OPNsense Forum

English Forums => General Discussion => Topic started by: simonwoodhall on March 04, 2023, 04:05:19 PM

Title: OpenVPN Client always the default gateway
Post by: simonwoodhall on March 04, 2023, 04:05:19 PM
Hi all,

I've got a single WAN connection and an OpenVPN client interface connecting to a VPN provider, which I only wish to use for specific firewall rules by changing the Gateway in the rule.

No matter what I do, the OpenVPN client ends up being the default route, so I have to actually specify the WAN connection gateway on all the rules that I don't want to go over the OpenVPN connection.

I have set the WAN gateway priority to 1 and also to the upstream gateway, then set the OpenVPN client gateway priority to 255. Even with this configuration, the OpenVPN client gateway gets to be the default route.

Am I missing something obvious or can anyone offer advice on this?

OPNsense 23.1.1_2-amd64

Many thanks
Title: Re: OpenVPN Client always the default gateway
Post by: simonwoodhall on March 04, 2023, 04:53:53 PM
Further clarification on this, if I look in the routing table, the correct pppoe WAN gateway has the destination 'default', but any firewall rules using gateway 'default' end up going out the OpenVPN client gateway.
Title: Re: OpenVPN Client always the default gateway
Post by: tiermutter on March 04, 2023, 06:28:06 PM
Did you reboot or kill states? Maybe there are active states in use, routed over the wrong GW.
Can you provide screenshots of your ruleset?
Title: Re: OpenVPN Client always the default gateway
Post by: simonwoodhall on March 04, 2023, 07:30:09 PM
Thanks for getting back to me. The issue persists after reboot; I have tried several times.

Attached screenshots of gateways, routes and LAN rules. If I leave any outgoing rules on the 'default' gateway, they go out via the VPN gateway, hence why they are all directly specified to use the pppoe WAN interface per rule currently. It works as is, but causes problems for other things like acme renewal, etc.
Title: Re: OpenVPN Client always the default gateway
Post by: tiermutter on March 04, 2023, 07:59:21 PM
0.0.0.0/1 in routing table looks strange. I remember we had this some days or weeks ago. Not sure what the reason was, but the solution was to set up the VPN from scratch, if I remember correctly.
Title: Re: OpenVPN Client always the default gateway
Post by: tiermutter on March 04, 2023, 08:00:23 PM
Why is there a schedule for default allow LAN?
Title: Re: OpenVPN Client always the default gateway
Post by: simonwoodhall on March 05, 2023, 10:07:44 AM
Thanks. I'll try re-creating the VPN profile and report back. The schedule is there to stop all general internet access overnight from 23:00, but it's not a factor in the issue, as I had the same behaviour before I added that schedule.
Title: Re: OpenVPN Client always the default gateway
Post by: wojdae on September 01, 2023, 12:05:33 PM
Hi. Have you found a solution to this problem? I have an identical problem with identical symptoms, but it only affects one of the two VPN clients. One VPN client is a commercial service and works correctly, i.e. it does not force being the default gateway. When you restart opnsense, everything turns on and connects as it should. However, when I add an additional VPN client that connects to my own server abroad, the problems described in this thread begin. One of the annoying things is that after restarting opnsense the first client (commercial) will not connect properly. You need to turn off client no. 2 (which usually connects faster than client 1 and becomes the default gateway - but it shouldn't!), restart client no. 1 and only then start no. 2. Then it works fine until one of the servers goes down. It looks like the first VPN client is trying to connect through the gateway created by client no. 2. This server is blocking the UDP port on which client no. 1 is running, but changing the port to TCP 443 makes client no. 1 work properly.
For now, I have moved client no. 2 to another device and defined this device as a gateway in opnsense. This is a workaround, so I am interested in solving this problem in a proper way.
Title: Re: OpenVPN Client always the default gateway
Post by: Native2184 on June 10, 2024, 12:50:21 PM
Came across this one looking for something else. But you probably don't have these options enabled / checked:
- Don't pull routes
- Don't add/remove routes

This will cause the OpenVPN connection to insert itself into the OPNsense routing table and this can cause a real mess.
Check these and then the OpenVPN connection will only be used if you explicitly route traffic to it.
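Added example, not from this thread or from OPNsense itself: a small POSIX shell check for the 0.0.0.0/1 and 128.0.0.0/1 pair tiermutter noticed in the routing table. That pair is what an OpenVPN client installs when the server pushes redirect-gateway def1 and the 'Don't pull routes' option Native2184 describes is off; the two half-routes beat 'default' on prefix length, so rules on the 'default' gateway leave via the tunnel even though 'default' still shows the WAN. The netstat column layout and all route values below are constructed sample data.

```shell
#!/bin/sh
# Detect an OpenVPN "redirect-gateway def1" takeover in a FreeBSD/OPNsense
# routing table. Constructed sample in `netstat -rn -f inet` layout (column
# order is an assumption): 'default' points at the PPPoE WAN, but the two
# half-default routes via the OpenVPN client interface shadow it.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       pppoe0
0.0.0.0/1          10.8.0.1           UGS       ovpnc1
10.8.0.0/24        link#5             U         ovpnc1
127.0.0.1          link#2             UH        lo0
128.0.0.0/1        10.8.0.1           UGS       ovpnc1
192.168.1.0/24     link#3             U         igb1'

# def1_override_iface ROUTES
# Prints the interface that owns BOTH half-default routes and returns 0;
# returns 1 (prints nothing) when the default route is not being shadowed.
def1_override_iface() {
    lo=$(printf '%s\n' "$1" | awk '$1=="0.0.0.0/1"   {print $4; exit}')
    hi=$(printf '%s\n' "$1" | awk '$1=="128.0.0.0/1" {print $4; exit}')
    if [ -n "$lo" ] && [ "$lo" = "$hi" ]; then
        printf '%s\n' "$lo"
        return 0
    fi
    return 1
}

# default_iface ROUTES : interface of the real 'default' route
default_iface() {
    printf '%s\n' "$1" | awk '$1=="default" {print $4; exit}'
}

# Report the mismatch between what the table calls 'default' and where
# traffic on the 'default' gateway actually goes.
if iface=$(def1_override_iface "$SAMPLE_ROUTES"); then
    echo "default route is $(default_iface "$SAMPLE_ROUTES"), but 0.0.0.0/1 + 128.0.0.0/1 via $iface shadow it"
    echo "fix: enable 'Don't pull routes' (route-nopull) on the OpenVPN client, then kill states"
fi
```

On a live box replace SAMPLE_ROUTES with the output of `netstat -rn -f inet`; an empty result means the WAN default is genuinely in charge and the symptom is elsewhere (for example, stale states).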
Title: Re: OpenVPN Client always the default gateway
Post by: simonwoodhall on June 10, 2024, 05:39:09 PM
Quote from: wojdae on September 01, 2023, 12:05:33 PM
Hi. Have you found a solution to this problem? I have an identical problem with identical symptoms, but it only affects one of the two VPN clients. One VPN client is a commercial service and works correctly, i.e. it does not force being the default gateway. When you restart opnsense, everything turns on and connects as it should. However, when I add an additional VPN client that connects to my own server abroad, the problems described in this thread begin. One of the annoying things is that after restarting opnsense the first client (commercial) will not connect properly. You need to turn off client no. 2 (which usually connects faster than client 1 and becomes the default gateway - but it shouldn't!), restart client no. 1 and only then start no. 2. Then it works fine until one of the servers goes down. It looks like the first VPN client is trying to connect through the gateway created by client no. 2. This server is blocking the UDP port on which client no. 1 is running, but changing the port to TCP 443 makes client no. 1 work properly.
For now, I have moved client no. 2 to another device and defined this device as a gateway in opnsense. This is a workaround, so I am interested in solving this problem in a proper way.

I didn't, but ended up switching to using Wireguard to connect to the VPN provider and haven't had the issue since. Pretty sure I did have 'Don't pull routes' enabled though when I was using OpenVPN.