Netgate Discussion Forum
    pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway)

      swarm:

      Hey guys,

      I've got a really weird problem setting up pfSense as a client. I have it configured so that it works as an OpenVPN client to a server I have online to create a site-to-site VPN connection. I used iroute to expose some subnets behind the pfSense box to the VPN clients. The problem is that whenever OpenVPN is running, random websites that I try to go to are consistently routed through the VPN gateway even though nothing should be going through OpenVPN except for the VPN subnet.

      For example, I ran a traceroute on wiki.vyos.net and it just didn't get past the VPN gateway. [screenshot of the traceroute]

      However, at the same time, wiki.archlinux.org works fine. I'm not gonna show the traceroute here for privacy reasons but I can access the site without a problem and it gives me a full, proper traceroute to the endpoint.

      My NAT rules are all default and this problem goes away when I turn off OpenVPN on the pfSense. Anyone know what the problem could be?

      Additionally, I have this really weird string of characters after the second entry in my routing table for the OpenVPN routes.
      [screenshot of the routing table]

      Anyone know what could be going on?

      Thanks

      bmeeks:

        Sounds like you need to turn off the "Pull Routes" setting in the VPN Client setup on pfSense. The default setup instructions for most VPN companies tell you to enable that feature, but it causes VPN routes to become your "default" routes in most cases. That is not what you want. You want to use policy-based routing on pfSense instead. So uncheck that box and then set up your own routing so only your VPN subnet/VLAN is routed to the VPN gateway.

        swarm:

          Hey @bmeeks. Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. Forgot to do it when setting up the client initially, so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists and I think it's because of something being cached where it shouldn't be.

          bmeeks @swarm:

            @swarm said in pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway):

            Hey @bmeeks. Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. Forgot to do it when setting up the client initially, so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists and I think it's because of something being cached where it shouldn't be.

            You may need to flush the routing table. If the firewall is not a business-critical item (meaning it's just your home network or similar), I would just reboot pfSense to be sure everything "cached" is flushed.

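To answer the "any way to check that?" question above and to confirm a flush actually removed the pushed routes, here is an added check that is not part of this thread: it reads a FreeBSD-style routing table (what `netstat -rn -f inet` prints in a pfSense shell) and lists every route that leaves via the OpenVPN client interface but is not one of the destinations the site-to-site link is meant to carry. The interface name ovpnc1, the 10.8.0.0/24 tunnel, the 192.168.50.0/24 remote LAN and the sample table itself are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output as pfSense (FreeBSD)
# prints it, with the OpenVPN client on ovpnc1. The peer has pushed the
# two /1 routes that override the default route (what "Pull Routes" lets in).
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
10.8.0.5           link#7             UH       ovpnc1
192.168.50.0/24    10.8.0.5           UGS      ovpnc1
0.0.0.0/1          10.8.0.5           UGS      ovpnc1
128.0.0.0/1        10.8.0.5           UGS      ovpnc1
192.168.1.0/24     link#1             U           em1
127.0.0.1          link#3             UH          lo0'

# Read a routing table on stdin and print each destination that leaves via
# interface $1 but is not in the permitted list given as the remaining args.
# Anything printed is a route the VPN peer pushed or a stale entry that
# survived a config change and still needs flushing.
filter_vpn_routes() {
    iface="$1"; shift
    awk -v iface="$iface" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $4 == iface && !($1 in ok) { print $1 }'
}

# Wrapper over the constructed sample so the check runs offline.
unexpected_vpn_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | filter_vpn_routes "$@"
}

# Permitted set for this site-to-site link: the tunnel transit net,
# the peer's tunnel address and the remote LAN. Everything else is flagged.
unexpected_vpn_routes ovpnc1 10.8.0.0/24 10.8.0.5 192.168.50.0/24
```

On a live pfSense box, feed the real table instead of the sample with `netstat -rn -f inet | filter_vpn_routes ovpnc1 <your allowed destinations>`; an empty result after the reboot or flush confirms no leftover VPN routes remain.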
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.