Upgrade to 2.7.1 - OpenVPN Outbound connection stopped working
-
Morning folks,
I have a setup using an outbound OpenVPN VPN, with selective routing through the VPN using an alias and a LAN Firewall rule. This has been working since before I installed 2.7.
All was working well until I upgraded from 2.7 to 2.7.1 this morning.
OpenVPN is connecting to the remote VPN Host. But from the clients configured to go through the VPN I get no responses. It seems like they are connecting through the VPN, but responses may not be getting back?
If I try to wget from one of the clients it hangs:
root@nas2:~# wget www.google.com
--2023-11-19 09:28:50-- http://www.google.com/
Resolving www.google.com... 142.250.70.132, 2404:6800:4015:801::2004
Connecting to www.google.com|142.250.70.132|:80...
If I disconnect the VPN, the behavior changes on the client:
root@nas2:~# wget www.google.com
--2023-11-19 09:29:54-- http://www.google.com/
Resolving www.google.com... 142.250.70.132, 2404:6800:4015:800::2004
Connecting to www.google.com|142.250.70.132|:80... failed: Connection refused.
Connecting to www.google.com|2404:6800:4015:800::2004|:80... failed: Network is unreachable.
This makes sense as I also add a packet tag on that rule so that those hosts that are destined for the VPN are not allowed to connect directly to the internet.
The rule has State Details accumulating so it appears to be trying to route the requests:
States details
Tracking ID: 1618222021
evaluations: 4.09K
packets: 429
bytes: 37 KiB
states: 17
state creations: 100
Here is my routing table when the VPN link is up:
Destination        Gateway     Flags  Nhop#  Mtu    Netif     Expire
default            <ISP IP>.   UGS    10     1492   pppoe1
10.58.0.21         link#10     UH     11     1500   ovpnc2
10.58.0.22         link#5      UHS    12     16384  lo0
<ISP IP>           link#9      UH     8      1492   pppoe1
127.0.0.1          link#5      UH     2      16384  lo0
192.168.0.0/23     link#2      U      4      1500   vmx1
192.168.0.1        link#5      UHS    5      16384  lo0
192.168.100.0/24   link#8      U      6      1500   vmx2.100
192.168.100.1      link#5      UHS    3      16384  lo0
<MY IP>.           link#5      UHS    9      16384  lo0
- The VPN addresses are: 10.58.0.21 locally and 10.58.0.22 remotely
- vmx1 is my lan interface
- pppoe1 is my WAN interface
- ovpnc2 is my VPN interface
There is something weird in that the Gateway link on my rule shows that correct VPN gateway, including a red status when I hover over it, but when I click the link it opens to the WAN_PPPOE Gateway definition, not the VPN one.
Which leads me to believe there may be something that happened during the upgrade? I even recreated the rule from scratch, with the VPN gateway selected, but it still clicks through to the WAN_PPPOE gateway?
From the command line I can ping the Local VPN address (10.58.0.21) but not the remote one (10.58.0.22).
Remember that this all worked in 2.7. I have the Don't pull routes option turned on so that it does use the pushed routes, and Don't add/remove routes is not turned off.
Any ideas?
-
Some more info...
I am trying now to reconfigure my system by getting rid of all the VPN configuration and redoing it.
However, one last thing I was going to try was removing my VPN Gateway and recreating it and subsequently assigning a VPN interface to it.
However, when I did that, my Internet access stopped working, i.e. the WAN_PPPOE gateway was removed under the covers!
I wonder if this is the problem I am experiencing above:
There is something weird in that the Gateway link on my rule shows that correct VPN gateway, including a red status when I hover over it, but when I click the link it opens to the WAN_PPPOE Gateway definition, not the VPN one.
Which leads me to believe there may be something that happened during the upgrade? I even recreated the rule from scratch, with the VPN gateway selected, but it still clicks through to the WAN_PPPOE gateway?
For clarity, on the Rules/LAN page where I have my rule to direct certain hosts to the VPN Gateway, it shows that I have my VPN gateway selected for the traffic. If I hover over the VPN link for the rule, it shows the VPN gateway state.
But when I click on the VPN gateway link, it opens to the WAN_PPPoE gateway definition, not the VPN gateway definition? If I inspect the link, the URL points to the actual WAN_PPPOE gateway with id=3 whereas the VPN gateway is actually id=2?
I wonder if the backup/restore of my configuration is just screwed and I need to start over?
Any ideas here?
-