Netgate Discussion Forum

OpenVPN Client uses OpenVPN Server address half the time

Category: OpenVPN
5 Posts, 3 Posters, 1.2k Views
snamellit, Nov 13, 2017, 4:51 PM (last edited Nov 14, 2017, 9:33 AM)

    Hi,

    I want to have an OpenVPN server to connect to my home network, and I want my home network connected to the company network using an OpenVPN client.

    The OpenVPN server works fine. It runs on the 192.168.16.0 network.

    The OpenVPN client connects and works half the time. Exactly half the connections time out and half the connections connect just fine.

    Some packet tracing testing a web service at 10.32.241.81 shows:

    60 20.352497 192.168.16.1 10.32.241.81 TCP 68 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371729889 TSecr=0 SACK_PERM=1
    61 21.380856 192.168.16.1 10.32.241.81 TCP 68 [TCP Retransmission] 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371730889 TSecr=0 SACK_PERM=1
    62 23.606212 10.32.170.73 10.32.241.81 TCP 68 46005 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371733112 TSecr=0 SACK_PERM=1
    63 23.625584 10.32.241.81 10.32.170.73 TCP 64 443 → 46005 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1368 SACK_PERM=1 TSval=286722947 TSecr=371733112 WS=16
    64 23.626917 10.32.170.73 10.32.241.81 TCP 56 46005 → 443 [ACK] Seq=1 Ack=1 Win=131520 Len=0 TSval=371733134 TSecr=286722947
    …

    This pattern repeats: one connection (using 192.168.16.1) fails, the next connection (using 10.32.170.73) succeeds.

    If I disable the OpenVPN server, this does not change anything.

    When I delete the server configuration completely it works just fine.

    How can I tell pfSense not to use the OpenVPN server address to try to connect to the remote side, but only the VPN client-assigned address?

    thanks,

    Peter

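The alternation in the capture above can be pulled out mechanically rather than read off by eye. The following is an added example for this thread, not code from the post or from pfSense: it parses Wireshark-style summary lines (a constructed copy of the five quoted lines is embedded), pairs each SYN with a SYN/ACK for the reversed 4-tuple, and reports per source address how many attempts completed the handshake. On a longer capture, a 0/N for one source address next to N/N for the other points at source-address selection on the firewall rather than at the remote service.

```python
"""Attribute failed TCP handshakes in a capture summary to the source address used.

Added example, not code from the original post. Parses Wireshark-style summary
lines, matches SYNs to SYN/ACKs on the reversed 4-tuple, and summarises per
client address. Retransmitted SYNs count as the same attempt.
"""
import re
from collections import defaultdict

# Constructed sample: a copy of the five summary lines quoted in the first post.
SAMPLE = """\
60 20.352497 192.168.16.1 10.32.241.81 TCP 68 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371729889 TSecr=0 SACK_PERM=1
61 21.380856 192.168.16.1 10.32.241.81 TCP 68 [TCP Retransmission] 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371730889 TSecr=0 SACK_PERM=1
62 23.606212 10.32.170.73 10.32.241.81 TCP 68 46005 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371733112 TSecr=0 SACK_PERM=1
63 23.625584 10.32.241.81 10.32.170.73 TCP 64 443 → 46005 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1368 SACK_PERM=1 TSval=286722947 TSecr=371733112 WS=16
64 23.626917 10.32.170.73 10.32.241.81 TCP 56 46005 → 443 [ACK] Seq=1 Ack=1 Win=131520 Len=0 TSval=371733134 TSecr=286722947
"""

# frame, time, src, dst, "TCP", length, optional retransmission tag, sport -> dport, [flags]
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Return one dict per recognised summary line; flags become a set such as {'SYN', 'ACK'}."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["flags"] = {f.strip() for f in d["flags"].split(",")}
            rows.append(d)
    return rows


def handshake_outcomes(rows):
    """Map (client_ip, client_port, server_ip, server_port) -> True if a SYN/ACK answered it."""
    attempts = {}
    for r in rows:
        if r["flags"] == {"SYN"}:                      # bare SYN: a connection attempt
            attempts.setdefault((r["src"], r["sport"], r["dst"], r["dport"]), False)
    for r in rows:
        if r["flags"] == {"SYN", "ACK"}:               # reply travels in the reverse direction
            key = (r["dst"], r["dport"], r["src"], r["sport"])
            if key in attempts:
                attempts[key] = True
    return attempts


def per_source_summary(rows):
    """Return {client_ip: (answered, attempts)} so mis-sourced attempts stand out."""
    out = defaultdict(lambda: [0, 0])
    for (src, _, _, _), ok in handshake_outcomes(rows).items():
        out[src][1] += 1
        if ok:
            out[src][0] += 1
    return {k: tuple(v) for k, v in out.items()}


if __name__ == "__main__":
    for src, (ok, n) in sorted(per_source_summary(parse(SAMPLE)).items()):
        print(f"{src}: {ok}/{n} handshakes completed")
```

Feed it the "File > Export Packet Dissections > As Plain Text" output of a longer capture; the summary is what to compare against the firewall's NAT rules, since the far side can only reply to a source address it has a route back to.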
jimp (Rebel Alliance Developer, Netgate), Nov 13, 2017, 8:43 PM

      Sounds like maybe you have some conflicting routes or a problem elsewhere in your configuration (or layout/design).

      You'll need to provide more details about the OpenVPN client and server configurations, routing setup, routing table entries, OpenVPN log entries, and anything else that might be related.

snamellit, Nov 13, 2017, 9:32 PM

        Network setup:

        Interface   Network port
        WAN
        LAN         Home Office
        OPT1        WiFi Access Point
        OPT2        Multimedia
        OPT3        IoT stuff
        WLAN        internal wifi of firewall: not used

        Here is my routing table:

        IPv4 Routes
        Destination Gateway Flags Use Mtu Netif Expire
        default 192.168.0.1 UGS 663294 1500 igb0
        8.8.8.8 192.168.0.1 UGHS 6801 1500 igb0
        10.32.0.0/16 10.32.170.74 UGS 265 1500 ovpnc2
        10.32.170.1/32 10.32.170.74 UGS 0 1500 ovpnc2
        10.32.170.73 link#12 UHS 0 16384 lo0
        10.32.170.74 link#12 UH 0 1500 ovpnc2
        10.33.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
        10.35.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
        127.0.0.1 link#7 UH 5832 16384 lo0
        192.168.0.0/24 link#5 U 29474 1500 igb0
        192.168.0.179 link#5 UHS 0 16384 lo0
        192.168.1.0/24 link#2 U 3618460 1500 re1
        192.168.1.1 link#2 UHS 0 16384 lo0
        192.168.2.0/24 link#1 U 939 1500 re0
        192.168.2.1 link#1 UHS 0 16384 lo0
        192.168.3.0/24 link#3 U 58 1500 re2
        192.168.3.1 link#3 UHS 0 16384 lo0
        192.168.4.0/24 link#4 U 0 1500 re3
        192.168.4.1 link#4 UHS 0 16384 lo0
        192.168.16.0/24 192.168.16.2 UGS 0 1500 ovpns1
        192.168.16.1 link#13 UHS 0 16384 lo0
        192.168.16.2 link#13 UH 0 1500 ovpns1
        195.130.130.4 00:30:18:a1:f2:f8 UHS 391 1500 igb0
        195.130.131.4 00:30:18:a1:f2:f8 UHS 371 1500 igb0

        firewall rules:

        scrub on igb0 all fragment reassemble
        scrub on re1 all fragment reassemble
        scrub on re0 all fragment reassemble
        scrub on re2 all fragment reassemble
        scrub on re3 all fragment reassemble
        anchor "relayd/*" all
        anchor "openvpn/*" all
        anchor "ipsec/*" all
        pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        block drop in log quick inet6 all label "Block all IPv6"
        block drop out log quick inet6 all label "Block all IPv6"
        block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
        block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
        block drop in log inet all label "Default deny rule IPv4"
        block drop out log inet all label "Default deny rule IPv4"
        block drop in log inet6 all label "Default deny rule IPv6"
        block drop out log inet6 all label "Default deny rule IPv6"
        block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
        block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
        block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
        block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
        block drop log quick from <snort2c> to any label "Block snort2c hosts"
        block drop log quick from any to <snort2c> label "Block snort2c hosts"
        block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
        block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
        block drop in log quick from <virusprot> to any label "virusprot overload table"
        pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8003 flags S/SA keep state (sloppy)
        pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8002 flags S/SA keep state (sloppy)
        pass out quick on re0 proto tcp all flags any keep state (sloppy)
        block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
        block drop in log on ! igb0 inet from 192.168.0.0/24 to any
        block drop in log inet from 192.168.0.179 to any
        block drop in log on igb0 inet6 from fe80::230:18ff:fea1:f2f8 to any
        block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
        block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
        block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
        block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
        block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
        pass in on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
        pass out on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
        block drop in log on ! re1 inet from 192.168.1.0/24 to any
        block drop in log inet from 192.168.1.1 to any
        block drop in log on re1 inet6 from fe80::230:18ff:fea7:9d93 to any
        pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on re1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
        pass out quick on re1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        block drop in log on ! re0 inet from 192.168.2.0/24 to any
        block drop in log inet from 192.168.2.1 to any
        block drop in log on re0 inet6 from fe80::230:18ff:fea7:9d92 to any
        pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on re0 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
        pass out quick on re0 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        block drop in log on ! re2 inet from 192.168.3.0/24 to any
        block drop in log inet from 192.168.3.1 to any
        block drop in log on re2 inet6 from fe80::230:18ff:fea7:9d94 to any
        pass in quick on re2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on re2 inet proto udp from any port = bootpc to 192.168.3.1 port = bootps keep state label "allow access to DHCP server"
        pass out quick on re2 inet proto udp from 192.168.3.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        block drop in log on ! re3 inet from 192.168.4.0/24 to any
        block drop in log inet from 192.168.4.1 to any
        block drop in log on re3 inet6 from fe80::230:18ff:fea7:9d95 to any
        pass in quick on re3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on re3 inet proto udp from any port = bootpc to 192.168.4.1 port = bootps keep state label "allow access to DHCP server"
        pass out quick on re3 inet proto udp from 192.168.4.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
        pass out route-to (igb0 192.168.0.1) inet from 192.168.0.179 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
        pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
        pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
        pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
        anchor "userrules/*" all
        pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
        pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.2 port = 32400 flags S/SA keep state label "USER_RULE"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.10 port = 6881 flags S/SA keep state label "USER_RULE"
        pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: playstation tcp"
        pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: playstation udp"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: NAT playstation tcp"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: NAT playstation udp"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.1.27 port = 3074 keep state label "USER_RULE: NAT Anno 2070 for Hendrik"
        pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
        pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
        pass in quick on re1 inet proto tcp from <homework_sites> to 192.168.1.0/24 flags S/SA keep state label "USER_RULE"
        pass in quick on re1 inet proto tcp from 192.168.1.0/24 to <homework_sites> flags S/SA keep state label "USER_RULE"
        pass in quick on re1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
        pass in quick on re0 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE"
        pass in quick on re0 inet proto tcp from 192.168.2.57 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
        pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 1900 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
        pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff05::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
        pass in quick on re0 inet proto tcp from 192.168.2.37 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
        pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
        pass in quick on re2 inet from 192.168.3.0/24 to any flags S/SA keep state label "USER_RULE"
        pass in quick on re3 inet from 192.168.4.0/24 to any flags S/SA keep state label "USER_RULE"
        pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
        anchor "tftp-proxy/*" all
        anchor "miniupnpd" all

        nat rules:

        no nat proto carp all
        nat-anchor "natearly/*" all
        nat-anchor "natrules/*" all
        nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin
        nat on igb0 inet from 192.168.2.2 to any -> 192.168.0.179 static-port
        nat on igb0 inet from <tonatsubnets> to any port = isakmp -> 192.168.0.179 static-port
        nat on igb0 inet from <tonatsubnets> to any -> 192.168.0.179 port 1024:65535
        no rdr proto carp all
        rdr-anchor "relayd/*" all
        rdr-anchor "tftp-proxy/*" all
        rdr on igb0 inet proto tcp from any to 192.168.0.179 port = 9295 -> 192.168.2.2
        rdr on igb0 inet proto udp from any to 192.168.0.179 port 9296:9297 -> 192.168.2.2
        rdr on igb0 inet proto udp from any to 192.168.0.179 port = 3074 -> 192.168.1.27
        rdr-anchor "miniupnpd" all

        OpenVPN Log Entries:

        Time Process PID Message
        Nov 13 22:00:26 openvpn 7449 setsockopt(IPV6_V6ONLY=0)
        Nov 13 22:00:26 openvpn 7449 UDPv6 link local (bound): [AF_INET6][undef]:1194
        Nov 13 22:00:26 openvpn 7449 UDPv6 link remote: [AF_UNSPEC]
        Nov 13 22:00:26 openvpn 7449 Initialization Sequence Completed
        Nov 13 22:02:28 openvpn 17007 TLS: soft reset sec=0 bytes=30023237/67108864 pkts=241043/0
        Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=1, C=BE, ST=BE, L=Diegem, …bleep...
        Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=0, C=BE, ST=BE, L=Diegem, ...bleep...
        Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
        Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
        Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
        Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
        Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
        Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
        Nov 13 22:02:28 openvpn 17007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        Nov 13 22:12:07 openvpn 7449 event_wait : Interrupted system call (code=4)
        Nov 13 22:12:07 openvpn 7449 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
        Nov 13 22:12:07 openvpn 7449 SIGTERM[hard,] received, process exiting
        Nov 13 22:12:07 openvpn 24914 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
        Nov 13 22:12:07 openvpn 24914 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
        Nov 13 22:12:07 openvpn 24946 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
        Nov 13 22:12:07 openvpn 24946 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Nov 13 22:12:07 openvpn 24946 WARNING: Your certificate has expired!
        Nov 13 22:12:07 openvpn 24946 TUN/TAP device ovpns1 exists previously, keep at program end
        Nov 13 22:12:07 openvpn 24946 TUN/TAP device /dev/tun1 opened
        Nov 13 22:12:07 openvpn 24946 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
        Nov 13 22:12:07 openvpn 24946 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
        Nov 13 22:12:07 openvpn 24946 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
        Nov 13 22:12:07 openvpn 24946 Could not determine IPv4/IPv6 protocol. Using AF_INET6
        Nov 13 22:12:07 openvpn 24946 setsockopt(IPV6_V6ONLY=0)
        Nov 13 22:12:07 openvpn 24946 UDPv6 link local (bound): [AF_INET6][undef]:1194
        Nov 13 22:12:07 openvpn 24946 UDPv6 link remote: [AF_UNSPEC]
        Nov 13 22:12:07 openvpn 24946 Initialization Sequence Completed
        Nov 13 22:12:28 openvpn 24946 event_wait : Interrupted system call (code=4)
        Nov 13 22:12:28 openvpn 24946 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
        Nov 13 22:12:28 openvpn 24946 SIGTERM[hard,] received, process exiting
        Nov 13 22:12:29 openvpn 56081 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
        Nov 13 22:12:29 openvpn 56081 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
        Nov 13 22:12:29 openvpn 56416 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
        Nov 13 22:12:29 openvpn 56416 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Nov 13 22:12:29 openvpn 56416 WARNING: Your certificate has expired!
        Nov 13 22:12:29 openvpn 56416 TUN/TAP device ovpns1 exists previously, keep at program end
        Nov 13 22:12:29 openvpn 56416 TUN/TAP device /dev/tun1 opened
        Nov 13 22:12:29 openvpn 56416 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
        Nov 13 22:12:29 openvpn 56416 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
        Nov 13 22:12:29 openvpn 56416 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
        Nov 13 22:12:29 openvpn 56416 Could not determine IPv4/IPv6 protocol. Using AF_INET6
        Nov 13 22:12:29 openvpn 56416 setsockopt(IPV6_V6ONLY=0)
        Nov 13 22:12:29 openvpn 56416 UDPv6 link local (bound): [AF_INET6][undef]:1194
        Nov 13 22:12:29 openvpn 56416 UDPv6 link remote: [AF_UNSPEC]
        Nov 13 22:12:29 openvpn 56416 Initialization Sequence Completed

        Hope this helps, I am stumped.

        FYI: I deleted the server after posting my original message to get some work done. I upgraded to the latest pfSense in the meantime and recreated the server from scratch. Exactly the same effect: half the connections time out, half work just fine. I copied the info, deleted the OpenVPN server again and everything is working all the time again.

petergrace, Oct 17, 2018, 2:16 PM (last edited Oct 17, 2018, 2:17 PM)

          Sorry to necro an old thread, but I appear to be having a similar issue.

          In my case, I'm running pfSense 2.4.4-RELEASE and I currently have two OpenVPN client tunnels set up. Every 3rd attempt at a connection over the VPN succeeds.

          When I tweaked up the OpenVPN server debug on the remote side, I saw several of these messages:

          Wed Oct 17 13:56:05 2018 us=137297 5b844094fed8c70d3dce21de/71.red.act.ed2 MULTI: bad source address from client [192.168.202.253], packet dropped

          In my scenario, the staging VPN gives me IPs on 192.168.102.0/24, and the production VPN gives me IP addresses on 192.168.202.0/24. I'm trying to contact a host on the staging VPN, so I should be using a 192.168.102.0/24 outbound address, but instead it is trying to use the other OpenVPN connection's address.

          I have NAT rules defined for the VPN subnets, and looking at the output of pfctl -sn I'm wondering whether there needs to be the ability in the NAT configuration rules to specify which OpenVPN connection should be the outbound target:

          nat on openvpn inet from 10.65.0.0/16 to 172.18.0.0/16 -> (openvpn) port 1024:65535 round-robin
          nat on openvpn inet from 10.65.0.0/16 to 172.17.0.0/16 -> (openvpn) port 1024:65535 round-robin
          nat on openvpn inet from 10.65.0.0/16 to 172.27.0.0/16 -> (openvpn) port 1024:65535 round-robin
          nat on openvpn inet from 10.65.0.0/16 to 192.168.202.0/24 -> (openvpn) port 1024:65535 round-robin
          nat on openvpn inet from 10.65.0.0/16 to 192.168.102.0/24 -> (openvpn) port 1024:65535 round-robin
          

          As you can see above, it's left to pf and FreeBSD to divine which OpenVPN tunnel to use as part of the NAT statement, and I think that's where the issue might be?

          I'd love any input others can share on this issue.

jimp (Rebel Alliance Developer, Netgate), Oct 17, 2018, 2:31 PM

            Assign your VPN instances and use more specific NAT rules.

            The "openvpn" macro there applies to all interfaces that are a member of the openvpn group, which is every OpenVPN client and server. That's probably not at all what you want.

            If that doesn't help, start a new thread rather than continuing on this old one.

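The answer above explains the mechanism behind both reports in this thread: the first poster's rule `nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin` and petergrace's five `-> (openvpn)` rules. pf expands a parenthesised interface name to that interface's addresses, and a parenthesised interface group such as `(openvpn)` to the addresses of every member, here both the client tunnel and the server tunnel; with more than one address in the pool pf hands them out round-robin, which is exactly "half the connections" (two members) or "every 3rd attempt" (three members). The following is an added example for this thread, not code from the posts or from pfSense: it parses `pfctl -sn`-style lines, flags rules whose translation pool spans several interfaces, works out which tunnel the destination is actually routed through, and prints the rule pinned to that interface (the shape pfSense writes when an assigned interface, rather than the OpenVPN group, is selected in Outbound NAT). The interface map and routes are constructed from the routing table posted earlier (ovpnc2 = 10.32.170.73, ovpns1 = 192.168.16.1) and are assumptions about this one box.

```python
"""Audit pf outbound NAT rules whose translation address is an interface group.

Added example for this forum thread; not code from the posts or from pfSense.
A parenthesised interface group such as (openvpn) expands to the address of
every member interface, and a pool with several addresses is used round-robin.
This script flags such rules, finds the interface the destination is routed
through, and rewrites the rule to use only that interface's address.

INTERFACES and ROUTES are constructed from the routing table posted in the
thread; on a real firewall build them from `ifconfig` and `netstat -rn`.
"""
import ipaddress
import re

# Constructed: tunnel interfaces, their local address, and pf group membership.
INTERFACES = {
    "ovpnc2": {"addr": "10.32.170.73", "groups": {"openvpn"}},   # OpenVPN client to the company
    "ovpns1": {"addr": "192.168.16.1", "groups": {"openvpn"}},   # OpenVPN server for road warriors
    "igb0":   {"addr": "192.168.0.179", "groups": set()},        # WAN
}

# Constructed from the posted routing table: destination prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "igb0",
    "10.32.0.0/16": "ovpnc2",
    "10.33.0.0/16": "ovpnc2",
    "192.168.16.0/24": "ovpns1",
}

# Constructed sample of `pfctl -sn` output: the rule from the thread plus an unaffected WAN rule.
SAMPLE_RULES = """\
nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on igb0 inet from 192.168.2.2 to any -> 192.168.0.179 static-port
"""

# Only rules translating to a parenthesised interface or group are of interest here.
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) "
    r"-> \((?P<target>[^)]+)\)(?P<rest>.*)$"
)


def translation_pool(target, interfaces):
    """Addresses pf puts in the pool for '-> (target)': one interface, or every group member."""
    if target in interfaces:
        return {target: interfaces[target]["addr"]}
    return {name: d["addr"] for name, d in interfaces.items() if target in d["groups"]}


def egress_interface(dst, routes):
    """Longest-prefix match of a destination host or prefix against the route table."""
    if dst == "any":
        return None
    net = ipaddress.ip_network(dst, strict=False)
    best = None
    for prefix, iface in routes.items():
        rnet = ipaddress.ip_network(prefix)
        if rnet.supernet_of(net) and (best is None or rnet.prefixlen > best[0].prefixlen):
            best = (rnet, iface)
    return best[1] if best else None


def pin_to_interface(rule, iface):
    """Rewrite a group-based rule to the single interface the traffic is routed through."""
    m = NAT_RE.match(rule)
    rest = re.sub(r"\s*\bround-robin\b", "", m["rest"])   # one address in the pool: no round-robin
    return f"nat on {iface} inet from {m['src']} to {m['dst']} -> ({iface}){rest}"


def audit(rules_text, interfaces, routes):
    """Return one finding per rule whose translation pool spans several interfaces."""
    findings = []
    for line in rules_text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue                      # literal address target: not a pool problem
        pool = translation_pool(m["target"], interfaces)
        if len(pool) < 2:
            continue
        egress = egress_interface(m["dst"], routes)
        wrong = [a for name, a in pool.items() if name != egress]
        findings.append({
            "rule": line,
            "pool": pool,
            "egress": egress,
            # share of new connections that leave with an address the far side cannot route back
            "misrouted_fraction": len(wrong) / len(pool),
            "fixed": pin_to_interface(line, egress) if egress else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, INTERFACES, ROUTES):
        print("rule   :", f["rule"])
        print("pool   :", f["pool"])
        print("egress :", f["egress"], f"({f['misrouted_fraction']:.0%} of connections mis-sourced)")
        print("fixed  :", f["fixed"])
```

A "fixed" rule of `None` means the destination is `any` or unrouted, so the script cannot pick a tunnel for you; in that case split the rule per destination network first, as petergrace's rule set already does, and then point each at its assigned interface.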
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.