====== PFSense - VPN - OpenVPN - Troubleshooting - Traffic not flowing through VPN connection ======

Want specific clients to automatically go out the VPN Gateway, without having to configure each of them individually. This is done by using the IP address of the client to determine whether its traffic should go out via the VPN.

----

===== Problem Statement =====

  * VPN interface is up. Confirmed by the checks shown below.
  * NAT is set up to use the VPN Gateway.
  * Firewall rule is configured to route specific clients through the VPN Gateway.

Problem seems to be that routing is not working.

----

===== Check VPN Interface is UP =====

Check the Interface on the Dashboard. It has an IP and is connected.

{{:pfsense:openvpn:troubleshooting:pfsense_-_interfaces_-_expressvpn_-_france_-_1_-_connected.png?800|}}

----

===== Check VPN Graph =====

On the Dashboard, the VPN graph shows mostly static up and down data.

{{:pfsense:openvpn:troubleshooting:pfsense_-_interfaces_-_expressvpn_-_france_-_1_-_connected_-_graph.png?800|}}

----

===== Check VPN Gateway is Online =====

Navigate to **Status -> Gateways**. Shows the OpenVPN Gateway is Online.

{{:pfsense:openvpn:troubleshooting:pfsense_-_status_-_gateways_-_expressvpn_-_paris_-_1_-_connected.png?800|}}

----

===== Check VPN is UP =====

Navigate to **Status -> OpenVPN**. Shows the VPN is up.

{{:pfsense:openvpn:troubleshooting:pfsense_-_status_-_openvpn_-_expressvpn_-_paris_-_1_-_up.png?800|}}

----

===== Check Routes =====

Navigate to **Diagnostics -> Routes**. As can be seen, only the Monitor IP set up against OpenVPN is showing as routed via the ExpressVPN Gateway.

{{:pfsense:openvpn:troubleshooting:pfsense_-_dianostics_-_routes_-_expressvpn_-_only_monitor.png?800|}}

----

===== NAT configured to use the VPN =====

Navigate to **Firewall -> NAT -> Outbound**. The rule is a copy of the automatically created LAN-to-WAN rule, with only **Interface** changed to the VPN interface.

{{:pfsense:openvpn:troubleshooting:pfsense_-_firewall_-_nat_-_outbound_-_expressvpn_-_france_-_paris_-_1.png?800|}}

----

===== Firewall Rules =====

Firewall rule configured to redirect specific clients out the VPN Gateway.

----

===== OpenVPN Client Custom Options =====

Navigate to **VPN -> OpenVPN -> Clients**.

ExpressVPN:
<code>
fast-io;
persist-key;
persist-tun;
remote-random;
pull;
comp-lzo;
tls-client;
verify-x509-name Server name-prefix;
remote-cert-tls server;
key-direction 1;
route-method exe;
route-delay 2;
tun-mtu 1500;
fragment 1300;
mssfix 1450;
verb 3;
sndbuf 524288;
rcvbuf 524288
</code>

NordVPN:
<code>
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
</code>

Private Internet Access:
<code>
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
</code>

Custom Options (the commented-out lines are options that were tried and then disabled):
<code>
fast-io;
persist-key;
persist-tun;
remote-random;
#pull;
#route-nopull;
comp-lzo;
tls-client;
verify-x509-name Server name-prefix;
remote-cert-tls server;
key-direction 1;
route-method exe;
route-delay 2;
tun-mtu 1500;
fragment 1300;
mssfix 1450;
verb 3;
sndbuf 524288;
rcvbuf 524288;
resolv-retry infinite;
#push "route 0.0.0.0 255.255.255.0 $1 1";
#push "route 0.0.0.0 255.255.255.0 0.0.0.0 1";
#push "route 0.0.0.0 255.255.255.255 0.0.0.0 1";
#push "redirect-gateway def1 bypass-dhcp";
#push "redirect-gateway def1";
#push "redirect-gateway";
#up "ROUTE add 10.145.0.0 mask 255.255.0.0 192.168.50.66";
#push "route 192.168.50.66 255.255.255.255";
#push "route 192.168.50.66 255.255.255.255 $1 1";
#route-nopull;
#route 192.168.1.66 255.255.255.255;
#route 192.168.50.66 255.255.255.255;
#route 192.168.1.66 255.255.255.255 vpn_gateway;
#route 192.168.50.66 255.255.255.255 vpn_gateway;
#push "route 192.168.50.66 255.255.255.0";
#route 0.0.0.0 255.255.255.255 vpn_gateway;
</code>
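As an added example (not from this page's author and not pfSense's own tooling), the following Python script models how pf evaluates the policy-routing chain that the NAT and Firewall Rules sections above configure, and reports which link is missing for a given client. It takes text in the shape of ''pfctl -sr'' and ''pfctl -sn'' output; the samples embedded below are constructed, not captured from the firewall on this page, and the interface names ''em1'' (LAN) and ''ovpnc1'' (OpenVPN client), the gateway address ''10.8.0.1'' and the client ''192.168.1.66'' are assumptions. It relies on two pf facts: a matching ''quick'' rule ends evaluation, so a default allow-LAN rule placed above the VPN rule wins and the client silently takes the default route; and ''route-to'' policy routing never adds entries to the system routing table, which is why **Diagnostics -> Routes** showing only the Monitor IP via the VPN gateway is not by itself a fault.

```python
import ipaddress
import re

# Constructed sample output in the style of `pfctl -sr` on pfSense.
# NOT captured from the firewall described on this page; names are assumptions.
# Broken ordering: the default allow-LAN rule sits above the VPN rule.
RULES_BROKEN = """\
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.66 to any flags S/SA keep state label "USER_RULE: Route client via VPN"
"""

# Same rules with the VPN rule moved above the default rule.
RULES_FIXED = """\
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.66 to any flags S/SA keep state label "USER_RULE: Route client via VPN"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Constructed sample in the style of `pfctl -sn`: outbound NAT on WAN and on the VPN interface.
NAT_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535
"""

# Simplified pf rule grammar: action, direction, optional quick, interface,
# optional route-to (gw_if gw_ip), address family, source, destination.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in\s+(?P<quick>quick\s+)?on\s+(?P<ifname>\S+)\s+"
    r"(?:route-to\s+\(\s*(?P<gw_if>\S+)\s+(?P<gw_ip>[^)\s]+)\s*\)\s+)?"
    r"inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)
NAT_RE = re.compile(r"^nat\s+on\s+(?P<ifname>\S+)\s+inet\s+from\s+(?P<src>\S+)\s+to\s+\S+")


def covers(src, ip):
    """True if a pf source spec ('any', a host, or a CIDR) contains ip.
    Table references such as <name> cannot be resolved here and count as no match."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False


def winning_rule(rules_text, lan_if, client_ip):
    """Pick the rule pf would apply to traffic arriving on lan_if from client_ip.
    pf semantics: a matching 'quick' rule ends evaluation at once;
    without 'quick' the LAST matching rule wins."""
    winner = None
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["ifname"] != lan_if or not covers(m["src"], client_ip):
            continue
        winner = m.groupdict()
        if winner["quick"]:
            break
    return winner


def has_vpn_nat(nat_text, vpn_if, client_ip):
    """True if some outbound NAT rule on vpn_if translates traffic from client_ip."""
    for line in nat_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m["ifname"] == vpn_if and covers(m["src"], client_ip):
            return True
    return False


def diagnose(rules_text, nat_text, lan_if, vpn_if, client_ip):
    """Return a list of findings; an empty list means the policy-routing chain looks complete."""
    findings = []
    rule = winning_rule(rules_text, lan_if, client_ip)
    if rule is None:
        findings.append(f"no rule on {lan_if} matches {client_ip}")
    elif rule["action"] == "block":
        findings.append(f"{client_ip} is blocked on {lan_if}")
    elif not rule["gw_if"]:
        findings.append(
            f"{client_ip} first matches a rule without route-to (src {rule['src']}); "
            f"it follows the default route, so move the VPN rule above it"
        )
    elif rule["gw_if"] != vpn_if:
        findings.append(f"{client_ip} is policy-routed to {rule['gw_if']}, not {vpn_if}")
    if not has_vpn_nat(nat_text, vpn_if, client_ip):
        findings.append(f"no outbound NAT on {vpn_if} covers {client_ip}")
    return findings


if __name__ == "__main__":
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name, diagnose(rules, NAT_RULES, "em1", "ovpnc1", "192.168.1.66") or ["ok"])
```

On the firewall itself, feed the script real output (''pfctl -sr'' and ''pfctl -sn'' from **Diagnostics -> Command Prompt** or an SSH shell) instead of the constructed samples. After reordering or editing the rule, remember that existing states keep the path they were created with, so a client that was already talking to the Internet continues to use the WAN until its states are cleared (**Diagnostics -> States -> Reset States**) or it opens new connections.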