Project

General

Profile

Actions

Feature #5525

open

Add static routes for OpenVPN client remote peer addresses when using non-default WANs

Added by Moritz Hartwig about 9 years ago. Updated about 9 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
11/24/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

using pfsense 2.2.5 with multiple WAN uplinks

OpenVPN clients are configured for site-to-site VPN.
In the configuration settings, a specific WAN interface is set for outbound connection.

Problem:
The connection will always use the default gateway for outgoing traffic, not the configured interface from above.

Another observation:
If there is a static route to the VPN target through another (LAN) interface, the connection will use that route.

It seems like the kernel routing table is used for all outgoing connections.
Setting the interface in the OpenVPN client configuration should force using that interface and its gateway.

Actions #1

Updated by Heiler Bemerguy about 9 years ago

We just had a LOT of trouble understanding something like this.

I set an openvpn tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface..

so you get: client -> serverIP4
but the reply: serverIP1 -> client

Of course no connection (even UDP 'connections') can be established like that. Lots of icmp "port unreachable" coming in to the server..

Actions #2

Updated by Jim Pingle about 9 years ago

Heiler Bemerguy wrote:

I set an openvpn tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface..

That is the expected behavior with UDP and that is not the proper way to use OpenVPN with Multi-WAN. See here: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

Actions #3

Updated by Moritz Hartwig about 9 years ago

The bug I describe is on outgoing OpenVPN Client, not the Server. I have set up OpenVPN Server in MultiWAN without problems.

I will clarify again:

On my pfsense client I have WAN1 and WAN2.
I configure the OpenVPN Client to use WAN2.
(But on WAN1 is the default Gateway.)

The OpenVPN connection will use WAN2 IP address, BUT will go out of WAN1 interface (there is NAT so the address is rewritten to WAN1 address).

So on the OpenVPN Server I will get an incoming connection from the clients WAN1 address.

Actions #4

Updated by Jim Pingle about 9 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from OpenVPN Client not using configured interface to Add static routes for OpenVPN client remote peer addresses when using non-default WANs
  • Category changed from Routing to OpenVPN
  • Affected Architecture All added
  • Affected Architecture deleted ()

I was responding to the other person who placed an unrelated issue on the ticket.

In your case it looks like you need a static route pointing that destination (the server address to which the client connects) out the second WAN. We automate that for IPsec, but apparently not for OpenVPN.

Actions #5

Updated by Moritz Hartwig about 9 years ago

I think a static route would not be the best solution. This way you bind all traffic to that destination through the interface.

Is it not possible to apply policy based routing like I can do in the firewall rules?

So you can bind source IP destination IP and port to use the defined WAN GW.

Actions #6

Updated by Jim Pingle about 9 years ago

No, that is not currently possible for traffic originating from the firewall itself. Especially with UDP services.

Actions

Also available in: Atom PDF