One machine, the OpenVPN server, is a pfSense box (a VPS), so it is also the firewall.
The clients are Linux VPSes hosting services that must be reachable only over the VPN, by multiple desktop clients on the Internet.
Some services on the various VPSes also need certain ports to be reachable from the Internet via the VPN server/firewall IP.
Some services hosted on the VPSes need to reach the Internet on their own, without being tunneled through the VPN.
There are private DNS mappings pointing to the VPSes' private VPN addresses, and the DNS server is on the VPN itself.
Here are the relevant configuration files:
OPENVPN SERVER CONFIG
# OpenVPN server instance "server2" (pfSense-generated). Listens on UDP 1195 and hands out
# 10.0.3.0/24 to clients; the server side takes 10.0.3.1, the address the pushed DNS/NTP
# options and the client's routes point at.
dev ovpns2
# Debug-level logging; lower it once the routing question is settled.
verb 5
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
# Privilege drop after startup is commented out, so the daemon keeps its initial user/group.
# NOTE(review): presumably left disabled by the pfSense generator — confirm this is intended.
#user nobody
#group nobody
# Level 3 allows the external hook scripts below to run and lets passwords be passed to
# scripts through environment variables.
script-security 3
daemon
# Ping the peer every 10 s, declare it dead after 60 s without traffic.
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-GCM
auth SHA256
# Hook scripts run by the server: link up/down, per-client connect/disconnect, learned routes.
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh dada-cloud.vpn"
# Bind-address placeholder, redacted by the author before posting.
local PUBLIC IP OF THE OPENVPN SERVER
# OpenSSL engine backed by the CPU's RDRAND instruction.
engine rdrand
tls-server
# Tunnel pool 10.0.3.0/24; with "topology subnet" (below) the server is 10.0.3.1 and
# clients receive addresses in the same /24.
server 10.0.3.0 255.255.255.0
# NOTE(review): fe80::/10 is the IPv6 link-local range; using it as a routed tunnel prefix
# here (and in the pushed route-ipv6 below) is unusual — confirm this is intended.
server-ipv6 fe80:1::/64
client-config-dir /var/etc/openvpn-csc/server2
# The authenticated username, not the client certificate's CN, identifies the client
# (and is what the client-config-dir lookup uses).
username-as-common-name
# External user/password authentication via the auth-script plugin; the value after
# "user" was redacted by the author (HIDDEN=).
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user HIDDEN= false server2 1195
# pfSense's TLS verification script; appears to check the peer certificate name and depth.
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsense-openvpn-server-cert' 1"
lport 1195
management /var/etc/openvpn/server2.sock unix
max-clients 5
# Pushed to every client: the other VPS subnet via the tunnel, plus DNS/NTP/domain on the
# server's tunnel address. No redirect-gateway is pushed, so a client's Internet traffic is
# expected to stay on the client's own default route.
push "route 10.0.2.0 255.255.255.0"
push "route-ipv6 fe80::/64"
push "dhcp-option DOMAIN dada-cloud.vpn"
push "dhcp-option DNS 10.0.3.1"
push "register-dns"
push "dhcp-option NTP 10.0.3.1"
# Traffic between connected clients is routed inside the OpenVPN process rather than being
# handed to the tun interface, so it is not seen by the host (pfSense) firewall rules;
# keep that in mind when restricting access between the VPSes.
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
# Control-channel HMAC key, direction 0 on the server; clients must use key-direction 1.
tls-auth /var/etc/openvpn/server2.tls-auth 0
# Cipher negotiation list in preference order. A client whose own list lacks AES-128-GCM
# (as the client profile posted below does) ends up on AES-128-CBC, not GCM.
ncp-ciphers AES-128-GCM:AES-128-CBC
persist-remote-ip
# Accept authenticated packets from a changed peer address (client roaming / NAT rebinding).
float
topology subnet
fast-io
# 2 MiB socket buffers.
sndbuf 2097152
rcvbuf 2097152
# OpenVPN client profile for one Linux VPS (CentOS 7 per the post), with the CA, client
# cert/key and tls-auth key inlined (redacted as HIDDEN).
dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
# Only AES-128-CBC is offered for negotiation, so against the server's
# "AES-128-GCM:AES-128-CBC" list the session settles on CBC despite "cipher AES-128-GCM"
# above. NOTE(review): add AES-128-GCM to this list if GCM is actually wanted.
ncp-ciphers AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
# Placeholder for the server's public address; port and protocol match the server's
# lport/proto.
remote OPENVPN.SERVER.IP.ADDRESS 1195 udp
# Pin the server certificate name (the same value the server's tls-verify uses).
verify-x509-name "pfsense-openvpn-server-cert" name
# Username/password are read from vpnlogin.conf; it holds a live credential, so it should
# be readable only by the user that runs openvpn.
auth-user-pass vpnlogin.conf
# Require the server certificate to carry the server key usage, so a client certificate
# cannot be presented as the server.
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
HIDDEN
-----END PRIVATE KEY-----
</key>
# Must be the opposite of the server's tls-auth direction (the server uses 0).
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HIDDEN
-----END OpenVPN Static key V1-----
</tls-auth>
# Debug log level and 2 MiB socket buffers, mirroring the server.
verb 5
fast-io
sndbuf 2097152
rcvbuf 2097152
# No redirect-gateway or extra routes are configured here, and the server pushes only
# 10.0.2.0/24, so this VPS keeps its own default route via eth0 (see "ip route show" below).
# ip route show
default via VPS.PUBLIC.GATEWAY.ADDRESS dev eth0
10.0.2.0/24 via 10.0.3.1 dev tun0
10.0.3.0/24 dev tun0 proto kernel scope link src 10.0.3.2
VPS.GATEWAY.ADDRESS/26 dev eth0 proto kernel scope link src VPS.PUBLIC.IP
169.254.0.0/16 dev eth0 scope link metric 1002
# cat /etc/resolv.conf
nameserver 10.0.3.1
nameserver 8.8.8.8
nameserver 8.8.4.4
And this is what I really don't get:
# Name resolution tries nameserver 10.0.3.1 (reachable over tun0) first, then 8.8.8.8 and
# 8.8.4.4, per resolv.conf; the echo requests themselves follow the default route via eth0,
# not the tunnel.
ping www.google.com
# -I tun0 binds the socket to the tunnel interface, so the requests are sourced from
# 10.0.3.2 and leave via tun0 even though the routing table has no Internet route through
# it (only 10.0.2.0/24 and 10.0.3.0/24). NOTE(review): presumably this only works when the
# server forwards and NATs 10.0.3.0/24 towards the Internet, as it apparently does for the
# redirect-gateway instances — confirm on the pfSense side.
ping -I tun0 www.google.com
# 10.0.3.1 is the server's tunnel address (also the pushed DNS/NTP server); it is on-link
# via the 10.0.3.0/24 route on tun0.
ping 10.0.3.1
I think the problem is on the client side (CentOS 7), because I have other OpenVPN servers running on the same box that do redirect all client traffic: on clients whose default route points to the VPN gateway, they surf the net via the VPN and "ping -I tun0 www.google.com" works as expected. So why isn't "ping -I tun0" working when I don't redirect the default gateway?