Side effect of OpenVPN



  • I have 2.4.4-Release (no packages/plugins) with OpenVPN client which works fine (when used). Everything works fine from all clients when OpenVPN is enabled except some multiplayer online games (I was testing with Call of Duty 4 which reports a problem contacting servers). Turning off OpenVPN fixes the problem and games start OK.

    I tried to pinpoint the reason for this interference and I can't find anything suspicious. No game traffic ever goes through OpenVPN (which is how it should be), no blocking rules trigger and packet caps show no significant difference whether OpenVPN is on or off when launching Call of Duty - the same game servers (by IP) are contacted (but obviously respond differently). I tried changing a lot of pfSense options but the only one which I found to help is shutting down OpenVPN.

    I would appreciate any ideas what else to try or how else to debug the problem.



  • @mig said in Side effect of OpenVPN:

    No game traffic ever goes through OpenVPN

    Are you absolutely positive about this statement: "No game traffic ever goes through OpenVPN" ?

    I assume you have a VPN provider in place as that seems to be all the rage these days for some reason. A number of the VPN provider configuration guides instruct you to enable a setting to pull routes from the VPN provider. If that's your case, your traffic is likely still bouncing through your VPN provider's network instead of that of your ISP. And I bet that VPN provider's IP space is on a blacklist used by the gaming site you are trying to visit.



  • @mig

    Why don't you put your game system (I'm assuming it's a PS4 or XBox console) on a separate network or physical/virtual interface that doesn't touch the OpenVPN connection? Seems to me that would fix the problem right there...

    You don't really need to VPN your game traffic, right?

    Jeff



  • Post your client1.conf

    Post your LAN rules



  • @akuma1x Could you explain what you mean by "put your game system on a separate network or physical/virtual interface"? My entire LAN is connected to the Internet through pfSense and gaming systems (PC and Xbox) should communicate without using OpenVPN. OpenVPN is only occasionally used by several other client computers and there are very specific rules for them to go via OpenVPN (based on fixed IPs).



  • @marvosa
    OK, the output of (cat /var/etc/openvpn/client1.conf) is below:
    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 82.22.94.219
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 1-ie.cg-dialup.net 443
    auth-user-pass /var/etc/openvpn/client1.up
    auth-retry nointeract
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    ncp-disable
    comp-lzo adaptive
    resolv-retry infinite
    resolv-retry infinite
    redirect-gateway def1
    persist-key
    persist-tun
    script-security 2
    remote-cert-tls server
    route-delay 5
    tun-mtu 1500
    fragment 1300
    mssfix 1300
    verb 4

    As far as I can see it's mostly VPN configuration (which works fine when it's used) and doesn't shed much light on why OpenVPN may be interfering with communications to gaming servers...



  • @mig

    Am I right that you didn't tick the checkbox "Don't pull routes" in your OpenVPN client config? At least I don't see the option in your client1.conf output (route-nopull).

    Without it, I believe all traffic is routed over your VPN instead of the WAN, meaning your Xbox probably will have strict or double NAT now in the network setting.

    Can you post a screenshot of your NAT and Firewall rules? Did you follow any VPN provider guide to set up your VPN client?



  • Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.

    If your goal is to exclude certain traffic (i.e. gaming, etc) from the VPN, you'll want to remove "redirect-gateway def1", add "route-nopull", and add explicit rules on your LAN tab to policy route only the traffic you want traversing the tunnel.



  • @bmeeks I dug more into "No game traffic ever goes through OpenVPN" and discovered that while packet captures on pfSense do not show any activity on VPN/OpenVPN interfaces, the traceroute on the client indicates that traffic directed at game servers (e.g. 185.34.104.231 for CoD) does go through OpenVPN. I should therefore re-state my question and add one more:

    1. Why could it be that OpenVPN gateway may be used in preference to the default WAN gateway? (There are no rules to select VPN gateway.)
    2. Why would pfSense's packet capture on VPN/OpenVPN interface show no packets if really there are some? (Could it be that the source "Host address" IP is not recognized for VPN packets? Or do VPN packet captures require something special?)


  • @marvosa said in Side effect of OpenVPN:

    Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.

    It appears that you are right, many thanks! After replacing "redirect-gateway def1" with "route-nopull" the games stopped misbehaving while VPN-enabling rules (based on IP) still work. I'll do a bit more testing but it looks like your advice was spot on. Thanks a million!

    It appears that IRC "redirect-gateway def1" option changes the default gateway to VPN while pfSense still reports non-VPN gateway as default - this is quite confusing.
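
Why "redirect-gateway def1" moves game traffic into the tunnel while the default route still points at the WAN, as an added example that is not part of the thread and not pfSense or OpenVPN code. It models a routing table as longest-prefix match; the interface name "wan" and the single starting default route are assumptions, and the config text is a constructed excerpt of the client1.conf posted above.

```python
import ipaddress

# Constructed excerpt of the client1.conf posted in the thread.
SAMPLE_CONF = """\
dev ovpnc1
#user nobody
remote 1-ie.cg-dialup.net 443
redirect-gateway def1
route-delay 5
"""
# The change reported to fix the problem: swap the directive for route-nopull.
FIXED_CONF = SAMPLE_CONF.replace("redirect-gateway def1", "route-nopull")

def tunnel_routes(conf_text):
    """Prefixes that a local redirect-gateway directive sends into the tunnel."""
    routes = []
    for line in conf_text.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", ";")):
            continue  # blank line or comment
        if words[0] == "redirect-gateway":
            if "def1" in words[1:]:
                # def1 leaves 0.0.0.0/0 alone and adds two more-specific halves.
                routes += ["0.0.0.0/1", "128.0.0.0/1"]
            else:
                routes.append("0.0.0.0/0")  # the default route itself is replaced
    return [ipaddress.ip_network(r) for r in routes]

def build_table(conf_text, wan_if="wan", tun_if="ovpnc1"):
    """Assumed starting point: a single default route out of the WAN."""
    table = {ipaddress.ip_network("0.0.0.0/0"): wan_if}
    for net in tunnel_routes(conf_text):
        table[net] = tun_if
    return table

def next_hop(dest, table):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    best = max((net for net in table if addr in net), key=lambda n: n.prefixlen)
    return table[best]

def default_route_interface(table):
    """What a 'default gateway' display reads: only the 0.0.0.0/0 entry."""
    return table[ipaddress.ip_network("0.0.0.0/0")]

if __name__ == "__main__":
    for name, conf in (("def1", SAMPLE_CONF), ("route-nopull", FIXED_CONF)):
        t = build_table(conf)
        print(name, "default:", default_route_interface(t),
              "185.34.104.231 via:", next_hop("185.34.104.231", t))
```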

