[SOLVED] How to force all client generated traffic through the tunnel?



  • I have set up my pfSense 2.1-RC1 home network OpenVPN server by watching this YouTube video http://www.youtube.com/watch?v=VdAHVSTl1ys

    I then connect to it using my iPhone. Everything works fine; however, I would like all the data to be forced through to my home network. If I click the Redirect Gateway button my iPhone will connect to the server but will not send data. What other changes need to be made when selecting the redirect gateway option?


  • Rebel Alliance Developer Netgate

    That checkbox is enough, but make sure you also send the client a DNS server it can reach over the tunnel.



  • Hmm, OK, here is what I did, and it didn't work.

    1. I selected redirect gateway.
    2. The "IPv4 Local Network/s" field went away.
    3. "IPv4 Tunnel Network" is set to 192.168.26.0/24. (Does it need to be set to my lan network 192.168.25.0/24?)
    4. Then I went to DNS Servers and clicked "Provide a DNS server list to clients" I tried both 8.8.8.8 and 192.168.25.1 as the DNS servers and both times the data would not send on my iPhone. (Am I doing this step correctly?)

    5. I tried that both times without any luck. (Any suggestions?) (Also, would I have to export a new client .ovpn each time I change the settings?)
    6. Do I need to change any settings in the firewall to allow the connection? I just used the VPN Wizard to set up the rules the first time.

    Thank you in advance for your help!



  • I figured it out!

    I didn't have the firewall rules set up properly.

    Thank you Jimp for your help!



  • Hi,

    Can you post your firewall rules for the tunnel, please, for other people with the same problem?

    Thanks
    Richard



  • Sure!

    Go to Firewall -> NAT -> Outbound

    What I did was delete all the rules, then I selected "Automatic outbound NAT rule generation (IPsec passthrough included)" and clicked Save, and then I selected "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" and clicked Save. This automatically added all the rules that I needed.

    If you want to manually add a new rule, I think you need one with the following options:
    Interface: WAN
    Source: (your VPN Tunnel network ex. 10.0.10.0/24)
    Source Port: Any
    Destination Port: Any
    NAT Address: WAN address
    NAT Port: Any
    Static Port: NO



  • Thanks for posting your solution. Didn't work for me, but I have an OpenVPN client connection to StrongVPN, which is confusing matters. Going to simplify my settings and try again.

    Thanks

    Richard



  • archedraft has described how to go back to using Automatic Outbound NAT, which is good. The last step about selecting Manual Outbound NAT is not necessary. Automatic Outbound NAT is doing its thing underneath anyway. Selecting Manual Outbound NAT again simply puts a copy of the unseen Automatic Outbound NAT rules in the manual list, and starts using them there. The trouble is that in future when you change other stuff, you are using Manual Outbound NAT, so new/changed things will not have NAT adjusted automatically.
    pfSense Automatic Outbound NAT puts NAT rules in place for packets coming in from remote clients to an OpenVPN server and heading out WAN(s). The sort of config described in this post should work out-of-the-box with Automatic Outbound NAT.



  • @richardkingsley:

    Thanks for posting your solution. Didn't work for me, but I have an OpenVPN client connection to StrongVPN, which is confusing matters. Going to simplify my settings and try again.

    Thanks

    Richard

    Richard,

    My current setup is as follows: I have an OpenVPN client connection through Private Internet Access (all my data is being encrypted through PIA on my network). I have also set up an OpenVPN server so that I can connect to my home network. Now that I have everything working, I can connect my iPhone to my home network and the data is also being encrypted through PIA. It's pretty cool once it was all set up, but it did take a while to figure it out and change the settings a bunch of times to get it working.

    I followed this guide to get my PIA client setup:
    http://www.komodosteve.com/archives/232

    Then I used this guide to get my server setup:
    Youtube Video

    Then to force all client generated traffic through the tunnel I did the following:
    1. Clicked "Redirect Gateway"
    2. Selected "Provide a DNS server list to clients"
    3. I used the IP address to log into my pfSense box for server #1
    4. Clicked save
    5. Went to Firewall -> NAT -> Outbound

    What I did was delete all the rules, then I selected "Automatic outbound NAT rule generation (IPsec passthrough included)" and clicked Save, and then I selected "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" and clicked Save. This automatically added all the rules that I needed.

    Hopefully that helps.



  • Probably the biggest obstacle I see to really simple VPN is that not all OSs honour "push" from openvpn.  When they don't, you need to enter the command on the client side rather than "pushing" to client from the server.  PITA.
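Pulling the three pieces from this thread together as an added example (this is not configuration from the original posts, nor pfSense's own generated output): the OpenVPN server directives that sit behind the "Redirect Gateway" and "Provide a DNS server list to clients" checkboxes, an outbound NAT rule in pf syntax equivalent to what pfSense's Automatic Outbound NAT creates for the tunnel subnet, and the client-side fallback for clients that do not honour push. The tunnel network 192.168.26.0/24 and LAN 192.168.25.0/24 come from the thread; `em0` as the WAN interface is an assumption.

```conf
# --- OpenVPN server side (what the two pfSense checkboxes turn into) ---
# Tunnel network from the thread; remote clients get 192.168.26.x addresses.
server 192.168.26.0 255.255.255.0

# "Redirect Gateway": def1 pushes 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
# instead of replacing the client's default route, so the client's route
# to the VPN server's public address keeps working.
push "redirect-gateway def1"

# "Provide a DNS server list to clients": this must be an address the client
# can reach *through the tunnel*. The pfSense LAN address works as long as
# the DNS Resolver/Forwarder also listens on the OpenVPN interface (or "All")
# and the OpenVPN interface firewall rule (the wizard's allow rule) permits it.
push "dhcp-option DNS 192.168.25.1"

# --- Outbound NAT (pf syntax, equivalent to the Automatic Outbound NAT rule) ---
# Without this, packets from 192.168.26.x leave WAN with their tunnel source
# address and the replies never come back: the client "connects but will not
# send data". em0 = WAN is an assumption; "(em0)" tracks the interface address,
# i.e. the GUI's "NAT Address: WAN address".
nat on em0 inet from 192.168.26.0/24 to any -> (em0)

# --- Client-side fallback (.ovpn) for clients that ignore pushed options ---
redirect-gateway def1
dhcp-option DNS 192.168.25.1
```

Two checks worth doing after applying this: first, if outbound traffic on the pfSense box actually leaves through a VPN client interface (the PIA/StrongVPN case above) rather than WAN, the NAT rule for 192.168.26.0/24 has to exist on that interface too, which is what regenerating Automatic Outbound NAT takes care of and a hand-built manual rule set easily misses; second, `dhcp-option DNS` is only applied automatically by clients that implement it (iOS OpenVPN Connect and the Windows client do; on Linux it needs an `up` script that reads the pushed option), so a client that tunnels everything but cannot resolve names is usually a DNS push problem, not a routing one.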

