Feature #5525
open
Add static routes for OpenVPN client remote peer addresses when using non-default WANs
Added by Moritz Hartwig over 8 years ago.
Updated over 8 years ago.
Description
using pfsense 2.2.5 with multiple WAN uplinks
OpenVPN clients are configured for site-to-site VPN.
In the configuration settings, a specific WAN interface is set for outbound connection.
Problem:
The connection will always use the default gateway for outgoing traffic, not the configured interface from above.
Another observation:
If there is a static route to the VPN target through another (LAN) interface, the connection will use that route.
It seems like the kernel routing table is used for all outgoing connections.
Setting the interface in the OpenVPN client configuration should force using that interface and its gateway.
We just had a LOT of trouble understanding something like this.
I set an openvpn tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface..
so you get: client -> serverIP4
but the reply: serverIP1 -> client
Of course no connection (even UDP 'connections') can be established like that. Lots of icmp "port unreachable" coming in to the server..
Heiler Bemerguy wrote:
I set an openvpn tunnel to use "any" interface, and it really listened on any interface. But when a client tries to connect to it, it sends all packets with the main IP address of that interface..
That is the expected behavior with UDP and that is not the proper way to use OpenVPN with Multi-WAN. See here: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
The bug I describe is on outgoing OpenVPN Client, not the Server. I have set up OpenVPN Server in MultiWAN without problems.
I will clarify again:
On my pfsense client I have WAN1 and WAN2.
I configure the OpenVPN Client to use WAN2.
(But on WAN1 is the default Gateway.)
The OpenVPN connection will use WAN2 IP address, BUT will go out of WAN1 interface (there is NAT so the address is rewritten to WAN1 address).
So on the OpenVPN Server I will get an incoming connection from the clients WAN1 address.
- Tracker changed from Bug to Feature
- Subject changed from OpenVPN Client not using configured interface to Add static routes for OpenVPN client remote peer addresses when using non-default WANs
- Category changed from Routing to OpenVPN
- Affected Architecture All added
- Affected Architecture deleted (
I was responding to the other person who placed an unrelated issue on the ticket.
In your case it looks like you need a static route pointing that destination (the server address to which the client connects) out the second WAN. We automate that for IPsec, but apparently not for OpenVPN.
I think a static route would not be the best solution. This way you bind all traffic to that destination through the interface.
Is it not possible to apply policy based routing like I can do in the firewall rules?
So you can bind source IP destination IP and port to use the defined WAN GW.
No, that is not currently possible for traffic originating from the firewall itself. Especially with UDP services.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by