OpenVPN and IPSec VPN both providing internet


  • I have pfSense set up on a VPS, and have created an IPSec VPN from my router providing internet service.  (My router only supports IPSec, not OpenVPN.)  This all works great.

    However, I would like to add an OpenVPN connection as well so that I can connect through the VPN when I am away from home.  I have set everything up through the Wizard in pfSense 2.1.5 and exported the Windows and Android client configurations.  Both clients get proper IP addresses assigned, but neither gets internet access.  I can, however, ping the pfSense server (192.168.1.1) from the PC over its OpenVPN address.

    Before I troubleshoot further I just wanted to confirm that it is possible to have both IPSec and OpenVPN connections to the internet at the same time.  I see from the Site-to-Site configuration How-to page (https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site):

    Both IPSec and OpenVPN may be enabled/in use at the same time, however, not for the same subnets. Any IPSec tunnel that references the same pair of subnets configured for use in OpenVPN must be disabled. IPSec and OpenVPN do not conflict otherwise.

    Both of my connections need to use 0.0.0.0/0 as the remote network; however, the far end of each tunnel is different.

    Am I correct thinking that this should work okay?


  • More information.  Here is the server side config file:

    # OpenVPN server instance as generated by the pfSense 2.1.5 wizard
    # (the /var/etc and /usr/local/sbin paths are pfSense's own).
    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    # NOTE(review): the privilege drop is commented out, so the daemon keeps the
    # privileges it started with; the up/down and client-connect/disconnect
    # scripts below run with those same privileges.
    #user nobody
    #group nobody
    # Level 3 permits the external scripts below and lets passwords reach them
    # through the environment, which the 'via-env' auth-user-pass-verify needs.
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    # No 'auth' directive is set, so the data-channel HMAC is OpenVPN's default
    # (SHA1), matching the exported client's 'auth SHA1'.
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    # Public listen address, redacted by the poster.
    local xxx.xxx.xxx.xxx
    tls-server
    # Tunnel address pool 10.0.2.0/24 — distinct from the 192.168.1.0/24 LAN
    # route pushed further down.
    server 10.0.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 5
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DNS 192.168.1.1"
    push "dhcp-option NTP 192.168.1.1"
    # Pushes a default route through the tunnel. NOTE(review): for that traffic
    # to reach the internet, 10.0.2.0/24 still needs an outbound NAT rule on the
    # WAN and a pass rule on the OpenVPN interface in pfSense — neither is
    # visible in this file, so verify both when troubleshooting.
    push "redirect-gateway def1"
    client-to-client
    # Allows several concurrent sessions under the same certificate CN (with
    # 'username-as-common-name' above, that is the same username).
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    # NOTE(review): judging by the filename these are 1024-bit DH parameters,
    # which is below current key-size recommendations; 2048-bit or larger is
    # advisable.
    dh /etc/dh-parameters.1024
    # HMAC on the TLS control channel; key direction 0 here pairs with
    # direction 1 in the client profile.
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    # NOTE(review): link compression; current guidance is to leave it off unless
    # needed, since compressing attacker-influenced plaintext can leak
    # information about the tunnelled data.
    comp-lzo
    persist-remote-ip
    float
    
    

    And the client side for the OpenVPN Windows program:

    # OpenVPN client profile exported by pfSense for the Windows client.
    dev tun
    persist-tun
    persist-key
    # Must match the server's 'cipher AES-128-CBC'; the server sets no 'auth',
    # so its default HMAC is SHA1 as well.
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    # Server public address, redacted by the poster.
    remote xxx.xxx.xxx.xxx 1194 udp
    lport 0
    # Pins the expected server certificate name — keep this; it helps prevent
    # another certificate issued by the same CA from posing as the server.
    verify-x509-name "CarsonOpenVPNServerCert" name
    auth-user-pass
    # Client certificate, private key and CA bundled in one PKCS#12 file
    # (whether the bundle is password-protected is not visible here).
    pkcs12 pfsense-udp-1194-mcarson75.p12
    # Key direction 1 pairs with the server's 'tls-auth ... 0'.
    tls-auth pfsense-udp-1194-mcarson75-tls.key 1
    # NOTE(review): 'ns-cert-type' checks the legacy Netscape cert-type
    # extension and is deprecated in favour of 'remote-cert-tls server'
    # (extended key usage); pfSense's later exporters emit the latter.
    ns-cert-type server
    # Must mirror the server's 'comp-lzo' setting.
    comp-lzo
    
    

    Thanks,
    -Matt