Why does starting an OpenVPN service break my AP?



  • Absolutely strange one. I set up a VPN server on my pfSense box for RA, and as soon as I set it live I started getting weird behaviour from my Ubiquiti AP. It pretty much lost its internet connection (although it intermittently will break out). I can ping it from the router and from the desktop fine. I could just about get into the AP's CLI, and it could ping the router and 8.8.8.8, but got "name not found" when pinging google.com.

    I didn't think to tie it to OpenVPN at first, so I spent a few hours tearing the network apart trying to work it out, and it's only after doing a config restore on pfSense and things worked again that I realised it's the OpenVPN server causing the issue.

    Any ideas why? It's like it's causing a conflict with the AP, stopping it communicating with the rest of the network. It's intermittent, but mostly not working more than working, and it gets progressively worse to the point that I couldn't access it via the console.

    The OpenVPN server has been set up using the wizard, with the tunnel set to 10.0.8.0/24 and LAN to 192.168.0.1/24. As I had to open a port on my outgoing VPN, and it's limited to above 2048, I used 3389 to test.



  • @SteelCityColt It's going to be difficult to understand your issue without screenshots and logs.



  • @NollipfSense apologies, novice here, what should I post up?



  • @SteelCityColt No problem... I would start with Status > System Logs > System > General when you enable OpenVPN, and also the OpenVPN log.



  • Attachments: No VPN.txt, With VPN.txt

    I ran a packet trace on the LAN with and without the VPN, as per the attached. I pinged the AP from the router, pinged the router from the AP, and then pinged and did an nslookup of google, as well as a speed test from a wi-fi device. With the VPN on, I can only ping the AP from the router.

    Nothing seems amiss in the OpenVPN log. In the system log I can see these when I start the VPN:

    Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
    Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
    Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
    Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1

    .21 is an unRaid server (which is also playing silly buggers right now on the networking side: it will only work on auto DHCP; set the same network settings statically and it can't break out either), and .136 is another NIC on the same server. The MACs are physical NICs on that machine.


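The four kernel lines above are FreeBSD's ARP-cache change notices, and the useful question is not "did a MAC change" but "does one IP keep bouncing between several MACs". The script below is an added example (not from the thread, not pfSense code): it parses the `arp: ... moved from ... to ... on ...` lines, counts moves per IP, notes when an address returns to a MAC it already left, and groups the MACs by OUI so you can see whether the flapping is between NICs of the same box. The sample log is constructed from the lines quoted above plus one unrelated kernel line to show that non-ARP messages are ignored; the syslog timestamp carries no year, so 1900 is assumed when ordering events.

```python
"""Flag LAN hosts whose IP keeps moving between MAC addresses.

Added example, not code from the original thread or from pfSense. It parses
FreeBSD kernel "arp: <ip> moved from <mac> to <mac> on <iface>" lines and
reports which IPs flap between several MACs, the pattern seen when a second
NIC, a bridge or a bond on one host starts answering ARP for the same address.
"""
import re
from collections import defaultdict
from datetime import datetime

ARP_MOVED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+kernel\s+arp:\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+moved\s+from\s+"
    r"(?P<old>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+to\s+"
    r"(?P<new>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+on\s+(?P<iface>\S+)\s*$"
)

# Constructed sample: the four lines posted in the thread plus one unrelated
# kernel message, to show that non-ARP lines are skipped.
SAMPLE_LOG = """\
Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
Feb 23 15:22:40 kernel igb1: link state changed to UP
Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1
"""


def parse_arp_moves(text):
    """Return one dict per 'arp: ... moved' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED_RE.match(line.strip())
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; strptime fills in 1900 (assumption)
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ip": m["ip"],
            "old": m["old"].lower(),
            "new": m["new"].lower(),
            "iface": m["iface"],
        })
    return events


def summarize(events):
    """Per IP: number of moves, every MAC seen, interfaces, and whether the
    address ever went back to a MAC it had already left (a true flap, not a
    one-off migration such as a NIC swap)."""
    per_ip = defaultdict(lambda: {"moves": 0, "macs": set(), "ifaces": set(), "returned": False})
    history = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = per_ip[ev["ip"]]
        rec["moves"] += 1
        rec["macs"].update((ev["old"], ev["new"]))
        rec["ifaces"].add(ev["iface"])
        if ev["new"] in history[ev["ip"]]:
            rec["returned"] = True
        history[ev["ip"]].extend((ev["old"], ev["new"]))
    return {
        ip: {
            "moves": r["moves"],
            "macs": sorted(r["macs"]),
            "ifaces": sorted(r["ifaces"]),
            "returned_to_earlier_mac": r["returned"],
        }
        for ip, r in per_ip.items()
    }


def flapping_hosts(summary, min_moves=2):
    """IPs that moved at least min_moves times or returned to an earlier MAC."""
    return sorted(ip for ip, r in summary.items()
                  if r["moves"] >= min_moves or r["returned_to_earlier_mac"])


def ouis(macs):
    """Distinct 24-bit vendor prefixes among the given MACs."""
    return {m.lower()[:8] for m in macs}


def same_oui(mac_a, mac_b):
    return mac_a.lower()[:8] == mac_b.lower()[:8]


if __name__ == "__main__":
    summary = summarize(parse_arp_moves(SAMPLE_LOG))
    for ip in flapping_hosts(summary):
        r = summary[ip]
        print(f"{ip}: {r['moves']} moves across {len(r['macs'])} MACs "
              f"({len(ouis(r['macs']))} OUIs) on {','.join(r['ifaces'])}; "
              f"returned to earlier MAC: {r['returned_to_earlier_mac']}")
```

On the posted lines this flags only 192.168.0.21, which held four different MACs from two vendor prefixes in forty minutes and went back to a MAC it had already left, whereas 192.168.0.136 moved once. That matches the poster's description of a multi-NIC server, and it is the kind of host-side check worth running alongside the OpenVPN logs before concluding the VPN service itself is the cause.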

  • @SteelCityColt Somehow it seems that your routing is messed up... the MAC address should not be changing like that... let's hope someone will chime in with more insight. For the VPN, any reason why you didn't use the default port 1194 UDP, especially since you used the wizard?



  • @NollipfSense as per the original post, the VPN provider I use for my WAN interface will only open ports above 2048.



  • @NollipfSense said in Why does starting an OpenVPN service break my AP?:

    Somehow it seems that your routing is messed up... the MAC address should not be changing like that... let's hope someone will chime in with more insight.

    If those devices are on the same LAN as where he's testing from, it has nothing to do with routing. Also, you never see the original MAC on a routed packet. You only see the MAC of the nearest interface.



  • So, trying to think this through logically, there are only 3 variables I set when using the wizard:

    1. The port used (currently 3389)
    2. The tunnel network (10.0.8.0/24)
    3. The LAN network (192.168.0.0/24)

    I might play around with changing these in case it's causing a conflict with the Ubiquiti AP.

    From the tcpdumps, the line that sticks out to me is "Null Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 46", but I have no idea what it means.



  • @JKnott said in Why does starting an OpenVPN service break my AP?:

    those devices are on the same LAN

    Just realised... must have been seeing double yesterday... thanks!



  • @SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?



  • @NollipfSense said in Why does starting an OpenVPN service break my AP?:

    @SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?

    Raised same question on their forums too.



  • Sorry to bump, but I have made some progress.

    Although it's still only the wireless AP that seems to be affected, which I can't quite get my head around, it may well be a routing issue.

    I found that if I turn off my OpenVPN client on the pfSense box, then the OpenVPN server doesn't break net access for the wireless AP. Reading up on people having similar issues trying to run a client and server at the same time, it seems the key is to check "Don't pull routes". The issue then is how do I set up the routing manually to push everything on the LAN out via the VPN client? I'm guessing a combination of firewall and NAT?

