Netgate Discussion Forum

    OpenVPN, with vyprvpn

    Category: OpenVPN
    8 Posts 2 Posters 5.9k Views
    • Tango

      Ok I am new to OpenVPN but I have been using pfSense for some time, so forgive me if this is dead obvious.

      My end goal is to have LAN traffic on specific ports or to specific hosts route via OpenVPN.

      So I read http://forum.pfsense.org/index.php?topic=35292.0 and the links in the forum.

      This has taken me to a point, according to the OpenVPN client screen:

      Name                Status  Connected Since           Virtual Addr     Remote Host      Bytes Sent  Bytes Received
      vypr_vpn UDP:50011  up      Tue May 10 21:06:23 2011  xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx  597746      480295

      The last log entries show:
      May 11 11:58:52 openvpn[14307]: MANAGEMENT: Client disconnected
      May 11 11:58:52 openvpn[14307]: MANAGEMENT: CMD 'status 2'
      May 11 11:58:52 openvpn[14307]: MANAGEMENT: CMD 'state 1'
      May 11 11:58:52 openvpn[14307]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock

      Nothing I seem to do in the firewall rules will make traffic route via OpenVPN, but I am not sure if it is just me not getting the rule correct, or if it is related to those messages in the logs.

      TIA

    • GruensFroeschli

      Could you show a screenshot of the firewall rules you use to redirect traffic to the OpenVPN tunnel?

      Did you assign the OpenVPN interface?
      Did you create outbound NAT rules for the assigned OpenVPN interface?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    • Tango

      Ok here is what I have so far.

      http://www.tangerine-army.co.uk/vpn_int.jpg
      http://www.tangerine-army.co.uk/gateway.jpg
      http://www.tangerine-army.co.uk/pf_rules.jpg
      http://www.tangerine-army.co.uk/int_sum.jpg

    • GruensFroeschli

      I suppose you don't control the other side of the tunnel?
      If you do, you have to add routes on the other side for the subnet on your local side.

      If you don't:
      You need to enable outbound NAT (firewall --> NAT --> outbound --> manual rule generation)
      and create a rule with the OpenVPN interface as the interface, source: wherever you're connecting from, destination: where you're connecting to (216.196.109.144).

    • Tango

      I tried your suggestion. Initially nothing seemed to change, but after a restart of the OpenVPN service, boom, there is now an IP address on the VPN interface, something that it had never done before. However, everything seems to be going via the VPN. Here is what I have set so far:
      http://www.tangerine-army.co.uk/aon.jpg

    • GruensFroeschli

      This refers to "redirecting" traffic.
      You are just NATing from one interface to another.
      The new rule looks right.

      How do you determine that traffic is leaving via WAN?
      Is the tunnel actually coming up correctly?
      Can you ping the other side of the tunnel from the pfSense itself?

    • Tango

      If I try to access www.bbc.co.uk it gives me the International version of the page, and not the localised version for the UK; also newsgroups run at full speed, which they would not do as my ISP throttles that traffic from 5pm onwards. So I can be fairly sure the tunnel is up and routing traffic ok.

      Traceroute output:

      1  10.9.0.1 (10.9.0.1)  70.076 ms  28.298 ms  27.524 ms
      2  192.168.32.1 (192.168.32.1)  37.156 ms  29.530 ms  28.034 ms
      3  vl307.gw1.ams.giganews.com (216.196.108.242)  28.278 ms  61.420 ms  45.326 ms
      4  rt-amsix.tcams.bbc.co.uk (195.69.144.169)  29.823 ms  49.721 ms  29.445 ms
      5  rt1.thdo.bbc.co.uk (212.58.239.45)  40.390 ms  36.354 ms  57.183 ms
      6  212.58.238.38 (212.58.238.38)  54.758 ms  36.759 ms  69.710 ms
      7  212.58.239.62 (212.58.239.62)  36.860 ms  42.856 ms  37.561 ms
      8  212.58.251.44 (212.58.251.44)  63.978 ms  36.006 ms  56.095 ms
      9  bbc-vip116.telhc.bbc.co.uk (212.58.244.71)  43.593 ms  40.037 ms  36.375 ms

      As for the traffic leaving via the WAN: the install of pfSense was just out of the box, and I had not done anything aside from a few port forwards.

    • Tango

      Still not much further forward. I am guessing I need rules to send traffic to the WAN rather than the VPN, but as to the specifics of such rules I am not quite sure.
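The rule set this thread circles around, written out as raw pf syntax: outbound NAT on the assigned OpenVPN interface (GruensFroeschli's fourth post), plus LAN rules that send only chosen ports and hosts through the tunnel and pin everything else to the WAN gateway (Tango's original goal and his last post). This is an added example, not the rules from any of the screenshots and not pfSense's own generated ruleset. The interface names, the LAN subnet, the tunnel gateway 10.8.0.1, the WAN gateway 203.0.113.1 and the port choices are placeholders; only 216.196.109.144 (the destination quoted earlier in the thread) comes from the page.

```pf
# Added example, not from the thread. Hand-written pf equivalent of the pfSense
# GUI settings for "only selected LAN traffic goes through the VPN".
# Every name and address below is an assumed placeholder except news_host.
lan       = "em0"              # LAN interface (placeholder)
wan       = "em1"              # WAN interface (placeholder)
vpn       = "ovpnc1"           # assigned OpenVPN client interface (placeholder)
lan_net   = "192.168.1.0/24"   # LAN subnet (placeholder)
vpn_gw    = "10.8.0.1"         # far end of the tunnel, as pfSense shows it on the gateway page (placeholder)
wan_gw    = "203.0.113.1"      # ISP gateway (documentation-range placeholder)
news_host = "216.196.109.144"  # destination quoted in the thread

# --- Outbound NAT (Firewall > NAT > Outbound, manual rule generation) ---
# LAN sources leaving through the tunnel are translated to the tunnel's own
# address: the VPN provider has no route back to the private LAN subnet, so
# without this rule replies never come back (the symptom in the first post).
nat on $vpn from $lan_net to any -> ($vpn)
# The normal WAN rule must stay, or everything NOT sent into the tunnel breaks.
nat on $wan from $lan_net to any -> ($wan)

# --- Policy routing on LAN (Firewall > Rules > LAN, Advanced > Gateway) ---
# pf evaluates these top-down; the first matching "quick" rule fixes the path.

# 1. Local destinations first. Without this, the route-to rules below would
#    push LAN-to-LAN and LAN-to-firewall traffic out of the WAN.
pass in quick on $lan from $lan_net to $lan_net

# 2. Selected traffic goes via the VPN gateway: NNTP/NNTPS by port, and
#    anything at all to the news host.
pass in quick on $lan route-to ($vpn $vpn_gw) proto tcp from $lan_net to any port { 119, 563 }
pass in quick on $lan route-to ($vpn $vpn_gw) from $lan_net to $news_host

# 3. Everything else from LAN is pinned to the WAN gateway. This is the rule
#    Tango's last post is asking for: if the VPN server pushes
#    redirect-gateway and replaces the default route, LAN traffic still leaves
#    via the ISP because route-to overrides the routing table.
pass in quick on $lan route-to ($wan $wan_gw) from $lan_net to any
```

`pfctl -nf <file>` parses a file like this without loading it, which is a quick syntax check. On pfSense the GUI regenerates the ruleset, so hand-loading this would be overwritten; compare it instead with /tmp/rules.debug, where pfSense writes the rules it built from the NAT and LAN screens. Checking from a LAN host, a traceroute to the news host should show the tunnel's far end as the first hop after the firewall, while a traceroute to any other address should show the ISP gateway. The MANAGEMENT: CMD 'status 2' / 'state 1' lines quoted in the first post are the pfSense OpenVPN status page polling the client's management socket, not a fault in the tunnel.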
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.