OpenVPN - full vs split tunneling (vs Untangle 9.3)



  • With all of the buzz around the latest release of Untangle 9.3 w/ full tunneling – how do you achieve this same functionality with pfsense 2.0.1's openvpn? I currently have openVPN setup on pfsense and functioning, although I'm not quite sure how to confirm whether it's doing full tunneling.

    For example, when connected to my office LAN, if I do a tracert (when connected remotely to my pfsense router with OpenVPN), the first hop is my pfsense IP (i.e. 10.0.8.1) and then it shows the traffic going through my home ISP. Which is a good sign.

    Should I still be able to access all local LAN resources? Or should it also be trying to route any LAN request thru the VPN as well?

    Have been debating rebuilding my pfsense 2.0.1 box as an untangle 9.3 appliance but it's taken me too long to fine tune my pF router with QoS, forwarding rules, etc.

    Thanks.


  • Rebel Alliance Developer Netgate

    The only difference is whether or not your Internet traffic goes through the tunnel.

    Full Tunnel = Everything goes - just check the box on the OpenVPN server for "Redirect Gateway - Force all client generated traffic through the tunnel."
    Split Tunnel = Only traffic specified in routes goes into the tunnel - so the only things you push routes for, or specify on the client, will go across the tunnel.

    Your OpenVPN firewall rules and outbound NAT may need adjusting to allow full tunneling, but it does work quite well. I do it all the time (especially when I'm on an untrusted network like one at a hotel).
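The question above was how to confirm which mode a client is actually in. OpenVPN's "redirect-gateway def1" does not replace the default route; it installs two more-specific routes (0.0.0.0/1 and 128.0.0.0/1) via the VPN gateway, so the client's routing table tells you directly. The following is an added example, not code from the thread or from pfSense, that classifies a Linux client's `ip route show` output as full or split tunnel; the interface name tun0 and the sample routing tables (built around the thread's 10.0.8.1 gateway and 192.168.0.0/24 LAN) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: `ip route show` on a client after "redirect-gateway def1".
# 203.0.113.10 stands in for the VPN server's public address (assumption).
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.0.8.1 dev tun0
128.0.0.0/1 via 10.0.8.1 dev tun0
10.0.8.0/24 dev tun0 proto kernel scope link src 10.0.8.6
192.168.0.0/24 via 10.0.8.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: same client with only the pushed LAN route (split tunnel).
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.8.0/24 dev tun0 proto kernel scope link src 10.0.8.6
192.168.0.0/24 via 10.0.8.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")
DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def parse_routes(text):
    """Return (destination network, next hop or None, device) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("via"), m.group("dev")))
    return routes

def tunnel_networks(text, tun_dev="tun0"):
    """Destinations currently routed into the tunnel interface, as strings."""
    return sorted(str(net) for net, _, dev in parse_routes(text) if dev == tun_dev)

def classify_tunnel(text, tun_dev="tun0"):
    """'full' if the def1 halves (or a plain default) point at the tunnel, else 'split' or 'none'."""
    tun_nets = {net for net, _, dev in parse_routes(text) if dev == tun_dev}
    if DEF1_HALVES <= tun_nets or ipaddress.ip_network("0.0.0.0/0") in tun_nets:
        return "full"
    return "split" if tun_nets else "none"
```

On a real client, feed it the output of `ip route show`; a host route to the VPN server via the original gateway (like the 203.0.113.10 line above) is what keeps the tunnel's own packets from being redirected into the tunnel.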



  • Jimp, was hoping you might be able to clarify. Currently, I have:

    1.) REDIRECT GATEWAY option disabled within the pfsense OpenVPN server settings.  And
    2.) In my ADVANCED CONFIGURATION, I have the following entry:

    push "route 192.168.0.0 255.255.255.0";

    Then, I've created (2) separate OpenVPN configurations on my client PC with the goal of having one config with split tunneling and another with full tunneling. If you wouldn't mind validating these are accurate, I'd appreciate it:

    CLIENT CONFIG A - SPLIT TUNNEL:

    float
    port 1194
    dev tun
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote myserver.domain.com 1194
    tls-remote "Roadwarrior Server Certificate"
    pkcs12 pfsense-udp-1194-Jason_Laptop.p12
    tls-auth pfsense-udp-1194-Jason_Laptop.key 1
    comp-lzo
    pull
    verb 4

    CLIENT CONFIG B - FULL TUNNEL

    float
    port 1194
    dev tun
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote myserver.domain.com 1194
    tls-remote "Roadwarrior Server Certificate"
    pkcs12 pfsense-udp-1194-Jason_Laptop.p12
    tls-auth pfsense-udp-1194-Jason_Laptop.key 1
    comp-lzo
    redirect-gateway def1
    dhcp-option DNS 192.168.0.1
    verb 4


  • Rebel Alliance Developer Netgate

    You can still use pull in the second one, but it looks right enough.

    Generally I leave the config the same and just add the "redirect-gateway def1".



  • Appreciate the feedback. So in the FULL TUNNEL client config (option B), I should still keep this line?

    dhcp-option DNS 192.168.0.1

    Also, is it OK that I have the following entry in my OpenVPN server ADVANCED section?

    push "route 192.168.0.0 255.255.255.0";

    Thanks again!


  • Rebel Alliance Developer Netgate

    If you redirect the gateway, pushed routes don't really matter; it's all going to the same place.

    Not sure on the syntax for the dhcp option, but if you're pushing the DNS server from the openvpn server, there's no need for it.



  • @jimp:

    Not sure on the syntax for the dhcp option, but if you're pushing the DNS server from the openvpn server, there's no need for it.

    I noticed as soon as I removed the following line from the client config file, I could no longer browse the internet thru the tunnel:

    dhcp-option DNS 192.168.0.1

    As soon as I added it back, I could once again browse the internet via the tunnel and http://www.whatsmyip.com returned my home ISP's internet IP address (good).



  • The fact they're marketing "full tunneling" as some big deal feature, something you've been able to do with pfSense since day 1 OpenVPN was implemented ~7 years ago, really shows how desperate they are for marketing material. Welcome to last decade, Untangle!

