<p><strong>pfSense bugtracker</strong> (<a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a>)</p>
<p><strong>pfSense - Feature #5525: Add static routes for OpenVPN client remote peer addresses when using non-default WANs</strong></p>
<p><strong>Heiler Bemerguy</strong> (heiler.bemerguy@gmail.com), 2015-11-24T15:50:45Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22954">https://redmine.pfsense.org/issues/5525?journal_id=22954</a></p>
<p>We just had a LOT of trouble understanding something like this.</p>
<p>I set an OpenVPN tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface.</p>
<p>So you get: client -&gt; serverIP4<br />but the reply: serverIP1 -&gt; client</p>
<p>Of course no connection (even UDP 'connections') can be established like that. Lots of ICMP "port unreachable" coming in to the server.</p>
<p><strong>Jim Pingle</strong>, 2015-11-24T15:56:42Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22955">https://redmine.pfsense.org/issues/5525?journal_id=22955</a></p>
<p>Heiler Bemerguy wrote:</p>
<blockquote>
<p>I set an openvpn tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface..</p>
</blockquote>
<p>That is the expected behavior with UDP and that is not the proper way to use OpenVPN with Multi-WAN. See here: <a class="external" href="https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN">https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN</a></p>
<p><strong>Moritz Hartwig</strong> (mori@heldenhaft.de), 2015-11-25T01:14:58Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22963">https://redmine.pfsense.org/issues/5525?journal_id=22963</a></p>
<p>The bug I describe is on the outgoing OpenVPN Client, not the Server. I have set up OpenVPN Server in Multi-WAN without problems.</p>
<p>I will clarify again:</p>
<p>On my pfSense client I have WAN1 and WAN2.<br />I configure the OpenVPN Client to use WAN2.<br />(But the default gateway is on WAN1.)</p>
<p>The OpenVPN connection will use the WAN2 IP address, BUT will go out of the WAN1 interface (there is NAT, so the address is rewritten to the WAN1 address).</p>
<p>So on the OpenVPN Server I will get an incoming connection from the client's WAN1 address.</p>
<p><strong>Jim Pingle</strong>, 2015-11-25T07:23:01Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22964">https://redmine.pfsense.org/issues/5525?journal_id=22964</a></p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>OpenVPN Client not using configured interface</i> to <i>Add static routes for OpenVPN client remote peer addresses when using non-default WANs</i></li><li><strong>Category</strong> changed from <i>Routing</i> to <i>OpenVPN</i></li><li><strong>Affected Architecture</strong> <i>All</i> added</li><li><strong>Affected Architecture</strong> deleted (<del><i></i></del>)</li></ul><p>I was responding to the other person who placed an unrelated issue on the ticket.</p>
<p>In your case it looks like you need a static route pointing that destination (the server address to which the client connects) out the second WAN. We automate that for IPsec, but apparently not for OpenVPN.</p>
<p><strong>Moritz Hartwig</strong> (mori@heldenhaft.de), 2015-11-25T08:39:32Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22966">https://redmine.pfsense.org/issues/5525?journal_id=22966</a></p>
<p>I think a static route would not be the best solution. This way you bind all traffic to that destination through the interface.</p>
<p>Is it not possible to apply policy based routing like I can do in the firewall rules?</p>
<p>So you can bind source IP, destination IP and port to use the defined WAN GW.</p>
<p><strong>Jim Pingle</strong>, 2015-11-25T08:44:08Z, <a class="external" href="https://redmine.pfsense.org/issues/5525?journal_id=22967">https://redmine.pfsense.org/issues/5525?journal_id=22967</a></p>
<p>No, that is not currently possible for traffic originating from the firewall itself. Especially with UDP services.</p>
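<p>To make the routing decision discussed in this thread concrete, here is an added Python illustration. It is not pfSense code and comes from none of the participants: a longest-prefix-match lookup over a constructed two-WAN routing table, plus a simplified model of outbound NAT (an assumption of this illustration, stated in the code). It shows why an OpenVPN client bound to WAN2 still leaves via WAN1 and is seen with the WAN1 address until a host route for the remote peer exists, and also why that host route steers every flow to that destination out WAN2, which is the objection raised above. All addresses are constructed RFC 5737 documentation ranges.</p>

```python
import ipaddress

# Constructed sample topology (RFC 5737 documentation addresses, not real hosts):
# two WAN uplinks; the system default gateway sits on WAN1.
WANS = {
    "wan1": {"address": "198.51.100.10", "gateway": "198.51.100.1"},
    "wan2": {"address": "203.0.113.10", "gateway": "203.0.113.1"},
}
OPENVPN_SERVER = "192.0.2.50"  # constructed address of the remote OpenVPN peer


def base_routes():
    """Routing table as (prefix, interface, next hop): the two connected WAN
    networks plus a single default route via the WAN1 gateway."""
    return [
        ("198.51.100.0/24", "wan1", None),
        ("203.0.113.0/24", "wan2", None),
        ("0.0.0.0/0", "wan1", WANS["wan1"]["gateway"]),
    ]


def with_peer_route(routes):
    """The fix discussed in the thread: a host (/32) route for the remote peer
    that points out the WAN2 gateway. Returns a new table; `routes` is untouched."""
    return routes + [(OPENVPN_SERVER + "/32", "wan2", WANS["wan2"]["gateway"])]


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, next hop) for `dst`."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def egress(routes, src, dst):
    """Return (egress interface, source address the peer will see).

    Models the outbound NAT behaviour described in the thread (an assumption
    of this illustration): a packet leaving a WAN whose source is not that
    WAN's own address has its source rewritten to the WAN address. Binding the
    OpenVPN client to WAN2 only sets the source address; the routing table,
    not the bind, decides which interface the packet leaves on.
    """
    iface, _ = lookup(routes, dst)
    wan_address = WANS[iface]["address"]
    seen_src = src if src == wan_address else wan_address
    return iface, seen_src


if __name__ == "__main__":
    client_src = WANS["wan2"]["address"]
    print("without host route:", egress(base_routes(), client_src, OPENVPN_SERVER))
    print("with host route:   ", egress(with_peer_route(base_routes()), client_src, OPENVPN_SERVER))
    # The objection raised above: the host route also steers unrelated traffic
    # (here a constructed LAN host) to that peer out WAN2.
    print("LAN host to peer:  ", egress(with_peer_route(base_routes()), "10.0.0.5", OPENVPN_SERVER))
```

<p>Without the host route the default route wins and the peer sees the WAN1 address even though the socket is bound to WAN2; with the /32 route the packet leaves WAN2 with its own address intact. The third call shows the side effect the thread is arguing about: a static route is destination-only, so it cannot express the per-source, per-port selection that firewall-rule policy routing offers for forwarded traffic.</p>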