Interesting routing issue

  • Hello!

    I use 2.2 and Openvpn server in tun mode.
    When client connects all is working as intended except one route goes wrong.

    See below:

    Correct traceroute, traffic goes through the tunnel:

    Tracing route to google-public-dns-a.google.com [8.8.8.8]
    over a maximum of 30 hops:
    
      1    14 ms    14 ms    14 ms  10.15.20.1
      2    15 ms    41 ms    15 ms  2903.burek.net [YY.YY.YY.1]
      3    63 ms    23 ms    45 ms  mx-vi1-te-0-0-0.burek.net [IP HERE]
      4    44 ms    43 ms    43 ms  72.14.211.66
      5    45 ms    45 ms    45 ms  216.239.46.115
      6    45 ms    44 ms    45 ms  216.239.48.137
      7    45 ms    45 ms    45 ms  google-public-dns-a.google.com [8.8.8.8]
    Trace complete.
    

    INCORRECT route, traffic goes through the local firewall instead of the tunnel:

    Tracing route to [XX.XX.XX.12]
    over a maximum of 30 hops:
    
      1    <1 ms    <1 ms    <1 ms  firewall.domain.local [192.168.1.1]
      2    13 ms    13 ms    13 ms  gw1.net [ZZ.ZZZ.0.1]
      3    12 ms    12 ms    12 ms  gw2.net [IP HERE]
      4    13 ms    12 ms    13 ms  six.burek.net [IP HERE]
      5    14 ms    14 ms    13 ms  [XX.XX.XX.12]
    Trace complete.
    

    [XX.XX.XX.12] is my WAN IP.
    So if I connect from anywhere and log in to my website (I have no SSL), anyone with access to the router I'm connected to could see my login details.
    Why is only the WAN IP routed through the local gateway instead of the tunnel?

    Thanks!



  • Oh IPv6 is working great and as it should.


  • Rebel Alliance Global Moderator

    Well, what are the routes on the box?  Clearly you have a route that says when trying to go to [XX.XX.XX.12], go to firewall.domain.local [192.168.1.1]



  • At this point, we can't confirm anything, we need more info.

    Post your server1.conf and the routing table from pfSense and a connected client.



  • I was thinking…
    There is actually no need for routing table...
    Let me explain.

    If I connect to XX.XX.XX.XX with OpenVPN, clearly XX.XX.XX.XX MUST go through the local firewall and not through the tunnel. If it went through the tunnel, OpenVPN would not work :)
    So this is by design IMHO.



  • That all depends on your config, routing and full tunnel vs split tunnel.  We are all just speculating without looking at the config and your routing tables.
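To illustrate the longest-prefix matching behind the two posts above (the host route for the OpenVPN endpoint wins over the two halves pushed by redirect-gateway, while a split tunnel never pushes those halves), here is an added Python example that is not from the thread or from pfSense. The routing table, metrics and addresses (203.0.113.12 standing in for XX.XX.XX.12) are constructed assumptions modelled on a Windows client after a full-tunnel connect.

```python
import ipaddress

# Constructed placeholders; 203.0.113.12 stands in for the thread's XX.XX.XX.12
# (the pfSense WAN IP that is also the OpenVPN server endpoint). Not real data.
VPN_SERVER = "203.0.113.12"
LAN_GATEWAY = "192.168.1.1"   # firewall.domain.local in the second traceroute
TUN_GATEWAY = "10.15.20.1"    # first hop of the tunnelled traceroute

# Assumed client routing table after a full-tunnel connect (redirect-gateway def1):
# (prefix, next hop, metric). The /32 host route is what OpenVPN installs so the
# encrypted UDP/TCP session to the server itself keeps using the physical uplink.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", LAN_GATEWAY, 25),        # original default route
    ("0.0.0.0/1", TUN_GATEWAY, 1),         # pushed: lower half of IPv4 space
    ("128.0.0.0/1", TUN_GATEWAY, 1),       # pushed: upper half of IPv4 space
    (VPN_SERVER + "/32", LAN_GATEWAY, 1),  # host route to the VPN endpoint
    ("192.168.1.0/24", "on-link", 1),      # local LAN
]

def split_tunnel_routes():
    """Assumed split-tunnel table: only the remote LAN is pushed, default stays local."""
    return [
        ("0.0.0.0/0", LAN_GATEWAY, 25),
        ("10.15.20.0/24", TUN_GATEWAY, 1),
        ("192.168.1.0/24", "on-link", 1),
    ]

def lookup(dst, routes=FULL_TUNNEL_ROUTES):
    """Return the next hop for dst: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None

def goes_through_tunnel(dst, routes=FULL_TUNNEL_ROUTES):
    """True when dst would leave via the tun interface rather than the local uplink."""
    return lookup(dst, routes) == TUN_GATEWAY

if __name__ == "__main__":
    # 8.8.8.8 matches 0.0.0.0/1 (tunnel); the VPN endpoint matches its /32 (local gateway),
    # which is exactly the split seen in the two traceroutes above.
    for dst in ("8.8.8.8", VPN_SERVER, "192.168.1.50"):
        print(f"{dst} -> {lookup(dst)} (tunnel: {goes_through_tunnel(dst)})")
```

Running `lookup()` against the address of any service hosted on the same WAN IP as the OpenVPN server shows it will take the local gateway, so such a service is only reached through the tunnel if it is addressed by some other IP than the endpoint itself.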