Netgate Discussion Forum

    OpenVPN acts as default Gateway. Why?

      abadonna

      Hi all. This is my first post, so I wanted to say hello to all of you.

      I am a newbie in pfsense world, so please be gentle with me.

      I use SecurityKISS VPN provider and I have created a little tutorial on how to set up SecurityKISS on my pfsense. Please verify if you want: http://wiki.abadonna.info/doku.php?id=pfsense:kiss (any suggestions on how to make it better are highly appreciated).

      Anyway, when I performed the steps I have put into my tutorial, everything works like a charm, but… As soon as the VPN tunnel is established, all traffic is routed through it. Why? I expected that only some traffic (let's say from one dedicated IP on my LAN) would be sent through the VPN tunnel. Why does pfsense route all traffic through the VPN by default? Is there a way to change this behavior?
      At the moment I am forced to deactivate tunnel if I do not need to use it. I would rather prefer to keep it opened all the time, and only change my local IP if I need to go through tunnel.

      I hope this makes sense and you can help me.

      A.

        phil.davis

        The setup procedure looks good. I guess that the KISS VPN server pushes a "redirect-gateway def1" to the client. That would cause pfSense to effectively switch its default route to the KISS VPN. After that all your internet traffic from all LAN systems goes over KISS VPN. Look at Diagnostics->Routes - it will probably have something like a route to "0.0.0.0" via the KISS tunnel link.
        You should be able to override that by adding "policy-routing" rules on LAN that select particular traffic, and in the advanced rule sections, Gateway, pick a gateway to send that traffic over. This lets you pick what IPs/ports/whatever you want to route via which internet connection.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          phil.davis

          And I see that you have also seen this post: http://forum.pfsense.org/index.php/topic,64480.0.html
          So, you can use route-nopull to stop the default behaviour, then add policy-routing rules on LAN to direct traffic you select into the KISS VPN.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
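
Added example, not part of the original posts: a check of a saved routing table that shows why a pushed "redirect-gateway def1" takes over the default route (OpenVPN installs 0.0.0.0/1 and 128.0.0.0/1, which are more specific than `default`) and what the table looks like with route-nopull. The two tables are constructed samples; the `netstat -rn`-style layout, the addresses and the interface names (`em0`, `em1`, `ovpnc1`) are assumptions.

```python
import ipaddress

# Constructed samples in the style of FreeBSD `netstat -rn -f inet`
# (addresses and interface names are made up for illustration).
ROUTES_PUSHED = """\
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U           em1
"""
ROUTES_NOPULL = """\
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.8.0.0/24        link#7             U        ovpnc1
192.168.1.0/24     link#2             U           em1
"""

def parse_routes(text):
    """Return [(network, netif)] for every route line in the table."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if cols[0] == "default" else cols[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route row
        routes.append((net, cols[3]))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match: the route used when no policy rule steers the packet."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, netif) for net, netif in routes if addr in net]
    return max(matches)[1] if matches else None

def tunnel_is_default(routes, tunnel_prefix="ovpnc"):
    """True if both halves of the IPv4 space leave via the tunnel."""
    probes = ("1.1.1.1", "203.0.113.10")  # one address in each /1 half
    return all((egress_interface(routes, p) or "").startswith(tunnel_prefix) for p in probes)

if __name__ == "__main__":
    for name, text in (("pushed", ROUTES_PUSHED), ("route-nopull", ROUTES_NOPULL)):
        r = parse_routes(text)
        print(name, egress_interface(r, "203.0.113.10"), tunnel_is_default(r))
```

With route-nopull in place, `tunnel_is_default` returning False confirms that only traffic selected by a LAN policy-routing rule can enter the tunnel.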

            datzhim @abadonna

            @abadonna your link is down, can you send me your tutorial? I'm trying to set up SecurityKISS
