OpenVPN Server Gateway Redirect



  • I want to redirect my OpenVPN client thru my WAN IP address, That's my config.

    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-ciphers AES-128-GCM
    auth SHA256
    tls-client
    client
    remote vpn.******.net 1191 udp
    auth-user-pass
    remote-cert-tls server
    redirect-gateway def1



  • Fine, should work. Is that all you want to tell us?



  • It's not working 😔, public ip doesn't change, when connect to open VPN server with these settings.



  • So you're managing the OpenVPN server yourself?
    The connection seems to be established?
    Can you access remote devices?
    Have you access to the internet on the client while the connection is up?



  • @viragomann

    So you're managing the OpenVPN server yourself? Yes, on Pfsense
    The connection seems to be established? Yes, it does and works, but Public IP doesn't change on client side
    Can you access remote devices? some yes some no
    Have you access to the internet on the client while the connection is up? Yes



  • @manjotsc said in OpenVPN Server Gateway Redirect:

    Can you access remote devices? some yes some no

    These one you can't maybe block access themselves by the OS firewalls.

    What's your server config? Possibly it overrides the client settings.
    Some clues in the client log? Probably it doesn't set the default route correctly.

    What is the client? A phone, Windows, Linux?



  • @viragomann The config https://drive.google.com/file/d/1DYdh8ikZ2x9JFrvlfViJlUBMwmvxxKJD/preview

    I tried on Android Device using openvpn app.



  • So remove the "IPv4 Local Networks" and check "redirect gateway" in the server settings.

    Consider that you also have to add a outbound NAT rule for the OpenVPN tunnel network for internet access from VPN clients.



  • @viragomann What that rule would be?



  • When packets from private sources are sent out to the internet, the router has to translate the source addresses into its WAN address.
    pfSense does this automatically for internal subnets, but not for OpenVPN clients.

    To configure this, go to Firewall > NAT > Outbound
    Assuming it is still working in automatic mode, switch to hybrid mode and save it at first.
    Then add a new rule:
    interface: WAN
    source: <OpenVPN tunnel network>
    destination: any
    translation: interface address



  • @viragomann Now I when connected can't visit any website

    Annotation 2019-11-30 195145.png



  • Try to reboot pfSense.

    If that doesn't resolve, check the firewall rule on the OpenVPN tab.





  • Can't see, what's the rule for the OpenVPN tunnel, since I don't know the network.

    You must not allow access from any to any, since you're obviously running VPN services. This way you open your network to the VPN service networks.
    You have to restrict the access to your acess server clients.



  • @viragomann Annotation 2019-11-30 202100.png UDPVPNSERVER is the interface I created for The VPN Server,



  • But PUREVPNCA may be a VPN service you're connecting to.



  • If you disable the rule on the OpenVPN interface you have to add a rule to the UDPVPNSERVER to allow access to your DNS server. The existing rule only allow access to the WAN gateway.



  • @viragomann What Should go in Source and Destination, for dns

    Annotation 2019-11-30 203515.png



  • The source should be the access server tunnel network.
    The destination is the DNS servers you provide to the clients. Taking a look at your server settings, these are 192.168.40.4 and 192.168.40.1.



  • @viragomann Still not working , DNS_Server is alias for DNS ip address,

    Annotation 2019-11-30 204921.png



  • For troubleshooting only provide public DNS servers on the OpenVPN server settings. The firewall rule you've set on UDPVPNSERVER actually allows access to any, so that should work.
    If it doesn't determine if it's an DNS issue by accessing an Internet site by its IP.



  • @viragomann Even by ip I cannot access....



  • Everything looks correctly.

    To investigate use the Packet Capture feature from the pfSense Diagnostic menu.
    Start a capture on the UDPVPNSERVER interface while you try to connect to a public site on the vpn client device and check what you get.
    Take an additional capture from WAN, in the IP box put the destination IP you try to access for filtering. Here you should see the packets as well, but with your WAN address as source.



