OpenVPN problem with reaching local hosts versus the internet
-
Thought I had things figured out, but I am struggling once more…
Am running pfsense as a VPN server to remote clients.
Under Firewall -> Rules -> OpenVPN Tab I can see the auto-generated VPN wizard rule.
I have also checked "Force all client generated traffic through the tunnel" in the VPN server setup.
With the VPN firewall rule unaltered, I can ping and access local hosts from the remote machine when it is VPN'd in. However, I cannot access the internet.
If I change the Gateway parameter within that rule to WAN_DHCP (instead of default), I can access the internet, but not local hosts.
I am pretty new to all of this and have not been able to figure out what's going on here. I think something is screwy in my routing tables, but I have never seen routing tables before so they're a bit hard for me to figure out.
Any suggestions or help?
x.x.x.x = my internet connection y.y.y.y = my PIA virtual address z.z.z.z = my PIA remote host WAN (wan) -> re1 -> v4/DHCP4: x.x.x.231/24 LAN (lan) -> re2 -> v4: 192.168.1.1/24 OPENVPNVIAPIA (opt2) -> ovpnc2 -> v4: y.y.y.6/32 [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire 0.0.0.0/1 y.y.y.5 UGS ovpnc2 default x.x.x.1 UGS re1 y.y.y.1/32 y.y.y.5 UGS ovpnc2 y.y.y.5 link#9 UH ovpnc2 y.y.y.6 link#9 UHS lo0 x.x.x.0/24 link#2 U re1 x.x.x.231 link#2 UHS lo0 127.0.0.1 link#6 UH lo0 128.0.0.0/1 y.y.y.5 UGS ovpnc2 192.168.1.0/24 link#3 U re2 192.168.1.1 link#3 UHS lo0 192.168.2.0/24 192.168.2.2 UGS ovpns1 192.168.2.1 link#8 UHS lo0 192.168.2.2 link#8 UH ovpns1 z.z.z.19/32 x.x.x.1 UGS re1 [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -indbhW Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll Drop re0 1.5K <link#1>00:0d:b9:34:10:38 0 0 0 0 0 0 0 0 0 re1 1.5K <link#2>00:0d:b9:34:10:39 1.3M 0 0 567M 1.6M 0 1.3G 0 0 re1 - x.x.x.0/2 x.x.x.231 309K - - 231M 18K - 1.4M - - re2 1.5K <link#3>00:0d:b9:34:10:3a 1.5M 0 0 1.2G 1.2M 0 451M 0 0 re2 - 192.168.1.0/2 192.168.1.1 29K - - 2.4M 24K - 9.4M - - pflog0 32K <link#4>0 0 0 0 8.7K 0 2.4M 0 0 pfsync0 1.5K <link#5>0 0 0 0 0 0 0 0 0 lo0 16K <link#6>0 0 0 0 0 0 0 0 0 lo0 - 127.0.0.0/8 127.0.0.1 0 - - 0 0 - 0 - - enc0 1.5K <link#7>0 0 0 0 0 0 0 0 0 ovpns1 1.5K <link#8>38K 0 0 6.4M 24K 0 15M 0 0 ovpns1 - 192.168.2.1/3 192.168.2.1 0 - - 0 1.5K - 913K - - ovpnc2 1.5K <link#9>252K 0 0 205M 299K 0 203M 0 298 ovpnc2 - y.y.y.6/32 y.y.y.6 78K - - 82M 161 - 12K - - [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -rs routing: 0 bad routing redirects 0 dynamically created routes 0 new gateways due to redirects 3081 destinations found unreachable 0 uses of a wildcard route 0 routes not in table but not freed</link#9></link#8></link#7></link#6></link#5></link#4></link#3></link#2></link#1> -
It has something to do with my PIA client connection.
When the pfSense client VPN (PIA) is down, everything works fine.
When it's up and connected to PIA, I cannot reach the internet from remote hosts connected to the VPN server running on pfSense. -
I figured it out.
In my outbound NAT rules I had to create a mapping for my VPN's subnet (also called the IPv4 Tunnel Network in the OpenVPN server setup).
I still am not quite sure why my remote VPN clients default to my PIA gateway, but at least now they work when my PIA connection is up.
-
PIA has the equivalent of your "Force all client generated traffic through the tunnel" setting. This amounts to them pushing a default route to you. So, naturally, all traffic is going to go to them when it's connected.
Add route-nopull; to the advanced settings of the PIA client instance or, if on 2.2, just check the Don't pull routes checkbox and bounce the VPN.
It will then be up to you to policy route the traffic you want to go to PIA.
This is the default route:
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 y.y.y.5 UGS ovpnc2
