Netgate Discussion Forum

OpenVPN problem with reaching local hosts versus the internet
OpenVPN | 4 Posts | 2 Posters | 924 Views

ILLCOMM:
      Thought I had things figured out, but I am struggling once more…

      I am running pfSense as a VPN server for remote clients.

      Under Firewall -> Rules -> OpenVPN Tab I can see the auto-generated VPN wizard rule.

      I have also checked "Force all client generated traffic through the tunnel" in the VPN server setup.

      With the VPN firewall rule unaltered, I can ping and access local hosts from the remote machine when it is VPN'd in. However, I cannot access the internet.

      If I change the Gateway parameter within that rule to WAN_DHCP (instead of default), I can access the internet, but not local hosts.

      I am pretty new to all of this and have not been able to figure out what's going on here. I think something is screwy in my routing tables, but I have never seen routing tables before so they're a bit hard for me to figure out.

      Any suggestions or help?

      
      x.x.x.x = my internet connection
      y.y.y.y = my PIA virtual address
      z.z.z.z = my PIA remote host
      
       WAN (wan)       -> re1        -> v4/DHCP4: x.x.x.231/24
       LAN (lan)       -> re2        -> v4: 192.168.1.1/24
       OPENVPNVIAPIA (opt2) -> ovpnc2     -> v4: y.y.y.6/32
      
      [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rn
      Routing tables
      
      Internet:
      Destination        Gateway            Flags      Netif Expire
      0.0.0.0/1          y.y.y.5            UGS      ovpnc2
      default            x.x.x.1            UGS         re1
      y.y.y.1/32         y.y.y.5            UGS      ovpnc2
      y.y.y.5            link#9             UH       ovpnc2
      y.y.y.6            link#9             UHS         lo0
      x.x.x.0/24         link#2             U           re1
      x.x.x.231          link#2             UHS         lo0
      127.0.0.1          link#6             UH          lo0
      128.0.0.0/1        y.y.y.5            UGS      ovpnc2
      192.168.1.0/24     link#3             U           re2
      192.168.1.1        link#3             UHS         lo0
      192.168.2.0/24     192.168.2.2        UGS      ovpns1
      192.168.2.1        link#8             UHS         lo0
      192.168.2.2        link#8             UH       ovpns1
      z.z.z.19/32        x.x.x.1            UGS         re1
      
      [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -indbhW
      Name      Mtu Network       Address              Ipkts Ierrs Idrop  Ibytes  Opkts Oerrs  Obytes  Coll  Drop
      re0      1.5K <Link#1>      00:0d:b9:34:10:38        0     0     0       0      0     0       0     0     0
      re1      1.5K <Link#2>      00:0d:b9:34:10:39     1.3M     0     0    567M   1.6M     0    1.3G     0     0
      re1         - x.x.x.0/2     x.x.x.231             309K     -     -    231M    18K     -    1.4M     -     -
      re2      1.5K <Link#3>      00:0d:b9:34:10:3a     1.5M     0     0    1.2G   1.2M     0    451M     0     0
      re2         - 192.168.1.0/2 192.168.1.1            29K     -     -    2.4M    24K     -    9.4M     -     -
      pflog0    32K <Link#4>                               0     0     0       0   8.7K     0    2.4M     0     0
      pfsync0  1.5K <Link#5>                               0     0     0       0      0     0       0     0     0
      lo0       16K <Link#6>                               0     0     0       0      0     0       0     0     0
      lo0         - 127.0.0.0/8   127.0.0.1                0     -     -       0      0     -       0     -     -
      enc0     1.5K <Link#7>                               0     0     0       0      0     0       0     0     0
      ovpns1   1.5K <Link#8>                             38K     0     0    6.4M    24K     0     15M     0     0
      ovpns1      - 192.168.2.1/3 192.168.2.1              0     -     -       0   1.5K     -    913K     -     -
      ovpnc2   1.5K <Link#9>                            252K     0     0    205M   299K     0    203M     0   298
      ovpnc2      - y.y.y.6/32    y.y.y.6                78K     -     -     82M    161     -     12K     -     -
      
      [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rs
      routing:
          0 bad routing redirects
          0 dynamically created routes
          0 new gateways due to redirects
          3081 destinations found unreachable
          0 uses of a wildcard route
          0 routes not in table but not freed
      
      ILLCOMM:

        It has something to do with my PIA client connection.

        When the pfSense client VPN (PIA) is down, everything works fine.
        When it's up and connected to PIA, I cannot reach the internet from remote hosts connected to the VPN server running on pfSense.

        ILLCOMM:

          I figured it out.

          In my outbound NAT rules I had to create a mapping for my VPN's subnet (also called the IPv4 Tunnel Network in the OpenVPN server setup).

          I still am not quite sure why my remote VPN clients default to my PIA gateway, but at least now they work when my PIA connection is up.

          Derelict (LAYER 8 Netgate):

            PIA has the equivalent of your "Force all client generated traffic through the tunnel" setting. This amounts to them pushing a default route to you. So, naturally, all traffic is going to go to them when it's connected.

            Add route-nopull; to the advanced settings of the PIA client instance or, if on 2.2, just check the Don't pull routes checkbox and bounce the VPN.

            It will then be up to you to policy route the traffic you want to go to PIA.

            This is the default route:

            Internet:
            Destination        Gateway            Flags      Netif Expire
            0.0.0.0/1          y.y.y.5            UGS      ovpnc2

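Worked illustration, added here as an editorial example and not code from the thread, pfSense or OpenVPN: a longest-prefix-match walk over the routing table ILLCOMM posted, with the x/y/z placeholders swapped for documentation-range addresses and the outbound NAT rule sets constructed to mirror the "before" and "after" states described in the posts. It shows why the two /1 routes PIA pushes (OpenVPN's redirect-gateway def1 pair that Derelict points at) capture internet-bound traffic from the 192.168.2.0/24 tunnel network while the /24 for the LAN still wins for local hosts, why setting WAN_DHCP as the rule gateway drags LAN-bound traffic onto the WAN interface, and why the missing outbound NAT mapping for the tunnel network on the PIA interface was the actual break. Removing the pushed routes models route-nopull. Names such as `table`, `forward`, `Verdict`, `NAT_BEFORE` and `UPLINKS` are this example's own, and the policy-routing model is deliberately simplified (no negate rules, no reply-to).

```python
"""Longest-prefix-match model of the pfSense routing table from the thread.

Added example, not from the forum post, pfSense or OpenVPN. Addresses are
documentation-range stand-ins for the poster's x/y/z placeholders, and the
NAT rule sets are constructed to match the states described in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

WAN_GW = "203.0.113.1"      # stands in for x.x.x.1
PIA_GW = "198.51.100.5"     # stands in for y.y.y.5
PIA_SERVER = "192.0.2.19"   # stands in for z.z.z.19


@dataclass(frozen=True)
class Route:
    dest: Net
    gateway: Optional[str]   # None = directly connected (no G flag in netstat)
    netif: str
    pushed: bool = False     # learned from the PIA server's push, not configured locally


def table(with_pushed_routes: bool) -> list[Route]:
    """The thread's netstat -rn table; with_pushed_routes=False models route-nopull."""
    routes = [
        Route(Net("0.0.0.0/1"), PIA_GW, "ovpnc2", pushed=True),     # redirect-gateway def1, low half
        Route(Net("128.0.0.0/1"), PIA_GW, "ovpnc2", pushed=True),   # redirect-gateway def1, high half
        Route(Net("198.51.100.1/32"), PIA_GW, "ovpnc2", pushed=True),
        Route(Net("0.0.0.0/0"), WAN_GW, "re1"),                     # the real default route
        Route(Net("203.0.113.0/24"), None, "re1"),                  # WAN subnet
        Route(Net("192.168.1.0/24"), None, "re2"),                  # LAN
        Route(Net("192.168.2.0/24"), "192.168.2.2", "ovpns1"),      # OpenVPN server tunnel network
        Route(Net("198.51.100.5/32"), None, "ovpnc2"),              # PIA tunnel peer
        Route(Net(f"{PIA_SERVER}/32"), WAN_GW, "re1"),              # PIA endpoint pinned to WAN
    ]
    return [r for r in routes if with_pushed_routes or not r.pushed]


def lookup(dst: str, routes: list[Route]) -> Route:
    """Kernel-style longest-prefix match: a /1 beats the /0 default, a /24 beats a /1."""
    addr = IPv4(dst)
    return max((r for r in routes if addr in r.dest), key=lambda r: r.dest.prefixlen)


def effective_default(routes: list[Route]) -> str:
    """Interface that carries 'the internet': probe one address in each /1 half."""
    low = lookup("1.1.1.1", routes).netif            # falls in 0.0.0.0/1
    high = lookup("185.199.108.153", routes).netif   # falls in 128.0.0.0/1
    if low != high:
        raise ValueError(f"split default route: {low} vs {high}")
    return low


# Outbound NAT rules as (interface, source network). Constructed: the "before"
# set covers both internal networks on WAN but only the LAN on the PIA
# interface, which is the gap the poster closed by adding a mapping for the
# OpenVPN server's tunnel network.
NAT_BEFORE = {("re1", Net("192.168.1.0/24")), ("re1", Net("192.168.2.0/24")),
              ("ovpnc2", Net("192.168.1.0/24"))}
NAT_AFTER = NAT_BEFORE | {("ovpnc2", Net("192.168.2.0/24"))}

UPLINKS = {"re1", "ovpnc2"}  # interfaces behind which RFC1918 sources must be translated


@dataclass(frozen=True)
class Verdict:
    netif: str
    status: str   # "ok" or the reason the flow cannot work


def forward(src: str, dst: str, routes: list[Route], nat: set,
            policy_gateway: Optional[str] = None) -> Verdict:
    """Where a packet from src to dst leaves and whether it will be translated.

    policy_gateway models a firewall rule with its Gateway field set: the
    rule's gateway overrides the routing table (simplified, no negate rules).
    """
    natural = lookup(dst, routes).netif
    if policy_gateway is not None:
        netif = lookup(policy_gateway, routes).netif
        if natural != netif and natural not in UPLINKS:
            return Verdict(netif, f"policy-routed out {netif}; {dst} lives on {natural}")
    else:
        netif = natural
    if netif in UPLINKS and IPv4(src).is_private:
        if not any(iface == netif and IPv4(src) in net for iface, net in nat):
            return Verdict(netif, f"no outbound NAT on {netif} for {src}")
    return Verdict(netif, "ok")


if __name__ == "__main__":
    client = "192.168.2.2"   # a remote OpenVPN client inside the tunnel network
    scenarios = [
        ("PIA up, stock OpenVPN rule", table(True), NAT_BEFORE, None),
        ("PIA up, rule gateway WAN_DHCP", table(True), NAT_BEFORE, WAN_GW),
        ("PIA up, NAT added for tunnel network", table(True), NAT_AFTER, None),
        ("PIA up with route-nopull", table(False), NAT_AFTER, None),
    ]
    for label, routes, nat, gw in scenarios:
        print(label)
        for dst in ("192.168.1.10", "1.1.1.1"):
            v = forward(client, dst, routes, nat, gw)
            print(f"  {client} -> {dst:<14} via {v.netif:<7} {v.status}")
```

Run it and compare the four scenarios with the symptoms in the thread: the first reproduces "LAN yes, internet no", the second "internet yes, LAN no", the third is the poster's fix, and the fourth is Derelict's route-nopull suggestion, after which internet-bound traffic takes the WAN default again and anything meant for PIA has to be policy routed explicitly. In pf terms the mapping the poster added is roughly `nat on ovpnc2 inet from 192.168.2.0/24 to any -> (ovpnc2)`; the exact rule pfSense generates from the Outbound NAT page is not shown in the thread.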
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.