  • @viragomann FROM UDPVPNERVER

    00:32:29.439062 IP 192.168.43.2.60730 > 192.168.40.4.53: UDP, length 45
    00:32:29.442286 IP 192.168.43.2.45976 > 192.168.40.4.53: UDP, length 39
    00:32:29.551224 IP 192.168.40.4.53 > 192.168.43.2.60730: UDP, length 61
    00:32:29.566385 IP 192.168.40.4.53 > 192.168.43.2.45976: UDP, length 90
    00:32:29.719377 IP 192.168.43.2.42234 > 108.128.165.138.5223: tcp 0
    00:32:29.731783 IP 192.168.43.2.49548 > 173.194.202.188.5228: tcp 0
    00:32:30.549329 IP 192.168.43.2.42234 > 108.128.165.138.5223: tcp 0
    00:32:30.729830 IP 192.168.43.2.49548 > 173.194.202.188.5228: tcp 0
    00:32:32.548850 IP 192.168.43.2.42234 > 108.128.165.138.5223: tcp 0
    00:32:32.737575 IP 192.168.43.2.49548 > 173.194.202.188.5228: tcp 0
    00:32:36.560154 IP 192.168.43.2.42234 > 108.128.165.138.5223: tcp 0
    00:32:36.740280 IP 192.168.43.2.49548 > 173.194.202.188.5228: tcp 0
    00:32:38.888502 IP 192.168.43.2.1699 > 192.168.40.4.53: UDP, length 33
    00:32:38.980506 IP 192.168.43.2.29475 > 192.168.40.4.53: UDP, length 32
    00:32:39.006726 IP 192.168.40.4.53 > 192.168.43.2.1699: UDP, length 49
    00:32:39.011566 IP 192.168.43.2.35915 > 192.168.40.4.53: UDP, length 37
    00:32:39.042072 IP 192.168.43.2.55278 > 172.217.13.195.443: tcp 0
    00:32:39.042388 IP 192.168.43.2.55280 > 172.217.13.195.443: tcp 0
    00:32:39.046913 IP 192.168.40.4.53 > 192.168.43.2.35915: UDP, length 53
    00:32:39.064722 IP 192.168.43.2.37576 > 192.168.40.4.53: UDP, length 37
    00:32:39.065159 IP 192.168.40.4.53 > 192.168.43.2.37576: UDP, length 53
    00:32:39.079351 IP 192.168.43.2 > 192.168.40.4: ICMP 192.168.43.2 udp port 35915 unreachable, length 89
    00:32:39.101370 IP 192.168.40.4.53 > 192.168.43.2.29475: UDP, length 111
    00:32:39.321619 IP 192.168.43.2.33004 > 192.168.40.4.53: UDP, length 37
    00:32:39.322114 IP 192.168.40.4.53 > 192.168.43.2.33004: UDP, length 53
    00:32:39.326088 IP 192.168.43.2 > 192.168.40.4: ICMP 192.168.43.2 udp port 37576 unreachable, length 89
    00:32:39.326112 IP 192.168.43.2 > 192.168.40.4: ICMP 192.168.43.2 udp port 29475 unreachable, length 147
    00:32:39.356992 IP 192.168.43.2.47762 > 172.217.13.173.443: UDP, length 1350
    00:32:39.379553 IP 192.168.43.2.56989 > 192.168.40.4.53: UDP, length 35
    00:32:39.380290 IP 192.168.40.4.53 > 192.168.43.2.56989: UDP, length 51
    00:32:39.416312 IP 192.168.43.2.45712 > 172.16.1.1.443: tcp 0
    00:32:39.422976 IP 192.168.43.2.47762 > 172.217.13.173.443: UDP, length 1350
    00:32:39.423049 IP 192.168.43.2.54192 > 172.217.13.173.443: tcp 0
    00:32:39.423092 IP 192.168.43.2.10136 > 192.168.40.4.53: UDP, length 35
    00:32:39.499082 IP 192.168.40.4.53 > 192.168.43.2.10136: UDP, length 87
    00:32:39.563255 IP 192.168.43.2.40236 > 172.217.13.131.443: UDP, length 1350
    00:32:39.565727 IP 192.168.43.2.47762 > 172.217.13.173.443: UDP, length 1350
    00:32:39.580383 IP 192.168.43.2.20303 > 192.168.40.4.53: UDP, length 31
    00:32:39.581121 IP 192.168.40.4.53 > 192.168.43.2.20303: UDP, length 47
    00:32:39.612426 IP 192.168.43.2.40236 > 172.217.13.131.443: UDP, length 1350
    00:32:39.613464 IP 192.168.43.2.45716 > 172.16.1.1.443: tcp 0
    00:32:39.635817 IP 192.168.43.2.45718 > 172.16.1.1.443: tcp 0
    00:32:39.674561 IP 192.168.43.2.54198 > 172.217.13.173.443: tcp 0
    00:32:39.708538 IP 192.168.43.2.40236 > 172.217.13.131.443: UDP, length 1350
    00:32:39.821403 IP 192.168.43.2.47762 > 172.217.13.173.443: UDP, length 1350
    00:32:39.840581 IP 192.168.43.2.45722 > 172.16.1.1.443: tcp 0
    00:32:39.893650 IP 192.168.43.2.40236 > 172.217.13.131.443: UDP, length 1350
    00:32:39.914130 IP 192.168.43.2.30101 > 192.168.40.4.53: UDP, length 33
    00:32:39.952079 IP 192.168.40.4.53 > 192.168.43.2.30101: UDP, length 49
