Multi-Wan OpenVPN client routing
-
I have created a somewhat elaborate setup, but can't seem to figure out a few remaining aspects.
I have one WAN link to my ISP, a VPN provider which offers OpenVPN files and seemingly unlimited connections under one account. So I have multiple VPN clients, and gateway grouped them by end point country. I have set up Outbound NAT to each of my 5 VLANs in a Hybrid Outbound NAT setup. I have assigned rules which allow me to direct IPs, or specific services, to the various gateways, which is all working as expected.
The issues:
- The second an OpenVPN client connects, with the default * gateway rule, all connections appear to route out via that country and the only way to mitigate this is to change the default rule from * to my WAN gateway. This, however, has a weird effect: other VLANs, even though also set to use my WAN gateway, can no longer cross-talk. Example: a Wi-Fi device on VLAN 10 can no longer access my NAS on my LAN connection.
I have even attempted to set the default gateway under System > Routing > Gateways to the WAN interface, with no change.
- The second an OpenVPN client connects, I have two port forwards which also stop working.
Clients will only connect via the WAN IP which is provided by DDNS set up on the pfSense box.
How do I still have my forwards working when the OpenVPN client is connected?
Happy to clarify any questions as I haven't been able to find any guides specifically for this kind of setup.
-
@freak4915
Go into the client settings and check "Don't pull routes" to prevent the client from setting the default route, which might be pushed by the server.
-
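For readers running a plain OpenVPN client rather than the pfSense GUI, the directive behind that checkbox is shown here as an added example (not part of this thread, and not a pfSense-generated file); the server name, port and tunnel network are constructed placeholders:

```conf
# Added example: minimal OpenVPN client configuration that ignores
# server-pushed routes. "vpn.example.net" and port 1194 are placeholders.
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
# Equivalent of pfSense's "Don't pull routes": accept pushed options
# EXCEPT routes (including "redirect-gateway def1") and DHCP options such as
# DNS servers, so the existing WAN default route is never replaced.
route-nopull
# Narrower alternative: keep pushed DNS options but drop only the default
# route push. Use this instead of route-nopull if the pushed DNS is wanted.
# pull-filter ignore "redirect-gateway"
# Policy routing (firewall rules that send chosen hosts or services via the
# tunnel gateway) still works, since it does not depend on pushed routes.
```

Check the client log after connecting: with `route-nopull` in place, no `redirect-gateway` or `route` options from the server should be applied, and the system default route should remain the ISP gateway.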
Hey Viragomann, thanks for that. I did some more googling and came across someone who was doing something similar but for a different purpose, and they had that setting ticked, which wasn't in the original documentation provided by my VPN. It seems like there was a pull request, as ticking this stopped the hijacking of my WAN routes. So one problem fixed. I think I have fixed problem two. But now I have another issue. I don't use the default DNS servers provided by my ISP, but when I tell my computer's IP to route out over the VPN gateway, loading ipleak.net still shows my DNS is Cloudflare in my home location and not the location of the end point of that gateway.
The VPN provider only offers one IP for the VPN DNS server, so I can't assign it across all the gateways under System -> General setup -> dns server settings. Is there a particular reason you can't have the same DNS across different gateways?
-
@freak4915
To avoid DNS leaks when using the VPN you have to route the DNS traffic over the VPN. There are two possibilities to do that:
Either forward the DNS requests of the respective devices you route over the VPN to a public DNS server, which you route over the VPN as well, or use the DNS Resolver on pfSense and direct its whole DNS requests over the VPN.
However, the first one will not work with DoT and none of them works with DoH.
For the first method, simply add a port forwarding for DNS traffic to a public server and add a policy routing rule to direct DNS requests to the destination server over the VPN.
For the second, restrict the DNS Resolver's outbound interfaces to the VPN gateway group and make sure that all your devices use pfSense for DNS.
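As an added example (not from this thread, and not a file pfSense writes verbatim), the second method corresponds to these Unbound directives; pfSense generates the equivalent from the DNS Resolver's "Outgoing Network Interfaces" selection. The addresses 192.168.10.1 (LAN side) and 10.8.0.6 (OpenVPN client tunnel address) are constructed placeholders:

```conf
# Added example: unbound.conf fragment that answers LAN clients but sources
# every upstream query from the VPN tunnel address. All IPs are placeholders.
server:
    # Listen only where the internal clients are
    interface: 127.0.0.1
    interface: 192.168.10.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    # Source address for recursive queries to the internet. With only the
    # tunnel address listed, no query is ever sent from the ISP WAN address.
    outgoing-interface: 10.8.0.6
    # Caveat: the source address alone does not choose the egress route; the
    # routing table or firewall policy must also send traffic from 10.8.0.6
    # through the tunnel, otherwise these queries fail instead of leaking.
    # Validate answers so a hostile resolver path is detectable
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
```

On the client side, the remaining leak is any device that bypasses the resolver (hard-coded DNS, DoH in the browser); a firewall rule allowing port 53 from the VLANs only to the pfSense address, plus the DoH caveat above, closes that for plain DNS and DoT but not for DoH.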