Any way to add a gateway on an OpenVPN interface?
-
Working on converting a bunch of site-to-site tunneled networks from ASAs to pfSense.
Anyway, to simplify, we'd like to just add another gateway attached to the OpenVPN interface and change our existing static routes to use that. But I don't see a way to do it, since the interface, ovpns1, doesn't appear in the drop-down list.
I know we can add the networks to the OpenVPN config in a couple of different ways, but managing a comma-separated list is cumbersome, especially without the ability to comment it, and the push "route" option in the custom config is even worse.
Any ideas?
-
If you assign the OpenVPN interface on Interfaces > (assign), then you get an automatic gateway that shows up.
But you'll find that using static routes to manage those on a VPN is a mess and will break frequently. It's best to use OpenVPN's built-in route handling.
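Added example (editor's note, not part of the reply above or of pfSense's generated config): what "OpenVPN's built-in route handling" looks like for a site-to-site tunnel, written as plain OpenVPN directives. The addresses, customer names, tunnel endpoints and key path are placeholders. The point it shows is that the `route` directive is one network per line and that OpenVPN ignores `#` lines, so the per-customer comments the question asks for are possible in pfSense's Custom options box even though the comma-separated "IPv4 Remote network(s)" field has no room for them.

```conf
# Added example, editor's own. Placeholder site-to-site (shared key, point-to-point)
# tunnel; the addresses, names and key path are assumptions, not from the thread.
dev tun
proto udp
port 1194
secret /var/etc/openvpn/server1.secret   # placeholder path; pfSense writes its own
ifconfig 10.200.0.1 10.200.0.2           # local and remote tunnel endpoints (placeholders)
persist-key
persist-tun
keepalive 10 60

# Networks directly behind the remote pfSense endpoint.
# In the GUI these would be the comma-separated field: 192.168.10.0/24,192.168.11.0/24
route 192.168.10.0 255.255.255.0
route 192.168.11.0 255.255.255.0

# Customer networks that sit behind the ASA at the remote site.
# Same directive, one per line; '#' comment lines are ignored by OpenVPN,
# so each customer can be labelled here.
# Customer A (placeholder)
route 172.16.10.0 255.255.255.0
# Customer B (placeholder)
route 172.16.20.0 255.255.254.0
```

Two caveats a practitioner would want: the remote end needs matching `route` lines back to the local networks, or return traffic never enters the tunnel; and OpenVPN installs these routes when the process starts, so adding a customer still means a restart of that tunnel, which is the interruption the later posts in this thread describe.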
-
Ok, great.
The reasoning is this:
Most of these networks are tunneled with an ASA at a remote site. Right now, the tunnels to that remote site are handled by an ASA in our local site. The static routes in pfSense point to the local ASA. There are a LOT of them, and keeping them as static routes allows us to comment them by customer.
We are wishing to get rid of the ASA in our local site and keep the one in the remote site to handle our user access and tunnels to our customers. We want to tunnel our internal traffic using pfSense. So, we need to have traffic destined for these customer sites transported across an OpenVPN (or IPsec) tunnel.
We are trying to do it with OpenVPN because the number of phase 2 entries with IPsec would be gigantic.
Why would it break frequently doing it this way?
-
Thanks… I have it working, at least somewhat.
The first time I added the interface, I manually input my IP and gateway addresses... I realized that was unnecessary.
I removed it, re-added it, and then tried to add a static route using the ovpns1 gateway that was created (as you said) when I added the interface. Because it wasn't (yet) addressed, I was unable to do so. Restarting openvpn fixed that.
I added the route, and tried to send traffic. It wasn't making it across the tunnel until I sent some traffic directly to the endpoint on the other side. Then I was also able to send traffic to the routed network.
So, the plan (if this passes more testing) is to set up the OpenVPN connections on pfSense with all our internal tunneled networks (the networks that are attached directly to the pfSense endpoints) in the OpenVPN config, and use static routes for all the networks that are reachable via the ASA at the remote site.
Does that make sense?
Thanks for the help.
Matt
-
Ok, now I see what you mean. Everything works great until I change a static route to use the OpenVPN gateway, then OpenVPN stops passing traffic until it is restarted.
-
One more update. We figured out a workaround, for now. Basically, we have defined the OpenVPN tunnel with all of our local subnets in the config. Then, we tunnel those same subnets using IPsec. This adds up to 50 or so phase 2 entries, but those are pretty static; we don't have to change them often.
Apparently, the IPsec tunnels take priority in the routing table over the OpenVPN ones. This means that when we have to add a new route to the OpenVPN tunnel, and thus restart OpenVPN, traffic over the IPsec tunnels still flows and only the traffic to the customer sites (which is minimal, at least from the site that we're dealing with) is interrupted by the OpenVPN restart.