Routing over VPN not working
-
I’m trying to configure a client to server openvpn tunnel between pfsense (client) and unifi dream machine (server). I get a successful connection between the two networks, but cannot route traffic through the tunnel unless I configure it using system routing. I have a firewall rule that should route my cell phone’s (192.168.100.158) traffic through the tunnel, but that is not happening. I know the tunnel works because if I add a static route for 1.1.1.1, I can see it traversing the tunnel in States. How can I get all of my cell phone’s traffic to traverse the tunnel?
config images here:
https://imgur.com/a/GxsQ2oU
-
Wonder if I have the same issue:
On the VPN client, I can ping the gateway, but not anything else on the LAN side.
And I can ping the VPN client from the LAN side devices.To get internet working on the VPN device I had to add a NAT outbound rule for the OpenVPN IP range. Which is weird as it's already in the automatic created rules.
If I add an "any any" rule on the WAN, I can access everything on the LAN from VPN.
If I add an "any any" rule on LAN, it doesn't change anything. There is already a "any any" rule on the OPENVPN interface. -
If you want to route specific traffic over a vpn, you need to use policy routing
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html
Other options is use the vpn for default route
Or
Setup specific routes that would go out the vpn.
Keep in mind if you setup a policy route for client xyz on your network, and you want them to talk to other network segments, you need to setup policy route bypass
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
edit: example
See my currently disable rule sending my 192.168.9.100 device out the wireguard vpn. If I enable that rule traffic from 192.168.9.100 would be routed out that vpn.. But since client is also wanting to talk to other devices on my other network segments I have the bypass policy rule above this rule that sends it out the wg vpn.. Say its wanting to talk to 192.168.3.10 (my pihole dns).. If it was just sent out the vpn it wouldn't be able to. So need a rule above the policy that allows it to talk to other local networks.. That yes are all rfc1918 address space.
-
@johnpoz I did set up policy routing.
I have proof the traffic is hitting the tunnel interface. My states shows traffic being correctly NATed to the WireGuard interface IP (192.168.6.3) and assigned to the WG_MOMDAD interface. I can also see traffic on the interface via a packet capture.
You can see the states table results here:
https://imgur.com/a/2nhoDwd
Seems like all is well, but I can't ping 8.8.8.8 or load any webpages on my IOT device... any idea how to fix that?
-
@testing123 as to loading websites - what is this client behind pfsense using for dns?
As to pinging an IP through the vpn, maybe the vpn doesn't allow it, maybe where your pinging blocks the vpn from pinging it.
If pfsense sent the traffic down the tunnel, and its natting to the vpn interface IP - its job is done, if you do not get an answer then the issue is upstream off pfsense.
-
Yes, agreed, but I can't figure out what needs to change.
I’m trying to send traffic from pfSense over a WireGuard tunnel to a UniFi Dream Machine (UDM) and have it exit to the internet using the UDM’s public IP. The pfSense side uses 192.168.105.0/24, and the WireGuard tunnel IP on the UDM is 192.168.6.3. The UDM already has an outbound NAT rule, allows pings, and allows traffic from VPN to anywhere. Here are some images of the relevant firewall/NAT rules on the UDM side.
The WireGuard tunnel itself is up and working — I can see traffic (like DNS) being NATed and exiting the far end. The issue is with pfSense policy routing. When I ping something like 8.8.8.8, the traffic matches the WireGuard policy rule (confirmed in the firewall logs), so I would expect to see it on the WG_MOMDAD interface. Instead, packet captures show those ICMP packets only on the IoT interface and never on WireGuard or WAN interfaces.
-
@testing123 no idea what you are trying to do with those rules - those are not pfsense rules.
Any traffic that comes back would come back down the tunnel.. And would be allowed by the state.
Does pfsense send the traffic down the tunnel? If so then get with unifi support/community on what you need to do on its end. So this UDM is local - why would you want/need to setup a vpn to it - if its local?
If your pfsense and udm are local - I would guess you got some sort of asymmetrical traffic flow..
If you want to route traffic out to your udm from pfsense - then there should be a transit network between the udm and the pfsense - why would you need/want to encrypt this traffic if its all local..
Please draw up this network..
-
@johnpoz it’s not local - UDM is at a different site than my pfsense. I manage both networks, but they are external to each other.
pfsense —> tunnel —> UDM —> internet
-
@testing123 said in Routing over VPN not working:
nstead, packet captures show those ICMP packets only on the IoT interface and never on WireGuard or WAN interfaces.
What side - have no clue why rules on the udm would have anything to do with pfsense sending the traffic down the tunnel? What is the point of showing the udm side rules if your saying icmp is not going down the tunnel on pfsense?
