I am trying to get Opnsense to route certain IPs on my network to PIA VPN. I have the OpenVPN client set up and connected and assigned as a gateway. I can't get traffic from my LAN to the PIA Gateway. I looked at many guides and nothing. To verify, I check one of the "What's my IP" websites on the client I am trying to route and it shows my ISP's assigned address instead of the PIA address. Any suggestions as to what to look for and what I might be missing?
Pictures below:
Gateway info and state
(https://lh3.googleusercontent.com/RPQrYnqRTr2au1eQ5xXiJ2eQpw747HA5QQ7X91DhwcSWW27XVRvZHj8IxGcaXUsUzXuSSKCOrmFM_l2w_cr4Waqyj4Fbodbw4uR5UbWqDZohVngeNSE2UEBl6ly7WlDRWnB86U1rG-s=w2400)
Alias for the system I want to route. Once this starts working I will add more IPs
(https://lh3.googleusercontent.com/6te0jpBuI6bqi6ilo0uIXK3hra88REcPWUikRvy4ouqYBaBPWPaZNsm372yO3qpM3Ud2DbRReZDev98tL-hp-V98dVPhV3LYTY8sGnSvz7_v_XzbHG3bL7JcrbbqA2QzM0e_RJoGF8s=w2400)
Firewall -> NAT -> Outbound
(https://lh3.googleusercontent.com/UZk48tzFJCEKqkQB-kME_rN4Z9XRjpKRm4f1kTm1g0T2xKi4bt9nJUfxX_JMlqgOwUN2BWPyLFUMkjUeGHraFq2IovLlQ6zvHgsvdQf7xkZj99HRK2N-7bNhISqzBU0-G2Y6xNu-eFQ=w2400)
Firewall -> Rules -> Lan
(https://lh3.googleusercontent.com/2iMh8bqrsA6D1F2oNuuiX_1qMYORSH_RkCPAEur-_W_SiYYhZ0Dn0YC1qH9kRc7s_efqLESwnZKn8n_eFU97pJ4I2MhLhGQd78IcdUjtmvx9zXV4ON5MlfKUeFQSXwbw0cC9LqZOUMc=w2400)
VPN -> OpenVPN -> Clients -> Don't pull routes
(https://lh3.googleusercontent.com/p0O-oU8NF8Gi8J3w_UI3stN9mftL3igZp3_xT8E_5o-dECVDtf4qxp_VEgTEW7bQirspiJJAxDlYMwyrBYIN6BOSsYb8rDThzWf3V1TiDTyAudX0HnXyAGv35Da6OhdlmGHSWeFMtBI=w2400)
Followup 01-01-21
I see a few come across this post and have questions. First, if things don't work, post your config so people can help.
Since I posted this I noticed things I missed mentioning in the original post which I think will help.
First: Gateway Priority. Check it, and make sure your ISP's priority is higher than your VPN's priority. Higher means lower value. I now set my ISP Gateway priority to 250, and add 2 to any VPN added. Adjust as necessary.
(https://tinyurl.com/gatewaypriority)
Just an observation. When you set up PIA Wireguard (use Johnny's excellent script https://github.com/FingerlessGlov3s/OPNsensePIAWireguard (https://github.com/FingerlessGlov3s/OPNsensePIAWireguard)) a NAT Outbound Automatic rule is created. No need to do anything. However, if you do use OpenVPN then create a Hybrid as described in all the HowTos. I have both set up to test, and don't see any difference between the two. I do have to say Wireguard VPN performance on a standalone Linux system is better than Opnsense Wireguard. Probably the difference between Userspace and Kernel implementations.
(https://tinyurl.com/outboundhybrid)
Speaking of Wireguard, make sure when the interface is added you set the MSS (Maximum Segment Size) to 1380. Not sure why this isn't negotiated at connect time, but it's not and your performance will suffer. Johnny does mention this, but I wanted to reinforce the point.
(https://tinyurl.com/piawgmss)
Finally I want to mention the Kill Switch. Somehow I kept missing adding the tag to the LAN rule and matching the tag in the WAN Floating rule. You will probably have to hit the Advanced Show/Hide to see the field. Again I just wanted to reinforce this.
Create Local Tag in Lan rule for your Aliases
(https://tinyurl.com/createLocalTag)
Finally the Wan Floating Match Local Tag set to block VPN destined traffic if the VPN goes down.
Match Local Tag. Remember to click on Advanced Show/Hide
(https://tinyurl.com/matchlocaltag)
The Block Rule
(https://tinyurl.com/wanfloating)
Under Manual Outbound Nat Rules, the source should be the subnet, in this case 10.10.3.0/24.
Interface PIA_OVPN
Source 10.10.3.0/24
Then in your firewall rules, use PIA as the gateway under the LAN rule allowing traffic out. In other words PIA_VPN_Traffic as the source, destination any, and set the gateway to use PIA. This rule should be above the default allow all.
10.10.3.0/24 is my incoming OpenVPN (Opnsense OpenVPN server network) not the PIA Outgoing (Client) network. I have OpenVPN server setup so I can come into my network.
Okay, it should be your LAN subnet, whatever it is.
The source is the alias I created for the single address 192.168.1.235
I'm not sure then. I run the same setup except a few differences not worth mentioning.
Looks like when I set up any Outbound NAT rule to PIA_VPN it fails. Any help with this setup?
bump
So if I understood correctly PIA_VPN_Traffic is the IP_addresses that should go to VPN, the rest should go over WAN. On high level it should be like this:
WAN outbound:
Interface: PIA_OPVN_VPNV4, Source PIA_VPN_Traffic - allow everything from IPs to go over VPN
Interface: WAN, Source: Any (or LAN) - Allow everything else to go to WAN
LAN rules:
Protocol IPv4 (both tcp/udp), Source: PIA_VPN_Traffic, Gateway: PIA_OPNVPN_VPNV4
Protocol IPv4 (both tcp/udp), Source: LAN, Gateway: WAN_DHCP
First rule routes the PIA_VPN_Traffic IPs' traffic over the PIA VPN GW. Second rule routes the rest from LAN to the WAN_DHCP GW. Note that here the rule order matters; it takes the first rule first and matches, then the next, etc.
Paul,
Thanks for the update. But isn't what you described how I have things setup? Can you see the screen shots I posted?
Not sure what the one rule to port 500 does, but yes, looks correct (I have set it the other way around; specific IPs go to WAN, others to VPN). I would maybe specify LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.
Try checking "Skip rules when gateway is down" under Firewall->Settings->Advanced and "Gateway monitoring". If you read it, it behaves like an anti-kill switch and I noticed many times devices established routes over the WAN gw before the VPN GW came up -> stayed on that until I did a manual firewall reset.
After that try putting your laptop into PIA_VPN_Traffic list; do you get IP from DHCP, and if you do can you do a dns lookup? If you can then doesn't ipleak.net show correct aka PIA IP?
Port 500 is usually for IPsec. If you are using OpenVPN you shouldn't need it.
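A small model of the rule ordering and the tag-based kill switch discussed above (s4rs's follow-up and paul_a2's reply), added here as an example and not code from this thread or from OPNsense. The LAN subnet is assumed, and the gateway-down handling assumes the behaviour described by the "Skip rules when gateway is down" setting text (rule kept without its gateway by default, whole rule omitted when ticked):

```python
"""Model the thread's LAN policy-routing rules and tag-based kill switch.

Added example, not OPNsense code. Rules are evaluated first-match, in the
order posted above: a LAN rule sending alias members to the PIA gateway
and tagging them, a default allow rule, and a floating WAN rule blocking
tagged traffic. Gateway-down handling is an assumption taken from the
OPNsense setting text: by default the LAN rule is kept without its
gateway; with "Skip rules when gateway is down" the whole rule is omitted.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed values: the alias member from the thread and an assumed LAN subnet.
PIA_VPN_TRAFFIC = {ipaddress.ip_address("192.168.1.235")}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class LanRule:
    name: str
    sources: object               # set of addresses (alias) or an ip_network
    gateway: Optional[str]        # "PIA" or None for the default route (WAN)
    tag: Optional[str] = None     # local tag matched by the floating rule

    def matches(self, src):
        return src in self.sources


LAN_RULES = [
    LanRule("PIA_VPN_Traffic -> PIA", PIA_VPN_TRAFFIC, "PIA", tag="PIA_ONLY"),
    LanRule("default allow LAN", LAN_NET, None),
]


def floating_wan_block(tag):
    """Floating rule on WAN: block anything that carries the kill-switch tag."""
    return tag == "PIA_ONLY"


def route_packet(src, vpn_up, skip_when_down):
    """Return the egress a packet from src gets: 'PIA', 'WAN' or 'BLOCKED'."""
    src = ipaddress.ip_address(src)
    for rule in LAN_RULES:
        if not rule.matches(src):
            continue
        gateway = rule.gateway
        if gateway == "PIA" and not vpn_up:
            if skip_when_down:
                continue      # whole rule omitted: fall through to the next rule
            gateway = None    # rule kept without gateway: default route, tag stays
        if gateway == "PIA":
            return "PIA"
        # Default route leaves via WAN, where the floating rule sees the tag.
        return "BLOCKED" if floating_wan_block(rule.tag) else "WAN"
    return "BLOCKED"          # implicit default deny


if __name__ == "__main__":
    for up, skip in ((True, False), (False, False), (False, True)):
        print(f"vpn_up={up} skip_when_down={skip}:",
              route_packet("192.168.1.235", up, skip))
```

With the tagging rule omitted entirely, the alias member falls through to the default allow rule untagged and leaves via WAN, which is why a separate block rule for that alias on WAN is a useful belt-and-braces check.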
Quote from: paul_a2 on October 10, 2020, 08:00:00 PM
Not sure what the one rule to port 500 does, but yes, looks correct (I have set it the other way around; specific IPs go to WAN, others to VPN). I would maybe specify LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.
In addition to what has already been stated, is the Deny PIA_Traffic to WAN really necessary? Don't see that you have any logging enabled and that would be the same as default deny all traffic, no? If you change the source to LAN Net instead of your alias does it work?
Quote from: l0stnyc on October 11, 2020, 12:14:53 AM
In addition to what has already been stated, is the Deny PIA_Traffic to WAN really necessary? Don't see that you have any logging enabled and that would be the same as default deny all traffic, no? If you change the source to LAN Net instead of your alias does it work?
Thanks for the comments. The Deny PIA_Traffic to WAN is supposed to block PIA_Traffic from going out the WAN if the PIA VPN goes down.
I have logging turned on for the PIA rules but never see anything. I tried any for PIA and it doesn't work. Still going over the WAN. It's as if the PIA Manual rules are not being implemented. Any other suggestions?
(https://lh3.googleusercontent.com/-tmCMLxWsmYEbcIYtiyLbPhaSk9WH6XwNcOqgv94eH5t5UCUGTfhIc2jtBnrZkV2yZE7CeAHbE0DF2Dymru9yCa4gwySjO0o1RObGL-Q6ntPSTF9hUTuB1VCCDH95gVlYHINEV-oprM=w2400)
This is a manual which I used to do what you want to achieve:
https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/ (https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/)
It's for pfSense but it's really easy to adapt it.
Quote from: Gauss23 on October 14, 2020, 04:29:31 PM
This is a manual which I used to do what you want to achieve:
https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/ (https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/)
It's for pfSense but it's really easy to adapt it.
I went through the guide and it was the same as other guides I have followed. Anyway, it's working. I think the key was, after changes, I did a refresh from VPN -> OpenVPN -> Connection Status -> Restart. All my other attempts I would go to VPN -> OpenVPN -> Clients -> PIA stop start. Thanks everyone for your support.
I think I am having the same problem that you were having. Trying to setup PIA for a small group of IPs...
Opnsense establishes the connection with PIA (it seems fine here).
I have the LAN rule to send out traffic from those IPs to the PIA_gateway....
but when I do a traceroute it just times out... I am pulling my hair out with this. PIA doesn't have an OPNsense guide... they should...and I hope they will soon!
In the meantime...any ideas? Your post is the most recent I could find...I tried some older posts/guides.. but they just don't work. I am running 20.7.4 like you are.
You need an Outbound NAT rule on the VPN Interface to masquerade outgoing traffic with the ip address of your VPN interface
Quote from: Gauss23 on October 30, 2020, 05:50:10 AM
You need an Outbound NAT rule on the VPN Interface to masquerade outgoing traffic with the ip address of your VPN interface
It's hard to figure out your issue without seeing your config. I posted images of my config which I think is accurate. If you can post yours we can try to figure this out. Just remember when you make changes, for sanity's sake bounce the interface like I described. I am sure this is what fixed my issue.
@s4rs, @Gauss23,
You both are right... I need to post my config... I have tried restarting the connection via VPN - OpenVPN - Connection Status - Restart each time I make a change... but I can't get this connection to do much other than time out... but if I disable the "PIA_traffic" Rule, the Linux box doesn't time out... it goes to the WAN (not what I want... but it works via the WAN).
Here are my screenshots:
PIA VPN Connection:
last screenshot of the VPN connection
Firewall - NAT - OUTBOUND
FIREWALL - RULES - LAN
Firewall: Aliases
VPN - OPENVPN - CONNECTION STATUS
Interfaces: Diagnostics: Trace Route
Please have a look at your NAT rule:
On the PIA_VPN interface you have a rule that has a source of PIA_Traffic but you translate the source to the WAN address, why?
It should be the IP of the PIA interface
I did have it like that...but I was messing with it to try and get the traceroute to do something (using a ubuntu box to test)... however, I did change it...and still nothing.
Can you please show us your:
System: Routes: Status
and:
System: Gateways: Single
Sure! Lemme know what you think!
From my side it looks like there is something wrong with your gateway configuration.
I see PIA is telling your OPNsense that there is the network 10.x.x.0/24 with gateway 10.x.x.1 but in your gateway view it is thinking 10.18.110.2 is the gateway, which is wrong. I had this with NordVPN I think. On some servers the routing was a bit strange and I needed to remove the checkbox from "don't pull routes" from the OpenVPN client configuration (which might be problematic). You can try to remove it and check the routes and gateway again. I think the gateway should be 10.18.110.1.
So, I removed the check from "don't pull routes" ... how do the gateway IPs and routes look now? However, the VPN still doesn't work, and it breaks default internet connectivity.
Yes, internet connectivity was broken because PIA changed the default gateway.
Like I thought, the gateway was not ".2" but ".1".
Can you try to switch "don't pull routes" again and try to ping or traceroute something from the OPNsense? Seems as if there was something broken with NAT, but the box itself should then be able to send traffic through the tunnel.
You could add
pull-filter ignore redirect-gateway
to custom options. Internet should then still be working while the rest of the routes will be pulled. Please try.
And maybe send a screenshot of the OpenVPN interface assignment.
Ok... so, I unticked "Don't pull routes" and "Don't add/remove routes". Also, added "pull-filter ignore redirect-gateway;" to the advanced option of the client config... disabled the PIA VPN service and then re-enabled it.
traceroute still times out from OPNsense... attached are the VPN config and the interface config for PIA.
I found this....
https://github.com/opnsense/core/pull/4433
I wonder if it would fix my problem?
Seems like OpenVPN is broken in OPNsense?
What do you think?
Possible, one last guess, did you try to tick "Dynamic Gateway" on the interface settings page? Maybe that helps.
If I tick "Dynamic gateway policy", then the gateway goes "offline". So, I restart the connection... but the traceroute still doesn't go anywhere... just times out.
Quote from: Chrome on November 02, 2020, 03:11:30 AM
I found this....
https://github.com/opnsense/core/pull/4433
I wonder if it would fix my problem?
Seems like OpenVPN is broken in OPNsense?
What do you think?
If you ssh into the opnsense console and do a ping -S 10.8.110.<yourIP> google.com does it work?
I just ran into an interesting issue. I have a primary and backup Opnsense install. I upgraded the hypervisor on the primary and switched to the secondary. I set up PIA and ran into an issue. For some reason ICMP and UDP traffic is getting blocked on the LAN gateway address. TCP/IP traffic is fine. I found this since DNS lookups were failing but I could ping external IPs. I set up PiHole as a new DNS server, pointed the PIA systems to its IP and all is fine. Any idea what would cause the protocol block?
I never got this solved... ended up switching PIA to WireGuard... and haven't looked back.
I've got it running just like I did with PFSense..but only better, now using wireguard, which was one of my main reasons for switching.
There's a script to manage the PIA WireGuard tunnel for you. (Created by me)
This is what Chrome used to setup the PIA WireGuard ;)
https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
Jonny is right... the script is a beauty!
Get it ... and you won't want to deal with OPENVPN... WG just works, and its especially easy with the script.
What needs to be set up before trying the script? Do I remove all the PIA configuration I have? Can I pick the IPs that get pushed through WireGuard?
Before I try wireguard script I was wondering if anyone has an idea why I see this error when I select Don't pull routes?
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,route-gateway 10.11.112.1,topology subnet,ifconfig 10.11.112.3 255.255.255.0,auth-token'
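The PUSH_REPLY quoted above, parsed and filtered the way Gauss23's `pull-filter ignore redirect-gateway` suggestion works, as an added example (not code from this thread, OPNsense or OpenVPN). The pull-filter semantics follow the OpenVPN manual (prefix match, first matching filter wins, reject aborts the connection); the address extraction helper is this example's own:

```python
"""Parse an OpenVPN PUSH_REPLY and apply pull-filter rules to it.

Added example, not code from the thread or from OPNsense/OpenVPN. The
PUSH_REPLY text is the one quoted in the post above; pull-filter semantics
follow the OpenVPN manual (each pushed option is matched by prefix, the
first matching filter wins, 'reject' aborts the connection).
"""
import re

# Constructed input: the control message quoted in the post above.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,"
              "dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,"
              "route-gateway 10.11.112.1,topology subnet,"
              "ifconfig 10.11.112.3 255.255.255.0,auth-token")


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into its pushed options."""
    if not msg.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY message")
    return [o.strip() for o in msg[len("PUSH_REPLY,"):].split(",") if o.strip()]


def apply_pull_filters(options, filters):
    """filters: list of (action, text) with action in accept/ignore/reject.
    Returns (kept, ignored); a matching 'reject' raises, mirroring OpenVPN
    dropping the connection."""
    kept, ignored = [], []
    for opt in options:
        action = "accept"
        for act, text in filters:
            if opt.startswith(text):
                action = act
                break
        if action == "reject":
            raise ValueError(f"rejected pushed option: {opt}")
        (kept if action == "accept" else ignored).append(opt)
    return kept, ignored


def tunnel_addresses(options):
    """Return (client_address, route_gateway) from the pushed options.
    The gateway to use for policy routing is the route-gateway (.1),
    not the client's own ifconfig address (.3)."""
    client = gateway = None
    for opt in options:
        m = re.match(r"ifconfig (\S+) \S+$", opt)
        if m:
            client = m.group(1)
        m = re.match(r"route-gateway (\S+)$", opt)
        if m:
            gateway = m.group(1)
    return client, gateway


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY)
    # Keep the pushed routes and gateway, drop only the default-route override.
    kept, ignored = apply_pull_filters(opts, [("ignore", "redirect-gateway")])
    print("ignored:", ignored)
    print("client/gateway:", tunnel_addresses(kept))
```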
Quote from: s4rs on November 09, 2020, 09:50:09 PM
What needs to be set up before trying the script? Do I remove all the PIA configuration I have? Can I pick the IPs that get pushed through WireGuard?
You don't need to setup too much before running the script...the README tells you everything you need to know. If you have trouble, myself or Jonny can help.
Yes, it is essentially the same thing... I didn't remove anything I had set up for OpenVPN, I just set up WG... and made sure that my firewall rules directed traffic through the WG VPN... instead of the OpenVPN.
Just two different methods of transport... train vs plane.
You can still pick your IPs like you always have.... just direct them to WG instead of OPENVPN.
Quote from: s4rs on November 09, 2020, 09:52:20 PM
Before I try wireguard script I was wondering if anyone has an idea why I see this error when I select Don't pull routes?
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,route-gateway 10.11.112.1,topology subnet,ifconfig 10.11.112.3 255.255.255.0,auth-token'
I don't have the answer... but I do remember seeing those errors in my log as well.
It really seems like something is broken in 20.7.4 and the OpenVPN setup...
I isolated the issue with the Lan rule for PIA. It got corrupted somehow. I deleted it rebooted, recreated it and all is working now.
The icmp and udp issues still exist but everything else is working. I am redirecting DNS requests to a PiHole DNS
Quote from: s4rs on October 06, 2020, 11:20:12 PM
VPN -> OpenVPN -> Clients -> Don't pull routes
(https://lh3.googleusercontent.com/p0O-oU8NF8Gi8J3w_UI3stN9mftL3igZp3_xT8E_5o-dECVDtf4qxp_VEgTEW7bQirspiJJAxDlYMwyrBYIN6BOSsYb8rDThzWf3V1TiDTyAudX0HnXyAGv35Da6OhdlmGHSWeFMtBI=w2400)
In case anyone else stumbles upon having this issue.
The way the opnsense firewall works with openvpn and gateways, it uses the route_vpn_gateway environment variable to set the dynamic gw address - this requires that 'Don't pull routes' is unticked (enabled) and the 'Don't add/remove routes' option is disabled (ticked).
The 'Don't add/remove routes' option, if enabled, will override your global routing table to use the vpn gw as the default for all internet traffic.
So the opposite of what this picture is showing.
Otherwise what happens is the vpn client ip address is set as the gw, which won't allow the nat to send traffic from the clients via the vpn connection - as it has no way of routing traffic across.
You don't need to set the dynamic gateway in the interface of the vpn as the openvpn client program will set the correct gw address for you.
For me with Don't Pull Routes checked it all works. But I can test it like you suggested
I finally figured out my last issue. It appears in System->Settings->General->DNS Servers you should only have one override. I was adding one for WAN and one for PIA. When I removed the entry for PIA everything worked as expected.
Quote from: s4rs on November 12, 2020, 12:19:55 PM
For me with Don't Pull Routes checked it all works. But I can test it like you suggested
Hi s4rs,
I'm sorry to pester you on this but I wasn't clear on what you did to resolve this issue as a whole. I have the exact same issue as you and tried all manner of things to resolve it but with no luck.
I followed the pfsense guide on page one of this thread. I also found if you want to use system DNS override, add it to your ISP gateway and not the VPN gateway.
I would also do things in steps. First make sure your OpenVPN client connection is solid. Once connected, create the VPN gateway. Once that is done, do the routing. Every time you change routing, bounce the OpenVPN client. Connections are stateful so you need to bounce so the rule will take effect. Hope this helps.
I just came across this thread here because I also encounter strange routing problems as a VPN Client (PIA VPN).
Fixed the problem by adding this change here by hand in 20.7.5 -> https://github.com/opnsense/core/commit/0ad3ec432ff0d1ee45d9969424b7e5b19eb903e2
More about the issue -> https://github.com/opnsense/core/issues/4419
May it help one or the other!
Hi
I used Jason's script too, but I'm having issues routing devices through it.
I would like to pass through a few devices, and have set up an alias, but cannot work out how to route them through it.
How did you manage to get it working? Thanks!
Can you post your configuration?