No traffic through client vpn once interface is attached

dotOne

Hello,

I have a client VPN setup on the firewall to Celo VPN provider.
The VPN is up and I can ping the remote gateway.
Then I created an interface in pfSense and assigned the VPN to it, no IP adresses defined.
Finally I added an outbound NAT rule for this interface.

As long as there is no interface connected to the VPN I can ping the remote gateway

ifconfig ovpnc5

ovpnc5: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::20e:c4ff:fed1:f685%ovpnc5 prefixlen 64 scopeid 0x12
inet6 fd4a:e7ae:b84b:9c2::aa28 prefixlen 116
inet 172.27.234.66 –> 172.27.234.1  netmask 0xffffff00
nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn
Opened by PID 29826

ping -S 172.27.234.66 172.27.234.1
PING 172.27.234.1 (172.27.234.1) from 172.27.234.66: 56 data bytes
64 bytes from 172.27.234.1: icmp_seq=0 ttl=64 time=7.051 ms
64 bytes from 172.27.234.1: icmp_seq=1 ttl=64 time=6.922 ms
64 bytes from 172.27.234.1: icmp_seq=2 ttl=64 time=6.904 ms</performnud,auto_linklocal></linkstate></up,pointopoint,running,multicast>

As soon as I attach the firewall interface the gateway pinger complaints that it cannot ping the remote side.
I changed the pinger destination IP and it seems no traffic is flowing through the VPN anymore.
dpinger recognizes the interface IP address, shown on the web interface and telling the remote side is unreachable
Then the log starts showing VPN resets because no traffic is getting through

Log, reverse ordering

Nov 5 14:37:05 openvpn 62867 Initialization Sequence Completed
Nov 5 14:37:00 openvpn 62867 /usr/local/sbin/ovpn-linkup ovpnc5 1500 1558 172.27.233.47 255.255.255.0 init
Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 inet6 fd4a:e7ae:b84b:9c2::9c74/116
Nov 5 14:37:00 openvpn 62867 /sbin/route add -net 172.27.233.0 172.27.233.1 255.255.255.0
Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 172.27.233.47 172.27.233.1 mtu 1500 netmask 255.255.255.0 up
Nov 5 14:37:00 openvpn 62867 do_ifconfig, tt->did_ifconfig_ipv6_setup=1

Nov 5 14:37:00 openvpn 62867 TUN/TAP device /dev/tun5 opened
Nov 5 14:37:54 openvpn 62867 TCP/UDP: Preserving recently used remote address: [AF_INET]185.66.140.43:1194
Nov 5 14:37:54 openvpn 62867 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Nov 5 14:37:54 openvpn 62867 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 5 14:37:49 openvpn 62867 Restart pause, 5 second(s)
Nov 5 14:37:49 openvpn 62867 SIGUSR1[soft,ping-restart] received, process restarting
Nov 5 14:37:49 openvpn 62867 [OpenVPN Server] Inactivity timeout (–ping-restart), restarting

This is on 2.4.0 and 2.4.2beta

marvosa

The gotcha I've read over the years is that after you assign a VPN to an interface, you then need to bounce the tunnel.  Was this done?

dotOne

Yes, I bounced the tunnel.
Didn’t help at all.

Then I manually restarted the vpn client. The changed IP was reflected on the web interface.
But the result still the same, no traffic is flowing.

For now, no clue at all