OpenVPN not working with dual WAN



  • Hi everybody,

    I need your help. Currently I have two systems with pfSense, one at home and one in a small office. At home OpenVPN is working perfectly: I can connect, ping all systems in the LAN network and browse the internet with the new IP.

    At the office my OpenVPN is only half working:

    • I can connect to the pfsense via OpenVPN (via 10.0.8.1 and 192.168.5.1)
    • all traffic is routed over this secure connection (whatismyip.com shows the IP of the office)
    • I can ping the pfsense with the LAN-IP

    But:

    • If I do a speed test at speedtest.net, it shows me an upload speed of zero.
    • I cannot ping or connect to other systems in the LAN environment
    • I cannot access some web pages like our Plesk system (some are working, like whatismyip.com, but most are not)
    • FTP is not working

    I already know that the problem has to be related to our second WAN line. If I disable the second WAN, everything works correctly. But why?

    Here is my setup:

    1. Network:
    • LAN network: 192.168.5.x/24
    • OpenVPN subnet: 10.0.8.x/24
    • WAN1: fixed line with a fixed IP address. I connect with OpenVPN over this line.
    • WAN2: PPPoE DSL with a changing IP.

    OpenVPN:

    • Connection over port ##### with User + Auth and SSL/TLS
    • Protocol: UDP, Device mode: tun, Interface: WAN1

    Rules:

    • OpenVPN: IPv4, Source *, Port *, Destination *, Port *, Gateway: WAN1, Queue: none
    • WAN1: IPv4, Source *, Port *, Destination: WAN1 address, Port *, Gateway: *, Queue: none

    I already tried to change the interface in the OpenVPN server from WAN1 to localhost (as described in this article: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN) but with no success.

    Can you help me debug the situation? I can see no blocked packets in the logs.
    The "route" command on my Linux client shows me the following:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.0.8.5        128.0.0.0       UG    0      0        0 tun0
    default         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
    10.0.8.1        10.0.8.5        255.255.255.255 UGH   0      0        0 tun0
    10.0.8.5        *               255.255.255.255 UH    0      0        0 tun0
    37.148.xxx.xx   192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
    128.0.0.0       10.0.8.5        128.0.0.0       UG    0      0        0 tun0
    192.168.0.0     *               255.255.255.0   U     9      0        0 wlan0
    192.168.5.0     10.0.8.5        255.255.255.0   UG    0      0        0 tun0

    Is that correct?
    Thank you very much for your help.
    Best regards
    Christoph
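Added example (not part of the original post): the client route table above is what OpenVPN produces with `redirect-gateway def1`, and the script below parses it and resolves a few destinations the way the Linux kernel does (longest prefix wins, then lowest metric), so the reader can see why LAN and internet traffic leave via tun0 while the VPN server itself stays on wlan0. Everything here is constructed from the posted table; the server's address is masked as 37.148.xxx.xx in the post, so the RFC 5737 placeholder 203.0.113.10 stands in for it, and the function and variable names are this example's own.

```python
import ipaddress

# Client route table from the post above, column headers translated. The VPN
# server's public address is masked in the post; 203.0.113.10 (documentation
# space) is a placeholder so the line parses. Constructed input, not live output.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.8.5        128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
10.0.8.1        10.0.8.5        255.255.255.255 UGH   0      0        0 tun0
10.0.8.5        *               255.255.255.255 UH    0      0        0 tun0
203.0.113.10    192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.0.8.5        128.0.0.0       UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     9      0        0 wlan0
192.168.5.0     10.0.8.5        255.255.255.0   UG    0      0        0 tun0
"""


def parse_routes(text):
    """Parse `route -n`-style output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}")   # "addr/netmask" form is accepted
        gateway = None if gw == "*" else gw             # "*" means directly connected
        routes.append((net, gateway, int(metric), iface))
    return routes


def lookup(routes, addr):
    """Kernel-style selection: longest prefix wins, then the lowest metric."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r[0]]
    net, gateway, _metric, iface = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, gateway, net.prefixlen


def is_redirect_gateway_def1(routes, tun_iface="tun0"):
    """True when the table has OpenVPN's redirect-gateway def1 layout: 0.0.0.0/1
    and 128.0.0.0/1 via the tunnel (they out-rank the /0 default without
    replacing it) plus a /32 host route to the VPN server via the original
    gateway, so the tunnel's own packets are not routed back into the tunnel."""
    halves = {str(n) for n, _gw, _m, i in routes if i == tun_iface and n.prefixlen == 1}
    original_gw = next((gw for n, gw, _m, i in routes if n.prefixlen == 0 and i != tun_iface), None)
    server_pin = any(n.prefixlen == 32 and gw == original_gw and i != tun_iface
                     for n, gw, _m, i in routes)
    return halves == {"0.0.0.0/1", "128.0.0.0/1"} and server_pin


ROUTES = parse_routes(ROUTE_OUTPUT)

if __name__ == "__main__":
    for probe in ("192.168.5.10", "8.8.8.8", "203.0.113.10", "192.168.0.50"):
        print(probe, "->", lookup(ROUTES, probe))
    print("redirect-gateway def1 layout:", is_redirect_gateway_def1(ROUTES))
```

The table is the normal full-tunnel layout, so the client side of the question is fine; a host in 192.168.5.0/24 that does not answer is being lost on the pfSense side, not by the client's routes.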



  • I guess you are using policy-routing rules on your LAN, to direct traffic to WAN1 and WAN2 according to your failover and load-balancing needs.
    In that case, you need to have a rule on LAN that matches source LANnet, destination OpenVPN tunnel subnet (10.0.8.0/24), gateway none. That will allow the traffic returning from LAN to the OpenVPN client to be passed normally to the routing table, which knows how to route it across the OpenVPN tunnel to the client.
    Without that, the traffic can be forced out WAN1 or WAN2 by a policy-routing rule, and of course never reaches the OpenVPN client.
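Added example (not from the reply above or from pfSense itself): a small model of pfSense's top-down, first-match rule evaluation that shows why the "gateway none" rule the reply describes has to sit above the policy-routing rule. A rule with a gateway set sends matching traffic to that gateway and never consults the routing table; a rule with no gateway hands the packet to the routing table, which knows 10.0.8.0/24 is behind the OpenVPN interface. The subnets are the ones in the thread; the interface labels (`lan`, `wan1`, `ovpns1`), the gateway-group name `WAN_LB`, the rule names and the probe hosts are assumptions made for this example.

```python
import ipaddress

# Subnets from the thread. Interface labels, the WAN_LB gateway group and the
# probe hosts are assumptions for this example.
LAN_NET = ipaddress.IPv4Network("192.168.5.0/24")
VPN_NET = ipaddress.IPv4Network("10.0.8.0/24")
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# System routing table, consulted only when no rule forces a gateway.
ROUTING_TABLE = [
    (VPN_NET, "ovpns1"),   # tunnel subnet sits behind the OpenVPN server interface
    (LAN_NET, "lan"),
    (ANY, "wan1"),         # default route on the fixed line
]


def route_lookup(dst):
    """Longest-prefix match in the system routing table."""
    ip = ipaddress.IPv4Address(dst)
    _net, iface = max((t for t in ROUTING_TABLE if ip in t[0]), key=lambda t: t[0].prefixlen)
    return iface


def first_match(rules, src, dst):
    """pfSense rules are evaluated top to bottom and the first match wins."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((r for r in rules if s in r["src"] and d in r["dst"]), None)


def evaluate(rules, src, dst):
    """Returns (egress, rule name). A gateway on the rule overrides the routing
    table; gateway None defers to it; no match falls through to default deny."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked", None
    if rule["gateway"] is None:
        return route_lookup(dst), rule["name"]
    return rule["gateway"], rule["name"]


def captured_by_policy(rules, src, dst_nets):
    """Audit: names of destination networks whose traffic from src would be
    forced to a gateway instead of following the routing table."""
    captured = []
    for name, net in dst_nets.items():
        rule = first_match(rules, src, str(net.network_address + 1))
        if rule is not None and rule["gateway"] is not None:
            captured.append(name)
    return captured


POLICY_ROUTE = {"name": "LAN out via WAN_LB", "src": LAN_NET, "dst": ANY, "gateway": "WAN_LB"}
BYPASS = {"name": "LAN to OpenVPN clients", "src": LAN_NET, "dst": VPN_NET, "gateway": None}

RULES_BROKEN = [POLICY_ROUTE]                # only the load-balancing rule
RULES_FIXED = [BYPASS, POLICY_ROUTE]         # bypass placed above it
RULES_WRONG_ORDER = [POLICY_ROUTE, BYPASS]   # bypass below it is never reached

if __name__ == "__main__":
    for label, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED), ("wrong order", RULES_WRONG_ORDER)):
        print(label, "LAN -> VPN client:", evaluate(rules, "192.168.5.20", "10.0.8.6"))
        print(label, "captured:", captured_by_policy(rules, "192.168.5.20", {"openvpn": VPN_NET}))
```

`captured_by_policy` is the check to run against any LAN rule set with gateways: every internally routed destination (the tunnel subnet here, but equally a second LAN or an IPsec remote network) that it reports needs its own gateway-none rule above the policy-routing rules, because the floating "wrong order" case shows a bypass rule below them never matches.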

