[Solved] Can't route LAN through OpenVPN



  • Hi everyone,
    I have a problem with OpenVPN. I want my LAN to use my OpenVPN connection. OpenVPN status is oky and connected.
    I assigned the interface and created the gateway with no issue. I created a firewall rule in LAN tab above every other that allow everything from LAN to go through OpenVPN gateway.
    I setup NAT on manual and duplicate every rule replacing WAN with OpenVPN.

    Anything I'm trying fails miserably as hosts on my LAN are always using my ISP interface....

    Can you help me somehow ?

    Thanks



  • Are you the guy that posted this same problem on Reddit? Post screens of your LAN rules. If you're that guy, you had your rule below the Allow All rule and you didn't clear your states before testing again.



  • @KOM said in Can't route LAN through OpenVPN:

    Are you the guy that posted this same problem on Reddit?

    Nope

    Post screens of your LAN rules.

    Capture du 2019-05-23 19-02-09.png



  • Ah right, he was looking to redirect one specific LAN IP...

    Well, established states aren't affected by rule changes. Did you clear your states before trying your test again?

    I setup NAT on manual and duplicate every rule replacing WAN with OpenVPN.

    I'm not sure you have to do anything with outbound NAT just to redirect to your VPN via policy routing.



  • @KOM said in Can't route LAN through OpenVPN:

    Did you clear your states before trying your test again?

    .... That was it....😭



  • I can connect to VPN Servers just fine but I'm not able to use the VPN connection to access the Net...

    Here are my LAN FW rules:
    Sélection_002.png
    Here are my NAT Rules:
    Sélection_003.png

    The problem is when a host on my LAN tries to access the Web, webpages load and end up on a timeout, I can't access anything. I thought that was DNS related but even with an IP address I have the same problem.

    Do you have an idea ?



  • https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Firewall rules are evaluated top-down first-match wins and all other rules are ignored after a match.

    Look at your LAN rules. Your third rule says that all traffic from LAN net goes out the default gateway WAN_DHCP. Now do you have an idea as to why no traffic is going out the VPN?



  • Sorry I forgot to mention the third rule is concerning LAN traffic going to a specific (blurred) destination.



  • Yeah, and I still had my head around your old problem.

    If it's dying and timing out then it sounds like the routing is working, but there is an issue with your VPN provider. Perhaps you are getting connected at a basic level, but you aren't getting the route updated or something. I'm not a VPN expert so I could only guess here.

    Anything in System Log - OpenVPN? Increase the client verbosity and then see if there is something in the logs.



  • That's the twist : I tested several servers with two differents providers so my guess is it's PFSense conf that is the problem ?



  • Possibly. If you give it an incorrect configuration then it's possible that something won't work as expected.



  • Well, nobody seems to have a clue of what's causing this ?



  • @notarobot
    ping 8.8.8.8
    perform a traceroute to 8.8.8.8

    the traceroute may fail depending on your vpn provider's settings. Confirm connectivity to the vpn provider in the logs (VPN connection stays up, no errors etc..)

    Are you running squid or proxying anything?



  • @notarobot said in Can't route LAN through OpenVPN:

    Well, nobody seems to have a clue of what's causing this ?

    sure do

    if you are not using protonvpn DNS servers. you wo'nt be able to view webpages

    services > dhcp server. Add the addresses you want to go out that tunnel with static addresses. then under DNS servers put protonvpn servers



  • I've reset my conf and started all over again and now it seems ok....
    Don't know what was wrong though.

    Thanks you all for you help


Log in to reply