OpenVPN only for certain network?
-
@viragomann
Thanks! That sounds good. But: I just tried and checking "Don't pull routes" (in the OpenVPN settings) doesn't seem to make a difference: Once I start the VPN service, the 0.0.0.0 route shows up again in the routing table.
Do I need to do anything else to make this work?
-
@sensewolf
No, when "Don't pull routes" is checked in the OpenVPN client settings, OpenVPN should not add routes. If it does anyway, there might be something wrong.
-
Thanks for confirming.
But whether "Don't pull routes" is checked or not, once I start the service, a 0.0.0.0 route is added to my routing table.
So what could be wrong for this to happen?
I had hoped that maybe rebooting would help. But it doesn't.
I am on pfSense 2.5 - could this be the problem? I see other posts about issues with OpenVPN under 2.5 (not this particular issue, but issues with OpenVPN). Can anyone confirm whether "Don't pull routes" actually works on 2.5?
-
Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.
I did follow these steps for the setup, so yours could be different.
https://everythingsmarthome.co.uk/howto/setup-a-pia-vpn-with-pfsense-2-4-5/
I'm on pfSense 2.5.0 as well.
My setup is to have a single OPT port / interface tunneled through the VPN, then I wanted all the other interfaces non-VPN. I had the same problem before where once OpenVPN started up, all the interfaces EXCEPT the VPN interface would have Internet access terminated. Stopping the VPN client would magically restore access instantly to all interfaces. Works now so thanks for the advice.
-
@sensewolf
I'm not experienced in 2.5, but I never read about such routing issues.
However, some people got it to work on 2.5 after they tore it down and rebuilt it again.
So what could be wrong for this to happen?
Can you provide more details? OpenVPN client config, OpenVPN log of connection establishing, routing table.
-
@viragomann said in OpenVPN only for certain network?:
@sensewolf
If you want to pass traffic only from certain interfaces over the VPN, you should prohibit adding routes by OpenVPN. To do so, check "Don't pull routes" in the client settings. Then add a policy routing rule to the desired interface.
But consider that a policy routing rule directs the whole matching traffic to the stated gateway. So with such a rule you are able to access neither other internal subnets nor pfSense itself (possibly for DNS resolution). That might be the reason for your trouble with the floating rule you've added. So if you need connections from this interface to other internal network segments or pfSense as well, you have to add an additional rule for that with the default gateway option, matching only the needed internal network destinations, and put this rule at the top of the rule set.
Getting closer:
I found the culprit. The VPN config of my VPN provider contained "redirect-gateway" which, I understand, does exactly what I described above.
Once I removed this line from the config, the 0.0.0.0 route stopped appearing in my routing table. So that's that.
Now I am working on the rest of your advice: I have added a firewall rule for the interface whose traffic I want to go through the VPN, but for some reason that doesn't work yet. Keep trying...
-
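The rule ordering viragomann describes (a catch-all policy-routing rule to the VPN gateway, with a rule for internal destinations via the default gateway placed above it) can be checked with a small first-match simulation. This is an added example, not pfSense code and not something posted in the thread; the subnets, the interface roles and the gateway name VPN_GW are assumptions, and the model only follows the reasoning in the quoted post (first matching pass rule decides the gateway).

```python
"""First-match simulation of pfSense interface rules with policy routing.

Constructed example: a minimal model of pfSense's top-down, first-match
rule evaluation, where a rule with a gateway set policy-routes the traffic.
Not pfSense code; subnets, interface roles and the gateway name are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    description: str
    destinations: Tuple[IPv4Network, ...]   # empty tuple means "any"
    gateway: str                            # "default" = normal routing table

    def matches(self, dst: ipaddress.IPv4Address) -> bool:
        return not self.destinations or any(dst in net for net in self.destinations)


def first_match(rules, dst_ip: str) -> Optional[Rule]:
    """pfSense semantics: the first matching pass rule decides the gateway."""
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if rule.matches(dst):
            return rule
    return None  # no pass rule matched: the implicit default deny applies


def gateway_for(rules, dst_ip: str) -> str:
    rule = first_match(rules, dst_ip)
    return rule.gateway if rule else "blocked"


# Assumed topology: OPT1 is the segment that should use the VPN, LAN is a
# normal segment, VPN_GW is the gateway pfSense created for the OpenVPN client.
LAN_NET = IPv4Network("192.168.1.0/24")
OPT1_NET = IPv4Network("192.168.2.0/24")
PFSENSE_ON_OPT1 = "192.168.2.1"
INTERNAL = (LAN_NET, OPT1_NET)

# Only the policy-routing rule: everything, internal traffic included, goes to the VPN.
POLICY_ONLY = [
    Rule("OPT1 net -> any, gateway VPN_GW", (), "VPN_GW"),
]

# The advised order: internal destinations via the default gateway, placed on top.
INTERNAL_FIRST = [
    Rule("OPT1 net -> internal nets, default gateway", INTERNAL, "default"),
    Rule("OPT1 net -> any, gateway VPN_GW", (), "VPN_GW"),
]

# Same two rules with the catch-all on top: the internal rule is never reached.
WRONG_ORDER = list(reversed(INTERNAL_FIRST))

TEST_DESTINATIONS = ("8.8.8.8", "192.168.1.20", PFSENSE_ON_OPT1)


def gateways(rules, dsts=TEST_DESTINATIONS):
    """Map each destination to the gateway the rule set would choose."""
    return {d: gateway_for(rules, d) for d in dsts}


if __name__ == "__main__":
    for name, rules in (("policy rule only", POLICY_ONLY),
                        ("internal rule on top", INTERNAL_FIRST),
                        ("internal rule below catch-all", WRONG_ORDER)):
        print(f"{name:32s} {gateways(rules)}")
```

With only the policy rule, a host on OPT1 reaches 8.8.8.8 through the VPN but also sends its LAN and pfSense-directed traffic there, which is the symptom described in the thread; with the internal-destinations rule on top, only Internet destinations use VPN_GW. Putting the same internal rule below the catch-all is indistinguishable from not having it.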
@fearnight said in OpenVPN only for certain network?:
Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.
Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter intuitive than everything else that is happening on my pfSense in this context)?
-
@sensewolf
You didn't mention that you used a pre-built config from the provider before.
Yes, "redirect-gateway" does exactly the same, but it's the active setting that adds the default route on the client. So "Don't pull" is toothless.
-
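Why a provider-supplied config with `redirect-gateway` defeats "Don't pull routes": the pfSense checkbox emits `route-nopull`, which only discards options the server pushes (pushed routes and a pushed redirect-gateway included), while a `redirect-gateway` or `route 0.0.0.0 0.0.0.0` line in the client's own config is applied locally regardless. The checker below is an added example, not pfSense or OpenVPN code and not from the thread; it parses a client config and reports where a default route would come from. The sample config, its host name and the certificate placeholder are constructed.

```python
"""Where will an OpenVPN *client* config get its default route from?

Added example, not pfSense or OpenVPN code. It models two documented facts:
  * `route-nopull` (what pfSense's "Don't pull routes" emits) makes the client
    discard routes the server pushes, including a pushed redirect-gateway;
  * `redirect-gateway` or `route 0.0.0.0 0.0.0.0` written in the client's own
    config are applied locally and are NOT affected by route-nopull.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple


@dataclass
class RouteBehaviour:
    pulls_server_options: bool = False   # client / pull present
    ignores_pushed_routes: bool = False  # route-nopull present
    local_default_route: bool = False    # redirect-gateway or route 0.0.0.0 0.0.0.0
    offending_lines: List[int] = field(default_factory=list)

    def verdict(self) -> str:
        if self.local_default_route:
            return "LOCAL"    # installed by the client's own config; route-nopull is no help
        if self.pulls_server_options and not self.ignores_pushed_routes:
            return "PUSHED"   # only if the server pushes one; route-nopull would stop it
        return "NONE"         # OpenVPN itself will not install a default route


_BLOCK_START = re.compile(r"<([\w-]+)>$")


def directives(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line number, directive, args); skip comments, blank lines and
    the bodies of inline <ca>/<cert>/<key>/<tls-auth> blocks."""
    in_block = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = _BLOCK_START.match(line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def analyze(text: str) -> RouteBehaviour:
    result = RouteBehaviour()
    for lineno, name, args in directives(text):
        if name in ("client", "pull"):
            result.pulls_server_options = True
        elif name == "route-nopull":
            result.ignores_pushed_routes = True
        elif name == "redirect-gateway":
            result.local_default_route = True
            result.offending_lines.append(lineno)
        elif name == "route" and len(args) >= 2 and args[0] == "0.0.0.0" and args[1] == "0.0.0.0":
            result.local_default_route = True
            result.offending_lines.append(lineno)
    return result


def strip_local_default_route(text: str) -> str:
    """Return the config without the lines that install a default route locally."""
    bad = set(analyze(text).offending_lines)
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed provider-style config; host name and certificate are placeholders.
SAMPLE_PROVIDER_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
# emitted by pfSense "Don't pull routes": pushed routes are discarded ...
route-nopull
# ... but this line is local, so the default route still gets installed
redirect-gateway def1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    before = analyze(SAMPLE_PROVIDER_CONFIG)
    print("provider config:", before.verdict(), "offending lines:", before.offending_lines)
    after = analyze(strip_local_default_route(SAMPLE_PROVIDER_CONFIG))
    print("after removing them:", after.verdict())
```

Run it against the `.ovpn` a provider hands out (or the text pasted into the pfSense "Custom options" box) before enabling the client: a LOCAL verdict means the checkbox alone will not stop the default route, and the reported lines are the ones to drop.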
@viragomann said in OpenVPN only for certain network?:
@sensewolf
You didn't mention that you used a pre-built config from the provider before.
Yes, that's right. Because I have no clue how this stuff works or what I am doing.
Yes, "redirect-gateway" does exactly the same, but it's the active setting that adds the default route on the client. So "Don't pull" is toothless.
-
@sensewolf said in OpenVPN only for certain network?:
@fearnight said in OpenVPN only for certain network?:
Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.
Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter intuitive than everything else that is happening on my pfSense in this context)?
Right, I typed this wrong. Sorry. I went in and "checked" the box in the OpenVPN client config. It was unchecked by default.