Incorrect routing to some public IP addresses due to OpenVPN tunnel.

  • Hi folks, I'm facing a pesky problem with pfSense's OpenVPN service and I'm unfortunately forced to ask wiser and more skilled people here. The problem is that some IP addresses do not route to the WAN interface (rl0), but go to a virtual one (tap0) instead. For example Google's, and a few others. My OpenVPN configuration uses the bridging method with client-to-client communication; the network topology is like: LAN <--> router <--> (INTERNET) <--> clients (they connect from 4 different locations). Clients acquire an IP address from the LAN (using an address pool) and are able to communicate with each other (and with PCs in the LAN) with no problem. I'm able to connect to the mentioned IP addresses only when I disable the OpenVPN server. When I ssh to the pfSense router, I can see this:

    # arp -a
    ( at (incomplete) on tap0 [ethernet]
    ? ( at 00:07:e9:79:xx:xx on rl0 [ethernet]
    ? ( at 00:18:f3:ac:xx:xx on rl0 [ethernet]
    ? ( at 00:22:15:46:xx:xx on rl0 [ethernet]
    ? ( at 00:00:00:00:xx:xx on rl0 [ethernet]
    ? ( at 00:1d:60:db:xx:xx on rl0 [ethernet]
    … # there are more computers in the LAN
    ? (213.194.x.y) at 00:e0:b6:12:d4:ac on xl0 [ethernet] # ISP's router
    # netstat -rn
    Routing tables
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            213.194.x.y        UGS         0 77122488    xl0
                       link#10            UC          0     9080   tap0
                       link#10            UHLW        1        0   tap0
                                          UH          0        0    lo0
                       link#1             UC          0   115823    rl0
                       00:07:e9:79:xx:xx  UHLW        1       18    rl0    832
                       00:18:f3:ac:xx:xx  UHLW        1  2059216    rl0   1190
                       00:22:15:46:xx:xx  UHLW        1   901536    rl0   1166
                       00:00:00:00:xx:xx  UHLW        1    22487    rl0   1013
                       00:1d:60:db:xx:xx  UHLW        1    30916    rl0   1181
    213.194.x.z/29  link#2             UC          0        0    xl0 # ISP's network
    213.194.x.y    00:e0:b6:12:xx:xx  UHLW        2   193535    xl0   1198 # ISP's router
    213.194.x.x     213.194.x.x     UH          0        0  carp0 # our router (dst+gw addresses are both the same)

    Here are my configuration files:

    # OpenVPN server configuration (generated by pfSense)
    writepid /var/run/
    #user nobody
    #group nobody
    keepalive 10 60
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    push "route"
    lport 1194
    push "dhcp-option DNS"
    push "dhcp-option WINS"
    push "dhcp-option NBT 4"
    ca /var/etc/
    cert /var/etc/openvpn_server1.cert
    key /var/etc/openvpn_server1.key
    dh /var/etc/openvpn_server1.dh
    dev tap0

    # OpenVPN client configuration (Windows client)
    port 1194
    dev tap
    dev-node ovpn-tun0
    proto tcp-client
    remote 213.194.x.x 1194
    ping 30
    ca C:\\Program\ Files\\OpenVPN\\config\\ca.crt
    cert C:\\Program\ Files\\OpenVPN\\config\\client1.crt
    key C:\\Program\ Files\\OpenVPN\\config\\client1.key
    ns-cert-type server

    I am also attaching two files from a Wireshark capture: the first for a working Google IP address, the second for a non-working one (in both cases it's only the SYN packet, because nothing more is sent in the case of bad routing), but I don't know if there is something helpful in them (I think not, but maybe I'm wrong). I believe the problem is not in the TCP connection method, because I tried to switch TCP to UDP (even though the clients' configuration stayed unchanged) and it didn't help at all. If you want to know anything else, just tell me please. I'll be glad for every suggestion. Thx. ;)
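As an added diagnostic that is not part of the original post or of pfSense: a Python script that parses FreeBSD `netstat -rn` rows, performs the same longest-prefix lookup the kernel does, and flags any public destination whose matching route leaves on an interface other than the WAN, which is exactly what an "(incomplete) on tap0" ARP entry for a public address implies. The routing rows are constructed from documentation address ranges because the post's destination column was lost; the WAN name `xl0` and the on-link tap0 prefix are assumptions.

```python
import ipaddress

# Constructed FreeBSD `netstat -rn` rows (documentation addresses, not the
# poster's table). The 198.51.100.0/24 row stands for a public prefix the
# router wrongly believes is on-link via tap0, which is what an
# "(incomplete) on tap0" ARP entry for a public address implies.
SAMPLE_ROUTES = """\
default            203.0.113.1        UGS         0 77122488    xl0
10.8.0             link#10            UC          0     9080   tap0
198.51.100.0/24    link#10            UC          0        0   tap0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1.0/24     link#1             UC          0   115823    rl0
192.168.1.10       00:07:e9:79:00:01  UHLW        1       18    rl0    832
203.0.113.0/29     link#2             UC          0        0    xl0
"""
# RFC 1918, loopback and link-local; anything else is treated as public here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def to_network(dest):
    """Turn a netstat Destination column into an ip_network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    if len(octets) < 4:  # older netstat abbreviates: "10.8.0" means 10.8.0.0/24
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(f"{dest}/32")  # host route (H flag)

def parse_routes(text):
    """Return (network, gateway, flags, netif) for each routing-table row."""
    rows = [line.split() for line in text.splitlines()]
    return [(to_network(p[0]), p[1], p[2], p[5]) for p in rows if len(p) >= 6]

def lookup(routes, addr):
    """Longest-prefix match, as the kernel's forwarding lookup does."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def misrouted_public(routes, addr, wan_if="xl0"):
    """True when a public address would leave on something other than the WAN.
    A cloning (UC) route on tap0 covering a public prefix makes the kernel ARP
    there instead of forwarding to the default gateway: the post's symptom."""
    ip = ipaddress.ip_address(addr)
    route = lookup(routes, addr)
    is_public = not any(ip in n for n in LOCAL_NETS)
    return is_public and route is not None and route[3] != wan_if
```

Feed it the real `netstat -rn` output and the IP that fails, and any result other than the WAN interface points at a route (or bridge netmask) that claims the address as on-link.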
