Netgate Discussion Forum

Redirect Gateway/ Default Route - Via OpenVPN Client connections, not Server

OpenVPN
9 Posts 3 Posters 3.6k Views
  jimlad, Apr 9, 2017, 4:08 PM (last edited Apr 9, 2017, 4:21 PM)

    Dear All,

    I'm sure this is possible but I'm struggling to get the correct config.

    I have a VPS on the Internet that has an OpenVPN client configured to VPN back in to my pfSense OpenVPN server. I want to use policy-based routing for certain source IP addresses (behind pfSense) to tunnel all their IP traffic over the OpenVPN tunnel and NAT on to the Internet via the VPS (VPS NAT rules via PF are working correctly). Routing for local subnets is all configured and working correctly. The firewall rule with the gateway of the VPS OpenVPN client IP address is working, but I cannot work out how to make it the default route (0.0.0.0/0). Obviously if it was the other way round, VPS as server and pfSense as client, I could use the push Redirect-Gateway directive, but I cannot change the topology. I can only tunnel out from the VPS; I cannot port forward and VPN in to the VPS.

    What does work...

    I can, for example, put an additional network of 8.8.8.8/32 in to the IPv4 Remote Network/s for the OpenVPN client on the VPS in the server config and ping from one of the source IPs that applies to the policy-based routing rule. This works. What I need, but know I cannot do, is add 0.0.0.0/0 to the IPv4 Remote Network/s in the server config.

    Has anyone achieved this, using a client VPN connection as a default route?

    viragomann, Apr 9, 2017, 5:12 PM

      Why do you want to set the default route to the VPS while you only want to route certain hosts over it?

      jimlad, Apr 9, 2017, 5:16 PM (last edited Apr 9, 2017, 5:21 PM)

        I want certain source IPs to route all their Internet-bound IP traffic out via the VPS. An example, though I'm not using it for this, is US Netflix via a VPS in the US. Rather than knowing the Netflix networks in the US, just route all traffic through the VPS. Again, this is not my purpose, I just thought it was a clear example.

        Also, it's not a default route in the sense that the route is in the routing table. As I'm using policy-based routing (which works), the real issue is that OpenVPN is dropping any traffic on the interface that isn't part of the IPv4 Remote Network/s. E.g. pinging 8.8.8.8 without 8.8.8.8/32 in the IPv4 Remote Network/s gives you the following log entry.

        GET INST BY VIRT: 8.8.8.8 [failed]

        viragomann, Apr 9, 2017, 6:04 PM

          I see. You may set the route with "client specific overrides". Set up one for the particular client and add the default route in "Remote networks".
          However, I'm afraid this is applied to all hosts.

          jimlad, Apr 9, 2017, 6:21 PM

            That's exactly what I am doing. I'm using "Client Specific Overrides", but you cannot use 0.0.0.0/0 as a network. It doesn't work.

            Technically there isn't any reason why this shouldn't work. In fact it does work; it's just that OpenVPN (server) is dropping the packets because I can't use 0.0.0.0/0 to cover all IPs. As I said, I can put an additional network of 8.8.8.8/32 in to the IPv4 Remote Network/s for the OpenVPN client on the VPS in the server config ("Client Specific Overrides") and ping from one of the source IPs that applies to the policy-based routing rule.

            viragomann, Apr 9, 2017, 7:10 PM

              Try "0.0.0.0/1,128.0.0.0/1".
              That is in fact what "redirect gateway" in the server settings does as well.

              duren, Apr 13, 2017, 11:05 AM

                Why not set up two VPN servers on the vps, one routing traffic through and one not, and then just use the appropriate one on each client?

                jimlad, Apr 17, 2017, 10:38 AM (last edited Apr 17, 2017, 12:43 PM)

                  @duren:

                  Why not set up two VPN servers on the vps, one routing traffic through and one not, and then just use the appropriate one on each client?

                  I'm not sure I understand what you mean. The issue here is OpenVPN and its routing of IPs destined for the Internet. The policy-based routing is working: if I ping 8.8.8.8 from a client whose Internet traffic I want to route via the OpenVPN/VPS, the ICMP hits the OpenVPN interface but then gets dropped by OpenVPN with GET INST BY VIRT: 8.8.8.8 [failed].

                  If I add 8.8.8.8/32 to the IPv4 Remote Network/s then it works correctly and OpenVPN does drop with GET INST BY VIRT: 8.8.8.8 [failed].

                  Adding 0.0.0.0/1 and 128.0.0.0/1 doesn't work.

                  [Attachment: openvpn.png]

                  jimlad, Apr 17, 2017, 11:06 AM

                    The issue seems to be that the subnet 0.0.0.0/1 is ignored, but 128.0.0.0/1 is evaluated, because...

                    with

                    IPv4 Remote Network/s = 0.0.0.0/1,128.0.0.0/1

                    I can ping www.bbc.co.uk

                    PING www.bbc.net.uk (212.58.246.90) 56(84) bytes of data.
                    64 bytes from bbc-vip011.cwwtf.bbc.co.uk (212.58.246.90): icmp_seq=1 ttl=54 time=15.0 ms
                    64 bytes from bbc-vip011.cwwtf.bbc.co.uk (212.58.246.90): icmp_seq=2 ttl=54 time=13.7 ms

                    but cannot ping 8.8.8.8

                    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
                    c^C
                    --- 8.8.8.8 ping statistics ---
                    3 packets transmitted, 0 received, 100% packet loss, time 2006ms

                    So any IP below 128.0.0.0 is dropped by OpenVPN with GET INST BY VIRT: 8.8.8.8 [failed].

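The two lookups this thread turns on, modelled as an added Python example (this is not code from the forum posts, from pfSense or from OpenVPN): the pfSense routing table's longest-prefix match, which is why the 0.0.0.0/1 + 128.0.0.0/1 pair suggested by viragomann takes precedence over a 0.0.0.0/0 default, and the OpenVPN server's lookup of which client instance owns a destination, the step that logs "GET INST BY VIRT: ... [failed]" and drops the packet when no client's IPv4 Remote Network/s contains it. The routing table, the gateway names and the client name "vps" are constructed; the last scenario only models the behaviour jimlad observed (just 128.0.0.0/1 taking effect), not why it happens. A coverage check is included so a full-tunnel prefix set can be verified before anyone relies on it.

```python
"""Model of the two lookups behind this thread (added example, not pfSense/OpenVPN code).

1. Kernel routing table on pfSense: longest-prefix match, so 0.0.0.0/1 and
   128.0.0.0/1 via the tunnel win over a 0.0.0.0/0 default via WAN.
2. OpenVPN server instance lookup: a packet arriving on the tun interface is
   only forwarded to the VPS client if its destination falls inside one of
   that client's "IPv4 Remote Network/s" prefixes; otherwise the server logs
   "GET INST BY VIRT: <dst> [failed]" and drops it (fail closed, no leak).
Every address, prefix and name below is taken from the thread or constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, gateway name)


def parse_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated form used by the 'IPv4 Remote Network/s' field."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def longest_prefix_match(table: Sequence[Route], dst: str) -> Optional[str]:
    """Return the gateway of the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gateway in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def client_for_destination(iroutes: Dict[str, Sequence[ipaddress.IPv4Network]],
                           dst: str) -> Optional[str]:
    """Mimic the server's 'GET INST BY VIRT' step: which client owns dst?

    Returns the client name, or None when no client's remote networks
    contain dst (the packet is then dropped rather than routed elsewhere).
    """
    addr = ipaddress.ip_address(dst)
    for client, nets in iroutes.items():
        if any(addr in net for net in nets):
            return client
    return None


def covers_all_ipv4(nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """True when the prefixes merge to exactly 0.0.0.0/0 (no destination left out)."""
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


# Constructed pfSense routing table: a WAN default, one local subnet and the two /1 tunnel routes.
ROUTE_TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
    (ipaddress.ip_network("192.168.1.0/24"), "LAN"),      # constructed local subnet
    (ipaddress.ip_network("0.0.0.0/1"), "VPS_OPENVPN"),
    (ipaddress.ip_network("128.0.0.0/1"), "VPS_OPENVPN"),
]

# Three client-specific-override settings from the thread, keyed by a constructed client name.
IROUTES_SINGLE_HOST = {"vps": parse_networks("8.8.8.8/32")}
IROUTES_TWO_HALVES = {"vps": parse_networks("0.0.0.0/1,128.0.0.0/1")}
# Observed behaviour in the last post: only the upper half takes effect.
IROUTES_UPPER_HALF_ONLY = {"vps": parse_networks("128.0.0.0/1")}


def main() -> None:
    for dst in ("8.8.8.8", "212.58.246.90", "192.168.1.10"):
        print(f"kernel route for {dst}: {longest_prefix_match(ROUTE_TABLE, dst)}")
    for label, iroutes in (("8.8.8.8/32", IROUTES_SINGLE_HOST),
                           ("0.0.0.0/1,128.0.0.0/1", IROUTES_TWO_HALVES),
                           ("128.0.0.0/1 only", IROUTES_UPPER_HALF_ONLY)):
        print(f"\nIPv4 Remote Network/s = {label}; covers all IPv4: "
              f"{covers_all_ipv4(iroutes['vps'])}")
        for dst in ("8.8.8.8", "212.58.246.90"):
            owner = client_for_destination(iroutes, dst)
            print(f"  {dst}: " + (f"forwarded to client {owner}" if owner
                                   else f"GET INST BY VIRT: {dst} [failed] -> dropped"))


if __name__ == "__main__":
    main()
```

Running it shows both 8.8.8.8 and 212.58.246.90 selecting the tunnel gateway in the kernel table, while the server-side lookup only succeeds for destinations inside the configured remote networks; with just 128.0.0.0/1 in effect, 8.8.8.8 is dropped and the BBC address is forwarded, matching the ping output above. The covers_all_ipv4 check is worth running on any prefix set meant to stand in for 0.0.0.0/0: the /1 pair passes it, a single /1 does not. Note that the /1 pair also matches RFC 1918 space, so local subnets still need their own more specific routes, which jimlad reports are already in place.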
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.