    00:32:40.142092 IP 192.168.43.2.55299 > 192.168.40.4.53: UDP, length 32
    00:32:40.142138 IP 192.168.43.2.5063 > 192.168.40.4.53: UDP, length 39
    00:32:40.144286 IP 192.168.43.2.54270 > 192.168.40.4.53: UDP, length 38
    00:32:40.144552 IP 192.168.43.2.1647 > 192.168.40.4.53: UDP, length 45
    00:32:40.145112 IP 192.168.40.4.53 > 192.168.43.2.1647: UDP, length 61
    00:32:40.156936 IP 192.168.43.2.60590 > 172.217.13.142.443: UDP, length 1350
    00:32:40.156988 IP 192.168.43.2.60182 > 172.217.13.142.443: tcp 0
    00:32:40.157013 IP 192.168.43.2.31543 > 192.168.40.4.53: UDP, length 40
    00:32:40.165080 IP 192.168.40.4.53 > 192.168.43.2.5063: UDP, length 103
    00:32:40.178922 IP 192.168.43.2.21722 > 192.168.40.4.53: UDP, length 35
    00:32:40.179791 IP 192.168.40.4.53 > 192.168.43.2.21722: UDP, length 51
    00:32:40.183803 IP 192.168.43.2.45726 > 172.16.1.1.443: tcp 0
    00:32:40.198438 IP 192.168.43.2.2401 > 192.168.40.4.53: UDP, length 36
    00:32:40.212076 IP 192.168.40.4.53 > 192.168.43.2.31543: UDP, length 139
    00:32:40.221308 IP 192.168.43.2.45728 > 172.16.1.1.443: tcp 0
    00:32:40.223297 IP 192.168.43.2.49760 > 52.204.139.6.443: tcp 0
    00:32:40.250374 IP 192.168.43.2.44220 > 23.38.214.238.443: tcp 0
    00:32:40.262503 IP 192.168.43.2.40236 > 172.217.13.131.443: UDP, length 1350
    00:32:40.301141 IP 192.168.43.2.60590 > 172.217.13.142.443: UDP, length 1350
    00:32:40.334125 IP 192.168.43.2.47762 > 172.217.13.173.443: UDP, length 1350
    00:32:40.338010 IP 192.168.40.4.53 > 192.168.43.2.2401: UDP, length 73
    00:32:40.348026 IP 192.168.40.4.53 > 192.168.43.2.54270: UDP, length 86
    00:32:40.372123 IP 192.168.43.2.59850 > 172.217.13.166.443: UDP, length 1350
    00:32:40.372171 IP 192.168.43.2.43614 > 172.217.13.166.443: tcp 0
    00:32:40.381106 IP 192.168.43.2.56098 > 69.171.250.25.443: tcp 0
    00:32:40.404616 IP 192.168.43.2.60196 > 172.217.13.142.443: tcp 0
    00:32:40.407604 IP 192.168.43.2.45712 > 172.16.1.1.443: tcp 0
    00:32:40.411368 IP 192.168.43.2.44228 > 23.38.214.238.443: tcp 0
    00:32:40.422809 IP 192.168.43.2.54192 > 172.217.13.173.443: tcp 0
    00:32:40.434559 IP 192.168.43.2.11017 > 192.168.40.4.53: UDP, length 37
    00:32:40.435122 IP 192.168.43.2.45742 > 172.16.1.1.443: tcp 0
    00:32:40.441913 IP 192.168.43.2.59850 > 172.217.13.166.443: UDP, length 1350
    00:32:40.491041 IP 192.168.40.4.53 > 192.168.43.2.11017: UDP, length 173
    00:32:40.525823 IP 192.168.43.2.57612 > 35.174.149.52.443: tcp 0
    00:32:40.564655 IP 192.168.43.2.43404 > 192.168.40.4.53: UDP, length 40
    00:32:40.576487 IP 192.168.43.2.59850 > 172.217.13.166.443: UDP, length 1350
    00:32:40.583033 IP 192.168.40.4.53 > 192.168.43.2.43404: UDP, length 132
    00:32:40.602218 IP 192.168.43.2.60590 > 172.217.13.142.443: UDP, length 1350
    00:32:40.605290 IP 192.168.43.2.59697 > 192.168.40.4.53: UDP, length 33
    00:32:40.607493 IP 192.168.43.2.45716 > 172.16.1.1.443: tcp 0
    00:32:40.621301 IP 192.168.43.2.40778 > 45.33.3.7.443: tcp 0
    00:32:40.631047 IP 192.168.43.2.43628 > 172.217.13.166.443: tcp 0
    00:32:40.631094 IP 192.168.43.2.45718 > 172.16.1.1.443: tcp 0
    00:32:40.657380 IP 192.168.40.4.53 > 192.168.43.2.59697: UDP, length 113
    00:32:40.667389 IP 192.168.43.2.54198 > 172.217.13.173.443: tcp 0
    00:32:40.682317 IP 192.168.43.2.57618 > 35.174.149.52.443: tcp 0
    00:32:40.686557 IP 192.168.43.2.10717 > 192.168.40.4.53: UDP, length 34
    00:32:40.693562 IP 192.168.43.2.59072 > 104.16.114.39.443: tcp 0
    00:32:40.737336 IP 192.168.40.4.53 > 192.168.43.2.10717: UDP, length 79
    00:32:40.923604 IP 192.168.43.2.40786 > 45.33.3.7.443: tcp 0
    00:32:40.923646 IP 192.168.43.2.45722 > 172.16.1.1.443: tcp 0



