Redirect Gateway/ Default Route - Via OpenVPN Client connections, not Server

jimlad

Dear All,

I'm sure this is possible but I'm struggling to get the correct config.

I have a VPS on the Internet that has an OpenVPN client configured to VPN back in to my PFsense OpenVPN Server. I want to use policy-based routing for certain source IP address (behind PFSense) to tunnel all their IP traffic over the OpenVPN tunnel and NAT on to the Internet via the VPS (VPS NAT rules via PF are working correctly). Routing for local subnets is all configured and working correctly. The firewall rule with the gateway of the VPS OpenVPN client IP address is working, but I cannot work out how to make it the default route (0.0.0.0/0). Obviously if it was the other ways round, VPS was server and PFsense was client i could use the push Redirect-Gateway directive, but I cannot change the topology. I can only tunnel out from the VPS, I cannot port forward and VPN in to the VPS.

What does work…....

I can for example put an additional network in to the IPv4 Remote Network/s for the OpenVPN client on the VPS of 8.8.8.8/32 in to the server config and ping from one of the source IPs that applies to the policy-based routing rule. This works..... What i need, but know I cannot do, is add 0.0.0.0/0 to the IPv4 Remote Network/s in the server config.

Has anyone done achieved this, using a client VPN connection as a default route?

viragomann

Why want you set the default route to the VPS while you only want to route certain hosts over it?

jimlad

I want certain source IPs to route all their Internet bound IP traffic out via the VPS. An example, though I'm not using it for this is US Netflix via a VPS in the US. Rather than knowing the Netflix Networks in the US, just route all traffic through the VPS. Again, this is not my purpose, just thought it was a clear example.

Also, its not a default route in that the route is in the routing table. As I'm using policy-based routing (which works) the real issue is OpenVPN is dropping any traffic on the Interface that isn't part of the IPv4 Remote Network/s . E.g. pinging 8.8.8.8 without 8.8.8.8/32 in the  IPv4 Remote Network/s give you the following log entry.

GET INST BY VIRT: 8.8.8.8 [failed]

viragomann

I see. You may set the route with "client specific overrides". Set up one for the partcular client and add the default route in "Remote networks".
However, I'm afraid this is applied to all hosts.

jimlad

Thats exactly what I am doing, I'm using "Client Specific Overrides" but you cannot use 0.0.0.0/0 as a network. It doesn't work.

Technically there isn't any reason why this shouldn't work. In fact it does work, just the OpenVPN (server) is dropping the packets because I can't use 0.0.0.0/0 to cover all IPs. As I said, i can put an additional network in to the IPv4 Remote Network/s for the OpenVPN client on the VPS of 8.8.8.8/32 in to the server config ("Client Specific Overrides") and ping from one of the source IPs that applies to the policy-based routing rule

viragomann

Try "0.0.0.0/1,128.0.0.0/1".
That is what also "redirect gateway" in the server settings do in fact.

duren

Why not set up two VPN servers on the vps, one routing traffic through and one not, and then just use the appropriate one on each client?

jimlad

@duren:

Why not set up two VPN servers on the vps, one routing traffic through and one not, and then just use the appropriate one on each client?

I'm not sure I understand what you mean. The issue here is OpenVPN and it routing IPs destined for the Internet. The policy-based routing is work as if ping 8.8.8.8 from a client I want to route its Internet traffic via the OpenVPN/VPS the ICMP hits the OpenVPN interface but then gets dropped by OpenVPN with GET INST BY VIRT: 8.8.8.8 [failed].

If i add 8.8.8.8/32 to the IPv4 Remote Network/s then it works correct and OpenVPN does drop with GET INST BY VIRT: 8.8.8.8 [failed].

adding 0.0.0.0/1 and 128.0.0.0/1 doesn't work.

jimlad

The issue seems to be that the subnet 0.0.0.0/1 is ignored, but 128.0.0.0/1 is evaluated because…..

with

IPv4 Remote Network/s = 0.0.0.0/1,128.0.0.0/1

I can ping www.bbc.co.uk

PING www.bbc.net.uk (212.58.246.90) 56(84) bytes of data.                                                                                                                             
64 bytes from bbc-vip011.cwwtf.bbc.co.uk (212.58.246.90): icmp_seq=1 ttl=54 time=15.0 ms                                                                                             
64 bytes from bbc-vip011.cwwtf.bbc.co.uk (212.58.246.90): icmp_seq=2 ttl=54 time=13.7 ms

but cannot ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.                                                                                                                                         
c^C                                                                                                                                                                                   
--- 8.8.8.8 ping statistics ---                                                                                                                                                       
3 packets transmitted, 0 received, 100% packet loss, time 2006ms

So any IP below 128.0.0.0 is dropped by OpenVPN GET INST BY VIRT: 8.8.8.8 [failed]