[Workaround] Assistance with building an advanced home network router

Even with OpenVPN running on the router? I'll look out for issues, thanks. 👍🏻

TBH I never did try to get it working on my router because I didn't want to send all my traffic through a VPN. I mainly got frustrated with trying to get the client working on my gaming machine and gave up. So make of that what you will. I also didn't want to have to run a specialized client on the devices I wanted to connect when most things supported L2TP out of the box.

I mainly use a VPN to bury my torrent traffic from my ISP. I have no other use for one otherwise.

1 Like

Ran into a hitch with the current version of pfSense and my Surface Ethernet Adapter, it's not detecting it as a NIC so I'm going to look into the beta version or how to add a driver to FreeBSD. I'll have to work on it later tonight.

I figure that even though it's using USB 3, it shouldn't cause a problem with my WAN connection, which maxes out at 50 Mbps.

Would you mind sharing how exactly you are tunneling a specific application's traffic through a VPN? ;-)

I'm not, I'm just doing one computer instead of my whole network.

I have 4 desktops, 2 laptops, 3 Chromecasts, and a NAS. I don't want them all on a tunnel.

I have had the same problem as you and posted a solution to some of your problems here: https://forum.level1techs.com/t/vpn-reverse-proxy-ssl-madness/113287

I pretty much use a VPS and a VPN to my local pfSense box. I have a ping of 10ms to the VPS so pretty ok I guess.

Mind you, it's not that easy but doable.

2 Likes

I see, I thought you were just using the VPN for one app on one computer for that purpose ;-)
How are you making sure that that PC's traffic completely runs over the VPN and the app doesn't bypass it? I heard that's a common issue with using a VPN for that purpose.

I'm not. I have no reason to believe that the traffic isn't being routed properly through the VPN. My public IP changes, my ping goes up, Netflix displays different stuff, the YouTube logo gets a CA next to it (I typically use the Canadian server). In every surface check of the connection it appears to be working as intended. I suppose I should fire up Wireshark or something and check 100% but, FWIW, my ISP has stopped sending me letters.

1 Like

I'll definitely read over your post. Thanks!

2 Likes

I cannot for the life of me get OpenVPN working. I'm just trying to do (what I thought would be simple) static key or site-to-site VPN. The VPS is running Ubuntu 16.04 LTS and my router is running pfSense 2.3.3. Is anyone familiar with OpenVPN .conf files?

I have no idea but I found this.

https://github.com/Nyr/openvpn-install

1 Like

I can't say that it is still fresh in my mind, but I remember looking into this for a project, +/- four years ago. I confess that I had to read all the way through the documentation at least three times, before it clicked for me. Like most Linux/Unix documentation, it is accurate, but not very friendly. After getting the basic gist of it, I found it helpful to collect a couple of sample working configs and decipher them, line by line. After that I found that creating my own config was much simpler.

Coincidentally, my client was also behind a pfSense box and it worked a treat. IIRC, I used pfSense to generate the keys. I was able to get a couple of laptops and Android phones to access the network with no trouble, whatsoever. The key for me was to recognize that there was no shortcut, slow down and resign myself to the fact that I would need to get a grip on the documentation. If I had recognized that from the beginning, it would have saved me a couple of days and a lot of frustration.

1 Like

I'm still working on this. I got OpenVPN to connect, but I'm having issues with it routing traffic. I haven't had much time to troubleshoot and figure it out though. Again, thanks for all the help. :)

The route command is your friend when it comes to figuring out why things are routed or not. ;-)

1 Like

I'm also not able to ping between the client and server using the OpenVPN subnet of 10.8.0.0; don't know if that has anything to do with the issues.

What does your routing table (via route) look like? Is there an entry for 10.8.0.0/8 or a matching default gateway? If not, then you need to check why your OpenVPN client doesn't configure the routing table. If you want, you can try adding a manual route yourself to send all packets for 10.8.0.0/8 to the OpenVPN server on the VPN's network interface.

When I connect to an OpenVPN server, my routing table looks something like this:

$ route -n
Network dest.     Router            Netmask            Iface
0.0.0.0           10.211.1.150      0.0.0.0            tun0       <-- default gateway on the VPN interface
0.0.0.0           192.168.1.1       0.0.0.0            eth0       <-- default gateway outside of VPN
10.211.1.150      0.0.0.0           255.255.255.255    tun0       <-- private IP address of the VPN server is available over default gateway of the VPN interface
123.234.45.56     192.168.1.1       255.255.255.255    eth0       <-- route public IP address of VPN server over my home router via the ethernet interface
192.168.1.0       0.0.0.0           255.255.255.0      eth0       <-- route private LAN via default gateway of the ethernet interface

1 Like

Here's the server.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.169.41.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
68.169.41.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

I found that when connecting a client like my Chromebook I'm able to access the IPv4 internet, but not when connecting my pfSense router. I'm guessing that has to do with routing on pfSense, which I'll have to look further into.

I'm still wanting to connect to the IPv6 internet through the OpenVPN connection though. Is that possible? Is it possible to tunnel that over an IPv4 connection?

That table is more interesting on the client side ;-)
I think pfSense has a similar view via the WebGUI, but you can probably also run that command from the shell too.

That seems to be an issue of the pfSense box to me too. It sounds like the pfSense doesn't route the whole IPv4 internet over the VPN, probably just the private network the VPN server holds.

Yes, that is entirely possible. The OpenVPN website has a Wiki on that. Basically you need to find out if you can have a separate IPv6 address block that is routed to your server (this is recommended by them, but probably hard to get and possibly expensive) or if you want to split up the IPv6 subnet your server already got. The connecting clients then get an address from that block.
However, if your server only has a single IPv6 address and no subnet, you need to look into a different setup, where you are masquerading (similar to NAT) the clients with the server's IPv6 address.

1 Like

I changed the OpenVPN IP subnet to 10.2.0.1/24. Here's pfSense's route equivalent.

default	172.16.0.1	UGS	18856	1500	ue0	
10.1.0.0/24	link#1	U	78753809	1500	re0	
10.1.0.1	link#1	UHS	0	16384	lo0	
10.2.0.1/32	10.2.0.5	UGS	57	1500	ovpnc1	
10.2.0.5	link#8	UH	2586	1500	ovpnc1	
10.2.0.6	link#8	UHS	0	16384	lo0	
69.27.0.130	00:05:1b:b1:17:63	UHS	0	1500	ue0	
69.27.0.131	00:05:1b:b1:17:63	UHS	0	1500	ue0	
127.0.0.1	link#6	UH	5988	16384	lo0	
172.16.0.0/16	link#7	U	17601	1500	ue0	
172.16.1.27	link#7	UHS	0	16384	lo0

You need to ask yourself, what happens if you try to access some random IP address in the IPv4 address space? Since it will find no entry matching that random IP address in your routing table, it will route to the default route, which in your case is 172.16.0.1 via the ue0 interface. This means that the public IPv4 addresses will not be sent via the VPN but via the "normal" Internet connection, just like without the VPN.

What you need to change is that the default gateway is your OpenVPN server's private IP address. You could add this manually to the routing table, but this might make the pfSense box unable to talk to the internet if the tunnel breaks. The better way would be to add the redirect-gateway autolocal option to the client configuration file or add the same option to the server, so it pushes that configuration to the clients. This way the client software on the pfSense box automatically adds the default route itself and removes it when the tunnel is closed (either by you or by some error).

1 Like
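To make the routing argument of the last few posts concrete (a packet to a random public IP matches nothing more specific than the default route, so it leaves via ue0 and not the tunnel), here is an added Python example that is not from the thread or from pfSense/OpenVPN. It parses an excerpt of the pfSense table and the Linux route -n table quoted above, does a longest-prefix-match lookup, and then models what a redirect-gateway style change does: pin a host route to the VPN server's public address via the old gateway and point the default route at the VPN peer. The sample tables are constructed from the thread, and the server's public address 203.0.113.10 is a placeholder I chose.

```python
import ipaddress

# Constructed excerpt of the pfSense (FreeBSD netstat -rn style) table quoted in the thread.
PFSENSE_TABLE = """\
default	172.16.0.1	UGS	18856	1500	ue0
10.1.0.0/24	link#1	U	78753809	1500	re0
10.2.0.1/32	10.2.0.5	UGS	57	1500	ovpnc1
10.2.0.5	link#8	UH	2586	1500	ovpnc1
172.16.0.0/16	link#7	U	17601	1500	ue0
"""

# Constructed excerpt of the Linux "route -n" output posted for the VPS.
LINUX_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.169.41.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
68.169.41.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

# Placeholder public address of the VPN server (TEST-NET-3, not a real host).
VPN_SERVER_PUBLIC_IP = "203.0.113.10"


def parse_bsd_routes(text):
    """Return (network, gateway, iface) tuples from a BSD style table.
    'default' means 0.0.0.0/0; a bare host entry such as 10.2.0.5 becomes /32."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        dest, gw, iface = fields[0], fields[1], fields[5]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, iface))
    return routes


def parse_linux_routes(text):
    """Return (network, gateway, iface) tuples from 'route -n' output,
    skipping the two header lines (Genmask is given as a dotted mask)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific matching route wins and the
    /0 default route only applies when nothing else matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def with_vpn_default(routes, vpn_gateway, vpn_iface, server_public_ip):
    """Model of what OpenVPN's redirect-gateway does (assumption for illustration):
    keep a /32 host route to the server's public IP via the original default
    gateway, then replace the default route with one via the VPN peer."""
    old_default = next(r for r in routes if r[0].prefixlen == 0)
    kept = [r for r in routes if r[0].prefixlen != 0]
    kept.append((ipaddress.ip_network(f"{server_public_ip}/32"), old_default[1], old_default[2]))
    kept.append((ipaddress.ip_network("0.0.0.0/0"), vpn_gateway, vpn_iface))
    return kept


PFSENSE_ROUTES = parse_bsd_routes(PFSENSE_TABLE)
LINUX_ROUTES = parse_linux_routes(LINUX_TABLE)
PFSENSE_REDIRECTED = with_vpn_default(PFSENSE_ROUTES, "10.2.0.5", "ovpnc1", VPN_SERVER_PUBLIC_IP)


if __name__ == "__main__":
    for label, table in (("before", PFSENSE_ROUTES), ("after redirect", PFSENSE_REDIRECTED)):
        for ip in ("8.8.8.8", "10.1.0.20", "10.2.0.1", VPN_SERVER_PUBLIC_IP):
            net, gw, iface = lookup(table, ip)
            print(f"{label:15} {ip:15} -> {iface} via {gw} (matched {net})")
```

Before the change, 8.8.8.8 is matched only by the default route and leaves on ue0 exactly as the post says; afterwards it is matched by the new default via 10.2.0.5 on ovpnc1, while the LAN (10.1.0.0/24) and the host route to the server's public address keep their original interfaces, which is what keeps the tunnel itself from being routed into itself.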