pfSense, openVPN routes

Hi All,

I seem to have some sort of route issue with OpenVPN. This is my situation:

  • Home/office server with pfSense, OpenVPN, some port forwards to local servers and HAproxy acting as a reverse proxy for some other servers. All on one WAN IP (the target)
  • several remote clients, all of which connect to the pfSense OpenVPN server with their respective OpenVPN clients on Linux/Gentoo/KDE, Windows 10 and Android. Note that all use the same OpenVPN configuration.

What I want to achieve is that ALL traffic is routed over the VPN connection (for security reasons). This works for the Android client, but not for the Linux and Windows clients.

The problem for these clients is that the traffic targeted to the WAN IP address of the pfSense/OpenVPN server is routed over the local WAN IP address/WiFi instead of over the VPN tunnel.

It seems that there is some sort of weird routing issue. If I use ‘route’ there indeed is an entry routing traffic to the pfSense/OpenVPN server via the local WiFi gateway instead of the OpenVPN connection/gateway. Changing that, however, breaks all traffic.

Any idea what I need to do/change to have the same behaviour on Linux/Windows as on the Android client (routing ALL traffic over the VPN)?

— edit —
Note that all other traffic NOT targeted at the WAN IP of the pfSense/OpenVPN server (i.e. the rest of the internet) is correctly routed over the VPN tunnel.

On your server config “Redirect IPv4 Gateway” needs to be checked to force all the traffic through the VPN. That’s the first thing I’d check.

You might also have older versions of the OpenVPN clients running, that might be worth checking if you still have the problem.

Then check the client export certs are the correct ones from pfsense for your device.

Thanks for your swift reply!

Yes, “Force all client-generated IPv4 traffic through the tunnel.” is checked on the server. And it also works as expected, since all traffic is routed through the VPN, except all traffic targeted at the WAN IP of the OpenVPN server itself (e.g. webservers etc. running behind NAT on that WAN IP).

All clients are recent. On Linux it's OpenVPN 2.5.2.

Both the client and the server certs are properly exported and assigned on both the client and server side (also using TLS).

I have the feeling something in the routes is going wrong. These are the (anonymised) outputs from the ‘route’ command on Linux:

  • Without OpenVPN active
    Kernel IP routing table
    Destination         Gateway  Genmask  Flags  Metric  Ref  Use  Iface
    default                               UG     600     0    0    wlan0
                                          U      600     0    0    wlan0

  • With OpenVPN active
    default                               UG     50      0    0    tun0
    default                               UG     600     0    0    wlan0
    openvpn.server.uri                    UGH    600     0    0    wlan0
                                          U      600     0    0    wlan0
                                          UH     600     0    0    wlan0
                                          U      50      0    0    tun0

openvpn.server.uri is not the real URL/IP, of course.

Any clue?

— edit —
The first net is the remote OpenVPN server net.
The second net is the local (client) net in which the clients have an IP assigned by the local (non-pfSense) router.

Not too sure.

Sounds like you have configured Openvpn correctly.

Perhaps on the clients they have DoT or DoH in their browsers bypassing the DNS?

Can you replicate the same issues? Load up the OpenVPN client on your laptop and inspect the results.

The IP is correctly resolved (even using the DNS resolver on the pfSense / OpenVPN server which I have set in the OpenVPN config). The request also results in a connection to the right pfSense port forward or HAproxy entries. The problem is that the request is routed over the local WiFi connection instead of over the VPN. I know (and want) the NAT reflection on the pfSense to be used. This would be needed since the OpenVPN server runs locally on the pfSense box. On an Android client this works as expected.

I have tried to remove and change the route entry:
    openvpn.server.uri                    UGH    600     0    0    wlan0

but this breaks all connections. I expect that OpenVPN itself (on the client) needs this route to connect to the OpenVPN server.

Any other ideas?

Seems like a simple/often encountered situation to me…

Does nobody have any clue what else I can do?

I assume your pfSense WAN IP (whether static or dynamic) is also the OpenVPN server IP (--remote x.x.x.x) from the client's perspective. You're going to struggle to route traffic over the VPN tunnel to the same IP the VPN requires to establish the tunnel with in the first place. From the LAN perspective, you would require something like NAT reflection, but you're coming over a routed VPN tunnel.

You’ve got a couple options, depending on your exact security concerns:

  • Leave it as is. If you're using certs and HAProxy to front HTTPS requests, then that already takes care of some of the “security reasons”. Yes, that particular traffic won't traverse the tunnel, but it is traversing the net encrypted after all.
  • Otherwise use split DNS (point all the names you’re serving behind HAProxy to pfSense LAN IP), let your VPN server push a DNS server to clients (pfSense LAN IP), and configure HAProxy to listen on the LAN IP as well.
1 Like
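The two answers above (the /32 host route that OpenVPN installs for its own endpoint, and the split-DNS workaround) can be checked against the posted routing table without touching a real host. The following is an added example, not code from the thread or from pfSense/OpenVPN: it replays the Linux kernel's route selection (longest prefix first, then lowest metric) over a reconstruction of the table the poster showed. Every address in it is an assumption from the RFC 5737/1918 documentation and private ranges standing in for the anonymised values: 192.0.2.10 is the pfSense WAN IP / `--remote` endpoint (the `openvpn.server.uri` row), 192.168.1.0/24 the client's WiFi net, 10.8.0.0/24 the tunnel net and 10.0.0.0/24 the pfSense LAN behind it.

```python
"""Replay Linux route selection over the route table posted in the thread.

Added example, not from the original post or from OpenVPN/pfSense.
All addresses are assumptions standing in for the anonymised output:
  192.0.2.10       pfSense WAN IP = OpenVPN --remote endpoint (openvpn.server.uri)
  192.168.1.0/24   local (client) WiFi net, gateway 192.168.1.1
  10.8.0.0/24      OpenVPN tunnel net, VPN gateway 10.8.0.1 on tun0
  10.0.0.0/24      remote pfSense LAN, pfSense LAN IP 10.0.0.1 (assumed pushed route)
"""
import ipaddress

# Rows in `route -n` order: (destination, gateway or None, metric, iface).
# The comments give the Flags column of the posted output.
ROUTES = [
    ("0.0.0.0/0",      "10.8.0.1",    50,  "tun0"),   # UG  default pushed by redirect-gateway
    ("0.0.0.0/0",      "192.168.1.1", 600, "wlan0"),  # UG  original WiFi default
    ("192.0.2.10/32",  "192.168.1.1", 600, "wlan0"),  # UGH host route OpenVPN adds to its endpoint
    ("192.168.1.0/24", None,          600, "wlan0"),  # U   local WiFi net
    ("10.8.0.0/24",    None,          50,  "tun0"),   # U   tunnel net
    ("10.0.0.0/24",    "10.8.0.1",    50,  "tun0"),   # UG  remote LAN (assumed pushed by server)
]

# Constructed split-DNS view: the same name resolved on the public internet
# and via a pfSense host override pushed to VPN clients (assumed names/IPs).
PUBLIC_DNS = {"www.example.home": "192.0.2.10"}   # resolves to the WAN IP
SPLIT_DNS = {"www.example.home": "10.0.0.1"}      # host override -> pfSense LAN IP


def lookup(dst, routes=ROUTES):
    """Return (iface, gateway) the kernel would pick for dst.

    Longest matching prefix wins; among equal prefixes the lowest metric wins,
    which is why the metric-50 tun0 default beats the metric-600 wlan0 default
    but loses to the /32 host route for the VPN endpoint itself.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric, iface in routes:
        network = ipaddress.ip_network(net)
        if ip in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def lookup_without_host_route(dst):
    """Same lookup after deleting the UGH row, as the poster tried.

    The encapsulated OpenVPN packets to 192.0.2.10 would then themselves be
    sent into tun0, so the tunnel can never carry them: all connections break.
    """
    routes = [r for r in ROUTES if r[0] != "192.0.2.10/32"]
    return lookup(dst, routes)


def egress_for_name(name, resolver):
    """Resolve name with the given (constructed) resolver and route the result."""
    return lookup(resolver[name])


if __name__ == "__main__":
    print("WAN IP of pfSense       ->", lookup("192.0.2.10"))            # wlan0: bypasses tunnel
    print("rest of the internet    ->", lookup("203.0.113.5"))           # tun0
    print("pfSense LAN IP          ->", lookup("10.0.0.1"))              # tun0
    print("WAN IP, host route gone ->", lookup_without_host_route("192.0.2.10"))  # tun0: loop
    print("name via public DNS     ->", egress_for_name("www.example.home", PUBLIC_DNS))
    print("name via split DNS      ->", egress_for_name("www.example.home", SPLIT_DNS))
```

The last two lines are the point of the split-DNS suggestion: a name that resolves to the WAN IP always hits the /32 host route and leaves via wlan0, while the same name resolved through a pfSense host override to the LAN IP falls inside the pushed 10.0.0.0/24 route and goes through tun0, so HAProxy only has to listen on the LAN address as well.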