OpenVPN Remote Access segment traffic.



  • I tried reading through the forum, but I couldn't find anything related to my question.

    I'm trying to segment traffic using openvpn remote access, I have a couple of users that are working from their houses and I only want the traffic destined to our serves to go via the vpn. For example, if the users search for google, traffic will go via their main gateway. but if they need access to our internal servers, traffic will go via the vpn tunnel.

    Let say openvpn server has a public ip of 11.22.33.45/29, if I select the option "Force all client-generated IPv4 traffic through the tunnel", obviously I can access every server from that block of IP, but also everything else will go via de tunnel, which is not what I want. If I set the "IPv4 Local network" using for example a "public ip address" 11.22.33.44/32 (which is the server I want to access), Just the traffic intended for this specific address will go via the tunnel, everything else goes through their main gateway.

    Now here is the problem I'm having with openvpn, I need to access a couple of servers behing the openvpn, not just one server. And they are all on the same block. For example, 11.22.33.40/29 (which goes from .41 to .47, .40 being the netId and .48 the broadcast). When I use this configuration, I can't access anything from that block. Ping won't reply from any ip, traceroute shows all asterisk, and eventually it goes to a timeout. I check the routing table from windows, and I can see that the routes are there.

    I have also tried not using the "IPv4 Local network", and just add the routes myself after connecting to the vpn. And is exacly the same. If I add a specific ip to the routing table of windows for example 11.22.33.44/32 via vpn gateway, it works just fine. Routing table looks exactly like if I added this to the "IPv4 Local network" If I add a block of ip like 11.22.33.40/29 to the routing table of windows, same error. Nothing goes through the tunnel.

    The one thing I can't understand is that this problem only happens with Windows and openvpn of pfsense. I tried with Ubuntu, no problem there. Tried it with android, no problem either. Tried with windows, and openvpn from a netgear router (for this one I had to modify the routes of the machine myself, there's not too much config you can do from the router) and it worked just as I wanted to. But when I connect a Windows client to openvpn server from PFsense, using a block of IP rather than forcing all, or using just 1. Eventually, since there is no traffic through the tunnel. it goes to a timeout, and it stops working.

    In other word, Forcing all traffic, or redirect specific traffic to a single ip address works great. redirecting traffic to more than 1 ip address, openvpn is not working.

    BTW, all of this test was done with a rule of any any on the firewall, to make sure that wasn't the problem.


Log in to reply