pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway)



  • Hey guys,

    I've got a really weird problem setting up pfSense as a client. I have it configured so that it works as an OpenVPN client to a server I have online to create a site-to-site VPN connection. I used iroute to expose some subnets behind the pfSense box to the VPN clients. The problem is that whenever OpenVPN is running, random websites that I try to go to are consistently routed through the VPN gateway even though nothing should be going through OpenVPN except for the VPN subnet.

    For example, I ran a traceroute on wiki.vyos.net and it just didn't get past the VPN gateway. [screenshot of the traceroute output; image not reproduced]

    However, at the same time, wiki.archlinux.org works fine. I'm not going to show the traceroute here for privacy reasons, but I can access the site without a problem and it gives me a full, proper traceroute to the endpoint.

    My NAT rules are all default and this problem goes away when I turn off OpenVPN on the pfSense. Anyone know what the problem could be?

    Additionally, I have this really weird string of characters after the second entry in my routing table for the OpenVPN routes. [screenshot of the routing table; image not reproduced]

    Anyone know what could be going on?

    Thanks



  • Sounds like you need to turn off the "Pull Routes" setting in the VPN Client setup on pfSense. The default setup instructions for most VPN companies tell you to enable that feature, but it causes VPN routes to become your "default" routes in most cases. That is not what you want. You want to use policy-based routing on pfSense instead. So uncheck that box and then set up your own routing so only your VPN subnet/VLAN is routed to the VPN gateway.



    Hey @bmeeks. Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. I forgot to do it when setting up the client initially, so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists, and I think it's because of something being cached where it shouldn't be.



  • @swarm said in pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway):

    Hey @bmeeks. Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. I forgot to do it when setting up the client initially, so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists, and I think it's because of something being cached where it shouldn't be.

    You may need to flush the routing table. If the firewall is not a business-critical item (meaning it's just your home network or similar), I would just reboot pfSense to be sure everything "cached" is flushed.
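The two questions in this thread ("which gateway is this destination actually taking?" and "are pushed routes still sitting in the table?") can both be answered from `netstat -rn -f inet` on the pfSense box. The script below is an added example, not code from the thread or from pfSense: it parses a constructed routing table in FreeBSD `netstat -rn` format (the interface name `ovpnc1`, the tunnel addresses and the documentation-range prefixes are all assumptions), does the same longest-prefix match the kernel does so you can see what `route -n get <host>` would report, and lists every destination routed via the OpenVPN client interface. On a real box you would feed it `netstat -rn -f inet` output instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread). Emulates the route checks a pfSense
# admin runs after an OpenVPN client comes up. The table below is constructed
# in FreeBSD `netstat -rn -f inet` format; ovpnc1 is the assumed client
# interface, 10.8.0.0/24 the assumed tunnel subnet, 172.16.10.0/24 the
# assumed remote site subnet, and 192.0.2.0/24 a route the server pushed.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
10.8.0.5           link#9             UH       ovpnc1
172.16.10.0/24     10.8.0.5           UGS      ovpnc1
192.0.2.0/24       10.8.0.5           UGS      ovpnc1
192.168.1.0/24     link#1             U           em0
203.0.113.0/24     link#1             U           em0
'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Longest-prefix match of destination $1 against table $2.
# Prints "gateway netif", i.e. what `route -n get $1` would show.
lookup_route() {
    dst=$(ip2int "$1")
    best_len=-1; best=""
    while read -r dest gw flags netif rest; do
        case "$dest" in
            default) net=0; len=0 ;;
            */*) net=$(ip2int "${dest%/*}"); len=${dest#*/} ;;
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) net=$(ip2int "$dest"); len=32 ;;
            *) continue ;;   # header lines, blank lines
        esac
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        fi
        if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best="$gw $netif"
        fi
    done <<EOF
$2
EOF
    echo "$best"
}

# Every destination routed via interface $1 in table $2, skipping the
# interface's own link entry. In a clean site-to-site setup only the tunnel
# subnet and the remote site's subnet should appear here; anything else was
# pushed by the server or left over from an earlier configuration.
vpn_routes() {
    while read -r dest gw flags netif rest; do
        [ "$netif" = "$1" ] || continue
        case "$gw" in link#*) continue ;; esac
        printf '%s\n' "$dest"
    done <<EOF
$2
EOF
}

# Demonstration against the constructed table.
for host in 192.0.2.10 198.51.100.7 172.16.10.4; do
    printf '%-15s -> %s\n' "$host" "$(lookup_route "$host" "$SAMPLE_ROUTES")"
done
echo "Routes via ovpnc1: $(vpn_routes ovpnc1 "$SAMPLE_ROUTES" | tr '\n' ' ')"
```

In the sample, 192.0.2.10 resolves to the tunnel gateway while 198.51.100.7 takes the WAN default route, which is exactly the "some sites go through the VPN, others don't" pattern described above. The pfSense "Don't pull routes" and "Don't add/remove routes" checkboxes correspond to OpenVPN's `route-nopull` and `route-noexec` directives; after enabling them, routes the server pushed earlier are not removed automatically, which is why the listing from `vpn_routes` (or `netstat -rn | grep ovpnc`) is worth checking before deciding whether a reboot is needed.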

