No traffic through client vpn once interface is attached



  • Hello,

    I have a client VPN setup on the firewall to Celo VPN provider.
    The VPN is up and I can ping the remote gateway.
    Then I created an interface in pfSense and assigned the VPN to it, no IP addresses defined.
    Finally I added an outbound NAT rule for this interface.

    As long as there is no interface connected to the VPN I can ping the remote gateway:

    ifconfig ovpnc5

    ovpnc5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::20e:c4ff:fed1:f685%ovpnc5 prefixlen 64 scopeid 0x12
    inet6 fd4a:e7ae:b84b:9c2::aa28 prefixlen 116
    inet 172.27.234.66 --> 172.27.234.1  netmask 0xffffff00
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: tun openvpn
    Opened by PID 29826

    ping -S 172.27.234.66 172.27.234.1
    PING 172.27.234.1 (172.27.234.1) from 172.27.234.66: 56 data bytes
    64 bytes from 172.27.234.1: icmp_seq=0 ttl=64 time=7.051 ms
    64 bytes from 172.27.234.1: icmp_seq=1 ttl=64 time=6.922 ms
    64 bytes from 172.27.234.1: icmp_seq=2 ttl=64 time=6.904 ms

    As soon as I attach the firewall interface, the gateway pinger complains that it cannot ping the remote side.
    I changed the pinger destination IP and it seems no traffic is flowing through the VPN anymore.
    dpinger recognizes the interface IP address, shown on the web interface, and reports that the remote side is unreachable.
    Then the log starts showing VPN resets because no traffic is getting through.

    Log, reverse ordering:

    Nov 5 14:37:05 openvpn 62867 Initialization Sequence Completed
    Nov 5 14:37:00 openvpn 62867 /usr/local/sbin/ovpn-linkup ovpnc5 1500 1558 172.27.233.47 255.255.255.0 init
    Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 inet6 fd4a:e7ae:b84b:9c2::9c74/116
    Nov 5 14:37:00 openvpn 62867 /sbin/route add -net 172.27.233.0 172.27.233.1 255.255.255.0
    Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 172.27.233.47 172.27.233.1 mtu 1500 netmask 255.255.255.0 up
    Nov 5 14:37:00 openvpn 62867 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    Nov 5 14:37:00 openvpn 62867 TUN/TAP device /dev/tun5 opened
    Nov 5 14:37:54 openvpn 62867 TCP/UDP: Preserving recently used remote address: [AF_INET]185.66.140.43:1194
    Nov 5 14:37:54 openvpn 62867 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 5 14:37:54 openvpn 62867 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Nov 5 14:37:49 openvpn 62867 Restart pause, 5 second(s)
    Nov 5 14:37:49 openvpn 62867 SIGUSR1[soft,ping-restart] received, process restarting
    Nov 5 14:37:49 openvpn 62867 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting

    This is on 2.4.0 and 2.4.2beta
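    Added example, not from the thread: a small Python checker for OpenVPN client log lines in the format quoted above. It counts ping-restart cycles, flags the "No server certificate verification" warning, and compares the tunnel address that ovpn-linkup assigned with the one ifconfig still shows, which is the kind of stale-address mismatch worth ruling out when the gateway monitor reports the remote side down after a reconnect. The sample log and ifconfig lines are constructed from the post's format; the directives named in the findings (remote-cert-tls, verify-x509-name) are standard OpenVPN options.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format of the pfSense OpenVPN log quoted in
# the post (newest first, as the poster noted); not the poster's full log.
SAMPLE_LOG = """\
Nov 5 14:37:05 openvpn 62867 Initialization Sequence Completed
Nov 5 14:37:00 openvpn 62867 /usr/local/sbin/ovpn-linkup ovpnc5 1500 1558 172.27.233.47 255.255.255.0 init
Nov 5 14:37:54 openvpn 62867 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 5 14:37:49 openvpn 62867 SIGUSR1[soft,ping-restart] received, process restarting
Nov 5 14:37:49 openvpn 62867 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
"""
# Constructed ifconfig line in the format shown in the post (the earlier address).
SAMPLE_IFCONFIG = "inet 172.27.234.66 --> 172.27.234.1  netmask 0xffffff00"

# ovpn-linkup <ifname> <tun_mtu> <link_mtu> <ifconfig_local_ip> <netmask> init
LINKUP_RE = re.compile(r"ovpn-linkup (\S+) \d+ \d+ (\d+\.\d+\.\d+\.\d+) \S+ init")
IFCONFIG_RE = re.compile(r"inet (\d+\.\d+\.\d+\.\d+) --> (\d+\.\d+\.\d+\.\d+)")


def analyze_openvpn_log(log: str, ifconfig: Optional[str] = None) -> Dict[str, object]:
    """Summarise tunnel state from log lines and list findings a defender would act on."""
    interface: Optional[str] = None
    tunnel_ip: Optional[str] = None
    restarts = 0
    cert_unverified = False
    for line in log.splitlines():
        m = LINKUP_RE.search(line)
        if m:
            interface, tunnel_ip = m.group(1), m.group(2)
        elif "SIGUSR1[soft,ping-restart]" in line:
            restarts += 1  # keepalives went unanswered; tunnel was torn down and rebuilt
        elif "No server certificate verification method" in line:
            cert_unverified = True
    findings: List[str] = []
    if restarts:
        findings.append(f"{restarts} ping-restart(s): keepalives unanswered, check routing "
                        "and outbound NAT on the assigned interface")
    if cert_unverified:
        findings.append("server certificate is not verified (MITM risk): add "
                        "'remote-cert-tls server' or 'verify-x509-name' to the client config")
    if ifconfig and tunnel_ip:
        m = IFCONFIG_RE.search(ifconfig)
        if m and m.group(1) != tunnel_ip:
            findings.append(f"ifconfig shows {m.group(1)} but the log assigned {tunnel_ip}: "
                            "stale address, re-check gateway monitor and NAT after reconnect")
    return {"interface": interface, "tunnel_ip": tunnel_ip, "restarts": restarts,
            "cert_verification_disabled": cert_unverified, "findings": findings}
```

    Run it against the real log by pasting the OpenVPN log tab and the current ifconfig line for the ovpnc interface; an empty findings list means none of these three conditions is present.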



  • The gotcha I've read over the years is that after you assign a VPN to an interface, you then need to bounce the tunnel.  Was this done?



  • Yes, I bounced the tunnel.
    Didn’t help at all.

    Then I manually restarted the vpn client. The changed IP was reflected on the web interface.
    But the result is still the same, no traffic is flowing.

    For now, no clue at all

