OpenVPN interfaces cannot be set as usable gateways



  • I am trying to set a pfSense OpenVPN client instance as a gateway that LAN clients can use. I created an pfsense interface and assigned the OpenVPN instance (ovpnc2) to it (setting the IPv4/6 addresses to none). The gateway works and the other side is reachable, however it does not show up as a gateway option in the advanced firewall rules. If I create a new firewall rule it does show up (as "interface name" - dynamic), but as soon as I edit that rule or try to edit an existing rule it no longer shows up, and nothing is actually routed out that gateway. How do I fix this so that I can set firewall rules to use it as a gateway?

    Current version: 2.1-BETA1
      NanoBSD Size : 4g
          Built On: Mon Dec 31 12:20:48 EST 2012



  • There have been a number of posts on this issue, none of which particularly pointed at a resolution. I ran into this problem configuring a device recently, and searched around with no success.

    For reasons I'm not able to explain, it started working in my case. I wish I could tell you what I did differently, but I can't. I just know that one time through rebuilding the box trying to get it to work, it did.



  • Hello,

    I ran into similar problem. Steps so far:

    1. create a working OpenVPN connection based on a tap interface /30 netmask, both ends are reachable
    2. create a pfSense interface assignment, with IPv4 Configuration Type set to "none"
    3. create a firewall rule where advanced set up contains that interface as gateway

    last step yields into a possible bug in pfSense. If rule is created, that OpenVPN interface is offered as gateway. When editing that rule, OpenVPN interface is no longer offered. Routing on this interface does not work in each case.

    regards
    Christian



  • This has been a issue since at least the August snapshots, and I have upgraded at least 10 times since then, all of them having the same issue. I also have rebuilt the configs as least once. It seems have something to do with the fact that the gateway shows up as "Dynamic", as if PfSense doesn't know ovpn instance is getting an IP address/gateway, and it just relying on what the interface is configured as (none). Also, giving the actual interface an IP address allows the gateway to be set and gateway IP to no longer show up as "Dynamic", even though this obviously won't work since it is the opvn instance that needs to negotiate that.


  • Rebel Alliance Developer Netgate

    Might be the IPv4/IPv6 type detection.

    When you first create a rule, that detection hasn't kicked in yet. When you edit an existing rule, it only shows gateways of the type the rule it set to be.


  • Rebel Alliance Developer Netgate

    …that said, I just checked, and on my 2.1 VM, I see my OpenVPN gateway in the drop-down for an IPv4 rule, but not an IPv6 rule.



  • Was the OpenVPN instance you tested a server or client? I have both on the pfsense box, and the server instance actually shows up with an actual IP address in the firewall rules (though its not set up as a valid gateway). However, the client instance does not show up in the firewall rules, and shows up as "Dynamic" under "Status: Gateways". It is the client instance that I am trying to make a gateway.



  • @jimp:

    Might be the IPv4/IPv6 type detection.

    When you first create a rule, that detection hasn't kicked in yet. When you edit an existing rule, it only shows gateways of the type the rule it set to be.

    All the openVPN instance on my box are IPv4 only. I see under "Status: Interfaces" that the OpenVPN client interface gets a valid IPv4 address, mask, and default gateway. The system gateway that has the client interface is set as IPv4. However, when I create a new rule, it does show up as "interface name - dynamic". Maybe its the "dynamic" part that is not allowing it to be set as a IPv4 gateway? If so, how do I get it to stop showing up as dynamic in all the status pages?  See attached images.

    ![pfSense dynamic gateway 1.PNG](/public/imported_attachments/1/pfSense dynamic gateway 1.PNG)
    ![pfSense dynamic gateway 1.PNG_thumb](/public/imported_attachments/1/pfSense dynamic gateway 1.PNG_thumb)
    ![pfSense System-Gateways.PNG](/public/imported_attachments/1/pfSense System-Gateways.PNG)
    ![pfSense System-Gateways.PNG_thumb](/public/imported_attachments/1/pfSense System-Gateways.PNG_thumb)


  • Rebel Alliance Developer Netgate

    Does that ovpnc interface actually have an IP on it?

