Table of Contents
PFSense - VPN - OpenVPN - Troubleshooting - Traffic not flowing through VPN connection
Want specific clients to automatically go out the VPN Gateway, without having to configure them specifically.
This is done by using the IP address of the client to determine whether it should go out via the VPN.
Problem Statement
VPN interface is up.
Confirmed by many steps as shown below.
NAT is set up to use the VPN Gateway.
Firewall rule is configured to route specific Clients through the VPN Gateway.
Problem seems to be that routing is not working.
Check VPN Interface is UP
Check the Interface on the Dashboard.
It has an IP and is connected.
Check VPN Graph
On Dashboard, VPN graph shows mostly static up and down data.
Check VPN Gateway is Online
Navigate to Status → Gateways.
Shows the OpenVPN Gateway is Online.
Check VPN is UP
Navigate to Status → OpenVPN, shows the VPN is up.
Navigate to Diagnostics → Routes.
As can be seen, only the Monitor IP setup against OpenVPN is showing as connected to ExpressVPN Gateway.
NAT configured to use the VPN
Navigate to Firewall → NAT → Outbound.
A copy of the automatically created rule, LAN to WAN, and simply changing Interface to the VPN one.
Firewall Rules
Firewall rule configured to redirect specific clients out the VPN Gateway.
Navigate to VPN → OpenVPN → Clients.
ExpressVPN:
fast-io; persist-key; persist-tun; remote-random; pull; comp-lzo; tls-client; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; verb 3; sndbuf 524288; rcvbuf 524288
NornVPN:
tls-client; remote-random; tun-mtu 1500; tun-mtu-extra 32; mssfix 1450; persist-key; persist-tun; reneg-sec 0; remote-cert-tls server;
Private Internet Access:
persist-key persist-tun remote-cert-tls server reneg-sec 0
Custom Options:
fast-io; persist-key; persist-tun; remote-random; #pull; #route-nopull; comp-lzo; tls-client; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; verb 3; sndbuf 524288; rcvbuf 524288; resolv-retry infinite; #push "route 0.0.0.0 255.255.255.0 $1 1"; #push "route 0.0.0.0 255.255.255.0 0.0.0.0 1"; #push "route 0.0.0.0 255.255.255.255 0.0.0.0 1"; #push "redirect-gateway def1 bypass-dhcp"; #push "redirect-gateway def1"; #push "redirect-gateway"; #up "ROUTE add 10.145.0.0 mask 255.255.0.0 192.168.50.66"; #push "route 192.168.50.66 255.255.255.255"; #push "route 192.168.50.66 255.255.255.255 $1 1"; #route-nopull; #route 192.168.1.66 255.255.255.255; #route 192.168.50.66 255.255.255.255; #route 192.168.1.66 255.255.255.255 vpn_gateway; #route 192.168.50.66 255.255.255.255 vpn_gateway; #push "route 192.168.50.66 255.255.255.0"; #route 0.0.0.0 255.255.255.255 vpn_gateway;