OpenVPN - not routing Internet traffic?

I am trying to set up a simple VPN at home with my pfSense 1100g. I want all traffic routed through the VPN.

The behavior that I’m getting is that the VPN connects, I’m able to access site-local resources, but unable to route to the Internet.

I can ping everything internal, all servers and services, DNS is working within the tunnel. I just can’t get Internet things to work.

pfSense is running the latest version.
Latest version of Windows OpenVPN as a client.
Latest version of OpenVPN Connect on both Android and iPhone as well.

Firewall rules:
OpenVPN interface

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| 0/0 B | IPv4 * | pfB_Top_v4 | * | * | * | * | none | | pfB_Top_v4 auto rule |
| 0/10 KiB | IPv4 * | * | * | pfB_Top_v4 | * | * | none | | pfB_Top_v4 auto rule |
| 0/0 B | IPv4 * | * | * | pfB_PRI1_v4 | * | * | none | | pfB_PRI1_v4 auto rule |
| 0/0 B | IPv4 ICMP (any) | * | * | * | * | * | none | | ICMP from OpenVPN |
| 0/995 KiB | IPv4 UDP | * | * | * | 53 (DNS) | * | none | | DNS from OpenVPN |
| 0/0 B | IPv4 TCP | * | * | * | 80 (HTTP) | * | none | | HTTP from OpenVPN |
| 0/0 B | IPv4 TCP | * | * | * | 443 (HTTPS) | * | none | | HTTP from OpenVPN |
| 0/44.55 MiB | IPv4 * | * | * | * | * | WAN_DHCP | none | | Allow OpenVPN Out |
| 0/0 B | IPv4 * | * | * | * | * | * | none | | OpenVPN HomeVPN-new wizard |

( tried forcing use of the WAN_DHCP gateway in case that was the issue )

WAN interface:

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| 0/44.05 MiB | * | RFC 1918 networks | * | * | * | * | * | | Block private networks |
| 0/23 KiB | * | Reserved / Not assigned by IANA | * | * | * | * | * | | Block bogon networks |
| 0/24.24 MiB | IPv4 * | pfB_Top_v4 | * | * | * | * | none | | pfB_Top_v4 auto rule |
| 0/181 KiB | IPv4 TCP | * | * | WAN address | 1195 | * | none | | OpenVPN HomeVPN-new wizard |
| 0/73.10 MiB | IPv4 UDP | * | * | WAN address | 1194 (OpenVPN) | * | none | | OpenVPN HomeVPN wizard |
| 0/7 KiB | IPv4 TCP | * | * | * | 22 (SSH) | * | none | | Explicit Block: SSH >> WAN |
| 0/750 B | IPv4 TCP/UDP | * | * | * | 5353 | * | none | | Drop MDNS silently |
| 0/322 KiB | IPv4 TCP | * | * | 172.16.90.254 | 80 (HTTP) | * | none | | NAT Redirect HTTP to HTTPS in DMZ |
| 0/10.48 MiB | IPv4 TCP | * | * | 172.16.90.254 | 443 (HTTPS) | * | none | | NAT HTTPS Forward to DMZ |
| 0/649 KiB | IPv4 TCP | * | * | * | * | * | none | | WAN TCP Connection Blocked |
| 0/665 KiB | IPv4 UDP | * | * | * | * | * | none | | WAN UDP Connection Blocked |
| 0/203 KiB | IPv4+6 * | * | * | * | * | * | none | | WAN - Unsupported Protocol Blocked |

Most of those are commented enough to be straightforward, lmk if there’s anything weird looking.

server config:

dev ovpns2
disable-dco
verb 4
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh the.domain"
local myactualip
tls-server
server 192.168.110.0 255.255.255.0
client-config-dir /var/etc/openvpn/server2/csc
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user somestringhere false server2 1195
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'the.domain.com' 1"
lport 1195
management /var/etc/openvpn/server2/sock unix
max-clients 6
push "dhcp-option DOMAIN the.domain"
push "dhcp-option DNS 172.16.30.1"
push "block-outside-dns"
push "register-dns"
push "dhcp-option NTP 172.16.30.1"
push "redirect-gateway def1"
capath /var/etc/openvpn/server2/ca
cert /var/etc/openvpn/server2/cert
key /var/etc/openvpn/server2/key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server2/tls-auth 0
data-ciphers CHACHA20-POLY1305
data-ciphers-fallback CHACHA20-POLY1305
allow-compression no
persist-remote-ip
float
topology subnet
inactive 300
tun-mtu 1450
mssfix 1420

example client config:

dev tun
persist-tun
persist-key
data-ciphers CHACHA20-POLY1305
data-ciphers-fallback CHACHA20-POLY1305
auth SHA256
tls-client
client
resolv-retry infinite
remote myactualip 1195 tcp4
nobind
verify-x509-name "the.domain.com" name
auth-user-pass
remote-cert-tls server
<ca>
 ... ca ...
</ca>
<cert>
 ... cert ...
</cert>
<key>
 ... key ...
</key>
key-direction 1
<tls-auth>
 ... key ...
</tls-auth>

Does anyone see any issues…? I’m stumped.

I can also post pictures of the pfSense settings if that’s easier and allowed. lmk!

Any help is very much appreciated!

( in the process of editing the firewall rules for more clarity )

To get all traffic to route, make sure you have the correct rules in pfSense and, in the OpenVPN server settings, that you have “Redirect IPv4 Gateway” (“Force all client-generated IPv4 traffic through the tunnel.”) checked.

This is my latest guide for OpenVPN on pfSense

Hi there! Exciting to hear from you 🙂 love all your videos.

I just got it working!

Since I kept banging my head against the problem, I was considering switching to WireGuard. Your video on that points out the need for outbound NAT for the WireGuard network - which I was able to do for OpenVPN, and it works!
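The resolution above (tunnel clients get the default route via `push "redirect-gateway def1"`, but their 192.168.110.0/24 source addresses were never translated on the WAN side) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it reads an OpenVPN server config and `pfctl -sn` style NAT lines and reports whether the tunnel subnet is covered by an outbound NAT rule on the WAN interface. The config excerpt, the NAT lines and the WAN interface name `em0` are constructed for the example.

```python
# Added example (not the thread's code): check that an OpenVPN server which pushes
# redirect-gateway also has outbound NAT for its tunnel subnet on the WAN interface.
# Assumes OpenVPN server.conf lines and pfctl -sn style NAT rule lines as input.
import ipaddress
import re
# Constructed excerpt of the thread's server config.
SERVER_CONF = """
server 192.168.110.0 255.255.255.0
push "redirect-gateway def1"
"""
# Constructed `pfctl -sn` output; WAN interface name 'em0' is hypothetical.
# LAN and DMZ are translated, the tunnel subnet is not: the state in the thread.
NAT_RULES_BROKEN = """
nat on em0 inet from 172.16.30.0/24 to any -> (em0) port 1024:65535
nat on em0 inet from 172.16.90.0/24 to any -> (em0) port 1024:65535
"""
# Same rules plus the outbound NAT entry the poster added for the VPN subnet.
NAT_RULES_FIXED = NAT_RULES_BROKEN + (
    "nat on em0 inet from 192.168.110.0/24 to any -> (em0) port 1024:65535\n")
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.M)
PUSH_RG_RE = re.compile(r'^\s*push\s+"redirect-gateway\b', re.M)
NAT_RE = re.compile(r"^\s*nat\s+on\s+(\S+)\s+(?:inet6?\s+)?from\s+(\S+)\s+to\s+any", re.M)

def tunnel_network(conf):
    """Tunnel subnet from the 'server <net> <mask>' directive."""
    m = SERVER_RE.search(conf)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)

def pushes_redirect_gateway(conf):
    # True if clients are told to send their default route into the tunnel.
    return bool(PUSH_RG_RE.search(conf))

def nat_sources(rules, wan_if):
    # Source networks that have an outbound NAT rule on wan_if.
    nets = []
    for m in NAT_RE.finditer(rules):
        if m.group(1) == wan_if:
            src = "0.0.0.0/0" if m.group(2) == "any" else m.group(2)
            nets.append(ipaddress.ip_network(src, strict=False))
    return nets

def diagnose(conf, rules, wan_if):
    """Explain why tunnel clients would lack Internet access, or return 'ok'."""
    tun = tunnel_network(conf)
    if not pushes_redirect_gateway(conf):
        return "no redirect-gateway pushed: only site-local traffic enters the tunnel"
    if not any(tun.subnet_of(n) for n in nat_sources(rules, wan_if) if n.version == tun.version):
        return f"{tun} is the clients' default route but has no outbound NAT on {wan_if}"
    return "ok"
```

On a real box, feed it the output of `pfctl -sn` and the generated server config (for this thread, `/var/etc/openvpn/server2/config.ovpn`, the path being an assumption) with the actual WAN interface name.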
