OpenVPN routing issues using pfSense client



  • I have two pfSense appliances running 2.3.4, one is a router/VPN server at an office and the other is a router/VPN client at home.

    OFFICE:

    WAN: Public static IP
    LAN: 192.168.4.1
    VPN 10.10.1.0/24

    HOME:

    WAN: 192.168.1.160 (double NAT. I can't fix that so don't ask)
    LAN: 192.168.2.1

    The purpose of the tunnel is to route only traffic to the OFFICE LAN across the VPN. I am not using the redirect gateway because I do not want ALL traffic across the VPN, just traffic destined for 192.168.4.0/24.

    I can fire up the OpenVPN Windows client, connect to my OFFICE OpenVPN server from anywhere and it works as expected, only traffic to 10.10.1.0/24 and 192.168.4.0/24 goes across the VPN and I can access everything.

    If I use the OpenVPN client on pfSense I can get connected but I can only access 10.10.1.1, not 192.168.4.0/24.

    Log1 attached with details.

    192.168.4.0/24 wants to route through my HOME WAN.

    I created a client specific override on the VPN Server to redirect the gateway:

    push "redirect-gateway def1"

    Reconnect to the VPN and Log2 is my results. I can successfully get to 192.168.4.1, mainly because I know that ALL traffic is being routed across the VPN.

    During my VPN Client setup on HOME I went and created the OPT1 interface for the OpenVPN connection and went into Firewall => NAT => Outbound and changed it to Manual and duplicated the WAN rules like nearly all of the guides said to do.

    I'm at a bit of a loss on what to do or what to try/change.



    log1.txt
    log2.txt



  • @Borkness:

    192.168.4.0/24 wants to route through my HOME WAN.

    Why do you think so?
    Corresponding to the log, the route should be set correctly.
    Check the pfSense routing table. Diagnostic > Routes

    @Borkness:

    I created a client specific override on the VPN Server to redirect the gateway:
    push "redirect-gateway def1"

    In the client specific override enter the client's LAN network at "Remote networks".

    @Borkness:

    During my VPN Client setup on HOME I went and created the OPT1 interface for the OpenVPN connection and went into Firewall => NAT => Outbound and changed it to Manual and duplicated the WAN rules like nearly all of the guides said to do.

    That shouldn't be necessary any more after you have configured the remote network in the CCO.



  • @viragomann:

    @Borkness:

    192.168.4.0/24 wants to route through my HOME WAN.

    Why do you think so?
    Corresponding to the log, the route should be set correctly.
    Check the pfSense routing table. Diagnostic > Routes

    I was using the diagnostics on pfSense in the GUI as well as the command shell to traceroute to 192.168.4.1 and the trace returned nothing, all "*". I was probably wrong in my assumption and should have done the trace from a machine on my LAN, but it's too late.

    @viragomann:

    @Borkness:

    I created a client specific override on the VPN Server to redirect the gateway:
    push "redirect-gateway def1"

    In the client specific override enter the client's LAN network at "Remote networks".

    Are you suggesting to do this on the OFFICE VPN Server by setting up the client specific override? Or doing it on the HOME VPN Server by editing the VPN settings?

    @viragomann:

    @Borkness:

    During my VPN Client setup on HOME I went and created the OPT1 interface for the OpenVPN connection and went into Firewall => NAT => Outbound and changed it to Manual and duplicated the WAN rules like nearly all of the guides said to do.

    That shouldn't be necessary any more after you have configured the remote network in the CCO.

    For whatever reason it is currently working with the OPT interface and the manual outbound NAT. I've rebooted my HOME router twice and attached are the route tables.

    I'm hesitant to monkey any more and change NAT back to Auto, remove the manual rules that were created and delete the OPT1 interface.

    I'm completely open to suggestions as to how to do it "right". If you say to change the OPT1/NAT I'll try it but most all of the VPN Client guides I've seen say to do it that way and I did it as a last resort trying to debug it.




  • The client specific override has to be set on the server.
    That is the first thing to do.
    After you have set the remote network and reconnected to the server, the server should have a route to the client's LAN network pointing to the client's tunnel address.



  • Sorry for the delayed response.

    On the OFFICE VPN Server, the global configuration for the server already had the IPv4 Local Networks set as 192.168.4.0/24; this setting was what was pushing the route to my HOME VPN Client.

    As of me writing this, my HOME router's VPN client is working correctly, routing traffic for 192.168.4.0/24 across the VPN to the OFFICE network. I can't say what made it "work" all of a sudden, but it is.

    Do I still need to keep the manually configured NAT and OPT1 interfaces?



  • With the CSO the NAT rule is unnecessary. But the interface is still needed for routing traffic to the server.



    Hmm, I went and set NAT back to Auto, removed the manually created rules, saved and rebooted the HOME router and could no longer access 10.10.1.1 (OFFICE router/VPN server) and 192.168.4.0/24 (OFFICE LAN).

    I went back and set NAT to manual, duplicated the rules again and I was able to access the OFFICE router/lan.






  • @Borkness:

    Hmm, I went and set NAT back to Auto, removed the manually created rules, saved and rebooted the HOME router and could no longer access 10.10.1.1 (OFFICE router/VPN server) and 192.168.4.0/24 (OFFICE LAN).

    You cannot ping the OpenVPN server at 10.10.1.1 without that NAT rule?? From which device? The home router or a LAN device?



  • WITHOUT the NAT rules on the HOME router VPN client, I CAN ping 10.10.1.1 and 192.168.4.1 from the router.

    WITHOUT the NAT rules, on a computer behind the HOME router VPN client on 192.168.2.0/24 I CAN NOT ping 10.10.1.1 nor 192.168.4.1.

    Put the NAT rule in place, restart the VPN client, and my computers behind the HOME router on 192.168.2.0/24 can ping and access both 10.10.1.1 and 192.168.4.1.



  • Okay, so presumably the office router is missing the route to 192.168.2.0/24.
    You may also do well with NAT. That only results in translating the source address to the client's VPN address, so you're not able to determine the real origin device at the office site.

    If you don't like this behavior you have to set the routes at the server.
    Have you already set the CSO on the office pfSense with 192.168.2.0/24 in the remote networks field?
    If that is done, establish a vpn connection from home and check the routes on the office router.
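To make the last two posts concrete, here is an added illustration (not from the thread, and not pfSense's own code) of the office router's return-path decision: a small longest-prefix-match model showing why a host on the home LAN only gets answers when either the CSO on the office server carries 192.168.2.0/24 or the home side NATs to its tunnel address, while the home router itself works either way. The client tunnel address 10.10.1.6 and the interface names are assumptions.

```python
import ipaddress

# Constructed topology from the thread's addresses; the HOME client's tunnel
# address (10.10.1.6) and the interface names are assumptions.
OFFICE_LAN = ipaddress.ip_network("192.168.4.0/24")
HOME_LAN = ipaddress.ip_network("192.168.2.0/24")
TUNNEL_NET = ipaddress.ip_network("10.10.1.0/24")
HOME_TUNNEL_ADDR = ipaddress.ip_address("10.10.1.6")


def lookup(routes, dst):
    """Longest-prefix match, the decision Diagnostics > Routes displays."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def office_routes(cso_has_home_lan):
    """OFFICE routing table; the CSO 'Remote networks' entry for
    192.168.2.0/24 is what adds the route (and iroute) via the tunnel."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
        (OFFICE_LAN, "LAN"),
        (TUNNEL_NET, "ovpns1"),
    ]
    if cso_has_home_lan:
        routes.append((HOME_LAN, "ovpns1"))
    return routes


def reply_interface(src_host, cso_has_home_lan, home_outbound_nat):
    """Interface the OFFICE router uses to answer a packet from src_host.
    Manual outbound NAT on the HOME OpenVPN interface hides the LAN host
    behind the client's tunnel address, so the office never needs its route."""
    src = ipaddress.ip_address(src_host)
    if home_outbound_nat and src in HOME_LAN:
        src = HOME_TUNNEL_ADDR
    return lookup(office_routes(cso_has_home_lan), src)


if __name__ == "__main__":
    for nat in (False, True):
        for cso in (False, True):
            print(f"NAT={nat!s:5} CSO={cso!s:5} -> "
                  f"{reply_interface('192.168.2.50', cso, nat)}")
```

A reply that leaves via "WAN" is the failure seen from the 192.168.2.0/24 computers: the office router has no tunnel route back to them, so the answer follows the default route and is lost.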