Routing problems with OpenVPN: Issue with establishing or maintaining a stable connection.


Nashiko57
Senior Member
485
01-24-2016, 07:44 AM
#1
Hello everyone, I'm trying to improve my networking knowledge. My current configuration uses Internet → Pfsense with OpenVPN → Unifi USG. Everything works fine except for my OpenVPN setup. I can still connect and reach devices on the same subnet as the Pfsense router, but I need to forward all traffic from anyone using OpenVPN directly to the Unifi USG network. I suspect it might be a simple routing rule issue on the Pfsense side, but I'm not sure how to fix it. Any suggestions?

Vtcraft_PvP
Junior Member
38
02-03-2016, 12:22 PM
#2
You're puzzled about the presence of a Unifi USG, since pfSense already serves as a router and firewall. Setting up a double NAT there isn't ideal unless you configure it in bridged mode.

JXMESxD
Member
89
02-03-2016, 06:09 PM
#3
I have a clear strategy and the NAT problem is resolved. The main goal is to set up multiple servers at home while keeping my internal network separate, which I can achieve both physically and through virtual means.

Lagden404
Junior Member
36
02-10-2016, 06:02 AM
#4
Alrighty then. I don't have confidence in any of the answers I could provide you in regards to the issue at hand. It may be because I still don't fully understand what it is you're trying to do. I think I have an idea of what you're asking, though, and it does sound like a simple routing issue, but at the same time, if you set up a static route, how would the router distinguish between traffic destined for the immediate network vs. traffic going to the USG? A static route specifically for the OpenVPN service on pfSense I wouldn't know how to configure.

SrKaner
Member
222
02-13-2016, 04:49 AM
#5
You're aiming to have your pfSense firewall operate transparently only when connected via VPN. Once the VPN is active, traffic should automatically go through without any further inspection or blocking by pfSense.

Sandaletto01
Member
165
02-13-2016, 12:27 PM
#6
The OpenVPN client cannot obtain an address on the internal network when only connected to the USG. To resolve this, PFSense needs its own IP address on the internal network (behind the USG) so VPN clients can bypass it. However, this causes issues because regular internet traffic would route through the USG, leading to reverse path filtering that blocks the connection. Segmentation isn't feasible in this setup. Removing the USG would eliminate the problem. The main concern is maintaining control over who manages the PFSense while keeping certain access separate. You could either allow client IPs on the PFSense network with firewall rules or set up VPN on the USG and forward ports.
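
Post #4 asks how a router could tell USG-bound traffic from traffic for its own LAN once a static route exists, and post #6 says that giving pfSense a second leg on the internal network runs into reverse-path filtering. The following Python model is added here and is not from the thread; it shows both on a constructed topology (all addresses and interface names are assumptions): longest-prefix matching selects the static route only for the USG subnet, and a strict reverse-path check drops a reply that comes back through the USG instead of the direct leg.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

net = ipaddress.ip_network


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str                  # egress interface
    via: Optional[str] = None   # next-hop gateway; None means directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Return (egress interface, gateway) the router would use for dst."""
    r = lookup(table, dst)
    if r is None:
        raise LookupError(f"no route to {dst}")
    return r.iface, r.via


def urpf_accepts(table: List[Route], src: str, ingress: str) -> bool:
    """Strict reverse-path filtering: accept a packet only if the best route
    back to its source leaves through the interface it arrived on."""
    r = lookup(table, src)
    return r is not None and r.iface == ingress


# Constructed topology (assumed, not from the thread): pfSense has a WAN, a LAN
# 192.168.1.0/24 and the OpenVPN tunnel 10.8.0.0/24; the USG's WAN port sits at
# 192.168.1.2 on that LAN and the USG's own internal network is 10.0.0.0/24.
PFSENSE = [
    Route(net("0.0.0.0/0"), "wan", "203.0.113.1"),
    Route(net("192.168.1.0/24"), "lan"),
    Route(net("10.8.0.0/24"), "ovpn"),
]
# Static route for the USG network: it is more specific than the default route,
# so only traffic for 10.0.0.0/24 is handed to the USG; the rest is unaffected.
TO_USG = Route(net("10.0.0.0/24"), "lan", "192.168.1.2")
# Post #6's alternative: pfSense gets its own leg ("lan2") on the internal network.
PFSENSE_WITH_LEG = PFSENSE + [Route(net("10.0.0.0/24"), "lan2")]

if __name__ == "__main__":
    print(next_hop(PFSENSE, "10.0.0.5"))             # ('wan', '203.0.113.1'): wrong way
    print(next_hop(PFSENSE + [TO_USG], "10.0.0.5"))  # ('lan', '192.168.1.2')
    # An internal host answers a VPN client via its default gateway, the USG, so the
    # reply enters pfSense on "lan", not "lan2": strict reverse-path filtering drops it.
    print(urpf_accepts(PFSENSE_WITH_LEG, "10.0.0.5", "lan"))   # False
    print(urpf_accepts(PFSENSE_WITH_LEG, "10.0.0.5", "lan2"))  # True
```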