OpenVPN as Default Gateway



  • This isn't really a question, more a small bit of documentation in case someone like me comes across these issues when they look to set up an OpenVPN connection as a default gateway on pfsense:

    Configuration of OpenVPN as a client on pfsense interacting with a remote Debian OpenVPN server was successful.

    pfsense correctly exposed the OpenVPN interface as OPT1. I then, out of common sense, set the interface type (Interfaces -> OPT1) as DHCP, since that's how OpenVPN pushes the details out. This is wrong - you must set this to None, as OpenVPN already manages the interface configuration in the background, from the perspective of pfsense (my understanding at least).

    I then added the interface's gateway to the System Gateways (System -> Routing), I think it immediately appeared after I pressed the Add button. I then edited the gateway and set it as the default.

    Pinging and tracerouting google worked perfectly with this on pfsense itself, but any other machines using pfsense as the default gateway received no response from the pings. I tracked this down to OpenVPN on the server complaining about invalid source IP addresses - pfsense was sending the packets straight through without mangling the source to be the interface's IP address.

    On the previous Ubuntu Server setup, I had iptables SNAT these packets:

    iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.3.0.2

    So I assumed this was therefore not done by pfsense automatically and was therefore needed. I looked for NAT stuff and found it in Firewall -> NAT -> Outbound. For some reason I was under the impression that 'Automatic outbound NAT rule generation' should have done this for me, but I don't remember why now.

    I changed this to 'Manual Outbound NAT rule generation' (looking forward to see what assumed behaviour I just broke in the future), and created one rule for the 'OpenVPN' interface (in reality 'OPT1' worked as well) - setting source to any, and adding a useful description. The key thing was the 'Interface address' translation that was selected by default - this is what I wanted.

    After enabling all this, I was finally able to ping google etc through other machines on my network.

    If this isn't obvious, I am a pfsense n00b, and in general I only have OpenVPN experience for what I use it for - which is default gateway stuff (why not mangling the packets makes no sense to me). I understand you can also use it to bridge networks. Now, time to get my head into some real traffic shaping work for the first time!


  • Rebel Alliance Developer Netgate

    The NAT is not automatic in that way because most VPN traffic is supposed to pass untouched. In this case you needed NAT, so the default automatic rules were not correct for your case.

    At one point we had (accidentally) added those networks to automatic outbound NAT and had a number of problems/complaints from people who didn't want their VPN traffic to have NAT applied.
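The following is an added example, not code from either poster or from pfSense: a small model of the two steps that decide the symptom described above (pings from pfsense itself work, pings from LAN hosts do not). It shows the outbound NAT rule rewriting the source address to the tunnel interface address, and the OpenVPN server's source check that rejects packets whose source is not the client's tunnel address. The interface name ovpnc1, the LAN range 192.168.1.0/24 and the host addresses are constructed; 10.3.0.2 is the tunnel address from the SNAT rule in the first post.

```python
"""Why LAN traffic fails over an OpenVPN default gateway until outbound NAT
is enabled on the tunnel interface.  Added example; all addresses and the
interface name are constructed except the tunnel address 10.3.0.2."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

TUN_IFACE = "ovpnc1"                       # assumed pfSense OpenVPN client interface name
TUN_ADDR = ip_address("10.3.0.2")          # tunnel address from the SNAT rule in the thread
LAN_HOST = ip_address("192.168.1.10")      # constructed LAN machine
REMOTE = ip_address("8.8.8.8")             # constructed ping target


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    out_iface: str


@dataclass(frozen=True)
class OutboundNatRule:
    """One pfSense-style outbound NAT rule: interface, source match,
    and the address the source is rewritten to ('Interface address')."""
    iface: str
    source: IPv4Network
    translate_to: IPv4Address


def apply_outbound_nat(pkt: Packet, rules: list) -> Packet:
    """Packet as it leaves the firewall: the first matching rule rewrites the
    source; with no matching rule the packet passes through untouched, which
    is what the thread observed in automatic mode."""
    for r in rules:
        if r.iface == pkt.out_iface and pkt.src in r.source:
            return replace(pkt, src=r.translate_to)
    return pkt


def server_accepts(pkt: Packet, client_tunnel_addr: IPv4Address) -> bool:
    """OpenVPN server's source check on packets arriving from a client: the
    source must be an address the server associates with that client.  Only
    the client's own tunnel address is modelled here (iroute is omitted)."""
    return pkt.src == client_tunnel_addr


def lan_host_reachable(rules: list) -> bool:
    """Does a LAN host's packet survive NAT and the server's source check?"""
    pkt = Packet(LAN_HOST, REMOTE, TUN_IFACE)
    return server_accepts(apply_outbound_nat(pkt, rules), TUN_ADDR)


def firewall_self_reachable(rules: list) -> bool:
    """Same question for traffic originated by pfSense itself, which already
    carries the tunnel address as its source."""
    pkt = Packet(TUN_ADDR, REMOTE, TUN_IFACE)
    return server_accepts(apply_outbound_nat(pkt, rules), TUN_ADDR)


# Automatic mode, as the thread describes it: no rule for the tunnel interface.
AUTOMATIC_RULES: list = []
# Manual mode with the rule from the first post: any source out ovpnc1,
# translated to the interface address.
MANUAL_RULES = [OutboundNatRule(TUN_IFACE, ip_network("0.0.0.0/0"), TUN_ADDR)]

if __name__ == "__main__":
    for name, rules in (("automatic", AUTOMATIC_RULES), ("manual", MANUAL_RULES)):
        print(f"{name:9s} firewall itself: {firewall_self_reachable(rules)}  "
              f"LAN host: {lan_host_reachable(rules)}")
```

The hand-written pf equivalent of the manual rule, assuming the tunnel interface is ovpnc1 and the LAN is 192.168.1.0/24, is `nat on ovpnc1 from 192.168.1.0/24 to any -> (ovpnc1)`; pfSense writes its own rule from the GUI settings, so this line is only for comparison with the iptables SNAT rule in the first post.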

