Host still passing through VPN tunnel after being removed from respective Alias config



  • hw: sg-2440
    pfsense ver: 2.4.4-RELEASE-p3 (amd64)

    I created 4 VPN tunnels, each from a different vendor, to test them. They all work. I pass some devices through them and some not. I noticed that when I removed a device from the respective Firewall > Aliases config, that host was still being passed through that tunnel, even after I rebooted pfSense; i.e., the IP under VPN Status > OpenVPN > Client Instance Statistics > Remote Host is what shows on sites like whatsmyip*.

    Only when I disabled the respective VPN tunnel through VPN > OpenVPN > Clients was the host then passed through the pfSense default rule to the Internet.

    Is this expected behaviour?



  • By default the VPN server sets the default route on the client, so any traffic passes through the VPN.
    As you say, you have an alias including IPs that should pass through the VPN; I assume you've already set a policy routing rule, which is needed to direct the traffic from these hosts over the VPN.

    However, you have to prevent the VPN server from setting the default route. To do so, go to the client settings and check "Don't pull routes".



  • @viragomann

    "As you say, you have an alias including IPs that should pass through the VPN; I assume you've already set a policy routing rule, which is needed to direct the traffic from these hosts over the VPN."

    Yes, this is what I have for each VPN, using the respective VPN gateway per policy-based route. What is in question is: when I remove an IP from the alias for VPN1, that IP is still passing through VPN1. I had thought that once removed from the alias, the IP in question would have reverted to the default route out to the Internet, but it does not. I have to tick Disable in that particular client, VPN1, in VPN > OpenVPN > Clients > Edit. It's as though OpenVPN on my pfSense unit is keeping the IP routed through the VPN even though I removed it from the alias config.

    "However, you have to prevent the VPN server from setting the default route. To do so, go to the client settings and check "Don't pull routes"."

    Yes, each configured VPN does have "Don't pull routes" ticked.

    So, if I add an IP/host to an alias for a VPN, then remove that IP, why is that IP still routed through that VPN?



  • If a client has an existing connection and you remove the responsible rule, the communication may still go on until the corresponding state is killed.
    However, this would not survive a reboot, as you mentioned above. So no idea what's going on here.
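The reply above points at lingering pf states: a rule or alias change is only evaluated for new connections, and an existing state keeps sending the host's traffic out the interface it was created on until that state is killed (a reboot clears the state table, so it does not explain the reboot case in this thread). The script below is an added example, not from the thread or from pfSense itself; it shows how to check for and clear such states from the pfSense shell. It assumes a FreeBSD/pfSense `pfctl`, an OpenVPN client interface named ovpnc1 and a LAN host 192.168.1.50, all chosen for illustration, and the sample state lines are constructed to resemble `pfctl -ss` output.

```shell
#!/bin/sh
# Added example (not from the thread). Lists and kills lingering pf states
# for a LAN host that should no longer exit through an OpenVPN client
# interface. Assumes pfSense/FreeBSD `pfctl`; the interface name ovpnc1 and
# the host address 192.168.1.50 are assumptions for illustration.

# Constructed sample of `pfctl -ss` output: two states for 192.168.1.50 still
# leave via ovpnc1, one state for another host leaves via the WAN NIC igb0.
SAMPLE_STATES='ovpnc1 tcp 192.168.1.50:52314 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
ovpnc1 udp 192.168.1.50:50001 -> 9.9.9.9:53       MULTIPLE:MULTIPLE
igb0 tcp 192.168.1.60:41000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED'

# states_via HOST IFACE: read `pfctl -ss` lines on stdin and print those
# whose source address is HOST and whose interface is IFACE.
states_via() {
    awk -v h="$1" -v i="$2" '$1 == i && index($3, h ":") == 1'
}

# count_states_via HOST IFACE: number of matching states (0 when the host
# has no connection left on that interface).
count_states_via() {
    states_via "$1" "$2" | wc -l | tr -d ' '
}

# kill_host_states HOST: drop every state sourced from HOST so that its next
# packet is matched against the current rules and alias contents.
# Not executed in this example; run it on the firewall after editing the alias.
kill_host_states() {
    pfctl -k "$1"
}

# Demonstration against the constructed sample; on the firewall replace the
# printf with `pfctl -ss |`.
printf '%s\n' "$SAMPLE_STATES" | states_via 192.168.1.50 ovpnc1
printf '%s\n' "$SAMPLE_STATES" | count_states_via 192.168.1.50 ovpnc1
```

If the count is still non-zero after the alias edit and a `pfctl -k` of the host, the traffic is being re-created by a rule that still matches, not by a stale state, so the rule set (and the gateway each rule uses) is the next thing to inspect.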



  • Appreciate your help/replies. I need to trace back through all that I set up and find where I misconfigured these VPNs, and then post back further questions if warranted. Until then ...

