pfSense Forum
Topic: OpenVPN and dual WAN (Read 4632 times)
rcasas (Jr. Member, Posts: 27)
OpenVPN and dual WAN « on: September 18, 2006, 06:06:17 am »
Hi,
I have a dual WAN installation of pfSense with an OpenVPN server running. The OpenVPN works only if clients connect through the default route of the pfSense box. OpenVPN is listening on all interfaces by default, but the problem is that the OpenVPN server takes the default gateway of the machine, not the default gw of the interface.
I think this is a problem of the implementation of OpenVPN, but I want to know if anyone has an OpenVPN server working the way I want.
Greetings
Roberto
Logged
hoba (Administrator, Hero Member, Posts: 5844)
What was the problem to this solution again?
Re: OpenVPN and dual WAN « Reply #1 on: September 18, 2006, 06:23:26 am »
This problem is similar to what you encounter if you try to set up IPsec at an opt interface. Not sure if there is a way to work around that. This is still an unsolved issue atm, might turn out to be a limitation in 1.0 but that is not sure yet.
Logged
rcasas (Jr. Member, Posts: 27)
Re: OpenVPN and dual WAN « Reply #2 on: September 18, 2006, 06:39:00 am »
Quote from: hoba on September 18, 2006, 06:23:26 am
This problem is similar to what you encounter if you try to set up IPsec at an opt interface. Not sure if there is a way to work around that. This is still an unsolved issue atm, might turn out to be a limitation in 1.0 but that is not sure yet.
But IPsec has the option to choose which interface to use, and then it searches which is the gateway, am I right?
Logged
Numbski (Full Member, Posts: 276)
FreeBSD/MacOS X nutcase
Re: OpenVPN and dual WAN « Reply #3 on: September 18, 2006, 07:40:07 am »
Okay, clear something up for me.
You're listening on all interfaces. Then you have the issue that the connecting client uses its own default gateway, or the gateway of the pfSense box?
There are all kinds of push/pull statements available to pfSense clients and servers to force the client to conform to your will. Have you looked at the example configs at the OpenVPN site?
Logged
critter (Newbie, Posts: 6)
Re: OpenVPN and dual WAN « Reply #4 on: September 18, 2006, 08:45:23 am »
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
--float
    Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
    Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
Logged
rcasas (Jr. Member, Posts: 27)
Re: OpenVPN and dual WAN « Reply #5 on: September 19, 2006, 04:24:52 am »
Quote from: Numbski on September 18, 2006, 07:40:07 am
Okay, clear something up for me.
You're listening on all interfaces. Then you have the issue that the connecting client uses its own default gateway, or the gateway of the pfSense box?
There are all kinds of push/pull statements available to pfSense clients and servers to force the client to conform to your will. Have you looked at the example configs at the OpenVPN site?
When I said 'default gateway', I wanted to say 'pfSense OPT1 default GW'
I have 2 WAN connections, the WAN connection has default gw GW1, and OPT1 has default gw GW2. When I connect any other service in the pfSense box, the service sends packets over the GW from which it received incoming packets. In the case of OpenVPN, it takes the default gw from the system, so it always has GW1, and whenever it receives any packets (it doesn't matter if by WAN or OPT1), it replies by GW1.
Logged
rcasas (Jr. Member, Posts: 27)
Re: OpenVPN and dual WAN « Reply #6 on: September 19, 2006, 04:26:14 am »
Quote from: critter on September 18, 2006, 08:45:23 am
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
I have tried, but it doesn't work yet. But I think it can be the solution.
Logged
Numbski (Full Member, Posts: 276)
FreeBSD/MacOS X nutcase
Re: OpenVPN and dual WAN « Reply #7 on: September 19, 2006, 11:13:47 am »
I would suggest you look at the example configs on the OpenVPN website. There are definitely route push statements that will fix this for you.
Logged
critter (Newbie, Posts: 6)
Re: OpenVPN and dual WAN « Reply #8 on: September 19, 2006, 07:30:45 pm »
Quote from: rcasas on September 19, 2006, 04:26:14 am
Quote from: critter on September 18, 2006, 08:45:23 am
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
I have tried, but it doesn't work yet. But I think it can be the solution.
Are you getting warning messages of packages from other IPs than expected? If so, I think "float" will fix it. Use it on the client box, the box with only one WAN.
Logged
rcasas (Jr. Member, Posts: 27)
Re: OpenVPN and dual WAN « Reply #9 on: September 21, 2006, 09:44:45 am »
Quote from: Numbski on September 19, 2006, 11:13:47 am
I would suggest you look at the example configs on the OpenVPN website. There are definitely route push statements that will fix this for you.
My problem is with the gateway of the server, not with the client.
Logged
rcasas (Jr. Member, Posts: 27)
Re: OpenVPN and dual WAN « Reply #10 on: September 21, 2006, 09:48:07 am »
Quote from: critter on September 19, 2006, 07:30:45 pm
Are you getting warning messages of packages from other IPs than expected? If so, I think "float" will fix it.
No, it simply doesn't connect.
Quote
Use it on the client box, the box with only one WAN.
Yes, yes, I know.
Logged
Numbski (Full Member, Posts: 276)
FreeBSD/MacOS X nutcase
Re: OpenVPN and dual WAN « Reply #11 on: September 21, 2006, 12:28:33 pm »
There are also route-up and route-down, plus just plain route statements that can be placed into your server config.
Please look more carefully at the examples. You'll be amazed at how customized openvpn can get.
Logged
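The behaviour discussed in this thread, reproduced on a single Linux host as an added example (not written by any poster, and not pfSense or OpenVPN code): a UDP server bound to all addresses leaves the reply's source address to the kernel's route lookup, so a client that dialled the second address is answered from the first. Here 127.0.0.2 stands in for the OPT1 address and 127.0.0.1 for the WAN address; `reply_source` and `client_accepts` are illustrative names, and the example assumes Linux, where all of 127.0.0.0/8 is on loopback.

```python
import socket

OPT1 = "127.0.0.2"  # stand-in for the OPT1 address the client dials
WAN = "127.0.0.1"   # stand-in for the address the route lookup selects


def reply_source(bind_addr, dialled=OPT1):
    """Send one datagram to `dialled`; return the IP the reply arrives from."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.settimeout(2)
        cli.settimeout(2)
        srv.bind((bind_addr, 0))          # port 0: kernel picks a free port
        port = srv.getsockname()[1]
        cli.sendto(b"client hello", (dialled, port))
        _, peer = srv.recvfrom(64)
        # A wildcard-bound socket does not remember which local address the
        # request hit, so the kernel's route lookup picks the reply source.
        srv.sendto(b"server reply", peer)
        _, src = cli.recvfrom(64)
        return src[0]
    finally:
        srv.close()
        cli.close()


def client_accepts(remote, reply_src, use_float):
    """Source-address check only; real OpenVPN also authenticates the packet."""
    return use_float or reply_src == remote


if __name__ == "__main__":
    for bind_addr in ("0.0.0.0", OPT1):
        src = reply_source(bind_addr)
        for use_float in (False, True):
            ok = client_accepts(OPT1, src, use_float)
            print(f"bind={bind_addr:<9} reply from {src:<9} "
                  f"float={use_float!s:<5} accepted={ok}")
```

Binding the server socket to one address corresponds to OpenVPN's `--local` option. `--float` relaxes only the client's source-address check; packets must still pass authentication, as the man page excerpt quoted in the thread states.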