No web traffic passing through OpenVPN interface



  • Hi Support,

    Please help me with this matter.

    I've been trying to set up pfSense (v. 2.4.2-RELEASE-p1 (amd64)) as an OpenVPN client for a private internet connection to one of the VyprVPN servers (hk1.vyprvpn.com) and send it out to our China office. I couldn't find any specific technical guide on pfSense OpenVPN setup for VyprVPN but managed to get an OpenVPN client instance to hk1.vyprvpn.com up and running by following the VyprVPN guide for VyprVPN OpenVPN Setup for DD-WRT router. The problem now is that no traffic is going through the new pfSense VyprVPN interface even though that interface shows up as online (please see the attached file with a screenshot).
    Here are the DNS and ping test results taken from pfSense and from a Win 10 laptop connected to pfSense's LAN:

    • ping to hk1.vyprvpn.com and other websites successful from pfSense's WAN interface
    • ping to hk1.vyprvpn.com and other websites successful from pfSense's LAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's VyprVPN interface
    • no ping or DNS to hk1.vyprvpn.com or Internet from laptop LAN interface

    I still cannot figure out why ping or DNS is working on pfSense's LAN interface but not on internal clients connected to pfSense's LAN interface, and also why no traffic is passing through the newly assigned VyprVPN interface on pfSense v 2.4.2.

    Could you please help me figure this out?

    Please have a look at the screenshots with the current pfSense NAT and Rules for more info.

    Your help will be really appreciated.

    ![pfSense OpenVPN client status.PNG](/public/imported_attachments/1/pfSense OpenVPN client status.PNG)
    ![pfSense NAT.PNG](/public/imported_attachments/1/pfSense NAT.PNG)
    ![pfSense Firewall LAN Rules.PNG](/public/imported_attachments/1/pfSense Firewall LAN Rules.PNG)



  • I would try disabling the third bottom NAT rule and modifying the bottom NAT rule to use the VyprVPN interface instead of the WAN interface.



  • Hi jusjay,

    Thank you for your quick response.

    I did follow your suggestion and as a result it didn't work out. I forgot to mention I did it before as I was playing a bit with NAT rules.
    Here is the result after disabling the third bottom NAT rule and modifying the bottom NAT rule to use the VyprVPN interface as per your suggestion:

    • ping to hk1.vyprvpn.com and other websites successful from pfSense's WAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's LAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's VyprVPN interface

    I was wondering whether the newly assigned VyprVPN interface or newly created VyprVPN Gateway in that case are working at all.

    Thank you once again for your help.



  • Copy your bottom NAT rule and change WAN to VYPRVPN.
    I also like to reboot.

    https://www.youtube.com/watch?v=ov-xddVpxhc&t=90s



  • Hi mtarbox,

    I did try it and as a result it didn't work out either.

    Here is the result after duplicating my bottom NAT rule and changing WAN to VYPRVPN:

    • ping to hk1.vyprvpn.com and other websites successful from pfSense's WAN interface
    • ping to hk1.vyprvpn.com and other websites successful from pfSense's LAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's VyprVPN interface

    Here is the result after disabling my bottom NAT rule and leaving the duplicated one on (please see the attached file):

    • ping to hk1.vyprvpn.com and other websites successful from pfSense's WAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's LAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's VyprVPN interface

    I came to the decision that my newly assigned VyprVPN interface or newly created VyprVPN Gateway are not working at all, and I don't know what the reason for this is.

    Thank you for your help.

    ![pfSense Firewall LAN Rules new.PNG](/public/imported_attachments/1/pfSense Firewall LAN Rules new.PNG)



  • Hi guys,

    Hope you are doing well.

    I did a bit more testing, so let me give you the test results.

    • ping to hk1.vyprvpn.com and other websites successful from pfSense's WAN interface
    • ping to hk1.vyprvpn.com and other websites successful from pfSense's LAN interface
    • ping to hk1.vyprvpn.com and other websites unsuccessful from pfSense's VyprVPN interface, but the web traffic goes out through pfSense's VyprVPN interface (checked pfSense's traffic graphs on the VyprVPN interface while I was doing pings from pfSense's VyprVPN interface)
    • no ping or DNS to hk1.vyprvpn.com or Internet from a laptop directly connected to pfSense's LAN interface

    As both gateways are online (in my case GW_WAN and VYPRVPN_VPNV4), the OpenVPN client instance to the hk1.vyprvpn.com server is also up, and traffic goes out through pfSense's VyprVPN interface, this means that all firewall NAT rules and both VYPRVPN_VPNV4 and the VyprVPN interface are working properly apart from DNS resolution. Please correct me if I'm wrong.

    I don't understand why DNS is working from pfSense's LAN interface but not on a laptop that is directly connected to pfSense's LAN interface.

    Do I need to look into DNS Resolver settings?

    Please advise me on what else to look into.

    Thank you in advance.



  • The other day I was running into massive issues.
    I found it easier to restore my install from a pre-OpenVPN configuration and start all over again, following one of the DIYs listed here in this forum: https://forum.pfsense.org/index.php?topic=142335.0 and here: https://forum.pfsense.org/index.php?topic=76015.0
    I already had DNS Resolver running as I was using pfBlockerNG, with an extensive list of settings.
    There is also a really good video tutorial done by Lawrence Systems on YouTube that explained a lot: https://youtu.be/ov-xddVpxhc
    Keep us posted.



  • Hi All,

    Let me give you an update on this.

    I finally got it resolved last week but just wanted to see how long it was going to last before giving you any update.

    I deleted all my previous OpenVPN configurations, CAs, client certificates and interfaces, and defaulted the firewall NAT Outbound rules, and somehow I got and assigned the correct vyprvpn interface (I was previously always prompted to assign the ovpnc2 interface, which is not working properly, instead of ovpnc1, and finally I got the ovpnc1 interface assigned, which might have resolved that issue with web traffic).

    I did start following the guide from the link https://forum.goldenfrog.com/t/opnsense-firewall-openvpn-client-working/3630 (mainly the OpenVPN client setup), which helped me to get the vyprvpn connection to the vyprvpn server hk1.vpn.goldenfrog.com up and running, but setting NAT --> Outbound to Hybrid and adding a rule manually didn't work for me, so I just set NAT --> Outbound to Manual and added new mapping rules based on the existing ones, changed the interface to vyprvpn in my case on all mirrored rules, and then I finally set the Gateway from GW_WAN to VYPRVPN_VPNV4 in my case in Firewall-Rules-LAN.

    I'm happy to say that my vyprvpn connection to the vyprvpn server has been up and running for more than a week. That test was done in Europe, so I'll help my teammate who is located in China to set up pfSense as a VyprVPN OpenVPN client at our China office and test the connection. Hope it will end up OK.

    If someone needs more info regarding this case I can provide screenshots with my full pfSense VyprVPN OpenVPN client and firewall rules configuration.

    Thank you all for your help once again.
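
The fix in the last post depends on every manual outbound NAT mapping on WAN having a mirrored mapping on the VPN interface. The check below is an added example, not part of the original thread: it parses text in the style of `pfctl -s nat` output and lists WAN mappings that have no counterpart on `ovpnc1`. The WAN name `em0`, all addresses and the sample rules are constructed assumptions, as is the simple `nat on IFACE inet from SRC to DST -> ...` line shape.

```python
import re

# Constructed sample in the style of `pfctl -s nat` output (manual outbound NAT).
# em0, the subnets and the translation addresses are made up for illustration;
# ovpnc1 is the interface name mentioned in the thread.
SAMPLE = """\
no nat proto carp all
nat-anchor "natearly/*" all
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.20.0/24 to any -> 203.0.113.10 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any port = isakmp -> 10.8.0.6 static-port
nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.0.6 port 1024:65535
"""

# Matches only plain translation rules; 'no nat', anchors and rdr lines fall through.
RULE = re.compile(
    r"^nat on (?P<iface>\S+) (?:inet6? )?from (?P<src>\S+) to (?P<dst>.+?) -> "
)


def parse_nat(text):
    """Return {interface: {(source, destination), ...}} for 'nat on' lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.setdefault(m["iface"], set()).add((m["src"], m["dst"]))
    return rules


def missing_mirrors(text, wan, vpn):
    """WAN mappings that have no same-source, same-destination rule on the VPN interface."""
    rules = parse_nat(text)
    return sorted(rules.get(wan, set()) - rules.get(vpn, set()))


if __name__ == "__main__":
    for src, dst in missing_mirrors(SAMPLE, "em0", "ovpnc1"):
        print(f"no NAT mapping on ovpnc1 for: from {src} to {dst}")
```

A source network reported here has no translation rule on the VPN interface, so traffic from it that the LAN rule policy-routes to VYPRVPN_VPNV4 would leave untranslated.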