Dual VPN - In and Out



  • Hello,  so I'm hoping someone can assist me.  I'm running pfSense with a VPN service (pfSense is configured as the OpenVPN client) so that all of my traffic goes over the VPN service.  In addition to that, I have pfSense set up as an OpenVPN server, to allow me to VPN in from my Android phone.  Both work great by themselves.

    They don't like to play well together.  When pfSense is connected to the VPN service (as a client) I cannot connect to my pfSense OpenVPN server (using DDNS address on my WAN).  That is, unless I set a route under System>Routing>Routes for whatever network I'm trying to VPN from.  So say I'm on my phone, on VZW's network. In order to VPN in successfully, I have to add a route for the VZW IP address and specify my WAN as the gateway.

    The fact that I have to specify a route for every network I want to be able to VPN from largely defeats the purpose of having the VPN server set up.  I wanted it primarily as protection when using public wifi, etc…

    So, I'm sure that I must be missing something.  What do I need to do in order to be able to VPN into pfSense from anywhere, without having to specify a route for the source network, AND while pfSense is connected to the paid VPN service as a client?

    Thank you!



  • did you use the "local user access" (road warrior) wizard to set up this VPN server?

    sounds like some sort of a configuration problem. you might have configured the vpn-server to be used in a site-to-site setup.
    Post some more detailed info, so we can help figuring it out.

    screenshots of configuration/routes/rules/…  can help us pinpoint the problem



  • Post your routing table when your server is connected to the remote VPN endpoint as a client.



  • Also, check your OpenVPN logs for (set your log settings to 2000 lines if needed):

    event_wait : Interrupted system call (code=4)
    

    There seems to be a problem with OpenVPN in pfSense 2.1

    -nb



  • @heper:

    did you use the "local user access" (road warrior) wizard to set up this VPN server?

    sounds like some sort of a configuration problem. you might have configured the vpn-server to be used in a site-to-site setup.
    Post some more detailed info, so we can help figuring it out.

    screenshots of configuration/routes/rules/…  can help us pinpoint the problem

    I used the instructions found here when I set up the server (to VPN in from my phone): http://hardforum.com/showthread.php?t=1663797&highlight=pfsense+vpn

    Attached are screenshots of the Server config (VPN in for my phone) and the Client config (VPN out to VPN service), my firewall rules for WAN and OpenVPN, and the IPv4 routing table with pfSense connected to the VPN service as a client (without anything VPNing IN to pfsense).

    @NetBandit:

    Also, check your OpenVPN logs for (set your log settings to 2000 lines if needed):

    event_wait : Interrupted system call (code=4)
    

    There seems to be a problem with OpenVPN in pfSense 2.1

    -nb

    So far I have not seen this message appear in the logs.

    Thanks for the assistance!

    ![pfsense_eriador - Firewall_ Rules - OpenVPN.png](/public/imported_attachments/1/pfsense_eriador - Firewall_ Rules - OpenVPN.png)
    ![pfsense_eriador - Firewall_ Rules.png](/public/imported_attachments/1/pfsense_eriador - Firewall_ Rules.png)
    ![pfsense_eriador - OpenVPN_ Client.png](/public/imported_attachments/1/pfsense_eriador - OpenVPN_ Client.png)
    ![pfsense_eriador - OpenVPN_ Server.png](/public/imported_attachments/1/pfsense_eriador - OpenVPN_ Server.png)
    ![pfsense_eriador - Diagnostics_ Routing tables.png](/public/imported_attachments/1/pfsense_eriador - Diagnostics_ Routing tables.png)



  • I think that I know what is happening with your problem. When the VPN client is active on your server it overrides the default gateway but does not replace it; this is where the 0.0.0.0/1 and 128.0.0.0/1 entries in your routing table come from. When you try to connect to your own VPN service the packets come in via the WAN interface, but the replies are not sent back via the same WAN interface because of the two routes installed by the VPN client connection: the two routes are more specific than the actual default route, so they will be selected for all traffic sent out from the system instead of the default route. This means the replies to connection requests to your VPN service are routed via this VPN client connection and don't make it back to the source. I'm not yet sure how to fix it, but at least that's what I think is happening.

    Edit: You have the firewall rule on the WAN interface that allows the incoming OpenVPN connections to the WAN interface, UDP port 11194. Change the gateway option on that rule to be the gateway of the WAN network instead of the system default.



  • try to add this to your ovpn-client advanced field:

    route-nopull
    

    assign the ovpn-client as an interface, configure the necessary rules. It should automagically create a gateway for it. This gateway could then be used in your firewall rules on LAN/ovpn-server/…

    this should disable the default-gateway override.

    Don't do this remotely … you will probably lock yourself out once or twice ;)
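The two posts above (kpa's diagnosis of the 0.0.0.0/1 and 128.0.0.0/1 routes, and heper's route-nopull fix) describe a longest-prefix-match problem. The following script is an added example, written for this thread and not code from pfSense or from any poster: it simulates the kernel's route selection on two constructed routing tables and shows why the reply to an inbound road-warrior handshake on UDP 11194 leaves through the provider tunnel, why the original poster's per-network static route happens to work, and why route-nopull keeps the default on WAN. All interface names (em0, em1, ovpnc1), gateway addresses and the phone's IP are assumptions; the /1 routes are the ones discussed above.

```python
"""Simulate pfSense/FreeBSD longest-prefix-match route selection.

Constructed for this thread; interface names, gateways and addresses are
assumptions, the 0.0.0.0/1 + 128.0.0.0/1 pair is what "redirect-gateway
def1" installs and what route-nopull suppresses.
"""
import ipaddress

WAN_GW = "203.0.113.1"   # assumed ISP gateway on WAN (em0), TEST-NET-3
VPN_GW = "10.8.0.1"      # assumed provider tunnel gateway on ovpnc1
PHONE = "198.51.100.77"  # assumed carrier address of the phone, TEST-NET-2

# Routing table as (destination, gateway, interface). Gateway None means the
# destination is directly connected.

# Table A: pfSense after the provider pushes its routes. The two /1 routes
# together cover all of IPv4 and are each more specific than 0.0.0.0/0.
ROUTES_DEF1 = [
    ("0.0.0.0/0",      WAN_GW, "em0"),
    ("0.0.0.0/1",      VPN_GW, "ovpnc1"),
    ("128.0.0.0/1",    VPN_GW, "ovpnc1"),
    ("192.168.1.0/24", None,   "em1"),     # LAN
    ("10.8.0.0/24",    None,   "ovpnc1"),  # provider tunnel network
]

# Table B: with "route-nopull" the tunnel comes up but no routes are pulled;
# the default route stays on WAN and the tunnel is only used by policy routing.
ROUTES_NOPULL = [
    ("0.0.0.0/0",      WAN_GW, "em0"),
    ("192.168.1.0/24", None,   "em1"),
    ("10.8.0.0/24",    None,   "ovpnc1"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns (network, gateway, interface) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def reply_path(routes, client_ip):
    """Interface and gateway the reply to an inbound OpenVPN handshake from
    client_ip would use. The request arrived on WAN, but the kernel does not
    remember that; it only consults the forwarding table."""
    _net, gw, iface = lookup(routes, client_ip)
    return iface, gw


def is_asymmetric(routes, client_ip, ingress="em0"):
    """True when the reply leaves on a different interface than the request
    came in on. Such replies carry the wrong source and never reach the
    phone, which is the failure the thread describes."""
    return reply_path(routes, client_ip)[0] != ingress


def with_static_route(routes, client_net):
    """The original poster's workaround: a static route for the client's
    network via WAN. A /24 beats a /1, so only that one network works."""
    return routes + [(client_net, WAN_GW, "em0")]


if __name__ == "__main__":
    for name, table in (("pushed routes", ROUTES_DEF1),
                        ("route-nopull", ROUTES_NOPULL),
                        ("pushed + static /24", with_static_route(ROUTES_DEF1, "198.51.100.0/24"))):
        iface, gw = reply_path(table, PHONE)
        print(f"{name:22s} reply to {PHONE} -> {iface} via {gw} "
              f"asymmetric={is_asymmetric(table, PHONE)}")
```

Running it prints that the pushed-routes table sends the reply out ovpnc1 (asymmetric), while both the static /24 workaround and route-nopull send it back out em0. The static route only fixes the one network it names, which is why the original poster had to add one per carrier; route-nopull fixes every source at once, after which the LAN-to-tunnel policy routing has to be added back explicitly, as heper's post says.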



  • @kpa:

    I think that I know what is happening with your problem. When the VPN client is active on your server it overrides the default gateway but does not replace it; this is where the 0.0.0.0/1 and 128.0.0.0/1 entries in your routing table come from. When you try to connect to your own VPN service the packets come in via the WAN interface, but the replies are not sent back via the same WAN interface because of the two routes installed by the VPN client connection: the two routes are more specific than the actual default route, so they will be selected for all traffic sent out from the system instead of the default route. This means the replies to connection requests to your VPN service are routed via this VPN client connection and don't make it back to the source. I'm not yet sure how to fix it, but at least that's what I think is happening.

    Edit: You have the firewall rule on the WAN interface that allows the incoming OpenVPN connections to the WAN interface, UDP port 11194. Change the gateway option on that rule to be the gateway of the WAN network instead of the system default.

    Thanks, that's pretty much what I thought was going on, I just wasn't sure how to address it.

    @heper:

    try to add this to your ovpn-client advanced field:

    route-nopull
    

    assign the ovpn-client as an interface, configure the necessary rules. It should automagically create a gateway for it. This gateway could then be used in your firewall rules on LAN/ovpn-server/…

    this should disable the default-gateway override.

    Don't do this remotely … you will probably lock yourself out once or twice ;)

    I think that is exactly what I was missing.  I added that code to the advanced options, disabled my default LAN route, added a new LAN route specifying the VPN as the gateway and now it seems to work as desired.  I'll have to test it out some more, but initially I believe this has done it.  Thank you very much!!

