
Regression #11451

closed

Openvpn wants to use route it should create first

Added by Rene Hutschreuther about 3 years ago. Updated about 3 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Gateways
Target version:
-
Start date:
02/18/2021
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.x
Affected Architecture:

Description

Since pfSense version 2.5, OpenVPN is no longer able to connect to the server when the default gateway points to a VPN tunnel, because the system tries to connect through the not-yet-existing VPN tunnel. If you change the default gateway to WAN, wait until the VPN tunnel is established, and then change it back, it works. The attempt to leave the default gateway on WAN and route the internet traffic into the tunnel via the firewall rules fails because the system ignores the gateway setting for the tunnel in the firewall rule and continues routing over the WAN port.



Actions #1

Updated by Jim Pingle about 3 years ago

  • Tracker changed from Bug to Regression
  • Status changed from New to Not a Bug
  • Priority changed from Very High to Normal

I'm not sure if this is a change in OpenVPN 2.5.0 or pfSense 2.5.0 here. I don't recall that working the way you describe in earlier versions.

Normally you would not set the system default route to the VPN in the gateway settings, you would set it in OpenVPN settings using something like redirect-gateway def1. That way the internal routing in OpenVPN can work around the catch-22 situation you have created for yourself with the other settings.

I would consider setting the default gateway to a VPN in the manner you describe a misconfiguration, though we don't actively prevent it.

Alternately, you can set a static route for the remote VPN peer if it's a static address. With a static route to the peer in place, changing the default won't affect traffic to the peer.
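The three routing tables discussed in this comment, as an added example that is not part of the original report or of pfSense itself. It simulates the kernel's longest-prefix match over a table of (prefix, gateway, interface) entries to show why a default route pointed at the tunnel makes the peer unreachable before the tunnel is up, how OpenVPN's redirect-gateway def1 (two /1 routes plus a host route to the remote) avoids that, and how a static /32 for the peer has the same effect. All addresses and interface names (WAN_GW, VPN_PEER, TUN_GW, em0, ovpnc1) are constructed for the example.

```python
import ipaddress

# Constructed sample addresses for the example (none appear in the report).
WAN_GW = "203.0.113.1"        # upstream gateway on the WAN interface (em0)
VPN_PEER = "198.51.100.10"    # public address of the OpenVPN server
TUN_GW = "10.8.0.1"           # gateway inside the tunnel (ovpnc1); only usable once it is up


def lookup(table, dst):
    """Longest-prefix match, as the kernel does.

    table: list of (prefix, gateway, interface); returns (prefix, gateway, interface) or None.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def default_via_vpn():
    """The reporter's setup: the system default gateway points at the tunnel."""
    return [("0.0.0.0/0", TUN_GW, "ovpnc1")]


def default_via_wan_with_def1():
    """Default stays on WAN; OpenVPN's redirect-gateway def1 installs two /1 routes
    over the tunnel plus a host route keeping the peer reachable via the old default."""
    return [
        ("0.0.0.0/0", WAN_GW, "em0"),
        ("0.0.0.0/1", TUN_GW, "ovpnc1"),
        ("128.0.0.0/1", TUN_GW, "ovpnc1"),
        (VPN_PEER + "/32", WAN_GW, "em0"),
    ]


def with_static_peer_route(table):
    """The alternative from the comment: pin the peer's address to WAN, whatever the default is."""
    return table + [(VPN_PEER + "/32", WAN_GW, "em0")]


def tunnel_can_come_up(table):
    """The tunnel can only be established if the peer itself is not routed over the tunnel."""
    hit = lookup(table, VPN_PEER)
    return hit is not None and hit[2] != "ovpnc1"


if __name__ == "__main__":
    cases = [
        ("default via VPN", default_via_vpn()),
        ("default via WAN + def1", default_via_wan_with_def1()),
        ("default via VPN + static peer route", with_static_peer_route(default_via_vpn())),
    ]
    for name, table in cases:
        print(f"{name}: peer -> {lookup(table, VPN_PEER)}, "
              f"internet -> {lookup(table, '192.0.2.7')}, "
              f"tunnel can come up: {tunnel_can_come_up(table)}")
```

In the first table the peer lookup itself lands on ovpnc1, which is the catch-22; in the other two the peer is matched by a more specific route over WAN while everything else still goes into the tunnel. The static route is keyed by the peer's address, which is why it only helps when that address is fixed.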

Actions #2

Updated by Rene Hutschreuther about 3 years ago

The default route of the system is set in the OpenVPN settings via WAN, but OpenVPN ignores the settings and continues to try to connect via the set default gateway. And I have to set the default gateway to the VPN because routing into the VPN through the firewall rules does not work. Interestingly enough, it works the other way around: I can route over the WAN through the firewall rules if I set the default gateway over the VPN. pfSense 2.4.x did not have the problem, because it ran stably for over 2 years. In any case, what I will try again is to recreate the configuration for the VPN; so far I have always only loaded a backup file from 2.4.5.

Actions #3

Updated by Rene Hutschreuther about 3 years ago

With a static route created to the VPN server, it only works if I use the IP address of the VPN server and not the DNS name, as the VPN provider actually intended, so I can only hope that the IP address behind the DNS name doesn't change; otherwise OpenVPN connects to nothing again. So this is only a temporary fix.

Actions #4

Updated by Jim Pingle about 3 years ago

There is no bug here, it's a configuration problem, and this site is not for support or diagnostic discussion.

For assistance in solving your configuration issue, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.

Actions #5

Updated by Rene Hutschreuther about 3 years ago

This is an error: OpenVPN does not use the outgoing interface specified in the OpenVPN settings and instead tries to use the system defaults. Look, the interface is set to WAN, but OpenVPN still tries to connect via another interface, which does not work.
