OpenVPN and policy based routing

  • I've got a setup with 2 computers connected by 2 pfSense routers through a p2p OpenVPN tunnel. I want to use policy routing instead of static routes. It's just not working without the static routes. If I ping from computerA to computerB, the ping goes through the tunnel and reaches computerB. ComputerB is sending the reply, but the Lan interface on pfsenseB thinks there's no route, but there is a policy routing rule active, it's just not using it on the reply.

    This is the data I got from the Packet Capture, when I ping from Computer A to B, but the reverse (B to A) is the same:

    pfSenseA Lan > ICMP echo request

    pfSenseA openvpn tunnel > ICMP echo request

    pfSenseB openvpn tunnel > ICMP echo request

    pfSenseB Lan > ICMP echo request > ICMP echo reply > ICMP host unreachable

    The reason I want to use policy based routing is I want to setup 2 tunnels with the gateway fail over functionality.

    Is there a way to make this work properly?

    Best regards.

  • Rebel Alliance Developer Netgate

    Assign the OpenVPN interfaces on both sides (check wiki/forum for details). move the OpenVPN firewall rules to the assigned interface tab. That will activate pf's reply-to functionality for the VPN interfaces and then it will remember the path the packet entered and send the reply back the way it came in.

  • Hi Jimp,

    Thanks for your response. Mine is a "little" late, had some other stuff to deal with unfortunately. I've tried what I think you meant, but that's not working for me so I think I misunderstand. I've added screen shots of my current configuration and wireshark results.

    Is this correct? because it's not working for me.

    Thanks, Maarten

  • Rebel Alliance Developer Netgate

    Make sure you don't have any rules on the OpenVPN tab that would match the traffic.

  • Yes! that was the problem. I thought I'd tried everything. Thanks Jimp!

Log in to reply