OpenVPN interfaces cannot be set as usable gateways

Guest · Jan 7, 2013, 7:33 PM

The actual interface does not have an IP set (set to "none"). The OpenVPN instance does negotiate an IP address (See attached). The OpenVPN client is configured as a "Peer to Peer (SSL/TLS)" in tunnel mode, so it is a /30 as well. In the openVPN logs I see the gateway as 10.9.1.1. ifconfig -a shows
ovpnc2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
nd6 options=1 <performnud>Opened by PID 88995

Something I just noticed, under "Diagnostics: Routing tables", I do not see any entries for the ovpnc2 interface.

![pfSense OpenVPN Status.PNG](/public/imported_attachments/1/pfSense OpenVPN Status.PNG)
![pfSense OpenVPN Status.PNG_thumb](/public/imported_attachments/1/pfSense OpenVPN Status.PNG_thumb)</performnud></linkstate></up,pointopoint,running,multicast>

jimp · Jan 7, 2013, 8:09 PM

edit/save that VPN and let it reconnect, see if the interface gets an IP then.

There is no IP in ifconfig, so the function the gateway uses to determine the interface IP doesn't find it.

If you edit/save/apply the interface (even if it's set to none) it will stomp on the IP settings and the VPN needs a kick.

xbipin · Jan 8, 2013, 6:40 AM

same issue for me, when i create a fresh rule, i see the openvpn gateway in list, when i try to edit it doesnt show, this is since long, i also mentioned my findings in redmine but its still same

phil.davis · Jan 8, 2013, 10:56 AM

I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
It makes the OpenVPN interface gateways that match the IP protocol of the rule, appear in the dropdown when the rule is being edited.
In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
It is only a GUI code change, doesn't effect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under-the-hood, then let us know about that also. The OP had mentioned:

and nothing is actually routed out that gateway

Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

xbipin · Jan 8, 2013, 11:39 AM

for me, when i create the rule and add the openvpn gateway and save, packets do route through it, no issues there, only thing was while editing the gateway disappeared

xbipin · Jan 8, 2013, 11:44 AM

@phil.davis:

I just put a fix in: https://github.com/bsdperimeter/pfsense/commit/d9ce908f28c849b5cfffea5f1512bdd486c27d79
It makes the OpenVPN interface gateways that match the IP protocol of the rule, appear in the dropdown when the rule is being edited.
In the next snapshot (or do GitSync or whatever to get this little change), please try it out.
It is only a GUI code change, doesn't effect whether the subsequent routing actually gets implemented correctly. If there are other issues with the policy-based routing rule actually being actioned correctly under-the-hood, then let us know about that also. The OP had mentioned:

and nothing is actually routed out that gateway

Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

i tried the patch manually and it does now show the openvpn gateway in list while editing and routes also fine

Guest · Jan 8, 2013, 11:21 PM

@phil.davis:

The OP had mentioned:

and nothing is actually routed out that gateway

Which makes me think there might also be an issue with the under-the-hood implementation of the rule?

What I meant was the OpenVPN server instance only serves client PCs, and doesn't connect to any networks. It works as it is supposed to. The OpenVPN client instance is the one that doesn't show up in the firewall rules. I don't know if there are any routing issues since I haven't been able to use it as a gateway yet :) . I will try the latest snapshot tomorrow and report if it works or not.

Guest · Jan 9, 2013, 7:19 PM

I upgraded to the snapshot Built On: Wed Jan 9 07:10:11 EST 2013. The gateway now shows up in the firewall rules, though it still shows up as "Dynamic".

The interface does show up in the routing table, and ifconfig -a shows
ovpnc2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::4e02:89ff:fe0a:a548%ovpnc2 prefixlen 64 scopeid 0x13
inet 10.9.1.90 –> 10.9.1.89 netmask 0xffffffff
nd6 options=3 <performnud,accept_rtadv>Opened by PID 9794</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

However, I cannot route anything through that gateway. I can ping through it just fine using the pfsense ping tool, but none of the PCs using it as a gateway can ping outside the network. I am not seeing anything unusual in the logs.

fragged · Jan 9, 2013, 7:27 PM

Outbound NAT rule missing?

Guest · Jan 9, 2013, 8:23 PM

Yep, that was it. Its all working now. Thank-you all for for your help, this had been a big issue for me for a long time!