[solved] Routing WAN traffic over VPN server

matzus

Hello,

I have set up an OpenVPN client to connect with IPvanish as described here: https://forum.pfsense.org/index.php?topic=66467.0. It seems to work in that I receive an IP address from IPvanish. However, I am unable to reach anything on the WAN side when the OpenVPN client is running. Any suggestions are much appreciated! Please see below my OpenVPN log:

Jan 26 05:43:35	openvpn[67468]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Jan 26 05:43:35	openvpn[67468]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Jan 26 05:43:35	openvpn[67468]: WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
Jan 26 05:43:35	openvpn[67794]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 26 05:43:35	openvpn[67794]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 26 05:43:40	openvpn[67794]: UDPv4 link local (bound): [AF_INET]192.168.0.15
Jan 26 05:43:40	openvpn[67794]: UDPv4 link remote: [AF_INET]81.171.81.9:443
Jan 26 05:43:40	openvpn[67794]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 26 05:43:41	openvpn[67794]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
Jan 26 05:43:41	openvpn[67794]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 26 05:43:41	openvpn[67794]: [ams-a20.ipvanish.com] Peer Connection Initiated with [AF_INET]81.171.81.9:443
Jan 26 05:43:43	openvpn[67794]: TUN/TAP device ovpnc2 exists previously, keep at program end
Jan 26 05:43:43	openvpn[67794]: TUN/TAP device /dev/tun2 opened
Jan 26 05:43:43	openvpn[67794]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Jan 26 05:43:43	openvpn[67794]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jan 26 05:43:43	openvpn[67794]: /sbin/ifconfig ovpnc2 172.20.19.121 172.20.16.1 mtu 1500 netmask 255.255.252.0 up
Jan 26 05:43:43	openvpn[67794]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1569 172.20.19.121 255.255.252.0 init
Jan 26 05:43:43	openvpn[67794]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Jan 26 05:43:43	openvpn[67794]: Initialization Sequence Completed

Best,

matzus.

matzus

anyone?

kesawi

Probably because the VPN becomes the default route. See /index.php?topic=106305.0. You need to make sure don't pull default roots is selected and then create firewall rules to direct traffic out of the appropriate interface.

matzus

Thank you. I got it to work now; for some reason, AON failed to create the necessary NAT rules, so I had to implement them myself. I then set the VPN interface as my LAN gateway, and that was it.

I do have a DNS leak, however. dnsleaktest.com shows my real location. Any mitigations i can use?

mrgoodkat

Have you tried adding the DNS servers under System > General Setup ?
Choose the VPN under "Use Gateway"

matzus

Yes, I had that set. The solution was to select the VPN interface at Services -> DNS resolver -> Outgoing Network Interfaces.

Thank you too!