Specific VLAN over OpenVPN



  • I am trying to set up my pfSense such that all traffic from a particular VLAN is routed out over OpenVPN.  Following tutorials on these forums and elsewhere I believe I have things configured such that it should be working; however, I am unable to access the internet from that VLAN.  Does anyone have any ideas for how I can troubleshoot where the problem is?  I don't know if I should be focusing on the rules or the VPN configuration.

    Below is my relevant configuration:

    STATUS|OPENVPN shows a status of up with a virtual ip address

    
    Name 	     Status 	Connected Since 	        Virtual Addr 	Remote Host 	   Bytes Sent      Bytes Rcvd 	
    PIA VPN UDP 	up 	Wed Oct 7 23:33:40 2015 	10.107.1.6 	108.61.27.139 	7.07 MB 	      1.07 MB 	
    
    

    STATUS|GATEWAYS shows the VPN gateway is down

    
    Name            Gateway       Monitor       RTT     Loss    Status
    PIAVPN_VPNV4    10.107.1.5    10.107.1.5    0ms     100%    Offline
    Last check: Thu, 08 Oct 2015 14:20:09 -0400
    
    

    I have created the following rules under FIREWALL|NAT|Outbound

    
    Interface              Source 	Source Port 	Destination 	Destination Port 	NAT Address 	      NAT Port 	Static Port 	Description
    PIAVPN   	127.0.0.0/8 	 * 	        * 	                * 	      PIAVPN address 	      * 	         NO 
    PIAVPN   	10.10.80.0/24 	* 	         * 	              500 	      PIAVPN address 	      * 	         YES
    PIAVPN  	10.10.80.0/24 	* 	          * 	                * 	      PIAVPN address 	      * 	          NO 
    
    

    I have the following rule in VLAN80, which is the VLAN that should be going out over the VPN

    
    ID    Proto    Source    Port    Destination    Port    Gateway         Queue    Schedule    Description
          IPv4 *   *         *       *              *       PIAVPN_VPNV4    none
    
    

    For further reference, below are my OpenVPN logs after restarting the service.

    
    Oct 8 14:37:44 	openvpn[6743]: port_share_port = 0
    Oct 8 14:37:44 	openvpn[6743]: client = ENABLED
    Oct 8 14:37:44 	openvpn[6743]: pull = ENABLED
    Oct 8 14:37:44 	openvpn[6743]: auth_user_pass_file = '/etc/openvpn-password.txt'
    Oct 8 14:37:44 	openvpn[6743]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
    Oct 8 14:37:44 	openvpn[6743]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Oct 8 14:37:44 	openvpn[6918]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
    Oct 8 14:37:44 	openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
    Oct 8 14:37:44 	openvpn[6918]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 8 14:37:44 	openvpn[6918]: LZO compression initialized
    Oct 8 14:37:44 	openvpn[6918]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
    Oct 8 14:37:44 	openvpn[6918]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Oct 8 14:37:44 	openvpn[6918]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
    Oct 8 14:37:44 	openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Oct 8 14:37:44 	openvpn[6918]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Oct 8 14:37:44 	openvpn[6918]: Local Options hash (VER=V4): '41690919'
    Oct 8 14:37:44 	openvpn[6918]: Expected Remote Options hash (VER=V4): '530fdded'
    Oct 8 14:37:44 	openvpn[6918]: UDPv4 link local (bound): [AF_INET]74.108.30.118
    Oct 8 14:37:44 	openvpn[6918]: UDPv4 link remote: [AF_INET]108.61.57.220:1194
    Oct 8 14:37:44 	openvpn[6918]: TLS: Initial packet from [AF_INET]108.61.57.220:1194, sid=9c337db2 84e34e97
    Oct 8 14:37:44 	openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 8 14:37:44 	openvpn[6918]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Oct 8 14:37:44 	openvpn[6918]: Validating certificate key usage
    Oct 8 14:37:44 	openvpn[6918]: ++ Certificate has key usage 00a0, expects 00a0
    Oct 8 14:37:44 	openvpn[6918]: VERIFY KU OK
    Oct 8 14:37:44 	openvpn[6918]: Validating certificate extended key usage
    Oct 8 14:37:44 	openvpn[6918]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Oct 8 14:37:44 	openvpn[6918]: VERIFY EKU OK
    Oct 8 14:37:44 	openvpn[6918]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
    Oct 8 14:37:45 	openvpn[6918]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 8 14:37:45 	openvpn[6918]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 8 14:37:45 	openvpn[6918]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 8 14:37:45 	openvpn[6918]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 8 14:37:45 	openvpn[6918]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Oct 8 14:37:45 	openvpn[6918]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.57.220:1194
    Oct 8 14:37:47 	openvpn[6918]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
    Oct 8 14:37:47 	openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
    Oct 8 14:37:47 	openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Oct 8 14:37:47 	openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Oct 8 14:37:47 	openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Oct 8 14:37:47 	openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: timers and/or timeouts modified
    Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: LZO parms modified
    Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: --ifconfig/up options modified
    Oct 8 14:37:47 	openvpn[6918]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Oct 8 14:37:47 	openvpn[6918]: TUN/TAP device /dev/tun2 opened
    Oct 8 14:37:47 	openvpn[6918]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Oct 8 14:37:47 	openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
    Oct 8 14:37:47 	openvpn[6918]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.113.1.10 10.113.1.9 init
    Oct 8 14:37:47 	openvpn[6918]: Initialization Sequence Completed
    
    
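    As an added triage aid (my own script, not part of this thread and not pfSense or OpenVPN code), the following reads the OpenVPN log lines and the gateway row from the post above and reports what I would check first. The sample log and gateway values are constructed from the figures in the post; note that the gateway row still shows monitor address 10.107.1.5 from before the restart, while the log after the restart assigns the tunnel 10.113.1.10 with peer 10.113.1.9, so the script flags the monitor as probing a stale address. The "cannot be used in this context ([PUSH-OPTIONS])" errors are what OpenVPN prints when the client is configured not to accept pushed routes (route-nopull, the "Don't pull routes" option in pfSense), which is normal for policy routing but means the default route never moves onto the tunnel.

```python
import re

# Constructed sample: a subset of the OpenVPN client log lines quoted in the post.
SAMPLE_LOG = """\
Oct 8 14:37:44 openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Oct 8 14:37:44 openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct 8 14:37:44 openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 8 14:37:47 openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,ping 10,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
Oct 8 14:37:47 openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
Oct 8 14:37:47 openvpn[6918]: Initialization Sequence Completed
"""

# Constructed sample: the Status > Gateways row from the post (taken before the restart).
SAMPLE_GATEWAY = {"name": "PIAVPN_VPNV4", "gateway": "10.107.1.5",
                  "monitor": "10.107.1.5", "loss_pct": 100}

PUSH_REJECT_RE = re.compile(
    r"Options error: option '([^']+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")
CIPHER_RE = re.compile(r"Local Options String: '.*?cipher ([A-Z0-9-]+)")


def parse_log(log_text):
    """Pull the facts that matter for routing out of an OpenVPN client log."""
    info = {"device": None, "local": None, "peer": None, "completed": False,
            "rejected_push": [], "cipher": None, "warnings": []}
    for line in log_text.splitlines():
        m = PUSH_REJECT_RE.search(line)
        if m:  # a server-pushed option the client refused to apply
            info["rejected_push"].append(m.group(1))
            continue
        m = IFCONFIG_RE.search(line)
        if m:  # the addresses actually configured on the tun device
            info["device"], info["local"], info["peer"] = m.groups()
            continue
        m = CIPHER_RE.search(line)
        if m:
            info["cipher"] = m.group(1)
            continue
        if "Initialization Sequence Completed" in line:
            info["completed"] = True
        elif "WARNING:" in line:
            info["warnings"].append(line.split("WARNING: ", 1)[1])
    return info


def triage(log_text, gateway):
    """Return (category, message) findings for the log plus the pfSense gateway row."""
    info = parse_log(log_text)
    findings = []
    if info["completed"]:
        findings.append(("tunnel", "up on %s, local %s, peer %s"
                         % (info["device"], info["local"], info["peer"])))
    else:
        findings.append(("tunnel", "no 'Initialization Sequence Completed' in log"))
    if set(info["rejected_push"]) & {"redirect-gateway", "route"}:
        findings.append(("routes", "pushed routes rejected (route-nopull / 'Don't pull routes'); "
                         "the default route stays on WAN, so VLAN traffic reaches the tunnel "
                         "only through a firewall rule whose gateway is the VPN gateway"))
    if info["peer"] and gateway["monitor"] != info["peer"]:
        findings.append(("gateway", "monitor IP %s differs from current tunnel peer %s; "
                         "the gateway monitor is probing a stale address"
                         % (gateway["monitor"], info["peer"])))
    if gateway["loss_pct"] >= 100:
        findings.append(("gateway", "%s shows 100%% loss and is marked Offline; fix the monitor "
                         "before touching NAT or firewall rules" % gateway["name"]))
    if info["cipher"] and info["cipher"].startswith("BF-"):
        findings.append(("crypto", "data channel uses %s (Blowfish, 64-bit block); prefer AES "
                         "if the provider offers it" % info["cipher"]))
    for w in info["warnings"]:
        if "group or others accessible" in w:
            findings.append(("secrets", "credentials file readable by other users; "
                             "restrict it to the owner (mode 0600)"))
        elif "cache passwords" in w:
            findings.append(("secrets", "password is cached in memory; consider auth-nocache"))
    return findings


if __name__ == "__main__":
    for category, message in triage(SAMPLE_LOG, SAMPLE_GATEWAY):
        print("%-8s %s" % (category, message))
```

    Run it as-is to see the findings for the quoted log; to triage your own box, paste the OpenVPN log into SAMPLE_LOG and the gateway row into SAMPLE_GATEWAY. The two gateway findings are the ones to act on first: a policy-routing rule pointing at a gateway that pfSense has marked Offline will not deliver traffic the way the rule intends, whatever the NAT rules say.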

  • LAYER 8 Netgate

    Kind of confusing having the OpenVPN interface the same name as the OpenVPN interface group.  What's really the deal?

    Hmm.  The interface group is selectable in the outbound NAT config.  As far as I know you cannot use the OpenVPN "interface" which is really an interface group as I understand it, for NAT.  You have to create an assigned interface and NAT on that.



  • That is actually a mistake which I had caught prior to sending the post, and it should actually look like this:

    Interface    Source           Source Port    Destination    Destination Port    NAT Address       NAT Port    Static Port    Description
    PIAVPN       127.0.0.0/8      *              *              *                   PIAVPN address    *           NO
    PIAVPN       10.10.80.0/24    *              *              500                 PIAVPN address    *           YES
    PIAVPN       10.10.80.0/24    *              *              *                   PIAVPN address    *           NO

    I will correct above as well.


  • LAYER 8 Netgate

    What's not working? Define "Can't access the internet." Can you ping 8.8.8.8? Resolve names?



  • There was no internet connectivity on devices on VLAN 80.  After numerous restarts of the service and the router it just started working with no changes to config.  Thanks anyway.



  • @adamjs83:

    There was no internet connectivity on devices on VLAN 80.  After numerous restarts of the service and the router it just started working with no changes to config.  Thanks anyway.

    You might try setting the OpenVPN gateway as the gateway for the entire VLAN80, or on the clients inside
    VLAN80 you might set the OpenVPN gateway as their gateway.