  • @viragomann I tired connecting from inside the netowork and outside the network, doesn't work.

    Dec 6 14:28:36 openvpn 51068 MULTI_sva: pool returned IPv4=192.168.44.2, IPv6=(Not enabled)
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 [setup] Peer Connection Initiated with [AF_INET]38.---.--.49:54709
    Dec 6 14:28:36 openvpn user 'setup' authenticated
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_TCPNL=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_COMP_STUBv2=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_COMP_STUB=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_LZO=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_LZ4v2=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_LZ4=1
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_NCP=2
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_PROTO=2
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_PLAT=win
    Dec 6 14:28:36 openvpn 51068 38.---.--.49:54709 peer info: IV_VER=2.4.7
    Dec 6 14:27:12 openvpn 51068 setup/192.168.40.11:53775 MULTI_sva: pool returned IPv4=192.168.44.2, IPv6=(Not enabled)
    Dec 6 14:27:11 openvpn user 'setup' authenticated
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 [setup] Peer Connection Initiated with [AF_INET]192.168.40.11:53775
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_TCPNL=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_COMP_STUBv2=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_COMP_STUB=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_LZO=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_LZ4v2=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_LZ4=1
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_NCP=2
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_PROTO=2
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_PLAT=win
    Dec 6 14:27:11 openvpn 51068 192.168.40.11:53775 peer info: IV_VER=2.4.7



  • @manjotsc said in OpenVPN Server Gateway Redirect:

    @viragomann FROM UDPVPNERVER

    And what does it look like on WAN?

    Which destination are you trying to access?



  • @viragomann I don't know what was causing it, but I noticed that each time I would associate an interface with vpn server. It would cause that problem where vpn connects but no Internet, so all I had to is restart the OpenVPN server and create a rule under the interface, once the interface was created, and it been working for couple days.

    Annotation 2019-12-10 093446.png Annotation 2019-12-10 093415.png


Log in to reply