Hi All,
I seem to have some sort of route issue with OpenVPN. This is my situation:
- Home/office server with pfSense, OpenVPN, some port forwards to local servers and HAproxy acting as a reverse proxy for some other servers. All on one WAN IP (the target)
- several remote clients, all of which connect to the pfSense OpenVPN server with their respective OpenVPN clients on Linux/Gentoo/KDE, Windows 10 and Android. Note that all use the same OpenVPN configuration.
What I want to achieve is that ALL traffic is routed over the VPN connection (for security reasons). This works for the Android client, but not for the Linux and Windows clients.
The problem for these clients is that the traffic targeted to the WAN IP address of the pfSense/OpenVPN server is routed over the local WAN IP address/WiFi instead as over the VPN tunnel.
It seems that there is some sort of weird routing issue. If I use ârouteâ there indeed is an entry routing traffic to the pfSense/OpenVPN server via the local WiFi gateway instead of the OpenVPN connection/gateway. Changing that, however, breaks all traffic.
Any idea what I need to do/change to have the same behaviour on Linux/Windows as on the Android client (routing ALL traffic over the VPN)?
â edit â
Note that all other traffic targeted at NOT the WAN IP of the pfSense/OpenVPN server (i.e. the rest of the internet) is correctly routed over the VPN tunnel
On your server config âRedirect IPv4 Gatewayâ needs to be checked to force all the traffic through the VPN. Thatâs the first thing Iâd check.
You might also have older versions of the OpenVPN clients running, that might be worth checking if you still have the problem.
Then check the client export certs are the correct ones from pfsense for your device.
Thanks for your swift reply!
Yes âForce all client-generated IPv4 traffic through the tunnel.â is checked on the server. And also works as expected, since all traffic is routed though the VPN, except all traffic targeted at the WAN IP of the OpenVPN server itself (e.g. webservers etc running behind NAT on that WAN IP).
All clients are recent. On Linux its OpenVPN 2.5.2.
Both the client and the server certs are properly exported and assigned on both the client and server side (also using TLS).
I have the feeling something in the routes is going wrong. These are the (anon) outputs from the ârouteâ command on Linux:
-
Without OpenVPN active
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.4.1 0.0.0.0 UG 600 0 0 wlan0
192.168.4.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
-
With OpenVPN active
default 192.168.90.1 0.0.0.0 UG 50 0 0 tun0
default 192.168.4.1 0.0.0.0 UG 600 0 0 wlan0
openvpn.server.uri 192.168.4.1 255.255.255.255 UGH 600 0 0 wlan0
192.168.4.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
192.168.4.1 0.0.0.0 255.255.255.255 UH 600 0 0 wlan0
192.168.90.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
openvpn.server.uri is not the real url/IP off course
Any clue?
â edit â
the 192.168.90.0/24 net is the remote OpenVPN server net
the 192.168.4.0/24 net is the local (client) net in which the clients have an IP assigned by the local (non pfSense) router
Not too sure.
Sounds like you have configured Openvpn correctly.
Perhaps on the clients they have DoT or DoH in their browsers bypassing the DNS ?
Can you replicate the same issues ? Load up the OpenVPN client on your laptop and inspect the results.
The IP is correctly resolved (even using the DNS resolver on the pfSense / OpenVPN server which I have set in the OpenVPN config). The request also results in a connection to the right pfSense port forward or HAproxy entries. THe problem is that the request is routed over the local Wifi connection instead of over the VPN. I know (and want) the NAT reflection on the pfSense to be used. This would be needed since the OpenVPN server runs locally on the pfSense box. On an Android client this works as expected.
I have tried to remove and change the route entry:
openvpn.server.uri 192.168.4.1 255.255.255.255 UGH 600 0 0 wlan0
but this breaks all connection. I expect that OpenVPN itself (on the client) needs this route to connect tpo the OpenVPN server.
Any other ideas?
Seems like a simple/often encountered situation to meâŚ
Nobody any clue what I can do else?
I assume your pfSense WAN IP (whether static or dynamic) is also the OpenVPN Server IP (âremote x.x.x.x) from the clientâs perspective. Youâre going to struggle to route traffic over the VPN tunnel to the same IP the VPN requires to establish the tunnel with in the first place. From the LAN perspective, you would require something like NAT reflection, but youâre coming over a routed VPN tunnel.
Youâve got a couple options, depending on your exact security concerns:
- Leave it as is, if youâre using certs and HAProxy to front https requests then that already takes care of some âsecurity reasonsâ. Yes that particular traffic wonât traverse the tunnel, but it is traversing the net encrypted after all.
- Otherwise use split DNS (point all the names youâre serving behind HAProxy to pfSense LAN IP), let your VPN server push a DNS server to clients (pfSense LAN IP), and configure HAProxy to listen on the LAN IP as well.
1 Like