Netgate Discussion Forum
    Side effect of OpenVPN

    OpenVPN
      mig
      last edited by

      I have 2.4.4-Release (no packages/plugins) with OpenVPN client which works fine (when used). Everything works fine from all clients when OpenVPN is enabled except some multiplayer online games (I was testing with Call of Duty 4 which reports a problem contacting servers). Turning off OpenVPN fixes the problem and games start OK.

      I tried to pinpoint the reason for this interference and I can't find anything suspicious. No game traffic ever goes through OpenVPN (which is how it should be), no blocking rules trigger and packet caps show no significant difference whether OpenVPN is on or off when launching Call of Duty - the same game servers (by IP) are contacted (but obviously respond differently). I tried changing a lot of pfSense options but the only one which I found to help is shutting down OpenVPN.

      I would appreciate any ideas on what else to try or how else to debug the problem.

        bmeeks
        last edited by bmeeks

        @mig said in Side effect of OpenVPN:

        No game traffic ever goes through OpenVPN

        Are you absolutely positive about this statement: "No game traffic ever goes through OpenVPN" ?

        I assume you have a VPN provider in place as that seems to be all the rage these days for some reason. A number of the VPN provider configuration guides instruct you to enable a setting to pull routes from the VPN provider. If that's your case, your traffic is likely still bouncing through your VPN provider's network instead of that of your ISP. And I bet that VPN provider's IP space is on a blacklist used by the gaming site you are trying to visit.

          akuma1x
          last edited by

          @mig

          Why don't you put your game system (I'm assuming it's a PS4 or Xbox console) on a separate network or physical/virtual interface that doesn't touch the OpenVPN connection? Seems to me that would fix the problem right there...

          You don't really need to VPN your game traffic, right?

          Jeff

            marvosa
            last edited by

            Post your client1.conf

            Post your LAN rules

              mig @akuma1x
              last edited by

              @akuma1x Could you explain what you mean by "put your game system on a separate network or physical/virtual interface"? My entire LAN is connected to the Internet through pfSense, and gaming systems (PC and Xbox) should communicate without using OpenVPN. OpenVPN is only occasionally used by several other client computers, and there are very specific rules for them to go via OpenVPN (based on fixed IPs).

                mig @marvosa
                last edited by

                @marvosa
                OK, the output of (cat /var/etc/openvpn/client1.conf) is below:
                dev ovpnc1
                verb 1
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_client1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp4
                cipher AES-256-CBC
                auth SHA256
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 82.22.94.219
                tls-client
                client
                lport 0
                management /var/etc/openvpn/client1.sock unix
                remote 1-ie.cg-dialup.net 443
                auth-user-pass /var/etc/openvpn/client1.up
                auth-retry nointeract
                ca /var/etc/openvpn/client1.ca
                cert /var/etc/openvpn/client1.cert
                key /var/etc/openvpn/client1.key
                ncp-disable
                comp-lzo adaptive
                resolv-retry infinite
                resolv-retry infinite
                redirect-gateway def1
                persist-key
                persist-tun
                script-security 2
                remote-cert-tls server
                route-delay 5
                tun-mtu 1500
                fragment 1300
                mssfix 1300
                verb 4

                As far as I can see it's mostly VPN configuration (which works fine when it's used) and doesn't shed much light on why OpenVPN may be interfering with communications to gaming servers...

                  Chris78
                  last edited by

                  @mig

                  Am I right that you didn't tick the checkbox "Don't pull routes" in your OpenVPN client config? At least I don't see the option in your client1.conf output (route-nopull).

                  Without it, I believe all traffic is routed over your VPN instead of the WAN, meaning your Xbox probably will have strict or double NAT now in the network settings.

                  Can you post a screenshot of your NAT and Firewall rules? Did you follow any VPN provider guide to set up your VPN client?

                    marvosa
                    last edited by

                    Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.

                    If your goal is to exclude certain traffic (i.e. gaming, etc.) from the VPN, you'll want to remove "redirect-gateway def1", add "route-nopull", and add explicit rules on your LAN tab to policy route only the traffic you want traversing the tunnel.

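A small config audit, added here as an example (not code from the thread, pfSense or OpenVPN), that checks a client config for the two options Chris78 and marvosa point at: a local redirect-gateway line (with the def1 semantics that explain why pfSense keeps showing WAN as the default gateway) and a missing route-nopull. The sample config lines are constructed to mirror the thread's client1.conf, with a placeholder hostname.

```python
"""Audit an OpenVPN client config for options that quietly steer all
traffic into the tunnel (added example, not code from the thread)."""

def parse_options(text: str) -> list[list[str]]:
    """Split config text into [option, arg, ...] lists; skip blank and comment lines."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            opts.append(line.split())
    return opts

def default_routes_for(flags: list[str]) -> list[str]:
    """Routes redirect-gateway installs. With 'def1' it adds 0.0.0.0/1 and
    128.0.0.0/1, which beat the existing 0.0.0.0/0 on prefix length, so the
    OS (and pfSense's gateway page) still shows WAN as default while unused."""
    return ["0.0.0.0/1", "128.0.0.0/1"] if "def1" in flags else ["0.0.0.0/0"]

def audit_routes(text: str) -> dict:
    redirect = None   # flags of a redirect-gateway line in the local config
    nopull = False    # route-nopull present?
    for opt, *args in parse_options(text):
        if opt == "redirect-gateway":
            redirect = args
        elif opt == "route-nopull":
            nopull = True
    findings = []
    if redirect is not None:
        findings.append("local redirect-gateway %s sends ALL traffic via the tunnel: %s"
                        % (" ".join(redirect) or "(no flags)", ", ".join(default_routes_for(redirect))))
    if not nopull:
        # route-nopull only filters what the server pushes (routes, redirect-gateway,
        # dhcp-option); it does not cancel a redirect-gateway in the local file.
        findings.append("no route-nopull: routes pushed by the VPN provider will be installed")
    return {"redirect_gateway": redirect, "route_nopull": nopull, "findings": findings}

# Constructed samples: BEFORE mirrors the custom lines in the thread's client1.conf
# (placeholder hostname), AFTER applies marvosa's fix.
BEFORE = """client
dev tun
remote vpn.example.invalid 443
redirect-gateway def1
persist-key
"""
AFTER = BEFORE.replace("redirect-gateway def1", "route-nopull")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_routes(cfg)["findings"] or "ok")
```

Running it against the real /var/etc/openvpn/client1.conf on pfSense is just `audit_routes(open(path).read())`; the "before" sample reports both findings, the "after" sample none.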
                      mig @bmeeks
                      last edited by

                      @bmeeks I dug more into "No game traffic ever goes through OpenVPN" and discovered that while packet captures on pfSense do not show any activity on VPN/OpenVPN interfaces, the traceroute on the client indicates that traffic directed at game servers (e.g. 185.34.104.231 for CoD) does go through OpenVPN. I should therefore re-state my question and add one more:

                      1. Why could it be that the OpenVPN gateway may be used in preference to the default WAN gateway? (There are no rules to select the VPN gateway.)
                      2. Why would pfSense's packet capture on the VPN/OpenVPN interface show no packets if there really are some? (Could it be that the source "Host address" IP is not recognized for VPN packets? Or do VPN packet captures require something special?)
                        mig @marvosa
                        last edited by

                        @marvosa said in Side effect of OpenVPN:

                        Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.

                        It appears that you are right, many thanks! After replacing "redirect-gateway def1" with "route-nopull" the games stopped misbehaving while VPN-enabling rules (based on IP) still work. I'll do a bit more testing but it looks like your advice was spot on. Thanks a million!

                        It appears that, IIRC, the "redirect-gateway def1" option changes the default gateway to the VPN while pfSense still reports the non-VPN gateway as default - this is quite confusing.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.