Pass all traffic through OpenVPN tunnel



  • I've used the OpenVPN on pfSense - Installation guide for (Windows) Dummies guide to create an OpenVPN tunnel.
    This is working correctly. I can access devices on the remote network.

    Now I want to pass all traffic through the OpenVPN tunnel, so I added the push "redirect-gateway def1" option to the OpenVPN config.
    Now as soon as I connect, I'm unable to connect to any website anymore. So, it seems something is not working/setup correctly.

    My pfsense setup is very basic, it don't use any advanced functionalities. I followed all steps of the OpenVPN on pfSense - Installation guide for (Windows) Dummies guide, except step 32, because there is already a rule: ***   LAN net   *   *   *   *       Default LAN -> any**.

    I don't know what information is needed to solve this problem, but I will gladly provide any information requested.



  • @http://forum.pfsense.org/index.php/topic:

    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
    For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

    Are you on 1.2.3?
    If not: upgrade.

    Did you assign the OpenVPN interface as OPTx?



  • Yes, I'm on 1.2.3.

    I didn't assign the OpenVPN interface as OPTx, do I need to do this, and if so, how do I do this?



  • GruensFroeschli or anyone, could you tell me how to solve my problem?



  • Follow the instructions here to assign the interface: http://blog.pfsense.org/?p=531

    After this automatic NAT should work.
    Otherwise, create an AoN rule with this interface.



  • Sorry, it can be my fault, but I can't find anything on that link about "assign interface".
    It seems to only contain the change list for 1.2.3.

    Are you sure it should be on that link?



  • Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.



  • Ah, that's the only thing I have to do?
    Because you were talking about assigning the OpenVPN interface as OPTx?

    But your quote seems fairly easy, only a checkbox needs to be changed, I will test it this evening.



  • Well no, this only enables you to create rules for an assigned interface.
    To assign interfaces, you do the same as if you assign a real interface ( firewall -> assign )



  • Things I've done:

    • I have added tun0 as OPT1 interface.
    • I have added a firewall rule on the OPT1 interface: ***  OPT1 net  *  *  *  *      Default OPT1 -> any**

    I am still unable to connect to any webpage.

    I haven't set any parameters on the OPT1 interface (Interface > OPT1 page). Do I need to do this?

    Or do I need to do some other settings?



  • You need an Advanced Outbound NAT rule in place with the virtual Tunnel network as the Source address.

    Firewall/NAT/Outbound

    ![Screen shot 2010-01-10 at 2.42.18 PM.png](/public/imported_attachments/1/Screen shot 2010-01-10 at 2.42.18 PM.png)
    ![Screen shot 2010-01-10 at 2.42.18 PM.png_thumb](/public/imported_attachments/1/Screen shot 2010-01-10 at 2.42.18 PM.png_thumb)



  • Hmmm.
    It appears the sentence

    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP.

    is no longer valid.
    I never run into this issue, since i almost always write my outbound rules manually.

    You can simply enable AoN under "firewall –> nat --> outbound" and copy the autocreated rule.
    Change in the copy the subnet to the IP range you use for your OpenVPN connections.



  • I've enabled AoN and copied the autocreated rule.

    The autocreated rule was: WAN    192.168.2.0/24  *  *  *  *  *  NO  Auto created rule for LAN
    The rule I've added: WAN    192.168.200.0/24  *  *  *  *  *  NO  OpenVPN

    The 192.168.200.0 address is copied from the OpenVPN page.

    However I'm still unable to connect to the internet after doing this.

    Do I need to undo the steps below?

    • I have added tun0 as OPT1 interface.
    • I have added a firewall rule on the OPT1 interface: *      OPT1 net      *      *      *      *            Default OPT1 -> any

    Or do I have to do other steps?



  • GruensFroeschli, onhel or anyone, do you have any ideas?



  • Since you are using AON, undo the OPT1 tun0 interface.

    Post your OpenVPN logs on your pfsense box and also your connection logs on your OpenVPN client so we can see whats going.

    From what I've read, you followed the tutorial to the letter including using the exact IP networks?



  • Things I've done:

    • I have deleted a firewall rule on the OPT1 interface: *      OPT1 net      *      *      *      *            Default OPT1 -> any.
    • I have deleted tun0 as OPT1 interface.
    • I have disabled the Disable auto-added VPN rules option.

    Internet is now working! If I go to http://whatismyipaddress.com/ I see the correct IP Address, so the connection is correctly routed through the tunnel.
    Many thanks for helping!

    I have just one question left. I have now enabled Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), does this has any disadvantages as regards to Automatic outbound NAT rule generation (IPsec passthrough)?



  • Looks like what fixed it was unchecking the 'Disable Auto Added VPN rules' AND setting up the AON.

    AON is required when using the redirect-gateway option so there is no advantage/disadvantage.



  • Following this thread did not solve everything until I added the addresses of DNS servers in the OpenVPN server configuration page under the "DHCP-Opt.: DNS-Server" option.  In may case I added the addresses for OpenDNS, although I doubt that matters.


Locked