Netgate Discussion Forum
Any way to add a Gateway on an openvpn interface?

6 Posts 2 Posters 1.5k Views
  whosmatt, last edited Jan 31, 2014, 12:27 AM

    Working on converting a bunch of site-to-site tunneled networks from ASAs to pfsense.

    Anyway, to simplify, we'd like just to add another gateway attached to the openvpn interface and just change our existing static routes to use that.  But, I don't see a way to do it, since the interface, ovpns1, doesn't appear in the drop-down list.

    I know we can add the networks to the openvpn config in a couple of different ways, but managing a comma separated list is cumbersome, especially without the ability to comment it, and the push "route" option in custom config is even worse.

    Any ideas?

    jimp (Rebel Alliance Developer, Netgate), last edited Jan 31, 2014, 6:41 PM

      If you assign the openvpn interface on Interfaces > (assign) then you get an automatic gateway that shows up.

      But you'll find that using static routes to manage those on a VPN is a mess and will break frequently. It's best to use OpenVPN's built-in route handling.

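An added example, not part of the thread or of pfSense: the OP's complaint is that the OpenVPN remote-networks box only takes an uncommented comma-separated list. This script keeps the per-customer list in a commented file (a constructed sample, format assumed here) and emits both the comma-separated value for that box and equivalent plain `route` directives for the custom options, rejecting malformed or overlapping prefixes before they reach the tunnel config.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample inventory (assumed format): one prefix per line,
# '#' starts a comment, so each customer's networks can be annotated.
SAMPLE_INVENTORY = """
# Customer: Acme (reached via the remote-site ASA)
10.10.0.0/24
10.10.1.0/24   # Acme secondary LAN
# Customer: Globex
172.16.40.0/22
10.10.0.0/24   # exact duplicate, dropped silently
"""


def parse_inventory(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the commented inventory into unique, validated networks.

    strict=True rejects host bits set in the prefix (e.g. 10.10.1.5/24),
    a typo that would otherwise be accepted and route the wrong block.
    """
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
        if net not in nets:
            nets.append(net)
    return nets


def find_overlaps(nets: List[ipaddress.IPv4Network]) -> List[Tuple]:
    """Return pairs of prefixes that overlap (ambiguous tunnel routes)."""
    return [(a, b) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def remote_networks_field(nets: List[ipaddress.IPv4Network]) -> str:
    """Comma-separated value for the OpenVPN remote-networks box."""
    if find_overlaps(nets):
        raise ValueError(f"overlapping prefixes: {find_overlaps(nets)}")
    return ",".join(str(n) for n in sorted(nets))


def route_directives(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Equivalent OpenVPN 'route <net> <mask>' lines for custom options."""
    return [f"route {n.network_address} {n.netmask}" for n in sorted(nets)]
```

Regenerate the field value from the inventory file whenever a customer is added, so the commented file stays the source of truth.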
      whosmatt, last edited Jan 31, 2014, 6:59 PM

        Ok, great.

        The reasoning is this:

        Most of these networks are tunneled with an ASA at a remote site.  Right now, the tunnels to that remote site are handled by an ASA in our local site.  The static routes in pfsense point to the local ASA.  There are a LOT of them, and keeping them as static routes allows us to comment them by customer.

        We are wishing to get rid of the ASA in our local site and keep the one in the remote site to handle our user access and tunnels to our customers.  We want to tunnel our internal traffic using pfsense.  So, we need to have traffic destined for these customer sites transported across an OpenVPN (or ipsec) tunnel.

        We are trying to do it with OpenVPN because the number of phase 2 entries with ipsec would be gigantic.

        Why would it break frequently doing it this way?

        whosmatt, last edited Jan 31, 2014, 10:22 PM

          Thanks… I have it working, at least somewhat.

          The first time I added the interface, I manually input my IP and gateway addresses... I realized that was unnecessary.

          I removed it, re-added it, and then tried to add a static route using the ovpns1 gateway that was created (as you said) when I added the interface.  Because it wasn't (yet) addressed, I was unable to do so.  Restarting openvpn fixed that.

          I added the route, and tried to send traffic. It wasn't making it across the tunnel until I sent some traffic directly to the endpoint on the other side.  Then I was also able to send traffic to the routed network.

          So, the plan (if this passes more testing) is to set up the openvpn connections on pfsense with all our internal tunneled networks (the networks that are attached directly to the pfsense endpoints) in the openvpn config, and use static routes for all the networks that are reachable via the ASA at the remote site.

          Does that make sense?

          Thanks for the help.
          Matt

          whosmatt, last edited Jan 31, 2014, 11:48 PM

            Ok, now I see what you mean.  Everything works great until I change a static route to use the OpenVPN gateway, then OpenVPN stops passing traffic until it is restarted.

            whosmatt, last edited Feb 1, 2014, 3:24 AM

              One more update.  We figured out a workaround, for now.  Basically, we have defined the openvpn tunnel with all of our local subnets in the config.  Then, we tunnel those same subnets using ipsec.  This adds up to 50 or so phase 2 entries, but those are pretty static; we don't have to change them often.

              Apparently, the ipsec tunnels take priority in the routing table over the OpenVPN ones.  This means that when we have to add a new route to the OpenVPN tunnel, and thus restart OpenVPN, traffic over the ipsec tunnels still flows and only the traffic to the customer sites (which is minimal, at least from the site that we're dealing with) is interrupted by the OpenVPN restart.
