[Solved] OPNsense 20.7.3 and PIA VPN

Started by s4rs, October 06, 2020, 11:20:12 PM

Quote from: s4rs on November 09, 2020, 09:52:20 PM
Before I try the WireGuard script, I was wondering if anyone has an idea why I see this error when I select Don't pull routes?

Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,route-gateway 10.11.112.1,topology subnet,ifconfig 10.11.112.3 255.255.255.0,auth-token'

I don't have the answer... but I do remember seeing those errors in my log as well.

It really seems like something is broken in 20.7.4 and OpenVPN setup...

November 09, 2020, 10:26:19 PM #46 Last Edit: November 09, 2020, 11:41:59 PM by s4rs
I isolated the issue with the LAN rule for PIA. It got corrupted somehow. I deleted it, rebooted, recreated it, and all is working now.

The ICMP and UDP issues still exist but everything else is working. I am redirecting DNS requests to a PiHole DNS.

November 12, 2020, 09:20:19 AM #47 Last Edit: November 13, 2020, 12:30:39 PM by djbmister
Quote from: s4rs on October 06, 2020, 11:20:12 PM

VPN -> OpenVPN -> Clients -> Don't pull routes



In case anyone else stumbles upon having this issue.

The way the OPNsense firewall works with OpenVPN and gateways, it uses the route_vpn_gateway environment variable to set the dynamic gw address - this requires that the 'Don't pull routes' is unticked (enabled) and the 'Don't add/remove routes' option is disabled (ticked).

'Don't add/remove routes' option, if enabled, will override your global routing table to use the VPN gw as the default for all internet traffic.

So the opposite of what this picture is showing.

Otherwise what happens is the VPN client IP address is set as the gw, which won't allow the NAT to send traffic from the clients via the VPN connection - as it has no way of routing traffic across.

You don't need to set the dynamic gateway in the interface of the VPN as the OpenVPN client program will set the correct gw address for you.

For me with Don't Pull Routes checked it all works. But I can test it like you suggested.

I finally figured out my last issue. It appears in System->Settings->General->DNS Servers you should only have one override. I was adding one for WAN and one for PIA. When I removed the entry for PIA everything worked as expected.

Quote from: s4rs on November 12, 2020, 12:19:55 PM
For me with Don't Pull Routes checked it all works. But I can test it like you suggested.

Hi s4rs,

I'm sorry to pester you on this but I wasn't clear on what you did to resolve this issue as a whole. I have the exact same issue as you and tried all manner of things to resolve it but with no luck.

I followed the pfsense guide on page one of this thread. I also found if you want to use system DNS override, add it to your ISP gateway and not the VPN gateway.

I would also do things in steps. First make sure your OpenVPN client connection is solid. Once connected, create the VPN gateway. Once that is done, do the routing. Every time you change routing, bounce the OpenVPN client. Connections are stateful, so you need to bounce so the rule will take effect. Hope this helps.

I just came across this thread because I also encountered strange routing problems as a VPN client (PIA VPN).
Fixed the problem by adding this change by hand in 20.7.5 -> https://github.com/opnsense/core/commit/0ad3ec432ff0d1ee45d9969424b7e5b19eb903e2

More about the issue -> https://github.com/opnsense/core/issues/4419

Maybe it helps one or another!

Hi

I used Jason's script too, but I'm having issues routing devices through it.

I would like to pass through a few devices, and have set up an alias, but cannot work out how to route them through it.

How did you manage to get it working? Thanks!