OpenVPN bug(?) if there is more than one VPN-Server



  • I have three OpenVPN servers in use. Of course this is for very different clients and there are totally different access rules.
    The OpenVPN interfaces are:

    LAN 10.10.10.0/24
    VPN1 10.10.90.1/32 (This is for Laptops/Smartphones) -> via 10.10.90.x/30 -> Single IP per VPN-Client / no NAT
    VPN2 10.10.91.1/32 (This is Site2Site) -> NET 10.10.20.0/24
    VPN3 10.10.92.1/32 (various external things) -> via 10.10.92.x/30 -> Address 192.160.x.0/24 (every client with a separate NAT net / "x" = 1-20)

    If I configure outbound NAT for VPN3
    OpenVPN  any * 192.168.1.0/24 * Interface Address
    then pfSense actually uses round robin for this rule.

    The first packet is NATed to 10.10.90.1
    The second to 10.10.91.1
    The third to 10.10.92.1 (this is the right one)
    The fourth to 10.10.90.1 again.

    This way only one out of three packets finds the right path.
    As the net 192.168.1.0/24 is ONLY routed behind VPN3, pfSense should know that it is not valid to NAT it to another interface than 10.10.92.1.

    I have to use this rule instead:
    OpenVPN  any * 192.168.1.0/24 * 10.10.91.1/32 (or use an Alias for that)

    Is that "normal" or a bug?



  • That's the expected behavior. OpenVPN is a group, using its "interface address" will be a round-robin through that group. Assign the individual ovpnsX interfaces if you want to do that without round robin and specifying "interface address".
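The two outbound NAT forms discussed above, written as the kind of pf rules pfSense generates from them. This is an added illustration, not rules taken from the poster's box or from pfSense's own output; the group name "openvpn", the name ovpns3 for VPN3 and the exact rule layout are assumptions.

```pf
# Form 1 (as in the question): rule on the OpenVPN group with "Interface Address".
# The group contains all three servers, so the translation address expands to a
# list, and pf can only use a list of translation addresses as a round-robin pool.
nat on openvpn inet from any to 192.168.1.0/24 -> { 10.10.90.1, 10.10.91.1, 10.10.92.1 } round-robin

# Form 2 (the fix): NAT only on the assigned interface of VPN3, to its own address.
# 192.168.1.0/24 is routed behind VPN3 only, so 10.10.92.1 is the one valid source.
nat on ovpns3 inet from any to 192.168.1.0/24 -> 10.10.92.1
```

`pfctl -s nat` lists the NAT rules pf actually loaded, which is the quickest way to see whether a rule carries a round-robin address pool.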



  • Thanks for the answer.
    I found several users with the very same problem of understanding. As everywhere, the interface addresses (WAN/LAN/…) are automatically available in drop-down menus. There is no hint that in this case "Interface Address" is a group. It would be great if it were made clearer that "Interface Address" is meant as a group of all VPN interfaces here.

    Also I don't understand in what case this behavior may be intended by a user. Only with exactly one VPN is the result what someone needs.

    And lastly, why is there no dropdown entry for each of the several interfaces of a multi-VPN setup?

    Regards



  • It's not "interface address" that's a group, "OpenVPN" is a group. That's widely documented. The individual connections show up if you assign their interfaces.



  • Probably you're right with "that's widely documented", as you are into that topic and an admin here.
    I didn't find anything about that anyway. Maybe you can point me to a good place to start reading about it?

    Even if pfSense is not for beginners, there are lots of things where I feel the documentation is not comprehensive enough.
    To have "Interface Address" in that dropdown is at least misleading.

    As I can't imagine where someone could use that intentionally then.
    If I have one VPN it will do, but adding a second VPN will break the outbound NAT for the first one. So it should be recommended that you better not use "Interface Address" there, because this can cause problems later, when you have already forgotten that the outbound NAT rules depending on the first VPN are affected then.

