Tunneling all WAN Traffic Over OpenVPN that Connects from WAN?



  • OK…  This may very well be a dumb question.

    I have OpenVPN set up and it's working superbly.  Originally I just routed my local network (10.100.0.0/24) over the tunnel so I could get at my home network.  Great.

    BUT -- now I'm in a predicament wherein I'd like to tunnel all my Internet requests over the tunnel and then back out the WAN interface of the pfSense box.  Why?  Because I frequently have to use insecure wireless networks and use things like IM and would rather not have everyone and their brother able to sniff my traffic in plain sight.

    Is this possible?  I tried adding the redirect-gateway and redirect-gateway def1 to my client config and that seemed to work, but I could only get at things on the pfSense LAN.  I couldn't get out to the Internet through the tunnel.

    Any ideas?

    TIA!!! :)



  • Do you use advanced outbound NAT?

    If you use redirect-gateway def1 you also need to push a DNS option to your client, because after the redirect is in place your client won't be able to connect to its "normal" DNS server.



  • I'm in the very exact same situation. I can connect to my pfSense OpenVPN from work (I don't think my boss spies on the employees, but I'm taking precautions). Everything works very nicely, I can browse my LAN computers at home etc., but I can't reach the Internet via the VPN.

    I have this in my pfSense OpenVPN config:

    push "redirect-gateway"; push "dhcp-option DNS 192.168.0.1";

    I have confirmed the routes worked with "route get" on my computer, but it seems like there is some filtering in the firewall or something. Any ideas on how to solve this?



  • You also need to check your client settings - what client OS are you using?

    For my Windows boxes I've also had to add the following to the client config to get the routes working:

    route-method exe
    route-delay 2

    It's then worth checking what the default route is after you connect (usually netstat -r -n).



  • Thanks for the answer. I'm on a MacBook; adding those extra route options to the client didn't make any difference from what I can see.

    Output from the netstat command:

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.134.5      UGSc        2        9  tun0

    which does seem to be correct.



  • I also have the same problem (I can reach the LAN but not the Internet). I've read that adding the commands below is supposed to make it work. But for me it doesn't  :(

    push "dhcp-option DNS 192.168.110.1";
    push "redirect-gateway local def1";



  • Is 192.168.110.x your subnet?

    Did you read http://openvpn.net/index.php/documentation/howto.html#redirect

    (you could generally provide a bit more info… crystal ball is broken atm)



  • For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NATing my OpenVPN subnet (192.168.113.0/24) to WAN. That is… to begin with I had a working OpenVPN server for Road Warriors, and what I had to do to tunnel all traffic was:

    1. Add the following lines of configuration to the OpenVPN "Custom Options":
      push "dhcp-option DNS 192.168.110.1";
      push "redirect-gateway local def1";

    2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).
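The two steps above, together with the earlier reply's point about pushing a DNS server and the suggestion to check the client's default route with netstat, amount to a short checklist. The following is an added example, not code from the thread or from pfSense/OpenVPN: it parses an OpenVPN "Custom Options" block and a reduced (interface, source network) view of the outbound NAT rules, both constructed here as samples, and reports which requirement is missing; it also reads the default route out of BSD/macOS "netstat -rn" output in the format shown later in the thread.

```python
"""
Added example (not from the thread): a checker for what this thread identifies
as necessary to tunnel all client traffic through a pfSense OpenVPN server and
back out its WAN:

  1. the server pushes redirect-gateway AND a DNS server the client can reach
     through the tunnel (after the redirect the client's old resolver is gone);
  2. an outbound NAT rule on WAN covers the VPN (Road Warrior) subnet, so the
     replies to the NATed traffic can come back.

It also parses BSD/macOS "netstat -rn" output to confirm the client's default
route really points at tun0. All inputs below are constructed samples.
"""
import ipaddress
import re

# Constructed sample: OpenVPN "Custom Options" as in the post above.
CUSTOM_OPTIONS = '''
push "dhcp-option DNS 192.168.110.1";
push "redirect-gateway local def1";
'''

# Constructed sample: outbound NAT rules reduced to (interface, source network).
# A real pfSense rule has more columns; only these two matter for this check.
NAT_RULES_OK = [
    ("WAN", "192.168.110.0/24"),   # LAN -> WAN (what automatic NAT generates)
    ("WAN", "192.168.113.0/24"),   # Road Warrior subnet -> WAN (the manual rule)
]
NAT_RULES_MISSING = NAT_RULES_OK[:1]   # automatic rules only: VPN subnet not NATed

# Constructed sample of "netstat -rn" on macOS after connecting (format as in the thread).
NETSTAT_OUTPUT = """Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.134.5      UGSc        2        9  tun0
127                127.0.0.1          UCS         0        0  lo0
"""


def parse_push_options(text):
    """Return the option strings pushed to clients, e.g. 'redirect-gateway local def1'."""
    return re.findall(r'push\s+"([^"]+)"', text)


def check_tunnel_all(custom_options, nat_rules, vpn_subnet, tunnel_subnets):
    """
    Return a list of problems (empty means the configuration should work).
    tunnel_subnets: networks reachable through the tunnel (LAN + VPN subnet),
    used to verify the pushed DNS server is still reachable after the redirect.
    """
    problems = []
    pushed = parse_push_options(custom_options)

    if not any(opt.split()[0] == "redirect-gateway" for opt in pushed):
        problems.append("no redirect-gateway pushed: client keeps its local default route")

    dns_servers = [opt.split()[2] for opt in pushed if opt.startswith("dhcp-option DNS ")]
    if not dns_servers:
        problems.append("no DNS pushed: the client's old resolver is unreachable after the redirect")
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        if not any(addr in ipaddress.ip_network(n) for n in tunnel_subnets):
            problems.append(f"pushed DNS {server} is not reachable through the tunnel")

    vpn = ipaddress.ip_network(vpn_subnet)
    covered = any(iface == "WAN" and vpn.subnet_of(ipaddress.ip_network(src))
                  for iface, src in nat_rules)
    if not covered:
        problems.append(f"no outbound NAT rule on WAN covering {vpn_subnet}: "
                        "packets leave WAN with a private source and replies never return")
    return problems


def default_route_interface(netstat_text):
    """Interface carrying the default route in BSD/macOS 'netstat -rn' output, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: Destination Gateway Flags Refs Use Netif [Expire]
        if len(fields) >= 6 and fields[0] == "default":
            return fields[5]
    return None


if __name__ == "__main__":
    tunnel = ["192.168.110.0/24", "192.168.113.0/24"]
    print(check_tunnel_all(CUSTOM_OPTIONS, NAT_RULES_OK, "192.168.113.0/24", tunnel))       # []
    print(check_tunnel_all(CUSTOM_OPTIONS, NAT_RULES_MISSING, "192.168.113.0/24", tunnel))  # one NAT problem
    print(default_route_interface(NETSTAT_OUTPUT))                                          # tun0
```

The NAT check is the one most people in this thread were missing: with automatic outbound NAT only the LAN subnet is translated, so VPN clients' packets leave the WAN with their 192.168.x.x source address and the replies have nowhere to go. The Linux "netstat -rn" format differs (the default route appears as 0.0.0.0), so the route parser is deliberately limited to the BSD/macOS layout shown in the thread.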



  • @johbra:

    For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NATing my OpenVPN subnet (192.168.113.0/24) to WAN. That is… to begin with I had a working OpenVPN server for Road Warriors, and what I had to do to tunnel all traffic was:

    1. Add the following lines of configuration to the OpenVPN "Custom Options":
      push "dhcp-option DNS 192.168.110.1";
      push "redirect-gateway local def1";

    2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).

    Hello there!

    I'm having the same problem as you had. I'm trying to get it to work with your settings, but I believe I've missed something.

    I've got a pfSense box running the OpenVPN server.
    The LAN inside the pfSense is 192.168.0.0/24
    The VPN subnet is 192.168.100.0/24

    I've set up the OVPN server so that I can connect and access the LAN, but to tunnel all traffic through the VPN I added the options you posted. It seems to work and I get a default gateway on the client, and DNS lookups work (using push "dhcp-option DNS 192.168.100.1"), but the traffic just won't get out/back. I changed Outbound NAT to Advanced Outbound NAT and added this entry:
    WAN    192.168.100.0/24  *  *  *  *  *  NO

    Is that correct?
    One more thing: the default gateway I'm getting from the OpenVPN server is 192.168.100.5, is that correct? The client gets the IP 192.168.100.6.

    Any help is appreciated!

    EDIT: I've also noticed that my client gets a 255.255.255.252 netmask. What's up with that? In the OVPN-config the subnet is 192.168.100.0/24.

    EDIT: What's wrong with the above setup?



  • That's the way OpenVPN in routing PKI mode behaves.
    RTM on http://openVPN.net
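The /30 netmask, the .5 gateway and the .6 client address asked about above are what OpenVPN's "net30" topology produces, the default for routed (tun) mode in the OpenVPN releases this thread is about: the server keeps the first /30 of the pool for its own tun endpoint and hands each client its own /30, with the client on the higher host address and the server-side peer on the lower one. The following added example (not code from the thread, OpenVPN or pfSense) computes those allocations with Python's ipaddress module so the values a client reports can be checked against the configured subnet; the subnet and addresses are the ones posted above.

```python
"""
Added example (not from the thread): reproduce OpenVPN's net30 address
allocation for a routed /24 VPN subnet, which explains why a client sees a
255.255.255.252 netmask, a gateway of x.x.x.5 and its own address x.x.x.6.
"""
import ipaddress


def server_endpoints(vpn_subnet):
    """Server's own tun pair (local, remote) under net30: the first /30 of the pool."""
    first = next(ipaddress.ip_network(vpn_subnet).subnets(new_prefix=30))
    local, remote = list(first.hosts())       # e.g. .1 and .2
    return str(local), str(remote)


def net30_slots(vpn_subnet):
    """
    Every /30 in the subnet after the server's own block, as
    (client_ip, gateway_ip, netmask) tuples in allocation order.
    (OpenVPN's own ifconfig-pool may stop short of the last block; this lists
    every block so that any reported client address can be matched.)
    """
    blocks = list(ipaddress.ip_network(vpn_subnet).subnets(new_prefix=30))
    slots = []
    for block in blocks[1:]:
        gateway, client = list(block.hosts())  # e.g. .5 and .6 for 192.168.100.4/30
        slots.append((str(client), str(gateway), str(block.netmask)))
    return slots


def net30_client(vpn_subnet, client_index):
    """(client_ip, gateway_ip, netmask) for the client_index-th (0-based) client."""
    return net30_slots(vpn_subnet)[client_index]


def explains_observation(vpn_subnet, client_ip, gateway_ip, netmask):
    """True if the values a client reports are some net30 slot of the configured pool."""
    return (client_ip, gateway_ip, netmask) in net30_slots(vpn_subnet)


if __name__ == "__main__":
    print(server_endpoints("192.168.100.0/24"))   # ('192.168.100.1', '192.168.100.2')
    print(net30_client("192.168.100.0/24", 0))    # ('192.168.100.6', '192.168.100.5', '255.255.255.252')
    print(explains_observation("192.168.100.0/24",
                               "192.168.100.6", "192.168.100.5", "255.255.255.252"))  # True
```

So the poster's values are exactly the first client slot of 192.168.100.0/24, and nothing is wrong with them; the full /24 only appears on the client if the server is configured with "topology subnet", which later OpenVPN versions support.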

