Netgate Discussion Forum

    No traffic through client vpn once interface is attached

    OpenVPN
    3 Posts 2 Posters 565 Views
    • dotOne

      Hello,

      I have a client VPN set up on the firewall to the Celo VPN provider.
      The VPN is up and I can ping the remote gateway.
      Then I created an interface in pfSense and assigned the VPN to it, no IP addresses defined.
      Finally I added an outbound NAT rule for this interface.

      As long as there is no interface connected to the VPN I can ping the remote gateway:

      ifconfig ovpnc5

      ovpnc5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      options=80000<LINKSTATE>
      inet6 fe80::20e:c4ff:fed1:f685%ovpnc5 prefixlen 64 scopeid 0x12
      inet6 fd4a:e7ae:b84b:9c2::aa28 prefixlen 116
      inet 172.27.234.66 --> 172.27.234.1 netmask 0xffffff00
      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      groups: tun openvpn
      Opened by PID 29826

      ping -S 172.27.234.66 172.27.234.1
      PING 172.27.234.1 (172.27.234.1) from 172.27.234.66: 56 data bytes
      64 bytes from 172.27.234.1: icmp_seq=0 ttl=64 time=7.051 ms
      64 bytes from 172.27.234.1: icmp_seq=1 ttl=64 time=6.922 ms
      64 bytes from 172.27.234.1: icmp_seq=2 ttl=64 time=6.904 ms

      As soon as I attach the firewall interface, the gateway pinger complains that it cannot ping the remote side.
      I changed the pinger destination IP and it seems no traffic is flowing through the VPN anymore.
      dpinger recognizes the interface IP address (shown on the web interface) and reports that the remote side is unreachable.
      Then the log starts showing VPN resets because no traffic is getting through.

      Log, reverse ordering:

      Nov 5 14:37:05 openvpn 62867 Initialization Sequence Completed
      Nov 5 14:37:00 openvpn 62867 /usr/local/sbin/ovpn-linkup ovpnc5 1500 1558 172.27.233.47 255.255.255.0 init
      Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 inet6 fd4a:e7ae:b84b:9c2::9c74/116
      Nov 5 14:37:00 openvpn 62867 /sbin/route add -net 172.27.233.0 172.27.233.1 255.255.255.0
      Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 172.27.233.47 172.27.233.1 mtu 1500 netmask 255.255.255.0 up
      Nov 5 14:37:00 openvpn 62867 do_ifconfig, tt->did_ifconfig_ipv6_setup=1

      Nov 5 14:37:00 openvpn 62867 TUN/TAP device /dev/tun5 opened
      Nov 5 14:37:54 openvpn 62867 TCP/UDP: Preserving recently used remote address: [AF_INET]185.66.140.43:1194
      Nov 5 14:37:54 openvpn 62867 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 5 14:37:54 openvpn 62867 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Nov 5 14:37:49 openvpn 62867 Restart pause, 5 second(s)
      Nov 5 14:37:49 openvpn 62867 SIGUSR1[soft,ping-restart] received, process restarting
      Nov 5 14:37:49 openvpn 62867 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting

      This is on 2.4.0 and 2.4.2beta.

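As an added example (not from the thread, pfSense or OpenVPN), a small Python triage script run over log lines constructed from the excerpt above: it counts ping-restart cycles, records the tunnel address each session was given (the change from 172.27.234.x to 172.27.233.x that the poster noticed), and flags the unverified-server-certificate warning that also appears in the log. The first session's PID 29826 comes from the ifconfig output; its timestamps are assumed.

```python
import re
# Constructed sample modelled on the lines quoted above (oldest first):
# PID 29826 is the session seen in the ifconfig output, 62867 the session
# from the log excerpt; the timestamps of the first session are made up.
SAMPLE_LOG = """\
Nov 5 14:30:12 openvpn 29826 /sbin/ifconfig ovpnc5 172.27.234.66 172.27.234.1 mtu 1500 netmask 255.255.255.0 up
Nov 5 14:36:49 openvpn 62867 [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Nov 5 14:36:49 openvpn 62867 SIGUSR1[soft,ping-restart] received, process restarting
Nov 5 14:36:54 openvpn 62867 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 5 14:36:54 openvpn 62867 TCP/UDP: Preserving recently used remote address: [AF_INET]185.66.140.43:1194
Nov 5 14:37:00 openvpn 62867 /sbin/ifconfig ovpnc5 172.27.233.47 172.27.233.1 mtu 1500 netmask 255.255.255.0 up
Nov 5 14:37:05 openvpn 62867 Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn (\d+) (.*)$")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) mtu")
CERT_WARNING = "No server certificate verification method has been enabled"

def analyze_openvpn_log(text):
    restarts, cert_warning, sessions = 0, False, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, pid, msg = m.groups()
        if "SIGUSR1[soft,ping-restart]" in msg:
            restarts += 1          # server keepalives stopped arriving
        if CERT_WARNING in msg:
            cert_warning = True    # client would accept any server certificate
        ifc = IFCONFIG_RE.search(msg)
        if ifc:                    # (pid, interface, local tunnel IP, remote gateway)
            sessions.append((int(pid),) + ifc.groups())
    return {
        "ping_restarts": restarts,
        "server_cert_unverified": cert_warning,
        "sessions": sessions,
        "gateway_changed": len({s[3] for s in sessions}) > 1,
    }

def findings(report):
    out = []
    if report["ping_restarts"]:
        out.append("ping-restart: server keepalives are not reaching the client")
    if report["gateway_changed"]:
        out.append("tunnel gateway changed between sessions: recheck the gateway monitor IP and outbound NAT")
    if report["server_cert_unverified"]:
        out.append("server certificate unverified: configure the provider CA (MITM risk)")
    return out
```

Run `findings(analyze_openvpn_log(SAMPLE_LOG))` to get the three points a firewall admin should act on for this log.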
      • marvosa

        The gotcha I've read over the years is that after you assign a VPN to an interface, you then need to bounce the tunnel.  Was this done?

        • dotOne

          Yes, I bounced the tunnel.
          Didn't help at all.

          Then I manually restarted the VPN client. The changed IP was reflected on the web interface.
          But the result is still the same, no traffic is flowing.

          For now, no clue at all.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.