2.3.3 vs 2.3.2 - OpenVPN issue accessing 80/443 on same IP as OpenVPN Server



  • Hi There,

    I am not sure what has changed in 2.3.3 to make this occur, but I can no longer "loop back" to the same IP as the OpenVPN server while using Policy Based Routing to push specific IPs/Sites over the VPN.

    My example:

    IP 1.2.3.4 is my VPN/Seedbox. I connect 10.1.0.1 (pfSense FW) as an OpenVPN Client to 1.2.3.4. The connection comes up just fine. I can access port 80/443 of 1.2.3.4 over the VPN connection between 10.1.0.1 and 1.2.3.4. I am able to see my public IP as being that of the VPN and access deluge on my seedbox just fine.

    Once I upgrade 2.3.2 to 2.3.3 and make no adjustments at all to configuration, I can still see the public IP and access anything other than 1.2.3.4, but now I am unable to connect to deluge at all.

    Does anyone know if something has changed in OpenVPN under pfSense 2.3.3 / to the routing under 2.3.3 to make this issue come up now?

    For testing purposes I have two virtual machines, both from the 2.3.2 official OVA from pfSense Gold, and used a new, clean, manual configuration on VM1. I then copied it to VM2 and restored it, tests fine as expected. When I upgrade VM2, it breaks the deluge.


  • Rebel Alliance Developer Netgate

    Looks like this is a change in OpenVPN, try adding this to your config:

    --allow-recursive-routing : When this option is set, OpenVPN will not drop
                      incoming tun packets with same destination as host.
    

    So in the advanced options or in the client config, add that without the "–" in front.
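    As an added illustration (not code from this thread, from pfSense or from OpenVPN), a small Python checker for the condition the option addresses: a destination that the firewall policy-routes into the tunnel is also the tunnel server's own address, so the packet comes back to OpenVPN with the server as destination and is dropped unless allow-recursive-routing is set. The function names, the sample config and the prefixes are constructed for the example.

    ```python
    """Flag policy-routed destinations that would loop back toward the
    OpenVPN server's own address (hypothetical helper, constructed input)."""
    import ipaddress

    # Constructed client config; 1.2.3.4 is the server address from the thread.
    SAMPLE_CONFIG = """
    client
    dev tun
    remote 1.2.3.4 1194 udp
    # route lines below would also be checked if present
    """


    def parse_config(text):
        """Return (remote hosts, routed prefixes, allow-recursive-routing flag)."""
        remotes, routes, allow_recursive = [], [], False
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].split(";", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            key = parts[0].lstrip("-")  # accept "--option" and "option" forms
            if key == "remote" and len(parts) >= 2:
                remotes.append(parts[1])
            elif key == "route" and len(parts) >= 2:
                mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
                routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
            elif key == "allow-recursive-routing":
                allow_recursive = True
        return remotes, routes, allow_recursive


    def recursive_route_risk(config_text, policy_routed=()):
        """policy_routed: prefixes the firewall sends into the tunnel (pfSense
        policy routing lives outside the OpenVPN config, so pass them in).
        Returns a dict with status 'ok', 'allowed' or 'dropped'."""
        remotes, routes, allow_recursive = parse_config(config_text)
        prefixes = routes + [ipaddress.ip_network(p) for p in policy_routed]
        looped = []
        for host in remotes:
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue  # hostname remotes would need DNS resolution; skipped
            if any(addr in p for p in prefixes):
                looped.append(str(addr))
        if not looped:
            return {"status": "ok", "looped": []}
        return {"status": "allowed" if allow_recursive else "dropped", "looped": looped}
    ```

    Run it with the policy-routed prefixes from the firewall rule; a "dropped" result with the server address in `looped` is the symptom in this thread.
    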



  • You sir are awesome! I will try this during the afternoon, I bet it will work since that looks exactly like the wall I am hitting.

    Will try in the VM first, and if it works, re-upgrade my PROD firewall. I had downgraded it to 2.3.2-RELEASE and clobbered together some old backups and restored sections to get up and running so if this can fix it, I can re-upgrade to 2.3.3 and put back the original config as it was.



  • Confirmed, this fixes it. Thanks for the quick reply!

    I got a gold sub in the fall when I was super impressed with how far 2.3 has come and how easy I got out of a sticky situation with a full backup/restore, this makes it even more worthwhile!


  • Rebel Alliance Developer Netgate

    Great news! I'll look into adding a GUI knob for that, I have a couple others that need to go in as well and it may be good to have set by default for upgrades to preserve the existing behavior.

