[Workaround] Assistance with building an advanced home network router

I'm still working on this. I got OpenVPN to connect, but I'm having issues with it routing traffic. I haven't had much time to troubleshoot and figure it out though. Again, thanks for all the help. :)

The route command is your friend when it comes to figuring out why things are routed or not. ;-)

1 Like

I'm also not able to ping between the client and server using the OpenVPN subnet of 10.8.0.0, don't know if that has anything to do with the issues.

What does your routing table (via route) look like? Is there an entry for 10.8.0.0/8 or a matching default gateway? If not, then you need to check why your OpenVPN client doesn't configure the routing table. If you want, you can try adding a manual route yourself to send all packets for 10.8.0.0/8 to the OpenVPN server on the VPN's network interface.

When I connect to an OpenVPN server, my routing table looks something like this:

$ route -n
Network dest.     Router            Netmask            Iface
0.0.0.0           10.211.1.150      0.0.0.0            tun0       <-- default gateway on the VPN interface
0.0.0.0           192.168.1.1       0.0.0.0            eth0       <-- default gateway outside of VPN
10.211.1.150      0.0.0.0           255.255.255.255    tun0       <-- private IP address of the VPN server is available over default gateway of the VPN interface
123.234.45.56     192.168.1.1       255.255.255.255    eth0       <-- route public IP address of VPN server over my home router via the ethernet interface
192.168.1.0       0.0.0.0           255.255.255.0      eth0       <-- route private LAN via default gateway of the ethernet interface
1 Like

Here's the server.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.169.41.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
68.169.41.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

I found when connecting a client like my Chromebook I'm able to access the IPv4 internet, but not when connecting my pfSense router. I'm guessing that has to do with routing on pfSense which I'll have to look further into.

I'm still wanting to connect to the IPv6 internet through the OpenVPN connection though. Is that possible? Is it possible to tunnel that over an IPv4 connection?

That table is more interesting on the client side ;-)
I think pfSense has a similar view via the WebGUI, but you can probably also run that command from the shell too.

That seems to be an issue with the pfSense box to me too. It sounds like pfSense doesn't route the whole IPv4 internet over the VPN, probably just the private network the VPN server holds.

Yes, that is entirely possible. The OpenVPN website has a Wiki on that. Basically you need to find out if you can have a separate IPv6 address block that is routed to your server (this is recommended by them, but probably hard to get and possibly expensive) or if you want to split up the IPv6 subnet your server already got. The connecting clients then get an address from that block.
However, if your server only has a single IPv6 address and no subnet, you need to look into a different setup, where you are masquerading (similar to a NAT) the clients with the server's IPv6 address.

1 Like

I changed the OpenVPN IP subnet to 10.2.0.1/24. Here's the pfSense's route equivalent.

Destination     Gateway             Flags   Use         Mtu     Netif
default         172.16.0.1          UGS     18856       1500    ue0
10.1.0.0/24     link#1              U       78753809    1500    re0
10.1.0.1        link#1              UHS     0           16384   lo0
10.2.0.1/32     10.2.0.5            UGS     57          1500    ovpnc1
10.2.0.5        link#8              UH      2586        1500    ovpnc1
10.2.0.6        link#8              UHS     0           16384   lo0
69.27.0.130     00:05:1b:b1:17:63   UHS     0           1500    ue0
69.27.0.131     00:05:1b:b1:17:63   UHS     0           1500    ue0
127.0.0.1       link#6              UH      5988        16384   lo0
172.16.0.0/16   link#7              U       17601       1500    ue0
172.16.1.27     link#7              UHS     0           16384   lo0

You need to ask yourself, what happens if you try to access some random IP address in the IPv4 address space? Since it will find no entry matching that random IP address in your routing table, it will route to the default route, which in your case is 172.16.0.1 via the ue0 interface. This means that the public IPv4 addresses will not be sent via the VPN but via the "normal" Internet connection, just like without the VPN.

What you need to change is that the default gateway is your OpenVPN server's private IP address. You could add this manually to the routing table, but this might make the pfSense box unable to talk to the internet if the tunnel breaks. The better way would be that you add the redirect-gateway autolocal option to the client configuration file or add the same option to the server, so it pushes that configuration to the clients. This way the client software on the pfSense box automatically adds the default route itself and removes it when the tunnel is closed (either by you or by some error).

1 Like
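To make the "where does a random IP go?" question from the reply above concrete, here is an added example (not from the thread) that parses a copy of the posted pfSense table, does the longest-prefix match the kernel does, and then models what a `redirect-gateway def1` (the variant most client configs use) installs: two /1 routes via the tunnel that beat 0.0.0.0/0 without removing it, plus a host route for the VPN server's public address via the old gateway so the tunnel's own packets don't loop into the tunnel. The public address 203.0.113.10 is an assumed placeholder; the tunnel gateway 10.2.0.5 and interface names are taken from the posted table.

```python
import ipaddress

# Constructed copy of the pfSense table posted above (destination, gateway,
# flags, interface only). The two 69.27.0.x rows are omitted: their "gateway"
# is a MAC address, i.e. ARP state, not a next hop.
ROUTING_TABLE = """
default       172.16.0.1  UGS  ue0
10.1.0.0/24   link#1      U    re0
10.1.0.1      link#1      UHS  lo0
10.2.0.1/32   10.2.0.5    UGS  ovpnc1
10.2.0.5      link#8      UH   ovpnc1
10.2.0.6      link#8      UHS  lo0
127.0.0.1     link#6      UH   lo0
172.16.0.0/16 link#7      U    ue0
172.16.1.27   link#7      UHS  lo0
"""


def parse_routes(text):
    """Turn the text table into (network, gateway, iface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, _flags, iface = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        routes.append((net, gw, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific matching route wins,
    and 0.0.0.0/0 only catches what nothing else matched."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def with_redirect_gateway_def1(routes, vpn_gw, vpn_iface,
                               vpn_server_public, orig_gw, orig_iface):
    """Model of the routes OpenVPN's redirect-gateway def1 adds on a client.
    0.0.0.0/1 + 128.0.0.0/1 cover all of IPv4 and are more specific than the
    default route, so it is left in place as fallback when the tunnel drops."""
    added = [
        (ipaddress.ip_network("0.0.0.0/1"), vpn_gw, vpn_iface),
        (ipaddress.ip_network("128.0.0.0/1"), vpn_gw, vpn_iface),
        # Host route so the encrypted tunnel traffic still leaves via the WAN.
        (ipaddress.ip_network(vpn_server_public + "/32"), orig_gw, orig_iface),
    ]
    return routes + added


if __name__ == "__main__":
    before = parse_routes(ROUTING_TABLE)
    after = with_redirect_gateway_def1(before, "10.2.0.5", "ovpnc1",
                                       "203.0.113.10", "172.16.0.1", "ue0")
    for ip in ("8.8.8.8", "10.2.0.1", "10.1.0.55", "203.0.113.10"):
        print(ip, "before:", lookup(before, ip), "after:", lookup(after, ip))
```

Run it and 8.8.8.8 goes out ue0 before the redirect and ovpnc1 after, while the LAN (10.1.0.0/24) and the VPN server's own public address keep their more specific routes.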

You need to change your outbound NAT settings to include the new (VPN) gateway. This is under firewall>NAT>outbound.

You need to change the mode from auto to manual, and if it doesn't automatically create the rules for both your WAN and VPN networks then you need to copy the default rules it generates for WAN and change the NAT address to your VPN. Then restart the router and it should be working.

EDIT: I missed a step, you also need to create a VPN interface. So if you have your OpenVPN client configured on pfSense and it's able to connect, go to interfaces>assign and assign a new interface to the OpenVPN client (it will be called ovpnc1 or something like that). Once you have created the interface it will probably be called OPT1 or something; go to that interface in the interface menu and change the IPv4 and IPv6 configuration both to none, leave everything else as default (you can change the name if you like). Then do the outbound NAT thing I mentioned earlier (you may have to restart the OpenVPN service after creating the interface).

1 Like

You saying that helped me find this. Exactly what I needed. I now have IPv4 traffic routing over the VPN. (I'm pretty sure the VPS I'm using is hosted by my ISP because it adds at most 3ms ping to everything, nothing more).

Now to fiddle with the settings to get IPv6 working. I contacted my VPS host and they told me I only get one IPv6 address, however, the ip a command says inet6 2607:fc98:0:40:216:3eff:fe18:4c53/64 with CIDR that gives me 18446744073709551616 IPv6 addresses. I am a networking beginner though so maybe that's just what their DHCPv6 chooses from?

Okay, ended up switching providers. VPS.net refused to give me an IPv6 block. I now have a block of /48 IPv6 addresses, but OpenVPN doesn't natively support that. I'm getting "Options error: --server-ipv6 settings: only /64../112 supported right now (not /48)". Any advice for getting around this?

Technically a /48 is bigger, i.e. more addresses, than a /64. So you should be able to just prefix it yourself and just use a /64 portion of your /48 block.

For example, given you got 2001:db80:cafe::/48, you could pretend you only got 2001:db80:cafe:abcd::/64 and feed that to the server. Since the whole /48 is routed to your VPS, it shouldn't matter that you only use a part of it.
In the simplest case you can just change the CIDR to /64 and essentially prefix with zeros.

2 Likes
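Carving the /64 out of the /48 can be checked in code before touching the server config. This is an added example, not from the thread, using Python's ipaddress module; it reuses the reply's example block 2001:db80:cafe::/48, picks a /64 by index (index 0 is the "prefix with zeros" choice, 0xabcd the one the reply names), enforces the /64../112 limit OpenVPN reported, and emits the matching server-ipv6 directive.

```python
import ipaddress


def pick_vpn_prefix(block, index=0, new_prefix=64):
    """Return the index-th /new_prefix subnet of a routed IPv6 block.

    Since the whole block is routed to the server, any sub-prefix of it is
    reachable; OpenVPN only insists that --server-ipv6 be /64 .. /112."""
    net = ipaddress.ip_network(block)
    if not 64 <= new_prefix <= 112:
        raise ValueError("OpenVPN --server-ipv6 only accepts /64 through /112")
    if new_prefix < net.prefixlen:
        raise ValueError(f"cannot carve a /{new_prefix} out of a /{net.prefixlen}")
    # Compute the subnet arithmetically instead of materialising all
    # 2**(new_prefix - prefixlen) subnets (65536 for /48 -> /64).
    size = 2 ** (128 - new_prefix)
    start = int(net.network_address) + index * size
    sub = ipaddress.ip_network((start, new_prefix))
    if not sub.subnet_of(net):
        raise ValueError(f"index {index} is outside {net}")
    return sub


def server_ipv6_directive(block, index=0):
    """The OpenVPN server.conf line for the chosen /64."""
    sub = pick_vpn_prefix(block, index)
    return f"server-ipv6 {sub.network_address}/{sub.prefixlen}"


def count_subnets(block, new_prefix=64):
    """How many /new_prefix networks the block holds (a /48 holds 65536 /64s)."""
    net = ipaddress.ip_network(block)
    return 2 ** (new_prefix - net.prefixlen)


if __name__ == "__main__":
    print(count_subnets("2001:db80:cafe::/48"), "/64 networks available")
    print(server_ipv6_directive("2001:db80:cafe::/48"))          # zeros choice
    print(server_ipv6_directive("2001:db80:cafe::/48", 0xabcd))  # the reply's example
```

The subnet_of check is what catches an index that walks out of the delegated block; pushing a prefix the upstream does not route to you fails silently for every client, so it is worth asserting on before generating the config.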

Okay, I've been trying to research if I'd need to setup any special routing or network interface rules to get that /48 to a /64 subnet. I'm glad it should be that easy. Thanks for helping such a beginner with this.

1 Like

So I contacted a technician at my ISP as a last shot and was told that IPv6 was supported and it was strange I didn't actually have it. They came to the apartment complex and enabled it for everyone. (Along with doubling our speed for free.) So I don't really have a need for the VPN anymore. I'm glad I learned how to get one (sorta) working. And I think I'll keep it up for when I'm out and about on unsecured WiFi.

I'd like to thank everyone for their help. I really appreciate it.

1 Like