    What does "ifconfig -a" show?

    It works for me on a client and a server, though these are both SSL/TLS with a /30 mask.




  • The actual interface does not have an IP set (set to "none"). The OpenVPN instance does negotiate an IP address (See attached). The OpenVPN client is configured as a "Peer to Peer (SSL/TLS)" in tunnel mode, so it is a /30 as well. In the openVPN logs I see the gateway as 10.9.1.1.  ifconfig -a shows
    ovpnc2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
    options=80000 <linkstate>inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
    nd6 options=1 <performnud>Opened by PID 88995

    Something I just noticed, under "Diagnostics: Routing tables", I do not see any entries for the ovpnc2 interface.

    ![pfSense OpenVPN Status.PNG](/public/imported_attachments/1/pfSense OpenVPN Status.PNG)
    ![pfSense OpenVPN Status.PNG_thumb](/public/imported_attachments/1/pfSense OpenVPN Status.PNG_thumb)</performnud></linkstate></up,pointopoint,running,multicast>


  • Rebel Alliance Developer Netgate

    edit/save that VPN and let it reconnect, see if the interface gets an IP then.

    There is no IP in ifconfig, so the function the gateway uses to determine the interface IP doesn't find it.

    If you edit/save/apply the interface (even if it's set to none) it will stomp on the IP settings and the VPN needs a kick.



  • same issue for me, when i create a fresh rule, i see the openvpn gateway in list, when i try to edit it doesnt show, this is since long, i also mentioned my findings in redmine but its still same






  • I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
    It makes the OpenVPN interface gateways that match the IP protocol of the rule, appear in the dropdown when the rule is being edited.
    In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
    It is only a GUI code change, doesn't effect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under-the-hood, then let us know about that also. The OP had mentioned:

    and nothing is actually routed out that gateway

    Which makes me think there might also be an issue with the under-the-hood implementation of the rule?



  • for me, when i create the rule and add the openvpn gateway and save, packets do route through it, no issues there, only thing was while editing the gateway disappeared



  • @phil.davis:

    I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
    It makes the OpenVPN interface gateways that match the IP protocol of the rule, appear in the dropdown when the rule is being edited.
    In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
    It is only a GUI code change, doesn't effect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under-the-hood, then let us know about that also. The OP had mentioned:

    and nothing is actually routed out that gateway

    Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

    i tried the patch manually and it does now show the openvpn gateway in list while editing and routes also fine



  • @phil.davis:

    The OP had mentioned:

    and nothing is actually routed out that gateway

    Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

    What I meant was the OpenVPN server instance only serves client PCs, and doesn't connect to any networks. It works as it is supposed to. The OpenVPN client instance is the one that doesn't show up in the firewall rules. I don't know if there are any routing issues since I haven't been able to use it as a gateway yet  :) . I will try the latest snapshot tomorrow and report if it works or not.



  • I upgraded to the snapshot Built On: Wed Jan  9 07:10:11 EST 2013. The gateway now shows up in the firewall rules, though it still shows up as "Dynamic".

    The interface does show up in the routing table, and ifconfig -a shows
    ovpnc2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
    options=80000 <linkstate>inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
    inet 10.9.1.90 –> 10.9.1.89 netmask 0xffffffff
    nd6 options=3 <performnud,accept_rtadv>Opened by PID 9794</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

    However, I cannot route anything through that gateway. I can ping through it just fine using the pfsense ping tool, but none of the PCs using it as a gateway can ping outside the network. I am not seeing anything unusual in the logs.



  • Outbound NAT rule missing?



  • Yep, that was it. Its all working now. Thank-you all for for your help, this had been a big issue for me for a long time!


Locked