Default route from the router itself to NOT use the VPN



  • I have, most likely, a simple question:  I have correctly setup a VPN client on pfSense, and made it so, using firewall rules on the LAN interface make it so the traffic goes thru the VPN only on select source IPs.

    That being done, now, I noticed that all the traffic coming FROM my router goes thru the VPN as the system as both a default route and a 0.0.0.0 route so it always goes thru the VPN.

    How can I make it so that traffic coming from the various services running on my pfsense box doesn't go thru the VPN after the VPN has been initiated? (I'm thinking here DNS, NTP, postfix forwareder, etc…)?


  • Rebel Alliance Developer Netgate

    If your VPN client is OpenVPN and it receives its default route dynamically over that channel (e.g. "redirect-gateway def1" on the server) then you'll need to use "route-nopull" in the advanced options so that the client will ignore the default route information.



  • @jimp:

    If your VPN client is OpenVPN and it receives its default route dynamically over that channel (e.g. "redirect-gateway def1" on the server) then you'll need to use "route-nopull" in the advanced options so that the client will ignore the default route information.

    Hmm, Jim, if I do that I get:

    ]

    | Jan 3 15:29:30 | openvpn[73188]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) |
    | Jan 3 15:29:30 | openvpn[73188]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) |
    | Jan 3 15:29:30 | openvpn[73188]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) |
    | Jan 3 15:29:30 | openvpn[73188]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) |
    | Jan 3 15:29:30 | openvpn[73188]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.124.1.1,topology net30,ifconfig 10.124.1.6 10.124.1.5' |
    | Jan 3 15:29:30 | openvpn[73188]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1) |
    | Jan 3 15:29:28 | openvpn[73188]: [Private Internet Access] Peer Connection Initiated with [AF_INET]x.x.x.x.:1194 |
    | Jan 3 15:29:28 | openvpn[73188]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA |
    | Jan 3 15:29:28 | openvpn[73188]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication |
    | Jan 3 15:29:28 | openvpn[73188]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key |
    | Jan 3 15:29:28 | openvpn[73188]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication |
    | Jan 3 15:29:28 | openvpn[73188]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key |
    | Jan 3 15:29:28 | openvpn[73188]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com[/t][/t][/t]

    My settings are:

    |

    auth-user-pass /etc/openvpn-password.txt;
    ca /etc/ca.crt;
    verb 3;
    route-nopull;
    

    What might this mean?

    Thank you  ;D


Log in to reply