
Author Topic: outbound openvpn to Expressvpn and route voIP traffic through it only - Bid $  (Read 18656 times)


Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
As the title suggests, I need to create an OpenVPN connection to ExpressVPN servers (similar to StrongVPN). I was able to get the config file from their support and was even able to connect, but the problem is that all my LAN traffic goes through the VPN, whereas I need only the traffic to my VoIP server to go through the VPN and the rest directly through the ISP.

Once I enable AON, all traffic goes through the VPN, so I need someone to fix that so only VoIP traffic goes through the VPN to my VoIP server.

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
Did you follow a guide or howto to get as far as you did?
Thinking about how I would do this I wouldn't use manual outbound NAT.

Steve

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
Yes, I followed the guide and got the OpenVPN tunnel up and running, but as soon as I switch AON to manual, all LAN traffic goes through the tunnel, and if I leave it on auto then the traffic doesn't go out at all, neither through the tunnel nor the ISP WAN.

I just want a way to make selected VoIP traffic go out through the tunnel and the rest directly through the ISP.

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
Steps I did were:

set up the OpenVPN client with server-specific settings such as certificates, keys etc.
assigned an interface
created a gateway under Routing

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
What guide did you follow?

Steve

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
Ah OK.
Pretty much exactly what I had in mind. I would probably have tried to use a tap interface but if you can use tun so much the better.

It's not obvious why AON has to be enabled, and clearly it wasn't required when that guide was first written; I'll have to read through the thread.

Did you change the firewall rule so it only routed traffic from your VOIP server? Following the guide exactly would indeed route all your traffic via the VPN.
Also make sure the VPN gateway is not set as default and that the correct outbound NAT rules are in place after you switch to AON.

Steve

Edit: OK the AON requirement is explained here.
« Last Edit: April 30, 2012, 02:14:20 pm by stephenw10 »

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
There's also Chris's comment in that thread:

> That's ok for your typical home setup, but what you're actually doing there is overriding the fact that StrongVPN is pushing you a default route and modifying your firewall's routing table so it sends everything over the VPN (unless you override it with policy routing as you're doing). That will cause a number of issues with more advanced setups, as it's going to default to sending traffic initiated from the firewall out of the VPN which is usually going to be undesirable.

If the VPN connection is indeed pushing a new default route, which is undesirable, then that too would explain your problem.
You could get around this by changing the gateway of the default 'LAN to any' rule but as Chris says that won't help traffic generated by pfSense.
A better solution would be to prevent the default route changing the pfSense routing table but I'm unsure how to do that.

Steve

Offline pkwong

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +1/-0
It's doable.  Pick your voip adapter, run siproxd and have the outgoing interface point to the vpn interface.  In other words, create an interface and assign the openvpn tunnel to it.  You'll have more flexibility with the way it's set up.
When all else fails, don't blame the machine.  Blame your architecture.

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
> Ah OK.
> Pretty much exactly what I had in mind. I would probably have tried to use a tap interface but if you can use tun so much the better.
>
> It's not obvious why AON has to be enabled, and clearly it wasn't required when that guide was first written, I'll have to read through the thread.
>
> Did you change the firewall rule so it only routed traffic from your VOIP server? Following the guide exactly would indeed route all your traffic via the VPN.
> Also make sure the VPN gateway is not set as default and that the correct outbound NAT rules are in place after you switch to AON.
>
> Steve
>
> Edit: OK the AON requirement is explained here.

The VPN gateway isn't set as default; default would be the PPPoE connection to my ISP on the WAN interface. After some OpenVPN changes mentioned in the same thread, it's now required to switch to AON to make all your LAN traffic route through the VPN. The only problem I face is to route everything over WAN but just VoIP traffic through the VPN.

I haven't changed any firewall rules; I tried to create a few but they didn't work. I will need to try to edit the default LAN to any rule to route using WAN and LAN to VoIP server using VPN, will let you know if that works.

What I wanted to know is, once I switch to AON, do I need to create rules there to route differently?

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
> It's doable.  Pick your voip adapter, run siproxd and have the outgoing interface point to the vpn interface.  In other words, create an interface and assign the openvpn tunnel to it.  You'll have more flexibility with the way it's set up.

If I do this, how do I still stop the rest of the LAN traffic going through the VPN?

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
When you switch to AON the existing auto rules should be filled in for you. If you then subsequently add any further interfaces you will have to manually add rules.
If you post some screen shots I'm sure we can resolve this for you.

If it is a problem with the remote VPN network pushing a new default route to you then you should be able to see that change in Diagnostics: Routes: in the GUI.

Steve
« Last Edit: May 01, 2012, 06:41:38 am by stephenw10 »

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
I managed to get it up and routing properly:

enabled AON
in Rules, edited the default LAN to any rule and set it to the WAN gateway
created a new rule under LAN for LAN to SIP server IP and set it to the VPN gateway

This did it for me, but some other issues came up.

Under Floating I have 2 rules for LAN to SIP server and SIP server to LAN without any gateway specified but given the VoIP queue so the traffic shaper can prioritize that. But after setting this VPN up, I only see the qVoIP on LAN getting populated and the upload goes to the default qP2P instead of the qVoIP on WAN. Any fix for that so this VoIP over VPN goes to the proper up and down qVoIP queue?
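The rule set described in this post (the edited LAN to any rule pointed at the WAN gateway, a LAN to SIP server rule pointed at the VPN gateway, plus the outbound NAT entries Steve mentioned after switching to AON) as a small Python model of pfSense policy routing. This is an added example, not code from the thread or from pfSense; the LAN subnet, the VoIP server address, the gateway names and the interface names are constructed. The model keeps only the two behaviours that matter here: rules on an interface tab are evaluated top-down with the first match winning, and a rule with a gateway set sends matching traffic out that gateway's interface regardless of the routing table.

```python
import ipaddress

# Constructed values: LAN subnet, the VoIP server's public address, and the
# gateway-name -> egress-interface mapping pfSense would hold for WAN and VPN.
LAN_NET = "192.168.1.0/24"
SIP_SERVER = "203.0.113.50"
GATEWAYS = {"WAN_PPPOE": "pppoe0", "VPN_GW": "ovpnc1"}


def make_rule(src, dst, gateway=None):
    """One pass rule on the LAN tab: source net, destination net, optional gateway."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "gateway": gateway}


def egress(rules, src_ip, dst_ip, default_iface="pppoe0"):
    """Interface a LAN packet leaves on.

    pfSense evaluates an interface tab top-down and the first matching rule wins.
    A rule with a gateway set becomes pf 'route-to' for that gateway, so the
    packet bypasses the routing table; without one, the routing table (here the
    default route via the WAN) decides.  No match at all is the implicit deny.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"]:
            return GATEWAYS[rule["gateway"]] if rule["gateway"] else default_iface
    return None


def nat_applied(nat_rules, iface, src_ip):
    """With AON enabled, traffic leaving an interface is only translated if an
    outbound NAT rule exists for that interface and source; otherwise it leaves
    with its private LAN source address and replies never come back."""
    s = ipaddress.ip_address(src_ip)
    return any(n["iface"] == iface and s in n["src"] for n in nat_rules)


# The order that worked in the thread: the VoIP rule above the edited catch-all.
RULES_OK = [
    make_rule(LAN_NET, SIP_SERVER + "/32", gateway="VPN_GW"),
    make_rule(LAN_NET, "0.0.0.0/0", gateway="WAN_PPPOE"),
]
# Reversed: the catch-all shadows the VoIP rule and nothing ever uses the VPN.
RULES_SHADOWED = list(reversed(RULES_OK))

# Outbound NAT after switching to AON: one entry per egress interface.
NAT_RULES = [
    {"iface": "pppoe0", "src": ipaddress.ip_network(LAN_NET)},
    {"iface": "ovpnc1", "src": ipaddress.ip_network(LAN_NET)},
]


def plan(rules, nat_rules, src_ip, dst_ip):
    """(egress interface, NAT rule present) for one LAN flow."""
    iface = egress(rules, src_ip, dst_ip)
    return iface, bool(iface) and nat_applied(nat_rules, iface, src_ip)


if __name__ == "__main__":
    for label, rules in (("ok", RULES_OK), ("shadowed", RULES_SHADOWED)):
        print(label, "voip ->", plan(rules, NAT_RULES, "192.168.1.20", SIP_SERVER),
              "web ->", plan(rules, NAT_RULES, "192.168.1.20", "198.51.100.10"))
```

Two things the model makes visible that the GUI does not: if the edited LAN to any rule sits above the SIP server rule, the SIP rule never matches and VoIP goes out the WAN like everything else, and if the ovpnc1 entry is missing from the AON table, VoIP is routed into the tunnel but leaves untranslated.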

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11914
  • Karma: +468/-15
Reading through this:
http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
and then this:
http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

It would appear that the reason your routing table is being overwritten is due to the advanced command in the openvpn client setup: redirect-gateway def1
Assuming you copied this from the StrongVPN guide.

First check that your routing table is being changed as I outlined in my previous post. Then try removing this command and recheck.
If this successfully prevents your default route changing then you can remove the gateway settings from the 'lan to any' rule.

Steve

Offline xbipin

  • Hero Member
  • *****
  • Posts: 1631
  • Karma: +6/-0
Well I didn't, I use the below commands only:

fast-io;route-delay 2;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;

ExpressVPN gave me an .ovpn file with the below contents, so could you recommend which commands I should use out of them?

Code:
dev tun
fast-io
#proto tcp-client
persist-key
persist-tun
replay-persist cur-replay-protection.cache
nobind
remote canada-cluster.expressnetwork.net 1194
remote canada-cluster2.expressnetwork.net 1194
remote canada-cluster3.expressnetwork.net 1194
remote canada-cluster4.expressnetwork.net 1194
remote-random
pull
# Use compression
comp-lzo
# Strong encryption
tls-client
tls-remote server
ns-cert-type server
tls-auth ssl/ta.key 1
verb 3
cert ssl/client.crt
key ssl/client.key
ca ssl/ca.crt

route-method exe
route-delay 2

tun-mtu 1500
fragment 1300
mssfix 1450
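Two checks from this thread as an added Python example (not code from the thread, from pfSense or from ExpressVPN): Steve's suggestion to look at Diagnostics: Routes for a pushed default route, and the question of which directives in a provider's .ovpn file can change the pfSense routing table. The `netstat -rn` sample and the .ovpn excerpt are constructed. `redirect-gateway def1` is detected by the 0.0.0.0/1 and 128.0.0.0/1 routes it installs (they cover every address and win over `default` on prefix length without replacing it); `pull` is flagged when `route-nopull` is absent, `route-nopull` being the OpenVPN client option that accepts pushed options except routes (it is not mentioned on the page).

```python
import re

# Constructed IPv4 section of `netstat -rn` on pfSense (FreeBSD) after an OpenVPN
# client applied `redirect-gateway def1`: the two /1 routes via ovpnc1 cover every
# address and win over `default` on prefix length.  Addresses are made up.
SAMPLE_ROUTES_HIJACKED = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0.0.0.0/1          10.8.0.5           UGS         0        0 ovpnc1
default            203.0.113.1        UGS         0    12345 pppoe0
10.8.0.1           10.8.0.5           UGHS        0        0 ovpnc1
128.0.0.0/1        10.8.0.5           UGS         0        0 ovpnc1
192.168.1.0/24     link#2             U           0      987    em1
"""

# Constructed excerpt in the style of a provider-supplied .ovpn file.
SAMPLE_OVPN = """\
dev tun
pull
remote vpn.example.net 1194
# provider template: send everything through the tunnel
redirect-gateway def1
route-method exe
verb 3
"""

IFACE_RE = re.compile(r"^[a-z_]+\d+$")  # pppoe0, ovpnc1, em1, tun0, ...


def parse_routes(netstat_text):
    """Parse the IPv4 ('Internet:') section of `netstat -rn` into dicts."""
    routes, in_inet = [], False
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        fields = line.split()
        if not in_inet or len(fields) < 3 or fields[0] == "Destination":
            continue
        # Column layout differs between FreeBSD releases (Refs/Use were dropped
        # later), so locate the interface by shape rather than by position.
        netif = next((f for f in fields[3:] if IFACE_RE.match(f)), None)
        routes.append({"dest": fields[0], "gateway": fields[1],
                       "flags": fields[2], "netif": netif})
    return routes


def default_route_netif(routes):
    """Interface of the `default` route, or None if there is none."""
    for r in routes:
        if r["dest"] in ("default", "0.0.0.0"):
            return r["netif"]
    return None


def check_default_route(routes, vpn_prefixes=("ovpnc", "tun")):
    """Report whether traffic 'to any' would leave through the VPN tunnel."""
    def is_vpn(netif):
        return netif is not None and netif.startswith(vpn_prefixes)

    default_if = default_route_netif(routes)
    halves = {r["dest"] for r in routes
              if r["dest"] in ("0.0.0.0/1", "128.0.0.0/1") and is_vpn(r["netif"])}
    def1 = halves == {"0.0.0.0/1", "128.0.0.0/1"}
    return {"default_netif": default_if,
            "default_replaced": is_vpn(default_if),   # plain redirect-gateway
            "def1_override": def1,                     # redirect-gateway def1
            "hijacked": is_vpn(default_if) or def1}


def parse_ovpn(text):
    """(directive, args) pairs from an .ovpn file; lines starting '#'/';' are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def parse_advanced_field(field):
    """pfSense's 'Advanced' box on the OpenVPN client page separates directives with ';'."""
    return [(c.split()[0], c.split()[1:]) for c in field.split(";") if c.strip()]


def audit_directives(directives):
    """Flag directives that let the VPN rewrite the pfSense routing table."""
    names = {d for d, _ in directives}
    findings = []
    if "redirect-gateway" in names:
        findings.append("redirect-gateway: client overrides the default route locally")
    if "pull" in names and "route-nopull" not in names:
        findings.append("pull without route-nopull: routes pushed by the server "
                        "(including a pushed redirect-gateway) are applied")
    if "route-method" in names:
        findings.append("route-method: Windows-only directive, does not apply on pfSense")
    return findings
```

Run against the advanced-field string from this thread (`fast-io;route-delay 2;verb 5;tun-mtu 1500;mssfix 1450;fragment 1300;persist-key;`) the audit returns nothing, which agrees with the reply that `redirect-gateway def1` was never used locally; the provider file on the page does carry `pull`, so a server-side push would still be applied, and that is what the routing-table check is there to catch.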