Cannot Route through OpenVPN Client
-
Hi folks
I've migrated from my old, working hardware to my new, semi-working hardware. I say semi-working because most things work, but not this particular aspect.
I also happened to go from a flat network to a VLAN'd network. Super easy with pfSense, by the way.
The problem I am having is that I cannot get traffic flowing via my OpenVPN client interface.
I have configured it exactly the same as the old one in a direct copy and paste, so settings-wise it should be identical. The only major change is of course going from flat to VLAN.
I've attached some screenshots below to see if anyone can help me, as well as config files from both systems.
I've also attached the error I get on trying to visit a website I host externally that will tell me my IP address via curl - perhaps that might give some clues?
Lastly, the firewall rules for the client interface and all my VLANs are currently the super "secure" pass any/any, as attached.
Thanks!
Old Config

```
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
# new config uses "engine cryptodev" here
engine rdrand
tls-client
client
# new config replaces nobind with "local 10.1.1.2" and "lport 0"
nobind
management /var/etc/openvpn/client2.sock unix
remote syd-a15.ipvanish.com 1194
auth-user-pass /var/etc/openvpn/client2.up
auth-retry nointeract
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
ncp-disable
# compression is absent from the new config
compress lzo
resolv-retry infinite
fast-io
fast-io
route-delay 2
route-nopull
tun-mtu 1500
persist-key
persist-tun
persist-remote-ip
verb 3
auth SHA256
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
```
New Config

```
dev ovpnc1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
# not in the old config: client bound to a specific local address
local 10.1.1.2
# old config used "engine rdrand"
engine cryptodev
tls-client
client
# old config used "nobind" instead
lport 0
management /var/etc/openvpn/client1.sock unix
remote syd-a15.ipvanish.com 1194
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
ncp-disable
resolv-retry infinite
fast-io
fast-io
route-delay 2
route-nopull
tun-mtu 1500
persist-key
persist-tun
persist-remote-ip
verb 3
auth SHA256
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
```

Attachments: old_interface assignment.PNG, new_interface assignment.PNG, old_nat.PNG, new_nat.PNG, no traffic flow.PNG, firewall rules.PNG
-
The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.
You have to set the VPN gateway here to direct traffic to the VPN server instead of the WAN gateway.
-
> The firewall rules on the other interface are crucial here, where the traffic from your devices comes into pfSense.

Which ones in particular? The ones from the LAN or the ones on the WAN side?

> You have to set the VPN gateway here to direct traffic to the VPN server instead of the WAN gateway.

I've had a look at my settings and I can't seem to find that, but it makes sense - I feel like I've missed a step.
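What the missing step looks like underneath the pfSense GUI, as an added example that is not part of the thread: the gateway chosen in a LAN/VLAN rule becomes a pf `route-to (<tunnel> <gw>)` clause, and an Outbound NAT rule on the tunnel interface is what makes replies come back. With `route-nopull` set (as in both configs above) the client never installs the provider's routes, so that route-to clause is the only way traffic enters the tunnel. The script audits `pfctl -sr` and `pfctl -sn` dumps for both conditions. The dumps, device names (igb1.10, igb1.20, igb0, ovpnc1), subnets and the tunnel gateway 10.8.8.1 are constructed for the example, not taken from the poster's firewall.

```python
"""
Audit a pf rule dump (pfSense) for the two things policy-routing LAN/VLAN
traffic into an OpenVPN client tunnel needs:
  1. the pass rules on each LAN/VLAN interface carry route-to (<tun> <gw>),
     otherwise traffic follows the default route out of WAN;
  2. an outbound NAT rule on the tunnel interface covers every subnet routed
     into it, otherwise packets leave with a private source address.
Input is the text of `pfctl -sr` (filter rules) and `pfctl -sn` (NAT rules).
"""
import re

# Constructed sample dumps with hypothetical device names: igb1.10 = VLAN 10,
# igb1.20 = VLAN 20, igb0 = WAN, ovpnc1 = the OpenVPN client tunnel.
SAMPLE_FILTER_RULES = """\
pass in quick on igb1.10 route-to (ovpnc1 10.8.8.1) inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: VLAN10 via VPN"
pass in quick on igb1.20 inet from 192.168.20.0/24 to any flags S/SA keep state label "USER_RULE: VLAN20 pass any any"
pass in quick on igb1.20 inet proto udp from 192.168.20.0/24 to 192.168.20.1 port = 53 keep state label "USER_RULE: DNS to firewall"
pass in quick on ovpnc1 inet from any to any flags S/SA keep state label "USER_RULE: VPN any any"
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
"""

SAMPLE_NAT_RULES = """\
nat on igb0 inet from 192.168.10.0/24 to any -> (igb0) port 1024:65535
nat on igb0 inet from 192.168.20.0/24 to any -> (igb0) port 1024:65535
nat on ovpnc1 inet from 192.168.10.0/24 to any -> (ovpnc1) port 1024:65535
"""

ACTION_RE = re.compile(r"^(pass|block)(?:\s+(?:drop|return))?\s+(in|out)\b")
ON_RE = re.compile(r"\bon\s+(\S+)")
ROUTE_TO_RE = re.compile(r"\broute-to\s+\(\s*(\S+)\s+([^)\s]+)\s*\)")
FROM_TO_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+on\s+(\S+)\b.*?\bfrom\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)")


def parse_filter_rules(text):
    """Return one dict per pass/block rule: action, dir, iface, route_to, src, dst, raw."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        act = ACTION_RE.match(line)
        if not act:
            continue  # anchors, tables, options: not a filter rule
        on = ON_RE.search(line)
        rt = ROUTE_TO_RE.search(line)
        ft = FROM_TO_RE.search(line)
        rules.append({
            "action": act.group(1),
            "dir": act.group(2),
            "iface": on.group(1) if on else None,
            "route_to": (rt.group(1), rt.group(2)) if rt else None,
            "src": ft.group(1) if ft else "any",
            "dst": ft.group(2) if ft else "any",
            "raw": line,
        })
    return rules


def parse_nat_rules(text):
    """Return one dict per `nat on <iface> ... -> <target>` rule."""
    nat = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat.append({"iface": m.group(1), "src": m.group(2),
                        "dst": m.group(3), "target": m.group(4)})
    return nat


def audit(filter_text, nat_text, lan_ifaces, tun_iface):
    """Return (ok, findings) for traffic from lan_ifaces that should ride tun_iface."""
    rules = parse_filter_rules(filter_text)
    nat = parse_nat_rules(nat_text)
    findings = []
    routed_sources = set()
    for lan in lan_ifaces:
        inbound = [r for r in rules
                   if r["dir"] == "in" and r["iface"] == lan and r["action"] == "pass"]
        if not inbound:
            findings.append(f"{lan}: no pass-in rule, traffic hits the default deny")
            continue
        for r in inbound:
            rt = r["route_to"]
            if rt is None:
                # Rules to a specific host (DNS to the firewall, etc.) are fine
                # without route-to; a pass-to-any without it goes out WAN.
                if r["dst"] == "any":
                    findings.append(f"{lan}: pass-to-any rule without route-to, "
                                    f"traffic follows the default route via WAN: {r['raw']}")
            elif rt[0] != tun_iface:
                findings.append(f"{lan}: route-to points at {rt[0]}, not {tun_iface}: {r['raw']}")
            else:
                routed_sources.add(r["src"])
    tun_nat = [n for n in nat if n["iface"] == tun_iface]
    for src in sorted(routed_sources):
        if not any(n["src"] in (src, "any") for n in tun_nat):
            findings.append(f"{tun_iface}: no outbound NAT for {src}, packets leave the "
                            f"tunnel with a private source address and replies never return")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit(SAMPLE_FILTER_RULES, SAMPLE_NAT_RULES, ["igb1.10", "igb1.20"], "ovpnc1")
    print("OK" if ok else "PROBLEMS")
    for f in findings:
        print(" -", f)
```

On a real box dump the rules with `pfctl -sr` and `pfctl -sn` and pass the real LAN/VLAN device names (not the OPT labels). Because the checks key on device names, a ruleset that still points at a different tunnel device than the one the running client created (the two configs above use ovpnc2 and ovpnc1 respectively) shows up as a route-to aimed at the wrong interface, which is one way an interface-assignment mix-up becomes visible from the command line.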
-
So I don't know how or why, but recreating the client seems to have fixed this.
Not sure why I didn't try this earlier.
For some context though, the raw interface socket changed. The original interface was being labeled as OPT9, but when I recreated the client it is now branded as OPT1.
At a guess I was creating the client before I had finished something else VLAN-related, and the OPT interface was mislabelled or misassigned somehow, and that is why traffic flow and routing was broken.
Thanks for the tip viragomman!