Network connectivity issue from OpenVPN client

CoffeeOrTea · Mar 11, 2024, 3:07 PM

Upstream, meaning the WAN access?

I did create that, yes. I don't have a screenshot handy, but essentially the rule is:

Outbound Rule
Interface: WAN
Source: 192.168.50.0/24 (Tunnel subnet)
Destination: *
Translation Address: WAN Address

However, it wasn't just WAN access that was failing, it was everything. I couldn't ping/communicate with pfsense gateway/dns on the same tunnel network or servers on other subnets despite having wide-open allow rules.

Gertjan · Mar 11, 2024, 3:09 PM

@CoffeeOrTea

My :

never had to create anything.
192.168.3.0/24 is my OpenVPN tunnel IP network.
I don't recall adding what so ever manually.

Btw : 192.168.1.0/24, 192.168.2.0/24 and 192.168.100.0/24 are all my LANs

CoffeeOrTea · Mar 11, 2024, 3:16 PM

@Gertjan said in Network connectivity issue from OpenVPN client:

never had to create anything.

I've got my outbound NAT set to 'manual rule generation' rather than automatic. Odd though because I have the manual equivalent of the rule that you have. Still, that should only be for WAN access over the VPN whereas I can't even communicate with the gateway/other subnets [with 'force all traffic through tunnel' enabled].

That said, everything is working flawlessly right now due to disabling the 'force all traffic through tunnel' option and manually specifying accessible subnets. I just don't understand why the 'force all traffic through tunnel' breaks everything.

Gertjan · Mar 11, 2024, 3:28 PM

@CoffeeOrTea

I've "force all" set ...
( because : when I fire up my OpenVPN from my laptop phone etc, that is because I want to use one of devices on the pfSense LAN. I connect to these devices using their host names, known to unbound on pfSense. So, my phone will ask unbound what IP the device has, and I can connect.
I don't need to use my company's VPN access as a VPN to visit other, Internet based sites. )

CoffeeOrTea · Mar 11, 2024, 3:37 PM

@Gertjan

That's the configuration that I want to use, but it's the one that breaks everything for me. In order to get it to work, I have to uncheck that box, then manually specify the IPv4 Local networks.

Curious - do you have your OpenVPN server assigned to an interface?

The reason I ask is because enabling "Redirect IPv4 Gateway" works for me UNTIL I assign it to an interface, then everything breaks.

viragomann · Mar 11, 2024, 3:39 PM

@CoffeeOrTea said in Network connectivity issue from OpenVPN client:

That said, everything is working flawlessly right now due to disabling the 'force all traffic through tunnel' option and manually specifying accessible subnets. I just don't understand why the 'force all traffic through tunnel' breaks everything.

With "redirect gateway" checked, I expect, that you at least can access the remote LANs.
If that's not the case, I'd suspect, that there is an issue with your client. Maybe you can try another one.

CoffeeOrTea · Mar 11, 2024, 3:51 PM

@viragomann said in Network connectivity issue from OpenVPN client:

With "redirect gateway" checked, I expect, that you at least can access the remote LANs.
If that's not the case, I'd suspect, that there is an issue with your client. Maybe you can try another one.

I would expect that too, but that's the issue that I'm having. Client is Android phone with OpenVPN app. Are you saying to try another device, or app?

The only way that I've been able to get it to work is by configuring it this way. I would much rather get the "Redirect Gateway" option working, though.

Edit for clarification: The only way that I've been able to get it to work after assigning OpenVPN to an interface is to configure it as the picture below. If I don't assign OpenVPN to an interface, then "Redirect Gateway" works.

viragomann · Mar 11, 2024, 3:53 PM

@CoffeeOrTea said in Network connectivity issue from OpenVPN client:

Edit for clarification: The only way that I've been able to get it to work after assigning OpenVPN to an interface is to configure it as the picture below. If I don't assign OpenVPN to an interface, then "Redirect Gateway" works.

Not clear at the moment, why this happens, but there is no benefit of assigning an interface to an access server anyway.
This is only useful if you need to route traffic to the client site.

CoffeeOrTea · Mar 11, 2024, 3:54 PM

Follow up thought...

Because assigning my OpenVPN server to an interface automatically creates a new gateway, would I need edit this setting in the OpenVPN server config?

viragomann · Mar 11, 2024, 4:08 PM

@CoffeeOrTea
No, there is nothing to change after assigning the interface.