Policy Based Routing over VPN

Just upgraded to pfsense 2.5 and my settings for PBR via my VPN no longer work. I had followed Tom’s guide on youtube pfsense OpenVPN Policy Routing With Kill Switch Using PIA / Private Internet Access - YouTube and had it working fine. My tunnel is connected as I’m able to send pings out through that interface. The kill switch is working as it should also, but no traffic is able to leave through the VPN. Wondering if something changed in this new version.


Thanks for the heads up

As written in the other post, I just finished upgrading - saw a similar issue. All my Advanced rules with a dedicated WAN override were broken too. They were in place but not loaded. So in case you use 2 WAN or, like you, one rule to push something over VPN, it may break.

So again a warning to everybody: If you hit upgrade now, be sure it’s a non-critical system and you have hands-on possibility. If your WAN rules drop there is no remote recovery :slight_smile:

Thanks for confirming it may be a bug. Ugh, need this working so looks like I’m going back to 2.4.5…

I was able to fix it by removing everything associated with the PBR over VPN - CA, VPN Client, NAT rules and firewall rules. I then reconfigured everything from scratch and got it working. I still need to restart pfsense and see if they stick.

I was so involved in getting the VPN gateway to work on specific clients that I didn’t notice that my entire network was utilizing the VPN. Ugh.

Another follow-up. I just can’t get policy based routing to work with an OpenVPN client. But I was able to get WireGuard set up and working with policy based rules. I’m not sure if this is a PBR issue, an OpenVPN issue or a combination of the two. Seems related to either the new version of pfsense and/or OpenVPN. Anyone get this working after upgrading pfsense?

On the Netgate forum someone mentioned the CA Cert being a possible issue from the upgrade.

In case anyone is following this thread:

I’m using AirVPN, on their servers you can see which version of OpenVPN they are running.

Just a thought, you might want to ensure you are also connected to an OpenVPN server running 2.5 from your provider.

Have a feeling if you were to completely rebuild pfSense it would all work as before, obviously seems to be many issues with upgrading.

The thought has crossed my mind but it would take me an entire day to go through it, with no guarantee it would even work. There’s a known bug regarding non-local gateways failing to come back up after reboot. Seems possible it applies here since I experienced the same issue upon reboot after getting it connected (albeit everything on my network using it for some reason). Even that is one issue of the total problem which I suspect is part pfsense and part openvpn.


Just wanted to give an update. I got it working and I finally figured out what it was.

I’m using Torguard, and with the newest version of OpenVPN there were some settings that were added and/or removed since their last guide to setting up a client. The issues I was experiencing all fell on one setting that their guide says to leave unchecked - “Don’t pull routes”.

I never had this setting enabled on version 2.4.5. Plus some new settings that didn’t get applied properly, so obviously it explains why everything went down after the upgrade.

With the “Don’t pull routes” disabled, EVERYTHING was being routed via the VPN client, no matter what PBR I had in place. So if the client was configured wrong and not up, my entire network would go down as well. Once enabled, PBR would only route via the VPN client and everything else through the WAN.

What a fucking shit show the last week has been trying to figure this shit out.

Good of you to post your findings … It sounds like having a “reference build” to compare with would save a lot of time. Must admit from the start of using pfsense I’ve wanted to document my build. The best I have come up with are screenshots of each config page … c.200.

Think I will definitely wait until 2.5.1 unless I have a spare weekend to do a clean build.

I thought it relevant because in Tom’s configuration video that I included above, he does not enable “Don’t pull routes”. While that guide and option disabled worked for me on 2.4.5, 2.5.0 requires it enabled if you want to do selective routing. Otherwise, everything on your network is going to route over the client, and if that gateway goes down for whatever reason, you’ll have no internet access on anything even though your WAN gateway is up.
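The symptom described in this thread (the whole LAN leaving via the VPN client even though only a few hosts have PBR rules) shows up in the routing table: when the client pulls the provider's pushed routes, OpenVPN's `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the /0 default route. The script below is an added example, not from the thread or from pfSense; it parses a FreeBSD-style `netstat -rn` dump (two constructed samples are embedded) and flags catch-all routes that leave via an interface named `ovpnc*`, the pfSense naming for OpenVPN client interfaces.

```python
"""Detect a VPN-pushed catch-all route in a pfSense/FreeBSD routing table.

Added example (not pfSense's own tooling). Assumes `netstat -rn` column order
Destination / Gateway / Flags / Netif and OpenVPN client interfaces named
ovpnc1, ovpnc2, ... as pfSense does.
"""

# Constructed sample: routes were pulled, so 0.0.0.0/1 + 128.0.0.0/1 (OpenVPN's
# redirect-gateway def1 trick) send everything through the tunnel.
SAMPLE_PULLED = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        em0
0.0.0.0/1          10.8.0.1           UGS     ovpnc1
10.8.0.0/24        link#5             U       ovpnc1
128.0.0.0/1        10.8.0.1           UGS     ovpnc1
192.168.1.0/24     link#2             U          em1
"""

# Constructed sample: "Don't pull routes" enabled; only the tunnel subnet
# is installed and the default route stays on the WAN interface.
SAMPLE_NOPULL = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        em0
10.8.0.0/24        link#5             U       ovpnc1
192.168.1.0/24     link#2             U          em1
"""

# Destinations that capture all traffic (the two /1 halves together equal /0).
CATCH_ALL = {"default", "0.0.0.0/0", "0.0.0.0/1", "128.0.0.0/1"}


def parse_routes(text):
    """Return (destination, gateway, netif) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # header, section banner or blank line
        routes.append((parts[0], parts[1], parts[3]))
    return routes


def vpn_hijacks_default(text, vpn_if_prefix="ovpnc"):
    """List catch-all routes whose egress interface is an OpenVPN client."""
    return [r for r in parse_routes(text)
            if r[0] in CATCH_ALL and r[2].startswith(vpn_if_prefix)]


if __name__ == "__main__":
    for name, sample in (("pulled", SAMPLE_PULLED), ("nopull", SAMPLE_NOPULL)):
        bad = vpn_hijacks_default(sample)
        print(name, "OK" if not bad else f"all traffic routed via VPN: {bad}")
```

On a live box, feed it `netstat -rn -f inet` output instead of the samples; an empty result means PBR rules alone decide what goes through the tunnel.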