Solved: OpenVPN client connects successfully, but accessing websites fails



  • Alright, so I'm having a bit of a problem setting up an OpenVPN tunnel for my home connection.  I'm trying to route traffic to certain websites through a European endpoint, and to that end I've set up the OpenVPN client to connect to a public VPN server.  I've more or less followed the steps laid out in the stickied StrongVPN tutorial, with obvious changes depending on the configuration of the particular VPN (I've tried several).

    The other difference of course is that rather than routing all my traffic through the VPN, I'm only routing certain websites and IPs.  I've set up an Alias containing those, then added a Firewall rule to the LAN interface forwarding all traffic from the LAN subnet to a destination in that Alias through the OpenVPN gateway.

    Now when I check the status on the various bits of the VPN everything seems okay.  The OpenVPN status page says the connection is up and running, System Logs > OpenVPN shows the expected "Initialization Sequence Completed" message, and the gateway page lists everything as up and running.  Both the Gateway and OpenVPN status pages show me as having an IP address.

    With the rule enabled, traffic does indeed get forwarded through the connection - enabling logging for the rule generates the expected log entries - but the data seems to be sent into the void, never to return.  Pings receive no replies, website access ends in timeout, on and on and on.  At first I thought it was the server I chose, so I switched… then I switched again.  I've used two completely separate services, VPN Gate and VPNBook, and both exhibit the exact same symptoms.

    I'm at a complete loss as to what could be going on here.  Does anybody have any ideas?



  • Firewall->NAT Outbound. Change to manual outbound NAT. In 2.1 you should get some good rules that NAT outbound on the VPN link. On 2.1.1 onwards, you need to add a rule/s yourself, in similar style to the ones on WAN.



  • Ah yeah, I'd already had NAT outbound set to manual.  Figured that would complicate things.

    Now so I get this right, I just need a simple NAT rule on the VPN interface allowing traffic from the LAN to VPN addresses, yeah?



  • It is actually not a pass rule (the pass rule/s are on the LAN interface for traffic that arrives/initiated from LAN).
    But yes, an Outbound NAT rule on the VPN interface that matches traffic (like source LANnet, destination any) and NATs to VPN address. Then your traffic will go out to the VPN provider with source IP as the IP address that the VPN provider allocated on the OpenVPN link, and so the VPN provider will route the return traffic back to you.



  • Great.  Okay.  New problem: ALL my traffic is now routed through the VPN, despite the VPN not being the default gateway and despite the firewall rule only routing traffic matching the Alias through the gateway.



  • It does usually work according to exactly what LAN rules match traffic and push it to the VPN gateway. Take a look at all your rules and aliases and just double-check that things are as you think.
    Post your rules and alias definition if you are stuck - might be something that someone else will notice easily.



  • Well I'm at a complete loss then.  Literally all I've added to the LAN table that isn't standard is a rule at the top of the list for IPv4 traffic, source LAN net, destination Alias, gateway VPN, all other fields wildcard.  Below that are the default LAN to any rules for IPv4 and IPv6 (source LAN net, all other fields wildcard).  Do I need to add another rule specifying WAN traffic go to my internet gateway? Seems like the default routing table should be smart enough to handle that automatically.



  • Found the solution to the issue in this thread.  Turns out you have to add "route-nopull;" as an argument in advanced options.  Otherwise the OpenVPN client tries to grab all outgoing traffic.

    That's kind of a major thing to not have a dedicated option for.  I'm thinking the GUI should have an option specifically to enable or disable that.  Is there a way I should officially propose that?
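
A check for the symptom resolved above, added here as an example and not part of the original thread: it scans OpenVPN client log text for the server's PUSH_REPLY and reports pushed options that would move all traffic onto the tunnel, which is what `route-nopull` makes the client ignore. The log lines are constructed samples, the function names are hypothetical, and the check goes slightly beyond the thread by also flagging pushed `route` entries that cover half or all of the IPv4 space.

```python
import ipaddress
import re

# Constructed sample of an OpenVPN client log (not taken from the thread).
SAMPLE_LOG = """\
Tue Mar  4 10:15:01 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.211.254.254,route-gateway 10.211.1.2,topology net30,ping 3,ping-restart 10,ifconfig 10.211.1.1 10.211.1.2'
Tue Mar  4 10:15:03 2014 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")


def pushed_options(log_text):
    """Return every option the server pushed, in order of appearance."""
    opts = []
    for match in PUSH_RE.finditer(log_text):
        # Drop the leading PUSH_REPLY token, keep the comma-separated options.
        opts.extend(o.strip() for o in match.group(1).split(",")[1:] if o.strip())
    return opts


def full_tunnel_options(options):
    """Return the pushed options that would capture default traffic."""
    hits = []
    for opt in options:
        parts = opt.split()
        if parts[0] == "redirect-gateway":
            hits.append(opt)
        elif parts[0] == "route" and len(parts) >= 2:
            # Syntax: route <network> [netmask]; a missing netmask means /32.
            mask = "255.255.255.255"
            if len(parts) >= 3 and parts[2] != "default":
                mask = parts[2]
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)
            except ValueError:
                continue  # keyword or hostname target such as vpn_gateway
            if net.prefixlen <= 1:  # 0.0.0.0/0, 0.0.0.0/1 or 128.0.0.0/1
                hits.append(opt)
    return hits


if __name__ == "__main__":
    for hit in full_tunnel_options(pushed_options(SAMPLE_LOG)):
        print("server pushes full-tunnel option:", hit)
```

An empty result on a real log means the server is not pushing a default route, so unexpected full-tunnel behaviour would have to come from the firewall rules or alias instead.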



  • That's kind of a major thing to not have a dedicated option for.  I'm thinking the GUI should have an option specifically to enable or disable that.  Is there a way I should officially propose that?

    Feature requests and bug reports are entered at https://redmine.pfsense.org

