Netgate Discussion Forum
    Cannot Route through OpenVPN Client

OpenVPN
4 Posts 2 Posters 534 Views

jarrad

      Hi folks

I've migrated from my old, working hardware to my new, semi-working hardware. I say semi-working because, well, most things work except this particular aspect.

I also happened to go from a flat network to a VLAN'd network. Super easy with pfSense, by the way.

      The problem I am having is that I cannot get traffic flowing via my OpenVPN client interface.

I have configured it exactly the same as the old one in a direct copy and paste, so settings-wise it should be identical. The only major change is of course going from flat to VLAN.

      I've attached some screenshots below to see if anyone can help me as well as config files from both systems.

I've also attached the error I get on trying to visit a website I host externally that will tell me my IP address via curl - perhaps that might give some clues?

Lastly, the firewall rules for the client interface and all my VLANs are currently the super "secure" pass any/any, as attached.

      Thanks!

Old Config

```
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
engine rdrand
tls-client
client
nobind
management /var/etc/openvpn/client2.sock unix
remote syd-a15.ipvanish.com 1194
auth-user-pass /var/etc/openvpn/client2.up
auth-retry nointeract
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
ncp-disable
compress lzo
resolv-retry infinite
fast-io
fast-io
route-delay 2
route-nopull
tun-mtu 1500
persist-key
persist-tun
persist-remote-ip
verb 3
auth SHA256
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
```


New Config

```
dev ovpnc1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.1.2
engine cryptodev
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote syd-a15.ipvanish.com 1194
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
ncp-disable
resolv-retry infinite
fast-io
fast-io
route-delay 2
route-nopull
tun-mtu 1500
persist-key
persist-tun
persist-remote-ip
verb 3
auth SHA256
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
```

Attachments:

![old_interface assignment.PNG](/public/_imported_attachments_/1/old_interface assignment.PNG)
![new_interface assignment.PNG](/public/_imported_attachments_/1/new_interface assignment.PNG)
![old_nat.PNG](/public/_imported_attachments_/1/old_nat.PNG)
![new_nat.PNG](/public/_imported_attachments_/1/new_nat.PNG)
![no traffic flow.PNG](/public/_imported_attachments_/1/no traffic flow.PNG)
![firewall rules.PNG](/public/_imported_attachments_/1/firewall rules.PNG)
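The two configs above are pfSense-generated, and pfSense emits several directives twice (`fast-io`, `persist-key`, `persist-tun`, `verb`, `auth`), which makes an eyeball comparison unreliable. As an added example, not code from the post or from pfSense, the script below parses two such configs at directive level and reports what was removed, added or changed, ignoring the directives whose arguments follow the client number (`dev`, `management`, `ca`, ...). The embedded excerpts are trimmed copies of the Old Config and New Config above; run over them, the diff shows the new client lost `nobind` and `compress lzo`, gained `local 10.1.1.2` and `lport 0`, and moved from `engine rdrand` to `engine cryptodev`.

```python
"""Directive-level diff of two pfSense-generated OpenVPN client configs.

Added example, not code from the forum post or from pfSense. pfSense emits
some directives twice (fast-io, persist-key, persist-tun, verb, auth), so
each directive maps to a list of argument strings rather than one value.
"""
from collections import defaultdict

# Directives whose arguments follow the client number (ovpnc1 vs ovpnc2)
# and therefore differ between any two client instances; they are compared
# for presence only, not value.
INSTANCE_SPECIFIC = {"dev", "dev-node", "writepid", "management",
                     "auth-user-pass", "ca", "cert", "key"}

# Excerpts of the Old Config and New Config posted above, trimmed to the
# lines that differ plus a few shared ones (constructed from the post).
OLD_EXCERPT = """\
dev ovpnc2
verb 3
dev-type tun
proto udp4
cipher AES-256-CBC
engine rdrand
tls-client
client
nobind
remote syd-a15.ipvanish.com 1194
ncp-disable
compress lzo
fast-io
fast-io
route-nopull
verb 3
"""

NEW_EXCERPT = """\
dev ovpnc1
verb 3
dev-type tun
proto udp4
cipher AES-256-CBC
local 10.1.1.2
engine cryptodev
tls-client
client
lport 0
remote syd-a15.ipvanish.com 1194
ncp-disable
fast-io
fast-io
route-nopull
verb 3
"""


def parse_ovpn(text):
    """Return {directive: sorted list of argument strings, one per occurrence}.
    Blank lines and '#'/';' comments are skipped. Inline <ca>...</ca> blocks
    are not handled because pfSense writes those to files."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        found[name].append(args.strip())
    return {name: sorted(args) for name, args in found.items()}


def diff_ovpn(old_text, new_text, ignore=INSTANCE_SPECIFIC):
    """Return {'removed': {...}, 'added': {...}, 'changed': {...}}.
    'changed' maps a directive to (old_args, new_args)."""
    old, new = parse_ovpn(old_text), parse_ovpn(new_text)
    removed = {k: v for k, v in old.items() if k not in new}
    added = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in old
               if k in new and k not in ignore and old[k] != new[k]}
    return {"removed": removed, "added": added, "changed": changed}


if __name__ == "__main__":
    report = diff_ovpn(OLD_EXCERPT, NEW_EXCERPT)
    for kind in ("removed", "added", "changed"):
        for name, args in report[kind].items():
            print("%-8s %s %s" % (kind, name, args))
```

The diff does not say which of these differences matters, but it turns "should be identical" into a concrete list of five directives to check against the server side before chasing the routing.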
viragomann

The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.
You have to set the VPN gateway there to direct traffic to the VPN server instead of the WAN gateway.

jarrad

@viragomann:

> The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.

Which ones in particular? The ones from the LAN or the ones on the WAN side?

> You have to set the VPN gateway there to direct traffic to the VPN server instead of the WAN gateway.

I've had a look at my settings and I can't seem to find that, but it makes sense - I feel like I've missed a step.

jarrad

            So I don't know how or why, but recreating the client seems to have fixed this.

            Not sure why I didn't try this earlier.

For some context though, the raw interface socket changed. The original interface was being labelled as OPT9, but when I recreated the client it is now branded as OPT1.

At a guess, I was creating the client before I had finished something else VLAN-related and the OPT interface was mislabelled or misassigned somehow, and that is why traffic flow and routing were broken.

Thanks for the tip viragomann!

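The two replies above turn on three pfSense settings that have to agree. First, the rules on the inside interface where the traffic enters (the LAN or VLAN side, which answers jarrad's question; not the WAN rules) must carry the VPN gateway in their Gateway field under Advanced, otherwise matching traffic follows the WAN default route. Second, that gateway belongs to the OPT interface pfSense bound to the client's `ovpncN` device; if the client is recreated and comes back as a different OPT (the OPT9 versus OPT1 situation in the last post), a gateway or NAT rule that still refers to the old OPT no longer points at the tunnel. Third, outbound NAT must cover that interface (automatic mode handles interfaces that have a gateway; hybrid and manual mode need an explicit rule). As an added example, not code from the thread or from pfSense, the script below reads those settings from a config.xml-style backup and reports where they disagree. The element names follow pfSense's config.xml layout as I know it and the sample document is constructed, so treat both as assumptions to check against your own backup.

```python
"""Check that pfSense policy routing through an OpenVPN client lines up.

Added example, not code from the thread or from pfSense. Three things must
agree: the rules on the inside interface where traffic enters must carry
the VPN gateway, that gateway must belong to the OPT interface bound to the
client's ovpncN device, and outbound NAT must cover that interface. Element
names follow pfSense's config.xml layout as I know it (assumption).
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a config.xml backup, not the poster's
# real config. It is broken in two ways on purpose: the gateway still points
# at opt9 although ovpnc1 is now assigned to opt1 (the situation jarrad
# describes), and the IOT VLAN rule has no gateway set.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>ovpnc1</if><descr>IPVANISH</descr></opt1>
    <opt2><if>igb1.20</if><descr>IOT</descr></opt2>
  </interfaces>
  <gateways>
    <gateway_item><interface>opt9</interface><name>IPVANISH_VPNV4</name></gateway_item>
  </gateways>
  <nat><outbound>
    <mode>hybrid</mode>
    <rule><interface>opt1</interface><source><network>10.10.0.0/16</network></source></rule>
  </outbound></nat>
  <filter>
    <rule><interface>lan</interface><descr>LAN via VPN</descr><gateway>IPVANISH_VPNV4</gateway></rule>
    <rule><interface>opt2</interface><descr>IOT pass any</descr></rule>
    <rule><disabled/><interface>opt2</interface><descr>old rule</descr></rule>
  </filter>
</pfsense>"""


def _text(elem, path, default=""):
    """Text of the first child matching path, or default."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def check_vpn_policy_routing(xml_text, vpnid, gateway_name, inside_ifaces):
    """Return a list of findings; an empty list means assignment, gateway,
    inside rules and outbound NAT all agree for client number vpnid."""
    root = ET.fromstring(xml_text)
    findings = []
    dev = "ovpnc%d" % vpnid

    # Which interface entry (lan/optN) is bound to the client's tun device?
    bound = [e.tag for e in root.find("interfaces") if _text(e, "if") == dev]
    if not bound:
        findings.append("%s is not assigned to any interface" % dev)
        return findings
    opt = bound[0]

    # The VPN gateway must refer to that same interface entry.
    gw = next((g for g in root.iter("gateway_item")
               if _text(g, "name") == gateway_name), None)
    if gw is None:
        findings.append("gateway %s does not exist" % gateway_name)
    elif _text(gw, "interface") != opt:
        findings.append("gateway %s is bound to %s, but %s is assigned to %s"
                        % (gateway_name, _text(gw, "interface"), dev, opt))

    # Every enabled rule on an inside interface must carry the VPN gateway;
    # a rule without one lets matching traffic follow the WAN default route.
    for rule in root.findall("filter/rule"):
        iface = _text(rule, "interface")
        if iface not in inside_ifaces or rule.find("disabled") is not None:
            continue
        if _text(rule, "gateway") != gateway_name:
            findings.append("rule '%s' on %s has gateway '%s'; traffic takes "
                            "the WAN default route"
                            % (_text(rule, "descr"), iface,
                               _text(rule, "gateway") or "default"))

    # Outbound NAT: automatic mode covers interfaces that have a gateway;
    # hybrid and manual ("advanced") need an explicit rule on the interface.
    mode = _text(root, "nat/outbound/mode") or "automatic"
    nat_ifaces = [_text(r, "interface") for r in root.findall("nat/outbound/rule")]
    if mode == "disabled":
        findings.append("outbound NAT is disabled")
    elif mode in ("hybrid", "advanced") and opt not in nat_ifaces:
        findings.append("outbound NAT mode is %s but no rule maps out %s" % (mode, opt))
    return findings


if __name__ == "__main__":
    for f in check_vpn_policy_routing(SAMPLE_CONFIG, 1, "IPVANISH_VPNV4", ["lan", "opt2"]):
        print("FINDING:", f)
```

Pass the client's number from `dev ovpncN` in the generated config, the gateway name shown under System > Routing, and the internal names (`lan`, `opt2`, ...) of every VLAN whose traffic should leave through the tunnel. A "pass any/any" rule on a VLAN with no gateway set is reported explicitly, since it is the case where traffic silently takes the WAN.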
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.