• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

OpenVPN not routing all traffic despite Redirect Gateway checked

Scheduled Pinned Locked Moved OpenVPN
19 Posts 2 Posters 1.4k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • W
    wmcneil
    last edited by Jul 27, 2020, 10:43 PM

    I have an OpenVPN server configured on my SG-1100. I am able to connect and authenticate with my Android phone as a client, and access local IP on the LAN. The phone is not able to access the internet, despite having checked the box for "Force all client-generated IPv4 traffic through the tunnel." under Redirect IPv4 Gateway in the Tunnel settings. The Firewall rules for LAN and OpenVPN are attached, and look correct to me, but I am a new user and still learning. Help is much appreciated.temp1.jpg temp2.jpg

    1 Reply Last reply Reply Quote 0
    • N
      netblues
      last edited by Jul 28, 2020, 4:58 AM

      This is expected.
      Pushing all your traffic through vpn won't get you internet!
      For this to happen, pf needs to also nat your vpn ip ip to the Internet.
      Check your outbound nat rules.

      W 1 Reply Last reply Jul 28, 2020, 3:15 PM Reply Quote 0
      • W
        wmcneil @netblues
        last edited by Jul 28, 2020, 3:15 PM

        @netblues thanks for your response

        I checked the outbound NAT (shown below), and it does have the OpenVPN tunnel subnet (10.55.201.0/24) in the automatically generated rule:
        temp1.jpg

        N 1 Reply Last reply Jul 28, 2020, 3:23 PM Reply Quote 0
        • N
          netblues @wmcneil
          last edited by Jul 28, 2020, 3:23 PM

          @wmcneil Can you possibly ping some internet ip from vpn?
          e.g 1.1.1.1 or 8.8.8.8
          If nat is ok, and internal resources are reachable, then it could be dns
          Check advanced client settings on openvpn server config page.

          W 1 Reply Last reply Jul 28, 2020, 3:37 PM Reply Quote 0
          • W
            wmcneil @netblues
            last edited by Jul 28, 2020, 3:37 PM

            @netblues Running ping on the VPN Client, I am able to reach 8.8.8.8, as well as a DNS server (209.18.47.62) that has been assigned by DHCP on the WAN. When I try and ping www.intel.com, I am getting Unknown Host

            N 1 Reply Last reply Jul 28, 2020, 3:40 PM Reply Quote 0
            • N
              netblues @wmcneil
              last edited by Jul 28, 2020, 3:40 PM

              @wmcneil Post client dns settings from openvpn server.
              Seems like your vpn clients don't have a dns.
              Are you using dns resolver (unbound) on pf?

              W 1 Reply Last reply Jul 28, 2020, 3:53 PM Reply Quote 0
              • W
                wmcneil @netblues
                last edited by Jul 28, 2020, 3:53 PM

                @netblues VPN DNS and DNS Resolver(it is enabled) Settings below.
                temp1.jpg temp2.jpg

                N 1 Reply Last reply Jul 28, 2020, 4:00 PM Reply Quote 0
                • N
                  netblues @wmcneil
                  last edited by Jul 28, 2020, 4:00 PM

                  @wmcneil So what is on 10.55.83.10? Can you ping it?
                  Can you use it via nslookup?

                  W 1 Reply Last reply Jul 28, 2020, 4:06 PM Reply Quote 0
                  • W
                    wmcneil @netblues
                    last edited by Jul 28, 2020, 4:06 PM

                    @netblues 10.55.83.10 is the LAN address of my pfSense box (SG-1100). Should I be using something else here?

                    I can successfully ping that IP from my vpn client. I don't have a nslookup on my vpn client (it is my android phone), but I do have traceroute, and that failed to receive any response.

                    W 1 Reply Last reply Jul 28, 2020, 4:16 PM Reply Quote 0
                    • W
                      wmcneil @wmcneil
                      last edited by Jul 28, 2020, 4:16 PM

                      @netblues I removed 10.55.83.10, and passed no DNS servers to the VPN. Things are now working....Looks like DNS resolver is working for the VPN clients by default, so no list has to be passed.....thank you very much for your help.

