[OpenVPN] Traffic not flowing when tunneling specific subnets only
-
Hello everyone,
I'm having a hard time debugging this one.
I have set up an OpenVPN server on my pfSense instance. The authentication works and the VPN tunnel is correctly created (no errors in the OpenVPN server logs at verbosity level 6).
I would like to tunnel only specific LAN subnets. However, the traffic correctly flows inside the tunnel only when "Redirect IPv4 Gateway" is checked. If I specify subnets in the "IPv4 Local network(s)" option, no traffic passes through the tunnel. Same behavior if I specify the whole private range ("192.168.0.0/16").
When I say no traffic passes through the tunnel, I mean that really no packets arrive on the OpenVPN interface on the server. No, it's not a firewall issue, because everything on every interface is wide open and no dropped packets are logged in the "System logs > Firewall" tab.
OK, now comes the really weird part. Two scenarios:
Scenario A:
- I enable "Redirect IPv4 Gateway" in the WebGUI. When I try to ping an IP address inside the LAN from the client, it works.
Scenario B:
- I disable "Redirect IPv4 Gateway" in the WebGUI and manually add the following options in the "Custom options" box:
push "route 0.0.0.0 128.0.0.0 192.168.40.1";push "route 128.0.0.0 128.0.0.0 192.168.40.1"
thus creating the exact same routes on the client. When I try to ping the same IP address inside the LAN, no echo reply. A packet capture on the destination IP address shows no ICMP packets arriving.
On the client (Windows 10), the behavior is exactly the same in both scenarios:
The ICMP packets leave the right interface, and the destination MAC address on the Ethernet layer is exactly the same in both cases (the virtual IP of the OpenVPN server), but in Scenario B there is no echo reply.
I have manually checked the OpenVPN server conf file on pfSense, and between the two scenarios the only diff is the following, which appears correct:
34a35
> push "redirect-gateway def1"
44,45d44
< push "route 0.0.0.0 128.0.0.0 192.168.40.1"
< push "route 128.0.0.0 128.0.0.0 192.168.40.1"
On the OpenVPN client, the configuration is exactly the same in both scenarios.
I have also tested with the latest OpenVPN client (2.5-rc3 instead of 2.4.9) and on a Windows 8.1 client, with no more success. This is a tough one. Any ideas?
Thanks a lot for your help.
Kind regards,
Captain
-
The server's IP is not to be stated in the route command.
What does the clients routing table show?
-
Work through https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn.html
-Rico
-
Thanks for your answers.
@viragomann said in [OpenVPN] Traffic not flowing when tunneling specific subnets only:
The server's IP is not to be stated in the route command.
What does the clients routing table show?
The routing table is exactly the same in both scenarios.
@Rico said in [OpenVPN] Traffic not flowing when tunneling specific subnets only:
Work through https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn.html
-Rico
Already done before posting here. It didn't help me find the culprit.
-
@CaptainPistache
With that info there is sadly no way to help.
-
OMG I've found it.
For testing purposes, the "WAN" interface that the OpenVPN client connects to was in a LAN subnet. And this very specific LAN subnet was also included in the subnets I was trying to tunnel...
That issue was driving me crazy and the solution was right in front of me.
Thanks anyway for your quick replies!
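As an added example (not code from the thread, from pfSense or from OpenVPN), here is a small Python check for the route loop the thread ends on: given the server config's `push "route ..."` lines and the address the client dials, it flags any pushed network that contains the VPN server endpoint, because the client's encrypted packets to that endpoint would then be routed back into the tunnel. It also shows the def1-style carve-out (OpenVPN's redirect-gateway splits the default route and installs a host route to the server via the original gateway; a plain pushed route gets no such exception) and emits the `net_gateway` host-route exception that can be pushed as a workaround. The config fragments and addresses (server endpoint 192.168.1.10 inside a pushed 192.168.1.0/24, tunnel 192.168.40.0/24) are constructed for the demo.

```python
"""Detect pushed OpenVPN routes that swallow the path to the VPN server.

Added example, not code from the thread, pfSense or OpenVPN. The config
fragments and addresses below are constructed: the server endpoint
192.168.1.10 is assumed to sit inside a LAN subnet that is also pushed to
clients, which is the route loop found at the end of the thread.
"""
import ipaddress
import re
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# 'push "route <network> <netmask> [gateway]"' lines of a server config.
# The gateway is optional and irrelevant for the overlap check.
PUSH_ROUTE = re.compile(r'push\s+"route\s+(\S+)\s+(\S+)(?:\s+\S+)?"')

# Constructed: specific LAN subnets pushed, one of which holds the endpoint.
CONF_SPECIFIC = '''
server 192.168.40.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 192.168.40.1"
push "route 192.168.2.0 255.255.255.0 192.168.40.1"
'''

# Constructed: the two /1 routes from scenario B, pushed by hand.
CONF_HALVES = '''
server 192.168.40.0 255.255.255.0
push "route 0.0.0.0 128.0.0.0 192.168.40.1"
push "route 128.0.0.0 128.0.0.0 192.168.40.1"
'''


def parse_pushed_routes(server_conf: str) -> List[IPv4Net]:
    """Return every IPv4 network the server config pushes to clients."""
    return [
        ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        for net, mask in PUSH_ROUTE.findall(server_conf)
    ]


def routes_covering(routes: List[IPv4Net], endpoint: str) -> List[IPv4Net]:
    """Pushed networks that contain the address the client dials."""
    ip = ipaddress.IPv4Address(endpoint)
    return [net for net in routes if ip in net]


def carve_out_endpoint(net: IPv4Net, endpoint: str) -> List[IPv4Net]:
    """Subnets of `net` that remain once the endpoint /32 is removed: the
    same idea as redirect-gateway's def1 split plus its host-route
    exception for the server, applied to one pushed network."""
    host = ipaddress.IPv4Network(f"{endpoint}/32")
    return sorted(net.address_exclude(host))


def exception_route(endpoint: str) -> str:
    """Route directive that keeps the endpoint on the pre-existing default
    gateway; net_gateway is OpenVPN's keyword for that gateway."""
    return f'push "route {endpoint} 255.255.255.255 net_gateway"'


def check_server_conf(server_conf: str, endpoint: str) -> Dict[str, object]:
    """Report whether the pushed routes loop the endpoint into the tunnel."""
    offending = routes_covering(parse_pushed_routes(server_conf), endpoint)
    return {
        "loop": bool(offending),
        "offending": [str(n) for n in offending],
        "fix": exception_route(endpoint) if offending else None,
    }


if __name__ == "__main__":
    for name, conf in (("specific", CONF_SPECIFIC), ("halves", CONF_HALVES)):
        print(name, check_server_conf(conf, "192.168.1.10"))
    lan = parse_pushed_routes(CONF_SPECIFIC)[0]
    print([str(n) for n in carve_out_endpoint(lan, "192.168.1.10")])
```

Run it against the actual server config (on pfSense, the generated file under /var/etc/openvpn/) with the address the clients really dial; if the check reports a loop, the clean fix is to stop pushing the subnet that contains the endpoint (or to move the client onto a real WAN), and the `net_gateway` host route is the workaround when that subnet must stay in the tunnel.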