When I connect the OpenVPN client to Our PFSense OpenVPN server I have good routing to the remote network (at the server location) as expected, however default rout to the Internet is not working while OpenVPN client is connected.
It tries to route everything (except the VPN remote network) to the VPN connection and Internet/expected default route fails.
I do not have have not configured it to work this way.
The same .ovpn client files import and work on Windows OpenVPN client software and do not exhibit this problem.
While this problem is going on, Default route on the GL*inet router looks normal and like it should work but does not.
But when running a traceroute toward the Internet you can see it is trying to use the VPN connection instead of the default route.
The GL-Inet router is configured as a "repeater" STA mode getting it's WAN/Internet wirelessly from an upstream hotspot or Access Point.
And I am on the latest firmware: 4.3.17
Firmware Type
release2
Compile Time
2024-06-07 4:03:16(UTC+08:00)
Route table on GL-Inet Router:
root@GL-SFT1200:/tmp# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.20.20.1 0.0.0.0 UG 20 0 0 wlan-sta0
44.44.73.0 * 255.255.255.0 U 0 0 0 ovpnclient
172.20.20.0 * 255.255.255.0 U 20 0 0 wlan-sta0
192.168.8.0 * 255.255.255.0 U 0 0 0 br-lan
root@GL-SFT1200:/tmp#
Traceroute to and ping google DNS fails and ca see it shows first hop as trying to use the VPN connection:
root@GL-SFT1200:/tmp# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 44.44.73.1 (44.44.73.1) 27.812 ms 51.321 ms 22.685 ms
2 * * *
If turn off VPN client it works "normally".
And Internet works fine.
root@GL-SFT1200:/tmp# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 * * *
2 be-90-arsc1.pontiac.mi.michigan.comcast.net (68.87.191.193) 97.607 ms 18.264 ms 12.416 ms
OpenVPN client config details:
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote X.X.X.X 1194 udp4
nobind
verify-x509-name "test44" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
I tried "Allow Access WAN"
Reboot and still seeing same behavior.
Default route looks normal in the route table but it is still routing everything toward the VPN connection.
Still struggling getting this to work the way that I want it to.
Wireless interface is being used as the "WAN" connection to the Internet connecting to a wireless AP or hotspot.
I have a wireless "client PC" on the a wired ethernet LAN port of the router.
This gets a DHCP address on 192.168.8.0/24 (out of the box config).
Setting the global policy of "Allow Access WAN" Description: "If this option is enabled, while the VPN is connected, client devices will still be able to access WAN services, e.g. accessing your printer, NAS etc. in the upper subnet. "
This is not helping me.
In order for the client PC to be able to reach the far end VPN network I am using the "IP Masquerading" option in the VPN client settings.
This is so that the PC on 192.168.8.X can reach the far end VPN network.
The router itself (it's VPN tunnel address assigned when the VPN connection is up) can reach the far end VPN network just fine as expected. and the client PC on 192.168.8.X can also reach it just fine via masquerating of this address on the router.
The router itself can also of course reach the Internet just fine.
The problem is that the router is sending EVERYTHING to the VPN route.
I need it to send only traffic destined for the VPN network to the VPN router and everything else to the default (Internet) router and it clearly is not doing this.
I think the "allow access WAN" setting should be doing this and it is not.
Also setting masquerade (in the OpenVpn client settings) should only be masquerading traffic to the VPN route to the VPN not everything!
While masquerading everything else to the default route.
root@GL-SFT1200:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.20.20.1 0.0.0.0 UG 20 0 0 wlan-sta0
44.44.73.0 * 255.255.255.0 U 0 0 0 ovpnclient
172.20.20.0 * 255.255.255.0 U 20 0 0 wlan-sta0
192.168.8.0 * 255.255.255.0 U 0 0 0 br-lan
This may be a limitation in the Interface or the router..
Ideally I'd like to be able to Masquerade 192.168.8.x ---> to the VPN if destination address = remote VPN network.
While (separately maintaing masquerade to the Internet (WAN) if destination does not equal remote VPN network.
Another way to accomplish this would be to build a route to 192.168.8.0/24 at the VPN server back to the GL-SFT1200's specific VPN client address and turn on the "Allow Remote Access LAN" option here.
But man that's ugly!
I see what mess I got myself into here.
I'll probably figure it out eventually.
I need to both masquerade to the Internet for the default route- (this works with VPN off)
And separately masquerade to the remote VPN defined network range (if this is possible)
The router itself can reach the remote VPN network (via it's tunnel network)
The tunnel network is NOT the remote network.. So it's interface resides on the tunnel network.
But of course the actual remote network does not know how to get all the way back to 192.168.8.1 (on this router) with masquerading turned off on the VPN.
Crazy huh? I sort of know what I have to do to make it work, but pretty sure this is not available in the router interface.
Very helpful! I was able to get it working!
I didn't even realize the Global Proxy settings were there.
Simply had to define the remote subnet and masquerading.
-Steve
I'm also able to look in luci/advanced firewall and see what/how it was applied there.
Thanks!
This is my first time doing this with GL-inet router. so getting used to it a bit.