stated in the route command.

            What does the client's routing table show?

            The routing table is exactly the same in both scenarios.

            @Rico said in [OpenVPN] Traffic not flowing when tunneling specific subnets only:

            Work through https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn.html

            -Rico

            Already done before posting here. It didn't help me find the culprit.

            • V Offline
              viragomann @CaptainPistache
              last edited by

              @CaptainPistache
              With that info there is sadly no way to help.

              • C Offline
                CaptainPistache
                last edited by

                OMG I've found it.

                For testing purposes, the "WAN" interface which the OpenVPN client connects to was in a LAN subnet. And this very specific LAN subnet was also included in the subnets I was trying to tunnel...

                That issue was driving me crazy and the solution was right in front of me 😅

                Thanks anyway for your quick replies!

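The root cause the thread ends on is a routing check you can do before opening a ticket: does the client's own route table send the VPN server's address into the tunnel? The script below is an added example, not from the forum or from pfSense; the route tables, the client LAN 192.168.1.0/24 and the server endpoint 192.168.2.10 are constructed, only the 192.168.40.1 tunnel gateway comes from the thread.

```python
import ipaddress

# Constructed tables, "destination gateway interface". Client LAN 192.168.1.0/24,
# VPN server endpoint 192.168.2.10 (assumed, reached via the client's default gw).
# Scenario A: "redirect-gateway def1" pushes the two /1 routes AND a /32 for the
# server via the original gateway, so packets to the server bypass the tunnel.
ROUTES_DEF1 = """
0.0.0.0/0        192.168.1.1   eth0
0.0.0.0/1        192.168.40.1  tun0
128.0.0.0/1      192.168.40.1  tun0
192.168.2.10/32  192.168.1.1   eth0
192.168.1.0/24   0.0.0.0       eth0
192.168.40.0/24  0.0.0.0       tun0
"""
# Scenario B: the same /1 routes pushed by hand, with no /32 bypass for the server.
ROUTES_MANUAL = """
0.0.0.0/0        192.168.1.1   eth0
0.0.0.0/1        192.168.40.1  tun0
128.0.0.0/1      192.168.40.1  tun0
192.168.1.0/24   0.0.0.0       eth0
192.168.40.0/24  0.0.0.0       tun0
"""
# The thread's root cause: a pushed LAN subnet (192.168.0.0/16) also contains
# the server's WAN address, so the server itself ends up "inside" the tunnel.
ROUTES_LAN_OVERLAP = """
0.0.0.0/0        192.168.1.1   eth0
192.168.0.0/16   192.168.40.1  tun0
192.168.1.0/24   0.0.0.0       eth0
192.168.40.0/24  0.0.0.0       tun0
"""

def parse_routes(text):
    """Return a list of (network, gateway, interface) from the constructed format."""
    out = []
    for line in text.strip().splitlines():
        dest, gw, iface = line.split()
        out.append((ipaddress.ip_network(dest), gw, iface))
    return out

def lookup(routes, addr):
    """Longest-prefix match, the way the client's kernel picks a route."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def endpoint_routed_into_tunnel(text, server_ip, tun_iface="tun0"):
    """True when the best route to the VPN server leaves via the tunnel itself:
    encrypted packets can never reach the server, so nothing arrives (the symptom)."""
    best = lookup(parse_routes(text), server_ip)
    return best is not None and best[2] == tun_iface
```

Feed it the client's real routes and the server's public address; a True result means the pushed routes (or a pushed local network) swallow the path to the server, which is what both Scenario B and the final "WAN inside a tunneled LAN subnet" finding amount to.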
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.