Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VPN up Gateway up - No Internet

    Scheduled Pinned Locked Moved OpenVPN
    43 Posts 5 Posters 7.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      senseCanuck @Dilligaf
      last edited by senseCanuck

      @dilligaf You seem to be a step above me. My gateway won't even show up. I've changed every rule I can find, changed the monitor address to 1.1.1.1, no luck. I'm so fed up with this I'm about to try out an OPNsense install.

      D 1 Reply Last reply Reply Quote 0
      • D
        Dilligaf @senseCanuck
        last edited by Dilligaf

        @sensecanuck I've have a very similar setup by the sounds and like you use cloudflare dns. And like you changed everything I could think of.

        All sorts of different issues: I've had it running but only at about 120mb/s (I'm expecting 400+). I thought at that point it was just hardware acceleration. Backed up that config but when I restored it no traffic.

        And had the gateway up but no traffic like you. I was mucking about with it late last night and can't repeat anything.

        I'm looking to overhaul my network as a suitable and more powerful NUC type box has come into my possession. There's an issue there with 2.5 I don't understand and want to use PFSense on it as everything generally just works, but don't really want to put the effort in on 2.4.5.

        And like you I'm testing OpnSense. Not getting the same VPN performance though. Generally 15-20% less. Beware of the NordVPN guide - do not follow the guide for dns prefetch suppork and prefetch dns key. It doesn't work!

        1 Reply Last reply Reply Quote 0
        • V
          vMAC @viragomann
          last edited by vMAC

          @viragomann
          Here is the routes:
          05379315-8341-4547-930f-048338dbc072-image.png

          I did a packet capture, but how can I tell if it is being properly routed? If you want me to post or DM let me know, I can do that. It's trivial to get a new IP address generated from my ISP, so I'm not to worried about that.

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @vMAC
            last edited by

            @vmac said in VPN up Gateway up - No Internet:

            I did a packet capture, but how can I tell if it is being properly routed?

            Go to packet capture, select the NordVPN interface and set the protocol filter to ICMP and enter 8.8.8.8 at host and hit start. Than go to a devices out of the VPN group and do a ping to 8.8.8.8. Check if the ping is working. Then stop the capture and check the result.
            If the policy routing and NAT are working well you should see ICMP requests from your virtual VPN IP to 8.8.8.8 and replies coming back.

            You can find your virtual IP in Status > OpenVPN:
            2668a5ee-3aab-445c-a209-d27008e666a3-grafik.png

            1 Reply Last reply Reply Quote 0
            • S
              senseCanuck
              last edited by senseCanuck

              @viragomann I don't see the ICMP replies in my capture (only sends).

              • My config hasn't been touched since upgrading to 2.5.0.
              • Under Status -> Gateways my VPN shows offline even with 1.1.1.1 as the monitor
              • Under Status -> OpenVPN the status shows up and I get an IP
              • I have some selective DNS (I don't use the DNS resolver for my VPN interface) but I'm assuming that would be irrelevant to the ICMP test?

              NAT -> Outbound - If I disable the highlighted rule I get internet (bypasses my VPN). Which I find interesting because it means my NO_WAN_EGRESS tagging doesn't work.
              2cf9d200-a2dd-4556-831e-bce34e22470d-image.png

              Rules -> LAN - I always see 0/0 B on this one.
              9ebde0a1-593e-47f7-828c-b4bb8dd14abf-image.png

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @senseCanuck
                last edited by

                @sensecanuck said in VPN up Gateway up - No Internet:

                I don't see the ICMP replies in my capture (only sends).

                And what is the source address? I explained above how to check. Since you don't provide the infos, I can't verify.

                Pinging an IP doesn't need DNS. You must see response packets. If not either the source IP isn't correct (from outbound NAT) or it is something wrong at the VPN provider.

                There are other threads relating to outbound NAT on 2.5, but I did not go in.
                Maybe it helps to switch the outbound NAT into another mode and back again or drop the rule and add it again.

                S 1 Reply Last reply Reply Quote 0
                • S
                  senseCanuck @viragomann
                  last edited by senseCanuck

                  @viragomann

                  Recreating the NAT rule didn't make a difference.

                  The pings are coming from the virtual address but I don't get returns
                  5a8a4cce-e211-49cc-a0f1-d440157241b8-image.png

                  11:34:33.915913 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 601, length 40
                  I can also see a number of non-ICMP request being sent out (again, no returns).

                  My gateway always shows down, whether I monitor 1.1.1.1 or 8.8.8.8 (don't know if that makes a difference).

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    senseCanuck @senseCanuck
                    last edited by

                    Update

                    The gateway now shows up with the default monitor port, but still no internet.
                    d4d7613e-e205-4edc-9003-7459c4b837a8-image.png

                    1 Reply Last reply Reply Quote 0
                    • S
                      senseCanuck
                      last edited by

                      Solved in this thread by disabling Data Encryption Negotiation.
                      https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10

                      V 1 Reply Last reply Reply Quote 1
                      • V
                        vMAC @senseCanuck
                        last edited by

                        @sensecanuck said in VPN up Gateway up - No Internet:

                        Solved in this thread by disabling Data Encryption Negotiation.
                        https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10

                        Thank you sir. Just got back to town and this worked. For those who are having this same issue the following two things will fix this issue:

                        1. Uncheck "Enable Data Encryption Negotiation"
                          or
                        2. Remove "tls-client" from custom option settings in OpenVPN
                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.