OpenVPN problem with reaching local hosts versus the internet

  • Thought I had things figured out, but I am struggling once more…

    Am running pfsense as a VPN server to remote clients.

    Under Firewall -> Rules -> OpenVPN Tab I can see the auto-generated VPN wizard rule.

    I have also checked "Force all client generated traffic through the tunnel" in the VPN server setup.

    With the VPN firewall rule unaltered, I can ping and access local hosts from the remote machine when it is VPN'd in. However, I cannot access the internet.

    If I change the Gateway parameter within that rule to WAN_DHCP (instead of default), I can access the internet, but not local hosts.

    I am pretty new to all of this and have not been able to figure out what's going on here. I think something is screwy in my routing tables, but I have never seen routing tables before so they're a bit hard for me to figure out.

    Any suggestions or help?

    x.x.x.x = my internet connection
    y.y.y.y = my PIA virtual address
    z.z.z.z = my PIA remote host
     WAN (wan)       -> re1        -> v4/DHCP4: x.x.x.231/24
     LAN (lan)       -> re2        -> v4:
     OPENVPNVIAPIA (opt2) -> ovpnc2     -> v4: y.y.y.6/32
    [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rn
    Routing tables
    Destination        Gateway            Flags      Netif Expire
                       y.y.y.5            UGS      ovpnc2
    default            x.x.x.1            UGS         re1
    y.y.y.1/32         y.y.y.5            UGS      ovpnc2
    y.y.y.5            link#9             UH       ovpnc2
    y.y.y.6            link#9             UHS         lo0
    x.x.x.0/24         link#2             U           re1
    x.x.x.231          link#2             UHS         lo0
                       link#6             UH          lo0
                       y.y.y.5            UGS      ovpnc2
                       link#3             U           re2
                       link#3             UHS         lo0
                                          UGS      ovpns1
                       link#8             UHS         lo0
                       link#8             UH       ovpns1
    z.z.z.19/32        x.x.x.1            UGS         re1
    [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -indbhW
    Name               Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll  Drop
    re0               1.5K <link#1>      00:0d:b9:34:10:38        0     0     0          0        0     0          0     0     0
    re1               1.5K <link#2>      00:0d:b9:34:10:39     1.3M     0     0       567M     1.6M     0       1.3G     0     0
    re1                  - x.x.x.0/2     x.x.x.231             309K     -     -       231M      18K     -       1.4M     -     -
    re2               1.5K <link#3>      00:0d:b9:34:10:3a     1.5M     0     0       1.2G     1.2M     0       451M     0     0
    re2                  -                                      29K     -     -       2.4M      24K     -       9.4M     -     -
    pflog0             32K <link#4>                               0     0     0          0     8.7K     0       2.4M     0     0
    pfsync0           1.5K <link#5>                               0     0     0          0        0     0          0     0     0
    lo0                16K <link#6>                               0     0     0          0        0     0          0     0     0
    lo0                  -                                        0     -     -          0        0     -          0     -     -
    enc0              1.5K <link#7>                               0     0     0          0        0     0          0     0     0
    ovpns1            1.5K <link#8>                             38K     0     0       6.4M      24K     0        15M     0     0
    ovpns1               -                                        0     -     -          0     1.5K     -       913K     -     -
    ovpnc2            1.5K <link#9>                            252K     0     0       205M     299K     0       203M     0   298
    ovpnc2               - y.y.y.6/32    y.y.y.6                78K     -     -        82M      161     -        12K     -     -
    [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rs
        0 bad routing redirects
        0 dynamically created routes
        0 new gateways due to redirects
        3081 destinations found unreachable
        0 uses of a wildcard route
        0 routes not in table but not freed

  • It has something to do with my PIA client connection.

    When the pfSense client VPN (PIA) is down, everything works fine.
    When it's up and connected to PIA, I cannot reach the internet from remote hosts connected to the VPN server running on pfSense.

  • I figured it out.

    In my outbound NAT rules I had to create a mapping for my VPN's subnet (also called the IPv4 Tunnel Network in the OpenVPN server setup).

    I still am not quite sure why my remote VPN clients default to my PIA gateway, but at least now they work when my PIA connection is up.

  • LAYER 8 Netgate

    PIA has the equivalent of your "Force all client generated traffic through the tunnel" setting.  This amounts to them pushing a default route to you.  So, naturally, all traffic is going to go to them when it's connected.

    Add route-nopull; to the advanced settings of the PIA client instance or, if on 2.2, just check the Don't pull routes checkbox and bounce the VPN.

    It will then be up to you to policy route the traffic you want to go to PIA.

    This is the default route:

    Destination        Gateway            Flags      Netif Expire
                       y.y.y.5            UGS      ovpnc2
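The mechanism in the reply above (a provider "pushing a default route" and the remote clients' internet traffic following it out the PIA tunnel while LAN traffic still works) comes down to longest-prefix matching in the routing table. The following Python script is an added example written for this thread; it is not code from the poster or from Netgate. It parses `netstat -rn`-style output, performs a longest-prefix lookup, and compares the egress interface for several destinations with and without the routes pulled from the client VPN. The routing table it embeds is constructed: documentation and private addresses stand in for the redacted x.x.x.x, y.y.y.y and z.z.z.z values, and the two `/1` routes via the tunnel peer are an assumption, since that is what OpenVPN's `redirect-gateway def1` installs and the destination column is missing from the paste above.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the shape of pfSense/FreeBSD `netstat -rn` output.
# Stand-ins (not the poster's real addresses):
#   203.0.113.0/24  WAN (x.x.x.x)      10.8.0.0/24  PIA client tunnel (y.y.y.y)
#   192.168.1.0/24  LAN                10.0.8.0/24  OpenVPN server tunnel network
#   198.51.100.19   PIA remote host (z.z.z.z), reached directly via the WAN gateway
# The 0.0.0.0/1 and 128.0.0.0/1 routes are the assumed pair a `redirect-gateway def1`
# push installs; together they cover every address more specifically than `default`.
ROUTES_WITH_PIA_PULL = """\
Destination        Gateway            Flags      Netif Expire
0.0.0.0/1          10.8.0.5           UGS      ovpnc2
default            203.0.113.1        UGS         re1
10.8.0.1/32        10.8.0.5           UGS      ovpnc2
10.8.0.5           link#9             UH       ovpnc2
10.8.0.6           link#9             UHS         lo0
203.0.113.0/24     link#2             U           re1
203.0.113.231      link#2             UHS         lo0
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        10.8.0.5           UGS      ovpnc2
192.168.1.0/24     link#3             U           re2
192.168.1.1        link#3             UHS         lo0
10.0.8.0/24        10.0.8.2           UGS      ovpns1
10.0.8.1           link#8             UHS         lo0
10.0.8.2           link#8             UH       ovpns1
198.51.100.19/32   203.0.113.1        UGS         re1
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the IPv4 rows of `netstat -rn` output into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # header or blank line
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # A bare address with no prefix length is a host route (/32).
            network = ipaddress.IPv4Network(dest if "/" in dest else f"{dest}/32", strict=False)
        routes.append(Route(network, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing the address wins,
    which is why a /1 route beats the /0 default without replacing it."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen) if candidates else None


def drop_pulled_routes(routes: List[Route], tunnel_if: str) -> List[Route]:
    """Approximate `route-nopull`: keep the tunnel interface's own link routes
    but discard every gateway route (flag G) that was pushed through it."""
    return [r for r in routes if not (r.netif == tunnel_if and "G" in r.flags)]


def egress_interfaces(text: str, tunnel_if: str, destinations: List[str]) -> Dict[str, Dict[str, str]]:
    """For each destination, report the egress interface with the pulled routes
    in place and again as it would be with route-nopull."""
    pulled = parse_netstat_rn(text)
    nopull = drop_pulled_routes(pulled, tunnel_if)
    result: Dict[str, Dict[str, str]] = {}
    for dst in destinations:
        hit_pulled, hit_nopull = lookup(pulled, dst), lookup(nopull, dst)
        result[dst] = {
            "pulled": hit_pulled.netif if hit_pulled else "unreachable",
            "route-nopull": hit_nopull.netif if hit_nopull else "unreachable",
        }
    return result


if __name__ == "__main__":
    # 192.0.2.10 plays an internet host; the others are a LAN host, a remote
    # client on the server tunnel network, and a neighbour on the WAN subnet.
    for dst, via in egress_interfaces(
        ROUTES_WITH_PIA_PULL, "ovpnc2",
        ["192.0.2.10", "192.168.1.50", "10.0.8.10", "203.0.113.5"],
    ).items():
        print(f"{dst:<14} pulled -> {via['pulled']:<7} route-nopull -> {via['route-nopull']}")
```

With the pulled routes present, a remote client's packet to an internet address leaves via `ovpnc2` (the `/1` route is more specific than `default`), while packets to the LAN and to other remote clients still match their own `/24` routes, which is exactly the split the original post describes. With `route-nopull` applied, internet traffic falls back to the WAN default and it is then up to a policy-routing firewall rule to pick which sources go to PIA.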