                      N 1 Reply Last reply Jul 28, 2020, 4:58 PM Reply Quote 0
                      • N
                        netblues @wmcneil
                        last edited by Jul 28, 2020, 4:58 PM

                        @wmcneil actually vpn clients are using their internet provider dns. You might have issues accesing internal resources by name.

                        W 1 Reply Last reply Jul 28, 2020, 6:06 PM Reply Quote 0
                        • W
                          wmcneil @netblues
                          last edited by Jul 28, 2020, 6:06 PM

                          @netblues I could provide the same list of DNS servers that the WAN is using to the VPN. The only drawback is that I am allowing the WAN DHCP DNS servers to override (be placed before) the primary and secondary servers specified in System / General Setup. So I can specify the current numeric IP of those servers for the VPN, but if they change they will not be automatically updated.

                          N 1 Reply Last reply Jul 28, 2020, 7:03 PM Reply Quote 0
                          • N
                            netblues @wmcneil
                            last edited by Jul 28, 2020, 7:03 PM

                            @wmcneil The correct way is to have openvpn clients use pf sense resolver, for long term stability.
                            Perhaps specifying the openvpn server ip as dns would work for you.

                            W 1 Reply Last reply Jul 28, 2020, 7:47 PM Reply Quote 0
                            • W
                              wmcneil @netblues
                              last edited by Jul 28, 2020, 7:47 PM

                              @netblues How do I configure pfsense so that the openvpn clients use pfsense resolver?

                              N 1 Reply Last reply Jul 28, 2020, 7:56 PM Reply Quote 0
                              • N
                                netblues @wmcneil
                                last edited by Jul 28, 2020, 7:56 PM

                                @wmcneil First assign an interface to openvpn.
                                Then restart openvpn.
                                dnsresolver should be listening to this new interface too.
                                So specifying a dns of 10.55.201.1 should work.

                                W 1 Reply Last reply Jul 28, 2020, 9:04 PM Reply Quote 0
                                • W
                                  wmcneil @netblues
                                  last edited by Jul 28, 2020, 9:04 PM

                                  @netblues I created a new interface named OPT2, and assigned it to my OpenVPN server. (settings and status below). I have not assigned any DNS to the OpenVPN yet, because I'm not following why you think 10.55.201.1 will work, as that is an available IP for assignment to a tunnel client?
                                  temp1.jpg temp2.jpg

                                  N 1 Reply Last reply Jul 29, 2020, 3:57 AM Reply Quote 0
                                  • N
                                    netblues @wmcneil
                                    last edited by Jul 29, 2020, 3:57 AM

                                    @wmcneil In openvpn the first ip of openvpn tunnel network is always assigned to the server, ie pfsense

                                    W 1 Reply Last reply Jul 29, 2020, 12:08 PM Reply Quote 0
                                    • W
                                      wmcneil @netblues
                                      last edited by Jul 29, 2020, 12:08 PM

                                      @netblues Yes, I see now that a client is connected to the VPN the interface assigned to it (OPT2) has been assigned the first tunnel address (10.55.201.1). That said, it does not work to use 10.55.201.1 as the VPN DNS server. If I use the SG-1100 LAN IP (10.55.83.10) as the VPN DNS server, things are working.

                                      N 1 Reply Last reply Jul 29, 2020, 12:10 PM Reply Quote 0
                                      • N
                                        netblues @wmcneil
                                        last edited by Jul 29, 2020, 12:10 PM

                                        @wmcneil Ok then, the important thing is to have a pf working dns.
                                        Just remember not to block access to dns with rules.

                                        1 Reply Last reply Reply Quote 0
                                        19 out of 19
                                        • First post
                                          19/19
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                          This community forum collects and processes your personal information.
                                          consent.not_received