Netgate Discussion Forum
    Pass all traffic through OpenVPN tunnel

    Category: OpenVPN
    18 Posts 4 Posters 10.8k Views
      yamahabest

      I've used the OpenVPN on pfSense - Installation guide for (Windows) Dummies guide to create an OpenVPN tunnel.
      This is working correctly. I can access devices on the remote network.

      Now I want to pass all traffic through the OpenVPN tunnel, so I added the push "redirect-gateway def1" option to the OpenVPN config.
      Now as soon as I connect, I'm unable to connect to any website anymore. So, it seems something is not working/setup correctly.

      My pfSense setup is very basic; it doesn't use any advanced functionality. I followed all steps of the OpenVPN on pfSense - Installation guide for (Windows) Dummies guide, except step 32, because there is already a rule: *  LAN net  *  *  *  *  Default LAN -> any

      I don't know what information is needed to solve this problem, but I will gladly provide any information requested.

        GruensFroeschli

        @http://forum.pfsense.org/index.php/topic:

        Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
        For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

        Are you on 1.2.3?
        If not: upgrade.

        Did you assign the OpenVPN interface as OPTx?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          yamahabest

          Yes, I'm on 1.2.3.

          I didn't assign the OpenVPN interface as OPTx. Do I need to do this, and if so, how do I do it?

            yamahabest

            GruensFroeschli or anyone, could you tell me how to solve my problem?

              GruensFroeschli

              Follow the instructions here to assign the interface: http://blog.pfsense.org/?p=531

              After this, automatic NAT should work.
              Otherwise, create an AoN rule with this interface.

                yamahabest

                Sorry, it may be my fault, but I can't find anything on that link about "assign interface".
                It seems to only contain the change list for 1.2.3.

                Are you sure it should be on that link?

                  GruensFroeschli

                  Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

                    yamahabest

                    Ah, that's the only thing I have to do?
                    Because you were talking about assigning the OpenVPN interface as OPTx?

                    But your quote seems fairly easy, only a checkbox needs to be changed, I will test it this evening.

                      GruensFroeschli

                      Well no, this only enables you to create rules for an assigned interface.
                      To assign interfaces, you do the same as if you assign a real interface (firewall -> assign).

                        yamahabest

                        Things I've done:

                        • I have added tun0 as OPT1 interface.
                        • I have added a firewall rule on the OPT1 interface: *  OPT1 net  *  *  *  *  Default OPT1 -> any

                        I am still unable to connect to any webpage.

                        I haven't set any parameters on the OPT1 interface (Interface > OPT1 page). Do I need to do this?

                        Or do I need to do some other settings?

                          AhnHEL

                          You need an Advanced Outbound NAT rule in place with the virtual Tunnel network as the Source address.

                          Firewall/NAT/Outbound

                          ![Screen shot 2010-01-10 at 2.42.18 PM.png](/public/imported_attachments/1/Screen shot 2010-01-10 at 2.42.18 PM.png)

                          AhnHEL (Angel)

                            GruensFroeschli

                            Hmmm.
                            It appears the sentence

                            Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP.

                            is no longer valid.
                            I never ran into this issue, since I almost always write my outbound rules manually.

                            You can simply enable AoN under "Firewall -> NAT -> Outbound" and copy the autocreated rule.
                            Change in the copy the subnet to the IP range you use for your OpenVPN connections.

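The two replies above both come down to one condition: pf's outbound NAT must translate the OpenVPN tunnel network out of the WAN interface, or redirected clients get a route but no internet. The check below is an added example, not code from the thread or from pfSense; the `pfctl -s nat` samples are constructed, and em0 as WAN and 192.168.200.0/24 as the tunnel network are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that pf's active NAT ruleset
# covers the OpenVPN tunnel network, which is what the AON rule above creates.
# Constructed samples of `pfctl -s nat` output; em0 as the WAN interface and
# 192.168.200.0/24 as the tunnel network are assumptions from the thread.

# Automatic outbound NAT only: the LAN subnet is translated, the tunnel is not.
NAT_RULES_BEFORE='nat on em0 from 192.168.2.0/24 to any -> (em0) round-robin'

# After enabling AON and copying the LAN rule with the tunnel network as source.
NAT_RULES_AFTER='nat on em0 from 192.168.2.0/24 to any -> (em0) round-robin
nat on em0 from 192.168.200.0/24 to any -> (em0) round-robin'

# tunnel_nat_covered RULES WAN_IF TUNNEL_NET
# Returns 0 when some rule translates TUNNEL_NET out of WAN_IF, 1 otherwise.
tunnel_nat_covered() {
    rules=$1; wan_if=$2; tunnel_net=$3
    printf '%s\n' "$rules" | grep -Fq -- "nat on $wan_if from $tunnel_net to any"
}

# check_openvpn_nat RULES WAN_IF TUNNEL_NET
# Prints a verdict and returns 0 (covered) or 1 (missing).
check_openvpn_nat() {
    if tunnel_nat_covered "$1" "$2" "$3"; then
        echo "OK: $3 is NATed to the $2 address; redirected clients can reach the internet"
        return 0
    fi
    echo "MISSING: no outbound NAT for $3 on $2; redirect-gateway clients will fail"
    return 1
}

# On the firewall itself (root shell), feed the live ruleset instead:
#   check_openvpn_nat "$(pfctl -s nat)" em0 192.168.200.0/24
check_openvpn_nat "$NAT_RULES_BEFORE" em0 192.168.200.0/24 || :   # reports MISSING
check_openvpn_nat "$NAT_RULES_AFTER" em0 192.168.200.0/24          # reports OK
```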
                              yamahabest

                              I've enabled AoN and copied the autocreated rule.

                              The autocreated rule was: WAN    192.168.2.0/24  *  *  *  *  *  NO  Auto created rule for LAN
                              The rule I've added: WAN    192.168.200.0/24  *  *  *  *  *  NO  OpenVPN

                              The 192.168.200.0 address is copied from the OpenVPN page.

                              However I'm still unable to connect to the internet after doing this.

                              Do I need to undo the steps below?

                              • I have added tun0 as OPT1 interface.
                              • I have added a firewall rule on the OPT1 interface: *      OPT1 net      *      *      *      *            Default OPT1 -> any

                              Or do I have to do other steps?

                                yamahabest

                                GruensFroeschli, AhnHEL or anyone, do you have any ideas?

                                  AhnHEL

                                  Since you are using AON, undo the OPT1 tun0 interface.

                                  Post your OpenVPN logs on your pfSense box and also your connection logs on your OpenVPN client so we can see what's going on.

                                  From what I've read, you followed the tutorial to the letter including using the exact IP networks?

                                    yamahabest

                                    Things I've done:

                                    • I have deleted a firewall rule on the OPT1 interface: *      OPT1 net      *      *      *      *            Default OPT1 -> any.
                                    • I have deleted tun0 as OPT1 interface.
                                    • I have disabled the Disable auto-added VPN rules option.

                                    Internet is now working! If I go to http://whatismyipaddress.com/ I see the correct IP Address, so the connection is correctly routed through the tunnel.
                                    Many thanks for helping!

                                    I have just one question left. I have now enabled Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)). Does this have any disadvantages compared to Automatic outbound NAT rule generation (IPsec passthrough)?

                                      AhnHEL

                                      Looks like what fixed it was unchecking the 'Disable Auto Added VPN rules' AND setting up the AON.

                                      AON is required when using the redirect-gateway option so there is no advantage/disadvantage.

                                        mayesjc

                                        Following this thread did not solve everything until I added the addresses of DNS servers in the OpenVPN server configuration page under the "DHCP-Opt.: DNS-Server" option. In my case I added the addresses for OpenDNS, although I doubt that matters.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.