Cannot Route through OpenVPN Client



  • Hi folks

    I've migrated from my old, working hardware to my new, semi-working hardware. I say semi-working because, well, most things work, but not this particular aspect.

    I also happened to go from a flat network to a VLAN'd network. Super easy with pfSense by the way.

    The problem I am having is that I cannot get traffic flowing via my OpenVPN client interface.

    I have configured it exactly the same as the old one in a direct copy and paste, so settings wise it should be identical. The only major change is of course going from flat to VLAN.

    I've attached some screenshots below to see if anyone can help me as well as config files from both systems.

    I've also attached the error I get on trying to visit a website I host externally that will tell me my IP address via CURL - perhaps that might give some clues?

    Lastly, the firewall rules for the Client interface and all my VLANs are currently the super "secure" pass any any, as attached.

    Thanks!

    Old Config

    ```
    dev ovpnc2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    engine rdrand
    tls-client
    client
    nobind
    management /var/etc/openvpn/client2.sock unix
    remote syd-a15.ipvanish.com 1194
    auth-user-pass /var/etc/openvpn/client2.up
    auth-retry nointeract
    ca /var/etc/openvpn/client2.ca
    cert /var/etc/openvpn/client2.cert
    key /var/etc/openvpn/client2.key
    ncp-disable
    compress lzo
    resolv-retry infinite
    fast-io
    fast-io
    route-delay 2
    route-nopull
    tun-mtu 1500
    persist-key
    persist-tun
    persist-remote-ip
    verb 3
    auth SHA256
    keysize 256
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
    ```


    New Config

    ```
    dev ovpnc1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.1.1.2
    engine cryptodev
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote syd-a15.ipvanish.com 1194
    auth-user-pass /var/etc/openvpn/client1.up
    auth-retry nointeract
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    ncp-disable
    resolv-retry infinite
    fast-io
    fast-io
    route-delay 2
    route-nopull
    tun-mtu 1500
    persist-key
    persist-tun
    persist-remote-ip
    verb 3
    auth SHA256
    keysize 256
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
    ```

    ![old_interface assignment.PNG](/public/_imported_attachments_/1/old_interface assignment.PNG)
    ![new_interface assignment.PNG](/public/_imported_attachments_/1/new_interface assignment.PNG)
    ![old_nat.PNG](/public/_imported_attachments_/1/old_nat.PNG)
    ![new_nat.PNG](/public/_imported_attachments_/1/new_nat.PNG)
    ![no traffic flow.PNG](/public/_imported_attachments_/1/no traffic flow.PNG)
    ![firewall rules.PNG](/public/_imported_attachments_/1/firewall rules.PNG)
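    The two configs above are not quite a "direct copy and paste". A directive-by-directive comparison makes the differences visible; this is an added example, not code from the thread or from pfSense, and it works on a constructed excerpt containing only the lines of the two posted configs that differ or repeat. It also flags `route-nopull`, which discards the routes the server pushes, so traffic only uses the tunnel when a firewall rule selects the VPN gateway.

    ```python
    from collections import Counter
    # Constructed excerpt of the two configs posted above: only the directives
    # that differ between them or repeat, copied from the thread.
    OLD_CONFIG = """\
    dev ovpnc2
    dev-node /dev/tun2
    engine rdrand
    nobind
    compress lzo
    fast-io
    fast-io
    route-nopull
    """
    NEW_CONFIG = """\
    dev ovpnc1
    dev-node /dev/tun1
    local 10.1.1.2
    engine cryptodev
    lport 0
    fast-io
    fast-io
    route-nopull
    """

    def parse(text):
        """Map each directive to its argument string and count repeats; skip blanks and comments."""
        values, counts = {}, Counter()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, _, arg = line.partition(" ")
            values[name] = arg.strip()
            counts[name] += 1
        return values, counts

    def compare(old_text, new_text):
        """Report directives removed, added, changed or duplicated between two configs."""
        old, _ = parse(old_text)
        new, new_counts = parse(new_text)
        return {
            "removed": sorted(k for k in old if k not in new),
            "added": sorted(k for k in new if k not in old),
            "changed": sorted(k for k in old if k in new and old[k] != new[k]),
            "duplicated": sorted(k for k, n in new_counts.items() if n > 1),
            # route-nopull discards routes pushed by the server, so traffic only
            # enters the tunnel when a firewall rule selects the VPN gateway.
            "needs_policy_routing": "route-nopull" in new,
        }
    ```

    Run `compare(OLD_CONFIG, NEW_CONFIG)` to see that `nobind` and `compress lzo` disappeared while `local` and `lport` appeared, and that `fast-io` is duplicated in both files.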


  • The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.
    You have to set the VPN gateway there to direct traffic to the VPN server instead of the WAN gateway.



  • @viragomann:

    > The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.

    Which ones in particular? The ones from the LAN or the ones on the WAN side?

    > You have to set the vpn gateway here to direct traffic to the vpn server instead of WAN gateway.

    I've had a look at my settings and I can't seem to find that, but it makes sense - I feel like I've missed a step.



  • So I don't know how or why, but recreating the client seems to have fixed this.

    Not sure why I didn't try this earlier.

    For some context though, the raw interface socket changed. The original interface was being labeled as OPT9 but when I recreated the client it now is branded as OPT1.

    At a guess I was creating the client before I had finished something else VLAN related and the OPT interface was mislabelled or misassigned somehow and that is why traffic flow and routing was broken.

    Thanks for the tip viragomann!

