OpenVPN Client uses OpenVPN Server address half the time



  • Hi,

    I want to have an OpenVPN server to connect to my home network and I want my home network connected to the company network using OpenVPN client.

    The OpenVPN server works fine. It runs on the 192.168.16.0 network.

    The OpenVPN client connects and works half the time. Exactly half the connections time out and half the connections connect just fine.

    Some packet tracing while testing a web service at 10.32.241.81 shows:

    60 20.352497 192.168.16.1 10.32.241.81 TCP 68 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371729889 TSecr=0 SACK_PERM=1
    61 21.380856 192.168.16.1 10.32.241.81 TCP 68 [TCP Retransmission] 28829 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371730889 TSecr=0 SACK_PERM=1
    62 23.606212 10.32.170.73 10.32.241.81 TCP 68 46005 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=371733112 TSecr=0 SACK_PERM=1
    63 23.625584 10.32.241.81 10.32.170.73 TCP 64 443 → 46005 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1368 SACK_PERM=1 TSval=286722947 TSecr=371733112 WS=16
    64 23.626917 10.32.170.73 10.32.241.81 TCP 56 46005 → 443 [ACK] Seq=1 Ack=1 Win=131520 Len=0 TSval=371733134 TSecr=286722947

    This pattern repeats: one connection (using 192.168.16.1) fails, the next connection (using 10.32.170.73) succeeds.

    If I disable the OpenVPN server, this does not change anything.

    When I delete the server configuration completely it works just fine.

    How can I tell pfSense not to use the OpenVPN server address to try to connect to the remote side, but only the VPN client assigned address?

    thanks,

    Peter


  • Rebel Alliance Developer Netgate

    Sounds like maybe you have some conflicting routes or a problem elsewhere in your configuration (or layout/design)

    You'll need to provide more details about the OpenVPN client and server configurations, routing setup, routing table entries, OpenVPN log entries, and anything else that might be related.



  • Network setup:

    Interface   Network port
    WAN
    LAN         Home Office
    OPT1        WiFi Access Point
    OPT2        Multimedia
    OPT3        IoT stuff
    WLAN        internal wifi of firewall : not used

    Here is my routing table:

    IPv4 Routes
    Destination Gateway Flags Use Mtu Netif Expire
    default 192.168.0.1 UGS 663294 1500 igb0
    8.8.8.8 192.168.0.1 UGHS 6801 1500 igb0
    10.32.0.0/16 10.32.170.74 UGS 265 1500 ovpnc2
    10.32.170.1/32 10.32.170.74 UGS 0 1500 ovpnc2
    10.32.170.73 link#12 UHS 0 16384 lo0
    10.32.170.74 link#12 UH 0 1500 ovpnc2
    10.33.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
    10.35.0.0/16 10.32.170.74 UGS 0 1500 ovpnc2
    127.0.0.1 link#7 UH 5832 16384 lo0
    192.168.0.0/24 link#5 U 29474 1500 igb0
    192.168.0.179 link#5 UHS 0 16384 lo0
    192.168.1.0/24 link#2 U 3618460 1500 re1
    192.168.1.1 link#2 UHS 0 16384 lo0
    192.168.2.0/24 link#1 U 939 1500 re0
    192.168.2.1 link#1 UHS 0 16384 lo0
    192.168.3.0/24 link#3 U 58 1500 re2
    192.168.3.1 link#3 UHS 0 16384 lo0
    192.168.4.0/24 link#4 U 0 1500 re3
    192.168.4.1 link#4 UHS 0 16384 lo0
    192.168.16.0/24 192.168.16.2 UGS 0 1500 ovpns1
    192.168.16.1 link#13 UHS 0 16384 lo0
    192.168.16.2 link#13 UH 0 1500 ovpns1
    195.130.130.4 00:30:18:a1:f2:f8 UHS 391 1500 igb0
    195.130.131.4 00:30:18:a1:f2:f8 UHS 371 1500 igb0

    firewall rules:

    scrub on igb0 all fragment reassemble
    scrub on re1 all fragment reassemble
    scrub on re0 all fragment reassemble
    scrub on re2 all fragment reassemble
    scrub on re3 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/" all
    anchor "ipsec/" all
    pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick from <snort2c> to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
    block drop in log quick from <virusprot> to any label "virusprot overload table"
    pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8003 flags S/SA keep state (sloppy)
    pass in quick on re0 inet proto tcp from any to 192.168.2.1 port = 8002 flags S/SA keep state (sloppy)
    pass out quick on re0 proto tcp all flags any keep state (sloppy)
    block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
    block drop in log on ! igb0 inet from 192.168.0.0/24 to any
    block drop in log inet from 192.168.0.179 to any
    block drop in log on igb0 inet6 from fe80::230:18ff:fea1:f2f8 to any
    block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    pass in on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
    pass out on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
    block drop in log on ! re1 inet from 192.168.1.0/24 to any
    block drop in log inet from 192.168.1.1 to any
    block drop in log on re1 inet6 from fe80::230:18ff:fea7:9d93 to any
    pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in log on ! re0 inet from 192.168.2.0/24 to any
    block drop in log inet from 192.168.2.1 to any
    block drop in log on re0 inet6 from fe80::230:18ff:fea7:9d92 to any
    pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re0 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re0 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in log on ! re2 inet from 192.168.3.0/24 to any
    block drop in log inet from 192.168.3.1 to any
    block drop in log on re2 inet6 from fe80::230:18ff:fea7:9d94 to any
    pass in quick on re2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re2 inet proto udp from any port = bootpc to 192.168.3.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re2 inet proto udp from 192.168.3.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in log on ! re3 inet from 192.168.4.0/24 to any
    block drop in log inet from 192.168.4.1 to any
    block drop in log on re3 inet6 from fe80::230:18ff:fea7:9d95 to any
    pass in quick on re3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re3 inet proto udp from any port = bootpc to 192.168.4.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re3 inet proto udp from 192.168.4.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out route-to (igb0 192.168.0.1) inet from 192.168.0.179 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
    pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN  wizard"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.2 port = 32400 flags S/SA keep state label "USER_RULE"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.1.10 port = 6881 flags S/SA keep state label "USER_RULE"
    pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: playstation tcp"
    pass in log quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: playstation udp"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto tcp from any to 192.168.2.2 port = 9295 flags S/SA keep state label "USER_RULE: NAT playstation tcp"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.2.2 port 9295 >< 9298 keep state label "USER_RULE: NAT playstation udp"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.1.27 port = 3074 keep state label "USER_RULE: NAT Anno 2070 for Hendrik"
    pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
    pass in quick on re1 inet proto tcp from 192.168.1.0/24 to (self) port 7999 >< 8005 flags S/SA keep state label "USER_RULE: access to captive portal"
    pass in quick on re1 inet proto tcp from <homework_sites> to 192.168.1.0/24 flags S/SA keep state label "USER_RULE"
    pass in quick on re1 inet proto tcp from 192.168.1.0/24 to <homework_sites> flags S/SA keep state label "USER_RULE"
    pass in quick on re1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on re0 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE"
    pass in quick on re0 inet proto tcp from 192.168.2.57 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 1900 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff05::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on re0 inet proto tcp from 192.168.2.37 to 64.15.124.219 port = https flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on re0 inet6 proto udp from fe80::e938:eba0:b37c:7e62 to ff02::c port = 3702 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on re2 inet from 192.168.3.0/24 to any flags S/SA keep state label "USER_RULE"
    pass in quick on re3 inet from 192.168.4.0/24 to any flags S/SA keep state label "USER_RULE"
    pass in quick on igb0 reply-to (igb0 192.168.0.1) inet proto udp from any to 192.168.0.179 port = openvpn keep state label "USER_RULE: OpenVPN  wizard"
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all

    nat rules:

    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin
    nat on igb0 inet from 192.168.2.2 to any -> 192.168.0.179 static-port
    nat on igb0 inet from <tonatsubnets> to any port = isakmp -> 192.168.0.179 static-port
    nat on igb0 inet from <tonatsubnets> to any -> 192.168.0.179 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr on igb0 inet proto tcp from any to 192.168.0.179 port = 9295 -> 192.168.2.2
    rdr on igb0 inet proto udp from any to 192.168.0.179 port 9296:9297 -> 192.168.2.2
    rdr on igb0 inet proto udp from any to 192.168.0.179 port = 3074 -> 192.168.1.27
    rdr-anchor "miniupnpd" all

    OpenVPN Log Entries:

    Time Process PID Message
    Nov 13 22:00:26 openvpn 7449 setsockopt(IPV6_V6ONLY=0)
    Nov 13 22:00:26 openvpn 7449 UDPv6 link local (bound): [AF_INET6][undef]:1194
    Nov 13 22:00:26 openvpn 7449 UDPv6 link remote: [AF_UNSPEC]
    Nov 13 22:00:26 openvpn 7449 Initialization Sequence Completed
    Nov 13 22:02:28 openvpn 17007 TLS: soft reset sec=0 bytes=30023237/67108864 pkts=241043/0
    Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=1, C=BE, ST=BE, L=Diegem, …bleep...
    Nov 13 22:02:28 openvpn 17007 VERIFY OK: depth=0, C=BE, ST=BE, L=Diegem, ...bleep...
    Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Nov 13 22:02:28 openvpn 17007 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 13 22:02:28 openvpn 17007 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Nov 13 22:02:28 openvpn 17007 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 13 22:02:28 openvpn 17007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Nov 13 22:12:07 openvpn 7449 event_wait : Interrupted system call (code=4)
    Nov 13 22:12:07 openvpn 7449 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
    Nov 13 22:12:07 openvpn 7449 SIGTERM[hard,] received, process exiting
    Nov 13 22:12:07 openvpn 24914 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
    Nov 13 22:12:07 openvpn 24914 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
    Nov 13 22:12:07 openvpn 24946 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Nov 13 22:12:07 openvpn 24946 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 13 22:12:07 openvpn 24946 WARNING: Your certificate has expired!
    Nov 13 22:12:07 openvpn 24946 TUN/TAP device ovpns1 exists previously, keep at program end
    Nov 13 22:12:07 openvpn 24946 TUN/TAP device /dev/tun1 opened
    Nov 13 22:12:07 openvpn 24946 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Nov 13 22:12:07 openvpn 24946 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
    Nov 13 22:12:07 openvpn 24946 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
    Nov 13 22:12:07 openvpn 24946 Could not determine IPv4/IPv6 protocol. Using AF_INET6
    Nov 13 22:12:07 openvpn 24946 setsockopt(IPV6_V6ONLY=0)
    Nov 13 22:12:07 openvpn 24946 UDPv6 link local (bound): [AF_INET6][undef]:1194
    Nov 13 22:12:07 openvpn 24946 UDPv6 link remote: [AF_UNSPEC]
    Nov 13 22:12:07 openvpn 24946 Initialization Sequence Completed
    Nov 13 22:12:28 openvpn 24946 event_wait : Interrupted system call (code=4)
    Nov 13 22:12:28 openvpn 24946 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
    Nov 13 22:12:28 openvpn 24946 SIGTERM[hard,] received, process exiting
    Nov 13 22:12:29 openvpn 56081 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
    Nov 13 22:12:29 openvpn 56081 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
    Nov 13 22:12:29 openvpn 56416 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Nov 13 22:12:29 openvpn 56416 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 13 22:12:29 openvpn 56416 WARNING: Your certificate has expired!
    Nov 13 22:12:29 openvpn 56416 TUN/TAP device ovpns1 exists previously, keep at program end
    Nov 13 22:12:29 openvpn 56416 TUN/TAP device /dev/tun1 opened
    Nov 13 22:12:29 openvpn 56416 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Nov 13 22:12:29 openvpn 56416 /sbin/ifconfig ovpns1 192.168.16.1 192.168.16.2 mtu 1500 netmask 255.255.255.0 up
    Nov 13 22:12:29 openvpn 56416 /usr/local/sbin/ovpn-linkup ovpns1 1500 1622 192.168.16.1 255.255.255.0 init
    Nov 13 22:12:29 openvpn 56416 Could not determine IPv4/IPv6 protocol. Using AF_INET6
    Nov 13 22:12:29 openvpn 56416 setsockopt(IPV6_V6ONLY=0)
    Nov 13 22:12:29 openvpn 56416 UDPv6 link local (bound): [AF_INET6][undef]:1194
    Nov 13 22:12:29 openvpn 56416 UDPv6 link remote: [AF_UNSPEC]
    Nov 13 22:12:29 openvpn 56416 Initialization Sequence Completed

    Hope this helps, I am stumped...

    FYI: I deleted the server after posting my original message to get some work done. I upgraded to the latest pfSense in the meantime and recreated the server from scratch. Exactly the same effect: half the connections time out, half work just fine. I copied the info, deleted the OpenVPN server again and everything is working all the time again.



  • Sorry to necro an old thread, but I appear to be having a similar issue.

    In my case, I'm running pfSense 2.4.4-RELEASE and I currently have two OpenVPN client tunnels set up. Every 3rd attempt at a connection over the VPN succeeds.

    When I tweaked up the openvpn server debug on the remote side, I saw several of these messages:

    Wed Oct 17 13:56:05 2018 us=137297 5b844094fed8c70d3dce21de/71.red.act.ed2 MULTI: bad source address from client [192.168.202.253], packet dropped

    In my scenario, the staging VPN gives me IPs on 192.168.102.0/24, and the production VPN gives me IP addresses on 192.168.202.0/24. I'm trying to contact a host on the staging VPN, so I should be using a 192.168.102.0/24 outbound address, but instead it is trying to use the other OpenVPN connection's address.

    I have NAT rules defined for the VPN subnets, and looking at the output of pf -sn I'm wondering whether there needs to be the ability in the NAT configuration rules to specify which OpenVPN connection should be the outbound target:

    nat on openvpn inet from 10.65.0.0/16 to 172.18.0.0/16 -> (openvpn) port 1024:65535 round-robin
    nat on openvpn inet from 10.65.0.0/16 to 172.17.0.0/16 -> (openvpn) port 1024:65535 round-robin
    nat on openvpn inet from 10.65.0.0/16 to 172.27.0.0/16 -> (openvpn) port 1024:65535 round-robin
    nat on openvpn inet from 10.65.0.0/16 to 192.168.202.0/24 -> (openvpn) port 1024:65535 round-robin
    nat on openvpn inet from 10.65.0.0/16 to 192.168.102.0/24 -> (openvpn) port 1024:65535 round-robin
    

    As you can see above, it's left to pf and FreeBSD to divine which OpenVPN tunnel to use as part of the NAT statement, and I think that's where the issue might be?

    I'd love any input others can share on this issue.


  • Rebel Alliance Developer Netgate

    Assign your VPN instances and use more specific NAT rules.

    The "openvpn" macro there applies to all interfaces that are a member of the openvpn group, which is every OpenVPN client and server. That's probably not at all what you want.

    If that doesn't help, start a new thread rather than continuing on this old one.


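As an added check, not part of the thread or of pfSense itself: a small Python script that parses `pfctl -sn` style lines (sample lines constructed from the NAT rules quoted above), flags every rule whose translation address is the `(openvpn)` group macro, which is the round-robin-over-all-tunnels behaviour the developer describes, and rewrites each one to bind both the interface and the translation address to the assigned client interface that routes to that destination. The destination-to-interface mapping is an assumption; only 10.32.0.0/16 via ovpnc2 comes from the routing table posted above, the ovpnc1/ovpnc3 names for the second poster's tunnels are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of pfctl -sn output, built from the NAT rules quoted in this thread.
SAMPLE_PFCTL_SN = """\
no nat proto carp all
nat on openvpn inet from 192.168.0.0/21 to 10.32.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 192.168.202.0/24 -> (openvpn) port 1024:65535 round-robin
nat on openvpn inet from 10.65.0.0/16 to 192.168.102.0/24 -> (openvpn) port 1024:65535 round-robin
nat on igb0 inet from 192.168.2.2 to any -> 192.168.0.179 static-port
"""

# Assumed mapping: which assigned OpenVPN client interface actually routes to each remote
# network. 10.32.0.0/16 -> ovpnc2 matches the routing table in the thread; the other two
# interface names are hypothetical stand-ins for the staging and production tunnels.
REMOTE_NET_TO_CLIENT_IF: Dict[str, str] = {
    "10.32.0.0/16": "ovpnc2",
    "192.168.102.0/24": "ovpnc1",   # assumed: staging tunnel
    "192.168.202.0/24": "ovpnc3",   # assumed: production tunnel
}

# 'nat on <iface> inet from <src> to <dst> -> <translation> <options>'
NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r" -> (?P<trans>\S+)(?P<opts>.*)$"
)

def parse_nat_rules(text: str) -> List[dict]:
    """Parse the 'nat on ...' lines out of pfctl -sn output; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["opts"] = rule["opts"].strip()
            rule["line"] = line.strip()
            rules.append(rule)
    return rules

def group_macro_rules(rules: List[dict]) -> List[dict]:
    """Flag rules translating to '(openvpn)': with more than one tunnel in the openvpn
    group, pf picks the members' addresses round-robin, so a connection is sourced from
    the wrong tunnel's address every other (or every Nth) time."""
    return [r for r in rules if r["trans"] == "(openvpn)"]

def rewrite_rule(rule: dict, mapping: Dict[str, str]) -> Optional[str]:
    """Build the specific replacement: 'on' and the translation address both pinned to the
    assigned client interface that reaches the destination. None if the destination is
    not in the mapping, so nothing is guessed."""
    client_if = mapping.get(rule["dst"])
    if client_if is None:
        return None
    opts = rule["opts"].replace("round-robin", "").strip()  # single address: no pool option
    tail = f" {opts}" if opts else ""
    return f"nat on {client_if} inet from {rule['src']} to {rule['dst']} -> ({client_if}){tail}"

def audit(text: str, mapping: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Return (original rule, suggested rule or None) for every group-macro NAT rule."""
    return [(r["line"], rewrite_rule(r, mapping)) for r in group_macro_rules(parse_nat_rules(text))]

if __name__ == "__main__":
    for original, suggested in audit(SAMPLE_PFCTL_SN, REMOTE_NET_TO_CLIENT_IF):
        print(original)
        print("  ->", suggested or "no assigned client interface known for this destination")
```

On a live box, feed it the real `pfctl -sn` output; any rule it flags is one to recreate in Firewall > NAT > Outbound against the assigned interface rather than the OpenVPN group.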
Locked