OpenVPN, with vyprvpn

Tango

Ok I am new to OpenVPN but I have been using pfsense for sometime, so forgive me if this is dead obvious.

My end goal is to have lan traffic on specific ports or to specific hosts route via OpenVPN.

So I read http://forum.pfsense.org/index.php?topic=35292.0 and the links in the forum

This has taken me to a point, according to the OpenVPN client screen

Name                     Status Connected Since                 Virtual Addr     Remote Host   Bytes Sent Bytes Received
vypr_vpn UDP:50011 up Tue May 10 21:06:23 2011 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 597746 480295

The last log entries show
May 11 11:58:52 openvpn[14307]: MANAGEMENT: Client disconnected
May 11 11:58:52 openvpn[14307]: MANAGEMENT: CMD 'status 2'
May 11 11:58:52 openvpn[14307]: MANAGEMENT: CMD 'state 1'
May 11 11:58:52 openvpn[14307]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock

Nothing I seem to do in the firewall rules will make traffic route via OpenVPN, but I am not sure if it is just me not getting the rule correct or is related to those messages in the logs.

TIA

GruensFroeschli

Could you show a screenshot of the firewall rules you use to redirect traffic to the OpenVPN tunnel?

Did you assign the OpenVPN interface?
Did you create outbound NAT rules for the assigned OpenVPN interface?

Tango

Ok here is what I have so far.

http://www.tangerine-army.co.uk/vpn_int.jpg
http://www.tangerine-army.co.uk/gateway.jpg
http://www.tangerine-army.co.uk/pf_rules.jpg
http://www.tangerine-army.co.uk/int_sum.jpg

GruensFroeschli

I suppose you don't control the other side of the tunnel?
If you do, you have to add routes on the other side for the subnet on your local side.

If you don't:
You need to enable outbound NAT (firewall –> NAT --> outbound --> manual rule generation)
and create a rule with as interface the OpenVPN interface, source: wherever you're connecting from, destination: where you're connecting to (216.196.109.144).

Tango

I tried the your suggestion, initially nothing seemed to change, a restart of the OpenVPN service and boom there is now a IP address on the VPN Interface, something that it had never done before. However everything seems to be going via the VPN. Here is what I have set so far
http://www.tangerine-army.co.uk/aon.jpg

GruensFroeschli

This refers to "redirecting" traffic.
You are just NATing from interface to another.
The new rule looks right.

How do you determine that traffic is leaving via WAN?
Is the tunnel actually comming up correctly?
Can you ping from the pfSense itself the other side of the tunnel?

Tango

If I try to access www.bbc.co.uk it gives me the International version of the page, and not the localised version to the UK, also newsgroups run at full speed, which they would not do as my ISP throttles that traffic from 5pm onwards. So I can be fairly sure the tunnel is up and routing traffic ok.

Traceroute output:

1  10.9.0.1 (10.9.0.1)  70.076 ms  28.298 ms  27.524 ms
2  192.168.32.1 (192.168.32.1)  37.156 ms  29.530 ms  28.034 ms
3  vl307.gw1.ams.giganews.com (216.196.108.242)  28.278 ms  61.420 ms  45.326 ms
4  rt-amsix.tcams.bbc.co.uk (195.69.144.169)  29.823 ms  49.721 ms  29.445 ms
5  rt1.thdo.bbc.co.uk (212.58.239.45)  40.390 ms  36.354 ms  57.183 ms
6  212.58.238.38 (212.58.238.38)  54.758 ms  36.759 ms  69.710 ms
7  212.58.239.62 (212.58.239.62)  36.860 ms  42.856 ms  37.561 ms
8  212.58.251.44 (212.58.251.44)  63.978 ms  36.006 ms  56.095 ms
9  bbc-vip116.telhc.bbc.co.uk (212.58.244.71)  43.593 ms  40.037 ms  36.375 ms

As for the traffic leaving via the WAN, the install of pfsense was just out of the box, I had not done anything aside from a few port forwards.

Tango

Still not much further forward, I am guessing I need rules to send traffic to the WAN rather than the VPN but as to the specifics of such rules I am not quite sure.