Site-to-Site VPN - Client-side weird routing decision
-
I have an OpenVPN Site-to-Site that is up and running, and firewall rules are minimal (allow any access out on the LAN, and allow any on the OpenVPN tunnel). Both sites (server and client) can access each other without issues.
My problem is on the client side of the vpn, either on the pfsense firewall itself or the workstations behind.
For a reason I can't understand, if I traceroute or ping (or mtr) an IP address like the one from netgate.com (208.123.73.73), or amd.com (54.224.70.54), the traffic takes the default gateway of the client-side firewall and reaches its destination.
But as soon as I use an IP like 8.8.8.8 or 1.1.1.1 (or their respective FQDNs google.dns or one.one.one.one), the traffic goes into the tunnel instead of taking the default route and of course doesn't reach its destination.
I have no static routes defined on the client-side OpenVPN pfsense firewall.
Why is this behavior happening for those IPs only?
On the server side of the OpenVPN, that issue is nonexistent.
Thanks for any information that could shed light on this.
Thx!
-
We finally found the problem!
It was a previously misconfigured remote network subnet mask (/4 instead of /24 - probably a typo because this was done rapidly during a night) on the pfSense client that remained in the routing table. Somebody corrected the client's configuration afterward but probably forgot to restart the tunnel to update the routes.
And it explains very well why some destinations were treated differently than others.
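To make the explanation above concrete, here is an added example (not from the original thread) that reproduces the routing decision with a longest-prefix-match lookup: a stale /4 entry, which normalises to 0.0.0.0/4 and so covers 0.0.0.0 through 15.255.255.255, captures 8.8.8.8 and 1.1.1.1 while 208.123.73.73 and 54.224.70.54 still fall through to the default gateway. The remote network (10.0.0.0), LAN prefix and next-hop names are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed routing table mirroring the situation in the thread.
# The remote-network prefix 10.0.0.0 and the LAN prefix are assumed values;
# the stale entry is the /4 typo that should have been /24.
STALE_ROUTES = [
    ("0.0.0.0/0", "default_gw"),    # default gateway of the client-side firewall
    ("192.168.10.0/24", "lan"),     # local LAN (assumed)
    ("10.0.0.0/4", "ovpn_tunnel"),  # stale remote-network route: /4 instead of /24
]

# Same table after the fix is applied and the tunnel restarted.
CORRECTED_ROUTES = [
    ("0.0.0.0/0", "default_gw"),
    ("192.168.10.0/24", "lan"),
    ("10.0.0.0/24", "ovpn_tunnel"),
]

# Destinations quoted in the question (public IPs of netgate.com, amd.com,
# Google DNS and Cloudflare DNS, as given by the poster).
DESTINATIONS = ["208.123.73.73", "54.224.70.54", "8.8.8.8", "1.1.1.1"]


def lookup(dst, routes):
    """Longest-prefix match: return (matching prefix, next hop) for dst.

    strict=False mirrors a kernel normalising 10.0.0.0/4 to 0.0.0.0/4, i.e.
    host bits beyond the mask are ignored, which is what makes the typo so broad.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def misrouted(routes, destinations=DESTINATIONS):
    """Return the public destinations that a table would send into the tunnel."""
    return [d for d in destinations if lookup(d, routes)[1] == "ovpn_tunnel"]


if __name__ == "__main__":
    for dst in DESTINATIONS:
        print(dst, "->", lookup(dst, STALE_ROUTES), "| fixed:", lookup(dst, CORRECTED_ROUTES))
```

Comparing `misrouted(STALE_ROUTES)` with `misrouted(CORRECTED_ROUTES)` is the quick check to run against a dumped routing table (`netstat -rn` on pfSense) when only some public destinations disappear into a tunnel.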