Netgate Discussion Forum

    OpenVPN interfaces cannot be set as usable gateways

    Category: 2.1 Snapshot Feedback and Problems - RETIRED
    19 Posts, 7 Posters, 6.2k Views
    • Guest

      I am trying to set a pfSense OpenVPN client instance as a gateway that LAN clients can use. I created a pfSense interface and assigned the OpenVPN instance (ovpnc2) to it (setting the IPv4/6 addresses to none). The gateway works and the other side is reachable; however, it does not show up as a gateway option in the advanced firewall rules. If I create a new firewall rule it does show up (as "interface name" - dynamic), but as soon as I edit that rule or try to edit an existing rule it no longer shows up, and nothing is actually routed out that gateway. How do I fix this so that I can set firewall rules to use it as a gateway?

      Current version: 2.1-BETA1
        NanoBSD Size : 4g
            Built On: Mon Dec 31 12:20:48 EST 2012

      • zandr

        There have been a number of posts on this issue, none of which particularly pointed at a resolution. I ran into this problem configuring a device recently, and searched around with no success.

        For reasons I'm not able to explain, it started working in my case. I wish I could tell you what I did differently, but I can't. I just know that one time through rebuilding the box trying to get it to work, it did.

        • taunusstein.net

          Hello,

          I ran into a similar problem. Steps so far:

          1. create a working OpenVPN connection based on a tap interface /30 netmask, both ends are reachable
          2. create a pfSense interface assignment, with IPv4 Configuration Type set to "none"
          3. create a firewall rule where advanced set up contains that interface as gateway

          The last step reveals a possible bug in pfSense. When the rule is created, that OpenVPN interface is offered as a gateway. When editing that rule, the OpenVPN interface is no longer offered. Routing on this interface does not work in either case.

          regards
          Christian

          • Guest

            This has been an issue since at least the August snapshots, and I have upgraded at least 10 times since then, all of them having the same issue. I have also rebuilt the configs at least once. It seems to have something to do with the fact that the gateway shows up as "Dynamic", as if pfSense doesn't know the ovpn instance is getting an IP address/gateway and is just relying on what the interface is configured as (none). Also, giving the actual interface an IP address allows the gateway to be set and the gateway IP no longer shows up as "Dynamic", even though this obviously won't work since it is the ovpn instance that needs to negotiate that.

            • jimp (Rebel Alliance Developer, Netgate)

              Might be the IPv4/IPv6 type detection.

              When you first create a rule, that detection hasn't kicked in yet. When you edit an existing rule, it only shows gateways of the type the rule is set to be.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • jimp (Rebel Alliance Developer, Netgate)

                …that said, I just checked, and on my 2.1 VM, I see my OpenVPN gateway in the drop-down for an IPv4 rule, but not an IPv6 rule.


                • Guest

                  Was the OpenVPN instance you tested a server or client? I have both on the pfSense box, and the server instance actually shows up with an actual IP address in the firewall rules (though it's not set up as a valid gateway). However, the client instance does not show up in the firewall rules, and shows up as "Dynamic" under "Status: Gateways". It is the client instance that I am trying to make a gateway.

                  • Guest

                    @jimp:

                    Might be the IPv4/IPv6 type detection.

                    When you first create a rule, that detection hasn't kicked in yet. When you edit an existing rule, it only shows gateways of the type the rule is set to be.

                    All the OpenVPN instances on my box are IPv4 only. I see under "Status: Interfaces" that the OpenVPN client interface gets a valid IPv4 address, mask, and default gateway. The system gateway that has the client interface is set as IPv4. However, when I create a new rule, it does show up as "interface name - dynamic". Maybe it's the "dynamic" part that is not allowing it to be set as an IPv4 gateway? If so, how do I get it to stop showing up as dynamic in all the status pages? See attached images.


                    • jimp (Rebel Alliance Developer, Netgate)

                      Does that ovpnc interface actually have an IP on it?

                      What does "ifconfig -a" show?

                      It works for me on a client and a server, though these are both SSL/TLS with a /30 mask.



                      • Guest

                        The actual interface does not have an IP set (set to "none"). The OpenVPN instance does negotiate an IP address (see attached). The OpenVPN client is configured as "Peer to Peer (SSL/TLS)" in tunnel mode, so it is a /30 as well. In the OpenVPN logs I see the gateway as 10.9.1.1. ifconfig -a shows:

                        ```
                        ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                        	options=80000<LINKSTATE>
                        	inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
                        	nd6 options=1<PERFORMNUD>
                        	Opened by PID 88995
                        ```

                        Something I just noticed, under "Diagnostics: Routing tables", I do not see any entries for the ovpnc2 interface.


                        • jimp (Rebel Alliance Developer, Netgate)

                          Edit/save that VPN and let it reconnect, then see if the interface gets an IP.

                          There is no IP in ifconfig, so the function the gateway uses to determine the interface IP doesn't find it.

                          If you edit/save/apply the interface (even if it's set to none) it will stomp on the IP settings and the VPN needs a kick.


                          • xbipin
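Added example (not pfSense's code and not from any poster): a small Python check of the kind jimp describes above, run over constructed copies of the two ifconfig -a outputs quoted in this thread, to decide whether ovpnc2 has an IPv4 address yet and, if so, which peer address a policy-routing rule would use as its next hop. The function names and result fields are my own; pfSense's real gateway code is not reproduced here.

```python
import re

# Constructed samples modelled on the two "ifconfig -a" outputs quoted in this
# thread: before the VPN reconnect (no inet line) and after it (inet line present).
IFCONFIG_BEFORE = """\
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
\tnd6 options=1<PERFORMNUD>
\tOpened by PID 88995
"""

IFCONFIG_AFTER = """\
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
\tinet 10.9.1.90 --> 10.9.1.89 netmask 0xffffffff
\tnd6 options=3<PERFORMNUD,ACCEPT_RTADV>
\tOpened by PID 9794
"""

def interface_blocks(output):
    """Split ifconfig -a output into {ifname: [detail lines]}."""
    blocks, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def find_interface_ip(output, ifname):
    """Return (local, peer) from the first 'inet' line of ifname, or None.
    On a point-to-point tunnel the address after '-->' is the far end."""
    for line in interface_blocks(output).get(ifname, []):
        m = re.match(r"^inet (\d+(?:\.\d+){3})(?: --> (\d+(?:\.\d+){3}))?", line)
        if m:
            return m.group(1), m.group(2)
    return None

def gateway_status(output, ifname):
    """'ipv4' is False while the tunnel has no inet address (the VPN needs a
    kick); once it has one, 'next_hop' is the peer address to policy-route to."""
    found = find_interface_ip(output, ifname)
    if found is None:
        return {"ifname": ifname, "ipv4": False, "next_hop": None}
    local, peer = found
    return {"ifname": ifname, "ipv4": True, "next_hop": peer or local}
```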

                            Same issue for me. When I create a fresh rule I see the OpenVPN gateway in the list; when I try to edit it, it doesn't show. This has been the case for a long time. I also mentioned my findings in Redmine, but it's still the same.


                            • phil.davis

                              I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
                              It makes the OpenVPN interface gateways that match the IP protocol of the rule appear in the dropdown when the rule is being edited.
                              In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
                              It is only a GUI code change; it doesn't affect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under the hood, then let us know about that also. The OP had mentioned:

                              and nothing is actually routed out that gateway

                              Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

                              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                              • xbipin

                                For me, when I create the rule, add the OpenVPN gateway and save, packets do route through it, no issues there. The only thing was that while editing, the gateway disappeared.

                                • xbipin

                                  @phil.davis:

                                  I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
                                  It makes the OpenVPN interface gateways that match the IP protocol of the rule appear in the dropdown when the rule is being edited.
                                  In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
                                  It is only a GUI code change; it doesn't affect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under the hood, then let us know about that also. The OP had mentioned:

                                  and nothing is actually routed out that gateway

                                  Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

                                  I tried the patch manually and it does now show the OpenVPN gateway in the list while editing, and it routes fine as well.

                                  • Guest

                                    @phil.davis:

                                    The OP had mentioned:

                                    and nothing is actually routed out that gateway

                                    Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

                                    What I meant was that the OpenVPN server instance only serves client PCs and doesn't connect to any networks. It works as it is supposed to. The OpenVPN client instance is the one that doesn't show up in the firewall rules. I don't know if there are any routing issues since I haven't been able to use it as a gateway yet :). I will try the latest snapshot tomorrow and report whether it works or not.

                                    • Guest

                                      I upgraded to the snapshot Built On: Wed Jan  9 07:10:11 EST 2013. The gateway now shows up in the firewall rules, though it still shows up as "Dynamic".

                                      The interface does show up in the routing table, and ifconfig -a shows:

                                      ```
                                      ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                      	options=80000<LINKSTATE>
                                      	inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
                                      	inet 10.9.1.90 --> 10.9.1.89 netmask 0xffffffff
                                      	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                      	Opened by PID 9794
                                      ```

                                      However, I cannot route anything through that gateway. I can ping through it just fine using the pfSense ping tool, but none of the PCs using it as a gateway can ping outside the network. I am not seeing anything unusual in the logs.

                                      • fragged

                                        Outbound NAT rule missing?

                                        • Guest

                                          Yep, that was it. It's all working now. Thank you all for your help; this had been a big issue for me for a long time!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.