OpenVPN Client always the default gateway

Started by simonwoodhall, March 04, 2023, 04:05:19 PM

Hi all,

I've got a single WAN connection and an OpenVPN client interface connecting to a VPN provider, which I only wish to use for specific firewall rules by changing the Gateway in the rule.

No matter what I do, the OpenVPN client ends up being the default route, so I have to actually specify the WAN connection gateway on all the rules that I don't want to go over the OpenVPN connection.

I have set the WAN gateway priority to 1 and also set it as the upstream gateway, then set the OpenVPN client gateway priority to 255. Even with this configuration, the OpenVPN client gateway gets to be the default route.

Am I missing something obvious or can anyone offer advice on this?

OPNsense 23.1.1_2-amd64

Many thanks

Further clarification on this, if I look in the routing table, the correct pppoe WAN gateway has the destination 'default', but any firewall rules using gateway 'default' end up going out the OpenVPN client gateway.

Did you do a reboot or kill states? Maybe there are active states in use, routed over the wrong GW.
Can you provide screenshots of your ruleset?
i am not an expert... just trying to help...

Thanks for getting back to me. The issue persists after reboot, I have tried several times.

Attached screenshots of gateways, routes and LAN rules. If I leave any outgoing rules on the 'default' gateway, they go out via the VPN gateway, which is why they are all directly specified to use the pppoe WAN interface per rule currently. It works as is, but causes problems for other things like acme renewal, etc.

0.0.0.0/1 in routing table looks strange. I remember we had this some days or weeks ago. Not sure what the reason was, but the solution was to set up the VPN from scratch, if I remember correctly.
i am not an expert... just trying to help...

Why is there a schedule for default allow LAN?
i am not an expert... just trying to help...

Thanks. I'll try re-creating the VPN profile and report back. The schedule is there to stop all general internet access overnight from 23:00, but it's not a factor in the issue, as I had the same behaviour before I added that schedule.

Hi. Have you found a solution to this problem? I have an identical problem with identical symptoms, but it only affects one of the two VPN clients. One VPN client is a commercial service and works correctly, i.e. it does not force being the default gateway. When you restart OPNsense, everything turns on and connects as it should. However, when I add an additional VPN client that connects to my own server abroad, the problems described in this thread begin. One of the annoying things is that after restarting OPNsense the first client (commercial) will not connect properly. You need to turn off client no. 2 (which usually connects faster than client 1 and becomes the default gateway - but it shouldn't!), restart client no. 1 and only then start no. 2. Then it works fine until one of the servers goes down. It looks like the first VPN client is trying to connect through the gateway created by client no. 2. This server is blocking the UDP port on which client no. 1 is running, but changing the port to TCP 443 makes client no. 1 work properly.
For now, I have moved client no. 2 to another device and defined this device as a gateway in OPNsense. This is a workaround, so I am interested in solving this problem in a proper way.

Came across this one looking for something else. But you probably don't have these options enabled / checked:
- Don't pull routes
- Don't add/remove routes

This will cause the OpenVPN connection to insert itself into the OPNsense routing table and this can cause a real mess.
Check these and then the OpenVPN connection will only be used if you explicitly route traffic to it.
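The 0.0.0.0/1 entry noticed earlier in the thread and the "Don't pull routes" advice above are two sides of the same mechanism, so here is one worked illustration for both. An OpenVPN server that pushes "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; together they cover the whole address space with a longer prefix than the /0 'default', so longest-prefix matching sends everything through the VPN while the GUI still shows 'default' pointing at the PPPoE gateway. This script is an added example, not something posted in the thread or shipped with OPNsense: it parses a netstat -rn style table, performs the same longest-prefix lookup the kernel does, and flags the /1 pair. The routing tables, addresses and interface names (pppoe0, ovpnc1, igb1, 203.0.113.1, 10.8.0.1) are all constructed for the demonstration.

```python
import ipaddress

# Constructed sample modelled on the symptom in this thread (not a real capture):
# 'default' points at the PPPoE WAN gateway, but the OpenVPN client (ovpnc1)
# has pulled the two /1 routes that "redirect-gateway def1" installs.
ROUTES_WITH_PULLED_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      pppoe0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
10.8.0.2           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U          igb1
203.0.113.1        link#8             UHS      pppoe0
"""

# Constructed view of the same box after the client is told not to pull routes:
# only the tunnel subnet itself remains, so 'default' is again the only way out
# and the VPN carries only traffic a firewall rule explicitly sends to it.
ROUTES_WITHOUT_PULLED_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      pppoe0
10.8.0.0/24        link#7             U        ovpnc1
10.8.0.2           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U          igb1
203.0.113.1        link#8             UHS      pppoe0
"""


def parse_routes(text):
    """Parse the IPv4 entries of a 'netstat -rn' table into (network, gateway, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, _flags, netif = parts[:4]
        try:
            # Host routes carry no mask; strict=False lets ip_network accept them as /32.
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue  # header line or a non-IPv4 entry
        routes.append((net, gw, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific matching route wins, as in the kernel."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def find_split_default(routes):
    """Return interfaces that hold both 0.0.0.0/1 and 128.0.0.0/1.

    The two halves cover every IPv4 address with a /1 prefix, so they beat the
    /0 default without ever replacing it. That is the 'redirect-gateway def1'
    signature and the reason 'default' looks correct while traffic leaves via VPN.
    """
    halves = {}
    for net, _gw, netif in routes:
        if net.prefixlen == 1:
            halves.setdefault(netif, set()).add(str(net))
    return sorted(n for n, h in halves.items() if h == {"0.0.0.0/1", "128.0.0.0/1"})


if __name__ == "__main__":
    for label, text in (("routes pulled", ROUTES_WITH_PULLED_ROUTES),
                        ("don't pull routes", ROUTES_WITHOUT_PULLED_ROUTES)):
        routes = parse_routes(text)
        net, gw, netif = lookup(routes, "198.51.100.5")
        print(f"{label}: split default on {find_split_default(routes) or 'none'}; "
              f"198.51.100.5 -> {net} via {gw} on {netif}")
```

With the /1 pair present, any public address resolves to ovpnc1 even though the 'default' line points at pppoe0; without them the same lookup falls through to the real default. On a live firewall the same check can be run against the output of netstat -rn to confirm whether a client is still pulling routes.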

Quote from: wojdae on September 01, 2023, 12:05:33 PM
Hi. Have you found a solution to this problem? I have an identical problem with identical symptoms, but it only affects one of the two VPN clients. [...]

I didn't, but ended up switching to using WireGuard to connect to the VPN provider and haven't had the issue since. Pretty sure I did have 'Don't pull routes' enabled though when I was using OpenVPN.