Default Gateway changes to OpenVPN
-
Hi there. I have more or less followed the directions here: https://forum.pfsense.org/index.php/topic,29944.0.html to connect to a VPN service.
One difference is that I didn't create my rules in the LAN section of the rules, but the floating tab instead (LAN did not seem to be taking effect at all). I also checked the quick option for the floating rule. I set the source for the rule to an Alias so I can easily add and remove hosts to the Alias and not have to fool around with rules every time.
Now, the strange thing that I am seeing is when I connect the OpenVPN I can go to Diagnostics > Routes and see that the default route changes to the OpenVPN interface address.
This shouldn't be happening and I can't see what I have done to make it happen. I don't have my OVPN GW set to default.
I have rebooted pfsense, but no difference.
What happens when I connect, as you may have deduced by now, is that I get no connectivity beyond pfsense. This is to say that neither hosts in or out of the alias can connect to the internet. I am a bit stumped at this point.
I am running 2.1.1-RELEASE (amd64)
-
Put "route-nopull" (no quotes) at the end of the advanced client section.
-
Thanks for the tip on the command. That gets me one step closer. Now I can hit the internet with my hosts that aren't defined in my floating rule, but the floating rule hosts still can't get anywhere.
-
Not sure about floating rules and the order everything is applied, but it works fine putting the rules on LAN. Put the special rules first (to direct particular traffic to the OpenVPN gateway or to WAN gateway). Then have the general pass all rule at the end, that will match anything else.
-
I moved the rule over to LAN, as suggested, but no change. I moved to manual NAT and added an entry for my VPN traffic and moved it to the top of the list, but still nothing. Here is what a state currently looks like.
udp 8.8.8.8:53 <- 10.0.0.2:51979 NO_TRAFFIC:SINGLE
udp 10.0.0.2:51979 -> 10.10.10.194:48963 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
Every VPN-bound state looks like this.
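A small parser for state lines in the format quoted above, added here as an illustration and not taken from the thread or from pfSense: it reads entries as shown under Diagnostics > States, and flags the ones that were translated onto the tunnel address but never saw a reply (the SINGLE:NO_TRAFFIC symptom described in the post). The tunnel address 10.10.10.194 is taken from the quoted state and assumed to be the OpenVPN client address; the two extra sample lines are constructed so a healthy VPN state and a plain WAN state appear for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: 10.10.10.194 is the OpenVPN client's tunnel address. It is the
# translation address in the state quoted in the thread; nothing else on the
# page confirms which interface it belongs to.
VPN_TUNNEL_ADDR = "10.10.10.194"

# Constructed sample in the format pfSense shows under Diagnostics > States.
# The first two lines are the ones from the thread; the other two are made up
# for contrast (a VPN state that is answering, and a state that never used NAT).
SAMPLE_STATES = """\
udp 8.8.8.8:53 <- 10.0.0.2:51979 NO_TRAFFIC:SINGLE
udp 10.0.0.2:51979 -> 10.10.10.194:48963 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
udp 10.0.0.2:52000 -> 10.10.10.194:48970 -> 8.8.8.8:53 MULTIPLE:MULTIPLE
tcp 10.0.0.3:44123 -> 203.0.113.9:443 ESTABLISHED:ESTABLISHED
"""


def _endpoint(name: str) -> str:
    # "ip:port", captured as two named groups (<name> and <name>_port).
    return rf"(?P<{name}>[\d.]+):(?P<{name}_port>\d+)"


# Layout of one line:  proto  src  <-|->  [nat ->]  dst  state
STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    + _endpoint("src")
    + r"\s+(?P<direction><-|->)\s+"
    + r"(?:" + _endpoint("nat") + r"\s+->\s+)?"
    + _endpoint("dst")
    + r"\s+(?P<state>\S+)\s*$"
)


@dataclass
class State:
    proto: str
    src: str
    nat: Optional[str]   # translated source address, None when no NAT applied
    dst: str
    dst_port: int
    state: str

    @property
    def via_vpn(self) -> bool:
        # Outbound NAT rewrote the source onto the tunnel address, so the
        # packet left through the OpenVPN gateway.
        return self.nat == VPN_TUNNEL_ADDR

    @property
    def no_reply(self) -> bool:
        # pf reports NO_TRAFFIC for a side that has never sent a packet; on an
        # outbound state that means the far end never answered.
        return "NO_TRAFFIC" in self.state.split(":")


def parse_states(text: str) -> List[State]:
    """Parse state-table lines; lines that do not match the format are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states.append(State(
            proto=m["proto"], src=m["src"], nat=m["nat"],
            dst=m["dst"], dst_port=int(m["dst_port"]), state=m["state"],
        ))
    return states


def stuck_vpn_states(text: str) -> List[State]:
    """States that went out through the tunnel and never saw a reply."""
    return [s for s in parse_states(text) if s.via_vpn and s.no_reply]


def vpn_health(text: str) -> dict:
    """Summary a quick check can assert on: how many states used the tunnel,
    how many of those are one-sided, and whether every tunnel state is stuck
    (which is what a broken VPN route or NAT looks like)."""
    vpn = [s for s in parse_states(text) if s.via_vpn]
    stuck = [s for s in vpn if s.no_reply]
    return {"vpn_states": len(vpn), "stuck": len(stuck),
            "all_stuck": bool(vpn) and len(stuck) == len(vpn)}


if __name__ == "__main__":
    for s in stuck_vpn_states(SAMPLE_STATES):
        print(f"no reply via VPN: {s.proto} {s.src} -> {s.dst}:{s.dst_port} ({s.state})")
    print(vpn_health(SAMPLE_STATES))
```

Feed it the copied state list instead of SAMPLE_STATES: if "all_stuck" is true the tunnel is carrying packets out but nothing is returning, which points at the route or the outbound NAT rather than at the firewall rule that selected the gateway.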
-
I figured it out! So it looks like I do need to have that manual outbound NAT after all, it's just a bummer that I can't use aliases for that either. So I looked in my openvpn logs and saw there were a bunch of encryption/decryption errors. So I changed my cipher from AES-256 to BF and now I am up and running! Now to test for any leaking. Thanks for all the help guys, you were all very helpful and friendly.