Netgate Discussion Forum

Specific VLAN over OpenVPN (OpenVPN)
6 Posts, 3 Posters, 1.9k Views
adamjs83

I am trying to set up my pfSense such that all traffic from a particular VLAN is routed out over OpenVPN. Following tutorials on these forums and elsewhere I believe I have things configured such that it should be working; however, I am unable to access the internet from that VLAN. Does anyone have any ideas for how I can troubleshoot where the problem is? I don't know if I should be focusing on the rules or the VPN configuration.

      Below is my relevant configuration:

STATUS | OPENVPN shows a status of up with a virtual IP address:

Name          Status  Connected Since           Virtual Addr  Remote Host    Bytes Sent  Bytes Rcvd
PIA VPN UDP   up      Wed Oct 7 23:33:40 2015   10.107.1.6    108.61.27.139  7.07 MB     1.07 MB


STATUS | GATEWAYS shows the VPN gateway is down:

Name          Gateway     Monitor     RTT  Loss  Status
PIAVPN_VPNV4  10.107.1.5  10.107.1.5  0ms  100%  Offline
Last check: Thu, 08 Oct 2015 14:20:09 -0400


I have created the following rules under FIREWALL | NAT | Outbound:

Interface  Source         Source Port  Destination  Destination Port  NAT Address     NAT Port  Static Port  Description
PIAVPN     127.0.0.0/8    *            *            *                 PIAVPN address  *         NO
PIAVPN     10.10.80.0/24  *            *            500               PIAVPN address  *         YES
PIAVPN     10.10.80.0/24  *            *            *                 PIAVPN address  *         NO


I have the following rule on VLAN80, which is the VLAN that should be going out over the VPN:

ID  Proto   Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4 *  *       *     *            *     PIAVPN_VPNV4  none


For further reference, below are my OpenVPN logs after restarting the service.

      
      Oct 8 14:37:44 	openvpn[6743]: port_share_port = 0
      Oct 8 14:37:44 	openvpn[6743]: client = ENABLED
      Oct 8 14:37:44 	openvpn[6743]: pull = ENABLED
      Oct 8 14:37:44 	openvpn[6743]: auth_user_pass_file = '/etc/openvpn-password.txt'
      Oct 8 14:37:44 	openvpn[6743]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
      Oct 8 14:37:44 	openvpn[6743]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      Oct 8 14:37:44 	openvpn[6918]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
      Oct 8 14:37:44 	openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
      Oct 8 14:37:44 	openvpn[6918]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 8 14:37:44 	openvpn[6918]: LZO compression initialized
      Oct 8 14:37:44 	openvpn[6918]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
      Oct 8 14:37:44 	openvpn[6918]: Socket Buffers: R=[42080->65536] S=[57344->65536]
      Oct 8 14:37:44 	openvpn[6918]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
      Oct 8 14:37:44 	openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
      Oct 8 14:37:44 	openvpn[6918]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
      Oct 8 14:37:44 	openvpn[6918]: Local Options hash (VER=V4): '41690919'
      Oct 8 14:37:44 	openvpn[6918]: Expected Remote Options hash (VER=V4): '530fdded'
      Oct 8 14:37:44 	openvpn[6918]: UDPv4 link local (bound): [AF_INET]74.108.30.118
      Oct 8 14:37:44 	openvpn[6918]: UDPv4 link remote: [AF_INET]108.61.57.220:1194
      Oct 8 14:37:44 	openvpn[6918]: TLS: Initial packet from [AF_INET]108.61.57.220:1194, sid=9c337db2 84e34e97
      Oct 8 14:37:44 	openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Oct 8 14:37:44 	openvpn[6918]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
      Oct 8 14:37:44 	openvpn[6918]: Validating certificate key usage
      Oct 8 14:37:44 	openvpn[6918]: ++ Certificate has key usage 00a0, expects 00a0
      Oct 8 14:37:44 	openvpn[6918]: VERIFY KU OK
      Oct 8 14:37:44 	openvpn[6918]: Validating certificate extended key usage
      Oct 8 14:37:44 	openvpn[6918]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Oct 8 14:37:44 	openvpn[6918]: VERIFY EKU OK
      Oct 8 14:37:44 	openvpn[6918]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
      Oct 8 14:37:45 	openvpn[6918]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Oct 8 14:37:45 	openvpn[6918]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 8 14:37:45 	openvpn[6918]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Oct 8 14:37:45 	openvpn[6918]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 8 14:37:45 	openvpn[6918]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
      Oct 8 14:37:45 	openvpn[6918]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.57.220:1194
      Oct 8 14:37:47 	openvpn[6918]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
      Oct 8 14:37:47 	openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
      Oct 8 14:37:47 	openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
      Oct 8 14:37:47 	openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
      Oct 8 14:37:47 	openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
      Oct 8 14:37:47 	openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: timers and/or timeouts modified
      Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: LZO parms modified
      Oct 8 14:37:47 	openvpn[6918]: OPTIONS IMPORT: --ifconfig/up options modified
      Oct 8 14:37:47 	openvpn[6918]: TUN/TAP device ovpnc2 exists previously, keep at program end
      Oct 8 14:37:47 	openvpn[6918]: TUN/TAP device /dev/tun2 opened
      Oct 8 14:37:47 	openvpn[6918]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Oct 8 14:37:47 	openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
      Oct 8 14:37:47 	openvpn[6918]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.113.1.10 10.113.1.9 init
      Oct 8 14:37:47 	openvpn[6918]: Initialization Sequence Completed
      
      
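An added log audit (example code, not from this thread or from pfSense) that pulls the tunnel addresses and the rejected pushed options out of log lines like the ones in the post, flags the two credential warnings and the BF-CBC cipher, and compares the tunnel peer against the monitor address shown under STATUS | GATEWAYS. The sample log is a constructed excerpt of the post's log, and the note that the rejected push options come from route-nopull is my assumption about this setup.

```python
import re

# Constructed excerpt of the OpenVPN client log quoted in the post above (not the full log).
SAMPLE_LOG = """\
Oct 8 14:37:44 openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Oct 8 14:37:44 openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct 8 14:37:44 openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 8 14:37:47 openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
Oct 8 14:37:47 openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
Oct 8 14:37:47 openvpn[6918]: Initialization Sequence Completed
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_tunnel(log):
    """Return (device, local, peer) as OpenVPN actually configured the tun interface."""
    m = re.search(r"/sbin/ifconfig (\S+) " + IPV4 + " " + IPV4, log)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def rejected_push_options(log):
    """Pushed options the client refused. Assumption: the client runs with route-nopull
    (pfSense's 'Don't pull routes'), which policy-routing a single VLAN usually needs."""
    return re.findall(r"Options error: option '([^']+)' cannot be used", log)

def audit(log, gateway_monitor_ip):
    """Findings a practitioner would act on. gateway_monitor_ip is the Monitor column
    from Status > Gateways; if it no longer matches the tunnel peer, the monitor pings
    an address that no longer exists and the gateway shows Offline with 100% loss."""
    findings = []
    if "is group or others accessible" in log:
        findings.append("credential file readable by group/others")
    if "use the auth-nocache option" in log:
        findings.append("password cached in memory (auth-nocache not set)")
    if "cipher BF-CBC" in log:
        findings.append("64-bit block cipher BF-CBC negotiated")
    if "Initialization Sequence Completed" not in log:
        findings.append("tunnel did not complete initialization")
    tun = parse_tunnel(log)
    if tun and tun[2] != gateway_monitor_ip:
        findings.append(f"gateway monitor {gateway_monitor_ip} is not the tunnel peer {tun[2]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "10.107.1.5"):
        print("-", finding)
```

Run against the post's own numbers (monitor 10.107.1.5 from the gateway status, peer 10.113.1.9 from the log after the restart) the last finding fires, which is the first thing to check when the tunnel is up but the gateway shows Offline.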
Derelict (LAYER 8, Netgate)

Kind of confusing having the OpenVPN interface with the same name as the OpenVPN interface group. What's really the deal?

        Hmm.  The interface group is selectable in the outbound NAT config.  As far as I know you cannot use the OpenVPN "interface" which is really an interface group as I understand it, for NAT.  You have to create an assigned interface and NAT on that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

adamjs83

That is actually a mistake which I had caught prior to sending the post, and it should actually look like this:

Interface  Source         Source Port  Destination  Destination Port  NAT Address     NAT Port  Static Port  Description
PIAVPN     127.0.0.0/8    *            *            *                 PIAVPN address  *         NO
PIAVPN     10.10.80.0/24  *            *            500               PIAVPN address  *         YES
PIAVPN     10.10.80.0/24  *            *            *                 PIAVPN address  *         NO

          I will correct above as well.

Derelict (LAYER 8, Netgate)

            What's not working? Define "Can't access the internet." Can you ping 8.8.8.8? Resolve names?

adamjs83

There was no internet connectivity on devices on VLAN 80. After numerous restarts of the service and the router it just started working with no changes to config. Thanks anyway.

Guest

                @adamjs83:

There was no internet connectivity on devices on VLAN 80. After numerous restarts of the service and the router it just started working with no changes to config. Thanks anyway.

You might try setting the OpenVPN gateway as the gateway for the entire VLAN80, or on the clients inside VLAN80 you might set the OpenVPN gateway as their gateway.
