Netgate Discussion Forum
    [solved] Routing WAN traffic over VPN server

      matzus

      Hello,

      I have set up an OpenVPN client to connect with IPvanish as described here: https://forum.pfsense.org/index.php?topic=66467.0. It seems to work in that I receive an IP address from IPvanish. However, I am unable to reach anything on the WAN side when the OpenVPN client is running. Any suggestions are much appreciated! Please see below my OpenVPN log:

      Jan 26 05:43:35	openvpn[67468]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
      Jan 26 05:43:35	openvpn[67468]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      Jan 26 05:43:35	openvpn[67468]: WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
      Jan 26 05:43:35	openvpn[67794]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Jan 26 05:43:35	openvpn[67794]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 26 05:43:40	openvpn[67794]: UDPv4 link local (bound): [AF_INET]192.168.0.15
      Jan 26 05:43:40	openvpn[67794]: UDPv4 link remote: [AF_INET]81.171.81.9:443
      Jan 26 05:43:40	openvpn[67794]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Jan 26 05:43:41	openvpn[67794]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
      Jan 26 05:43:41	openvpn[67794]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
      Jan 26 05:43:41	openvpn[67794]: [ams-a20.ipvanish.com] Peer Connection Initiated with [AF_INET]81.171.81.9:443
      Jan 26 05:43:43	openvpn[67794]: TUN/TAP device ovpnc2 exists previously, keep at program end
      Jan 26 05:43:43	openvpn[67794]: TUN/TAP device /dev/tun2 opened
      Jan 26 05:43:43	openvpn[67794]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
      Jan 26 05:43:43	openvpn[67794]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Jan 26 05:43:43	openvpn[67794]: /sbin/ifconfig ovpnc2 172.20.19.121 172.20.16.1 mtu 1500 netmask 255.255.252.0 up
      Jan 26 05:43:43	openvpn[67794]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1569 172.20.19.121 255.255.252.0 init
      Jan 26 05:43:43	openvpn[67794]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Jan 26 05:43:43	openvpn[67794]: Initialization Sequence Completed
      

      Best,

      matzus.

        matzus

        anyone?

          kesawi

          Probably because the VPN becomes the default route. See /index.php?topic=106305.0. You need to make sure "don't pull default routes" is selected and then create firewall rules to direct traffic out of the appropriate interface.

            matzus

            Thank you. I got it to work now; for some reason, AON failed to create the necessary NAT rules, so I had to implement them myself. I then set the VPN interface as my LAN gateway, and that was it.

            I do have a DNS leak, however. dnsleaktest.com shows my real location. Any mitigations I can use?

              mrgoodkat

              Have you tried adding the DNS servers under System > General Setup?
              Choose the VPN under "Use Gateway"

              SG-2220

                matzus

                Yes, I had that set. The solution was to select the VPN interface at Services -> DNS resolver -> Outgoing Network Interfaces.

                Thank you too!

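An added example, not written by any poster in this thread and not pfSense or OpenVPN code: a small Python triage of the OpenVPN log in the first post. It separates the warnings about how the tunnel is secured from the messages about routing and option mismatches. The rule list, category names and notes are this example's own assumptions; the sample lines are copied from that log.

```python
import re

# Lines copied from the log in the first post (whitespace normalised).
SAMPLE_LOG = """\
Jan 26 05:43:35 openvpn[67468]: WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
Jan 26 05:43:35 openvpn[67794]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 26 05:43:40 openvpn[67794]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 26 05:43:41 openvpn[67794]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 26 05:43:43 openvpn[67794]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Jan 26 05:43:43 openvpn[67794]: Initialization Sequence Completed
"""

# (pattern, category, note): categories and notes are labels chosen for this example.
RULES = [
    (r"No server certificate verification", "security",
     "server identity is not checked; see the MITM link in the message"),
    (r"may cache passwords in memory", "security",
     "passwords may be cached in memory; the message suggests auth-nocache"),
    (r"is group or others accessible", "security",
     "the file named in the message is accessible beyond its owner"),
    (r"present in remote config but missing in local config", "connectivity",
     "an option differs between client and server"),
    (r"route add command failed", "connectivity",
     "a route could not be installed"),
]

# Syslog-style prefix as shown in the post: "Mon DD HH:MM:SS openvpn[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+openvpn\[\d+\]:\s+(.*)$")

def triage(log_text):
    """Return (timestamp, category, note, message) for each line matching a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OpenVPN log line in the expected format
        ts, msg = m.groups()
        for pattern, category, note in RULES:
            if re.search(pattern, msg):
                findings.append((ts, category, note, msg))
                break  # first matching rule wins
    return findings

if __name__ == "__main__":
    for ts, category, note, msg in triage(SAMPLE_LOG):
        print(f"{ts} [{category}] {note}\n    {msg}")
```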