# OpenVPN routing issues



## cybersans (Aug 5, 2021)

So SirDice, in your opinion, what should I do to the routing table so that FreeBSD can access the internet via OpenVPN tun0, while accepting incoming connections from the internet to eth0?

For your information, eth0 is connected to the internet via a gateway that has incoming port forwarding of some ports to the FreeBSD's eth0.
When the openvpn command is launched, the FreeBSD machine connects to the internet through tun0 while blocking incoming internet access to eth0, which then only allows incoming connections from the LAN.

I already viewed the routing table via netstat -rn and I couldn't notice which line should be removed.

I don't have any problem with Windows OpenVPN. In Windows, I can connect to the VPN and use the VPN internet connection while accepting incoming connections from the internet to the LAN via port forwarding.

Thank you
sans


----------



## PMc (Aug 5, 2021)

From my knowledge, OpenVPN does not do such a thing, except when specifically configured.

And even if you don't understand the routing table, you can compare it (with and without OpenVPN running) and see what changes. You also could go through your OpenVPN config options and read in the docs which of them might influence the routing. (I do not care what Windows does or does not do, because I dumped MS-DOS in 1990, when there was no Windows yet.)

I am running a similar configuration: an instance that has a native connection to the internet, plus two OpenVPN tunnels which also connect it to the internet (via different paths). I do not subscribe to the view of SirDice that such things could be achieved with the routing table; instead I resorted to `ipfw fwd`.


----------



## covacat (Aug 5, 2021)

You can probably do that with setfib.
E.g. have all your externally accessible services have a default route to your home router (fib=1);
run said daemons via setfib.

fib=0: default route via tun0.
Also set a /32 route to your OpenVPN server via the home router.


----------



## covacat (Aug 5, 2021)

```
FBSD                                   ROUTER

ETHER-192.168.1.5-----------------------192.168.1.1----- // INTERNET // -------------OPENVPN SERVER

    TUN0-10.9.2.7------------------------------------------------------------------------10.9.2.8
```
I assume you have a setup like the above.
You can also use ipfw fwd and forward any packet originating on 192.168.1.5 to 192.168.1.1 and forget about FIBs.
You still need the /32 route to the OpenVPN server via 192.168.1.1.


----------



## cybersans (Aug 5, 2021)

Dear all,

It seems like my reply from some topic has been moved here. Never mind, I'll continue.

covacat: to answer your question;
eth0: 10.10.10.10, GW 10.10.10.1, and the GW has an inbound port forward, let's say port 22, to eth0. It works fine when OpenVPN is not connected.

When tun0 is up, I can't access the port forward from outside anymore. I already viewed the routing table and it seems I don't know what caused that.

Which one should I change so that the port forwarding to eth0 works while I can access the outbound internet via tun0? The routing table?
And why does the OpenVPN config.ovpn simply block the incoming to eth0 from the internet? This does not happen while using Windows (OpenVPN GUI).

Are there any settings I need to change in config.ovpn? Or does the OpenVPN binary have its own config to be set?

Thank you
sans


----------



## covacat (Aug 5, 2021)

cybersans said:


> Dear all,
> 
> It seems like my reply from some topic has been moved here. Never mind, I'll continue.
> 
> ...


Probably OpenVPN pushes a default route through the VPN tun device.
You need to either set an alternate default route and use FIBs, setting the FIB in rc.conf with sshd_fib="1" (read about routing and FIBs),
or use ipfw or pf to forward any packet from 10.10.10.10 to 10.10.10.1:

```
ipfw add 99 skipto 101 ip from 10.10.10.0/24 to 10.10.10.0/24 via eth0
ipfw add 100 fwd 10.10.10.1 ip from 10.10.10.10 to any
```


----------



## cybersans (Aug 5, 2021)

covacat said:


> Probably OpenVPN pushes a default route through the VPN tun device.
> You need to either set an alternate default route and use FIBs, setting the FIB in rc.conf with sshd_fib="1" (read about routing and FIBs),
> or use ipfw or pf to forward any packet from 10.10.10.10 to 10.10.10.1:
> ipfw add 99 skipto 101 ip from 10.10.10.0/24 to 10.10.10.0/24 via eth0
> ipfw add 100 fwd 10.10.10.1 ip from 10.10.10.10 to any


Do you mean forwarding the packet from eth0 to the gateway, or from the gateway to eth0?
Can you advise how to put this inside pf.conf?

Anyway, I am using pf as a firewall. Thank you.


----------



## covacat (Aug 5, 2021)

Any packet originating on eth0 should be forwarded to the GW.
No idea what the pf syntax is for this.

It seems to be route-to.
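As an added example that is not from any post in this thread, here is a pf.conf fragment for the setup cybersans describes. It uses pf's `reply-to` so that answers to connections that arrived on eth0 (the port-forwarded ssh) are sent back to the LAN gateway rather than following the OpenVPN-pushed default route down tun0. The interface names, addresses and port 22 are taken from the posts; the default-deny inbound policy is an assumption.

```pf
# Added example, not from the thread. Assumed setup (from the posts):
# eth0 = 10.10.10.10 on the LAN, home router 10.10.10.1 forwards TCP/22 to
# this host, and OpenVPN has made tun0 the default route.
ext_if  = "eth0"
vpn_if  = "tun0"
lan_net = "10.10.10.0/24"
lan_gw  = "10.10.10.1"
me      = "10.10.10.10"

set skip on lo0

# Default deny inbound (assumed policy); replies flow through state entries.
block in log all

# Port-forwarded ssh arriving on eth0: reply-to pins the return traffic of
# this state to the LAN gateway, so it leaves via eth0 instead of taking
# the default route through tun0. Without this the SYN/ACK goes down the
# tunnel and the connection never completes.
pass in quick on $ext_if reply-to ($ext_if $lan_gw) inet proto tcp \
    from any to $me port 22 flags S/SA keep state

# LAN-local traffic stays on eth0 (same as covacat's ipfw skipto rule).
pass in quick on $ext_if inet from $lan_net to $me keep state
pass out quick on $ext_if inet from $me to any keep state

# Everything this host initiates follows the routing table, i.e. the VPN.
pass out quick on $vpn_if inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the default floating state policy is required for the reply-to state to match on the way out.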


----------



## cybersans (Aug 6, 2021)

covacat, well, I give up. I tried many things, including recompiling the kernel with ROUTETABLES=2 and sysctl net.fibs=2 and whatnot.

Didn't work.
I don't understand why the OpenVPN dialer alters the routing such that inbound connections to the ethernet fail. Supposedly it shouldn't disturb the access unless I specify it in the firewall.

So this is it. I'll just get used to it.


----------



## covacat (Aug 6, 2021)

```
sysctl net.fibs=2                              # two routing tables: fib 0 (default, tun0) and fib 1
setfib 1 route add 10.10.10.0/24 -iface eth0    # fib 1: the LAN is reachable directly on eth0
setfib 1 route add default 10.10.10.1           # fib 1: default route via the home router, not tun0
sshd_fib=1 /etc/rc.d/sshd restart               # run sshd in fib 1 so its replies go back via eth0
```
Try this from a root shell (assuming Bourne shell).


----------



## cybersans (Aug 6, 2021)

covacat, nice! Finally it works!

Anyway, for your information, the 1st line is already defined in /boot/defaults/loader.conf.

While issuing line 2: route already in table.
Line 3 was successful.
Line 4 is already specified in rc.conf.

Thank you
sans


----------

