[solved] Routing WAN traffic over VPN server



  • Hello,

    I have set up an OpenVPN client to connect with IPvanish as described here: https://forum.pfsense.org/index.php?topic=66467.0. It seems to work in that I receive an IP address from IPvanish. However, I am unable to reach anything on the WAN side when the OpenVPN client is running. Any suggestions are much appreciated! Please see below my OpenVPN log:

    Jan 26 05:43:35	openvpn[67468]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Jan 26 05:43:35	openvpn[67468]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jan 26 05:43:35	openvpn[67468]: WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
    Jan 26 05:43:35	openvpn[67794]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 26 05:43:35	openvpn[67794]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 26 05:43:40	openvpn[67794]: UDPv4 link local (bound): [AF_INET]192.168.0.15
    Jan 26 05:43:40	openvpn[67794]: UDPv4 link remote: [AF_INET]81.171.81.9:443
    Jan 26 05:43:40	openvpn[67794]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jan 26 05:43:41	openvpn[67794]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
    Jan 26 05:43:41	openvpn[67794]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Jan 26 05:43:41	openvpn[67794]: [ams-a20.ipvanish.com] Peer Connection Initiated with [AF_INET]81.171.81.9:443
    Jan 26 05:43:43	openvpn[67794]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Jan 26 05:43:43	openvpn[67794]: TUN/TAP device /dev/tun2 opened
    Jan 26 05:43:43	openvpn[67794]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Jan 26 05:43:43	openvpn[67794]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 26 05:43:43	openvpn[67794]: /sbin/ifconfig ovpnc2 172.20.19.121 172.20.16.1 mtu 1500 netmask 255.255.252.0 up
    Jan 26 05:43:43	openvpn[67794]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1569 172.20.19.121 255.255.252.0 init
    Jan 26 05:43:43	openvpn[67794]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jan 26 05:43:43	openvpn[67794]: Initialization Sequence Completed
    

    Best,

    matzus.



  • anyone?



  • Probably because the VPN becomes the default route. See /index.php?topic=106305.0. You need to make sure "don't pull default routes" is selected and then create firewall rules to direct traffic out of the appropriate interface.
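    Two things in this thread are worth checking mechanically: the warnings in the OpenVPN client log from the first post (especially "No server certificate verification method has been enabled", which means the client would accept any endpoint that answers, and the "route add command failed" error that precedes an otherwise reassuring "Initialization Sequence Completed"), and the default-route takeover this reply describes. The script below is an added example, not code from the thread or from pfSense; it triages a constructed log excerpt modelled on the posted one and reads a constructed FreeBSD-style `netstat -rn` table to report which interface carries the default route. Interface names (ovpnc2, em0) and the sample routing tables are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the OpenVPN client log in the first post
# (timestamps dropped, a few lines kept); not the poster's full log.
SAMPLE_LOG = """\
openvpn[67794]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[67794]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[67794]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
openvpn[67794]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
openvpn[67794]: Initialization Sequence Completed
"""

# Constructed `netstat -rn` excerpts (FreeBSD/pfSense column layout).
# First one: the pushed default route has replaced the WAN default route.
SAMPLE_ROUTES_VPN_DEFAULT = """\
Destination        Gateway            Flags     Netif Expire
default            172.20.16.1        UGS      ovpnc2
81.171.81.9/32     192.168.0.1        UGS         em0
192.168.0.0/24     link#1             U           em0
"""
# Second one: what you want with "don't pull routes" set and policy routing done in firewall rules.
SAMPLE_ROUTES_WAN_DEFAULT = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
172.20.16.0/22     link#8             U        ovpnc2
"""

# (pattern, severity, what it means for the tunnel, what to change)
RULES = [
    (r"No server certificate verification method has been enabled", "high",
     "client does not verify the server certificate; a spoofed endpoint would be accepted",
     "enable server certificate verification (remote-cert-tls server / verify-x509-name) with the provider CA"),
    (r"may cache passwords in memory", "low",
     "credentials stay in process memory for reconnects",
     "add auth-nocache if the provider's reconnect behaviour allows it"),
    (r"'comp-lzo' is present in remote config but missing in local", "info",
     "compression setting differs from the server's",
     "match the provider's comp-lzo setting on the client"),
    (r"route add command failed", "medium",
     "a pushed route was not installed, so 'Initialization Sequence Completed' does not mean routing is correct",
     "check for a conflicting route, or set 'don't pull routes' and add routes/firewall rules by hand"),
]

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    line_no: int
    severity: str
    meaning: str
    fix: str


def triage(log_text: str) -> List[Finding]:
    """Match each log line against RULES and return the findings in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pattern, severity, meaning, fix in RULES:
            if re.search(pattern, line):
                findings.append(Finding(n, severity, meaning, fix))
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity among the findings, or None when the log is clean."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default=None)


def tunnel_completed(log_text: str) -> bool:
    """True if OpenVPN reported a completed initialization (not the same as correct routing)."""
    return "Initialization Sequence Completed" in log_text


def default_route_netif(netstat_text: str) -> Optional[str]:
    """Interface (Netif column) of the 'default' route in netstat -rn output, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "default":
            return fields[3]
    return None


def vpn_took_default_route(netstat_text: str, vpn_ifname: str) -> bool:
    """True when the VPN interface carries the default route, i.e. all WAN traffic goes into the tunnel."""
    return default_route_netif(netstat_text) == vpn_ifname


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.meaning} -> {f.fix}")
    print("tunnel completed:", tunnel_completed(SAMPLE_LOG))
    print("VPN is default route:", vpn_took_default_route(SAMPLE_ROUTES_VPN_DEFAULT, "ovpnc2"))
```

    Run it against your own `clog /var/log/openvpn.log` and `netstat -rn` output; if `default_route_netif` returns the ovpnc interface while you expected only selected traffic to use the tunnel, the client is still pulling the server's redirect-gateway push.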



  • Thank you. I got it to work now; for some reason, AON failed to create the necessary NAT rules, so I had to implement them myself. I then set the VPN interface as my LAN gateway, and that was it.

    I do have a DNS leak, however. dnsleaktest.com shows my real location. Any mitigations I can use?



  • Have you tried adding the DNS servers under System > General Setup?
    Choose the VPN under "Use Gateway"



  • Yes, I had that set. The solution was to select the VPN interface at Services -> DNS resolver -> Outgoing Network Interfaces.

    Thank you too!