OpenVPN Server/Client Issue

MeCJay12 · Apr 2, 2017, 7:21 PM

Hello All,

I had my pfsense box setup as an OpenVPN server. It worked great. I then set up my pfsense box as a vpn client (to PIA if it matters). Once I setup my box as a vpn client, all of the clients of MY vpn were no longer able to access the Internet. Here are my configs; I can clarify anything quickly. Thanks for the help in advance.

![IPsec Firewall.PNG](/public/imported_attachments/1/IPsec Firewall.PNG)
![IPsec Firewall.PNG_thumb](/public/imported_attachments/1/IPsec Firewall.PNG_thumb)
![LAN Firewall.PNG](/public/imported_attachments/1/LAN Firewall.PNG)
![LAN Firewall.PNG_thumb](/public/imported_attachments/1/LAN Firewall.PNG_thumb)
![OpenVPN Firewall.PNG](/public/imported_attachments/1/OpenVPN Firewall.PNG)
![OpenVPN Firewall.PNG_thumb](/public/imported_attachments/1/OpenVPN Firewall.PNG_thumb)
![WAN Firewall.PNG](/public/imported_attachments/1/WAN Firewall.PNG)
![WAN Firewall.PNG_thumb](/public/imported_attachments/1/WAN Firewall.PNG_thumb)

viragomann · Apr 2, 2017, 8:35 PM

Check the routes on pfSense. I guess the PIA provider pushes the default route to you, so the whole traffic is routed to the PIA server, but you will have no outbound NAT rule for the VPN clients on PIA interface.

If that is the case you can avoid it by checking "Don't pull routes" in the client settings.

MeCJay12 · Apr 2, 2017, 9:07 PM

I attached the routes below. Why would a default route to PIA break things? Ideally I want all of the traffic leaving my LAN to go to the vpn. Is that not possible? I thought I set up a NAT rule so it would work. Please Advise.

viragomann · Apr 2, 2017, 9:45 PM

Yes, the default route directs to PIA.

@MeCJay12:

Ideally I want all of the traffic leaving my LAN to go to the vpn. Is that not possible?

Surely that's possible. That would already be working yet anyway.
But now as the default route points to PIA server any upstream connection from all your interface are directed to PIA. I don't know if that's what you want. If you don't want this, you must avoid pulling routes from PIA server.

Your issue is, as you mentioned, that your VPN clients connected to pfSense can't reach the internet. So what is your intention? Should the whole upstream traffic from your clients go over the vpn and out to PIA also or should the go out the WAN interface?

MeCJay12 · Apr 2, 2017, 10:03 PM

I have a VPN so I can connect to my LAN services and PIA at the same time. For example: I have a samba share on my LAN I want to use and be able to browse the internet through PIA. So if any of my LAN devices or VPN clients want to access other LAN devices they can if any of those devices want to go out to the Internet that they can over the PIA tunnel. Right now my LAN is doing that exactly but my VPN clients only get LAN access. The VPN clients get absolutely no Internet access right now.

viragomann · Apr 2, 2017, 10:31 PM

So as mentioned above, I think you're missing outbound NAT rules for the vpn clients.

To give a better support here, it's necessary to know your interface settings. What is the PIA vpn client interface? Guess PIA. What is OpenVPN interface. What is/are the vpn clients tunnel subnet(s)?
It seems you have only selected the wrong interface in outbound NAT, all OpenVPN should be PIA, but without more infos that's just gambling.

MeCJay12 · Apr 2, 2017, 11:03 PM

Common Name - Interface Name - Network - IP
LAN - PCILAN - 192.168.1.0/24 - 192.168.1.1
VPN Clients - Dorm - 192.168.0.0/24 - 192.168.0.1
WAN - OnboardWAN - 10.90.13.0/24 - 10.90.13.224 (assigned to me not by choice)
PIA VPN - PIA - 10.38.12.0/24? - 10.38.12.6 (assigned to me not by choice)

Now that I typed that out I tried what you said and changed all the outbound OpenVPN rules to PIA and that fixed it. Thanks