Pfsense as commercial VPN client - gateway trouble



  • I had posted this about 2.1.1:

    @ckraimer:

    This post spells it out perfectly: https://forum.pfsense.org/index.php?topic=58399.10%3bwap2 - there are situations with commercial VPN providers where the gateway is assigned and pfSense takes the netmask as the gateway instead of the IP address. This causes lots of challenges. If that were fixed my problem would be solved, but it would also be nice to be able to set it manually like the original poster asked for in 2.1.

    If it can't be fixed - does anyone know how to change that gateway in the General Setup/Routing/Gateways from the command line or using a script?

    I'm back on 2.1 and I believe others would have struggled with this too.  I want a commercial vpn but I don't want it to set the 0.0.0.0 and 128.0.0.0 default routes, I'd rather manually route traffic to the vpn tunnels as well as have multiple tunnels.  To do this, I've tried a couple of different methods:
    route-nopull - this is what I'm currently using.  The problem is when this option is used the $route_vpn_gateway variable is not set in openvpn client - so pfsense's "/usr/local/sbin/ovpn-linkup" script grabs the 5th element of the command line variables which is always the netmask, not the gateway.  Here's a snip from the ovpn-linkup script:

    # ifindex is the tun unit number taken from the interface name in $1 (e.g. ovpnc4 -> 4)
    ifindex="${1##?????}"
    if [ -e /dev/tun$ifindex ]; then
            # Prefer the gateway OpenVPN pushed; with route-nopull this variable is never set
            if [ "" != "$route_vpn_gateway" ]; then
                    /bin/echo $route_vpn_gateway > /tmp/$1_router
            else
                    # Fallback: the 5th positional argument, which in topology subnet is the netmask
                    /bin/echo $5 > /tmp/$1_router
            fi
    fi

    The thing is, with route-nopull that variable ($route_vpn_gateway) isn't set, so there's no way that I can tell for pfSense to know the VPN's gateway.

    To make matters worse, sometimes my vpn provider will have a gateway that's not part of the vpn network.  For example, here:

    openvpn[11513]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.16.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.24.95 255.255.255.0'

    My workaround has been to go into "System, Routing" and manually set the VPN's gateway and monitor IP. However, in the above scenario if I try to set the 172.20.16.1 gateway it will fail because the VPN is assigned a 172.20.24.0 address and pfSense will say:

    "The gateway address 172.20.16.1 does not lie within one of the chosen interface's subnets."

    I just tried "route-noexec" instead of "route-nopull". The 172.20.16.1 gateway is properly assigned but there is no route for the 172.20.16.0 network, so it fails. The only VPN-relevant routing established is this:

    172.20.24.0/24 172.20.24.95 UGS 0 0 1500 ovpnc4
    172.20.24.95 link#9 UH 0 0 1500 ovpnc4

    Has anyone dealt with this before?
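An added example, written for this thread rather than taken from pfSense's ovpn-linkup or from any of the posts: it runs the values quoted above through the two checks that matter here, whether the value an up-script would record as the gateway is really a netmask, and whether the pushed route-gateway lies inside the tunnel's ifconfig subnet (the test pfSense's gateway form applies). It assumes OpenVPN's up-script convention ($1 is the tun device, $5 the remote address, which in "topology subnet" is the netmask) and the route_vpn_gateway environment variable; the PUSH_REPLY payload is copied from the log line in the post.

```shell
#!/bin/sh
# Added example for this thread, not pfSense's own ovpn-linkup: sanity-check the
# gateway an OpenVPN up-script is handed before recording it as the VPN gateway.
# Assumptions: OpenVPN's --up convention ($1 = tun device, $5 = remote address, or
# the netmask in "topology subnet") and the route_vpn_gateway env var, which
# --route-nopull leaves unset. PUSHED is the payload from the post's log line.

PUSHED='PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.16.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.24.95 255.255.255.0'

# push_opt NAME PAYLOAD: value of the first pushed option called NAME ("" if absent).
push_opt() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1 //p" | head -n 1
}

# Dotted quad -> 32-bit integer (format is checked by callers, not here).
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
    }
}

# True if $1 has the shape of an IPv4 address: four dot-separated digit groups.
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|''|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ]
}

# True if $1 is a contiguous netmask (255.255.255.0, 255.255.0.0, ...): the
# inverted mask must be of the form 2^k - 1, i.e. inv & (inv + 1) == 0.
is_netmask() {
    is_dotted_quad "$1" || return 1
    m=$(ip2int "$1")
    inv=$(( 4294967295 - m ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# in_subnet ADDR MASK LOCAL: true if ADDR shares LOCAL's subnet under MASK.
in_subnet() {
    a=$(ip2int "$1"); m=$(ip2int "$2"); l=$(ip2int "$3")
    [ $(( a & m )) -eq $(( l & m )) ]
}

# pick_gateway ROUTE_VPN_GATEWAY ARG5: echo the gateway to record, or fail.
# Same order of preference as ovpn-linkup, but refuses to record $5 when it is
# a netmask, which is exactly the bad value the post describes.
pick_gateway() {
    if [ -n "$1" ]; then
        echo "$1"
        return 0
    fi
    is_dotted_quad "$2" || return 1
    is_netmask "$2" && return 1
    echo "$2"
}

# Run the thread's own values through the checks.
gw=$(push_opt route-gateway "$PUSHED")
set -- $(push_opt ifconfig "$PUSHED")     # $1 = local tunnel address, $2 = netmask
if in_subnet "$gw" "$2" "$1"; then
    echo "route-gateway $gw lies in the tunnel subnet $1/$2"
else
    echo "route-gateway $gw is outside the tunnel subnet $1/$2:"
    echo "pfSense's gateway form rejects it, and without a pushed route there is"
    echo "no route to its network, so one via the tunnel interface is needed first"
fi
if pick_gateway "$route_vpn_gateway" "$2" >/dev/null; then
    echo "with the pushed gateway unset, \$5=$2 would be recorded"
else
    echo "with route-nopull, \$5=$2 is a netmask and must not be recorded as the gateway"
fi
```

Run it with sh; the second branch of each test fires for the values in the post. The last check is the one worth wiring into any custom up-script: a value that passes is_netmask is never a usable next hop, so failing loudly there beats silently writing 255.255.255.0 into /tmp/ovpncN_router.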



  • I'm having this same issue.  Did you ever come up with a solution?



  • This is how you set up multiple VPNs.  Tell me if I need more details.

    1. Set up all your VPNs

    2. Choose one as default and restart them until your router uses that. It may help if your default outbound NAT rules for the default VPN are on top.

    3. Assign static DHCP leases for clients using the other VPNs.

    4. Add firewall rules above the rule that gives internet to your random DHCP leases that specifically port that static DHCP lease through an alternate VPN. The rule looks something like this:

    Interface: LAN
    Source: <static DHCP lease address> (single host or alias)
    Destination: Any
    Gateway: <alternative VPN gateway>

