Overlapping routes

[lordlukan 3]

I have 3 AirVPN connections established in Pfsense. Each connection is to a different server on a different port (all UDP). With 2 connections, the clients are assigned different addresses on different subnets (10.4.x.x and 10.30.x.x). However, adding the third client assigns an address in the same subnet as one of the other clients. Is this avoidable? Error from openvpn log is

ERROR: FreeBSD route add command failed: external program exited with error status: 1

However, the connection is established and appears to work. DNSleaktest shows only 2 DNS servers and not 3.

 

**Update**

Changing one client to TCP fixed this. All have different IP's on different subnets

[NaDre 159]

I have 3 AirVPN connections established in Pfsense. Each connection is to a different server on a different port (all UDP). With 2 connections, the clients are assigned different addresses on different subnets (10.4.x.x and 10.30.x.x). However, adding the third client assigns an address in the same subnet as one of the other clients. Is this avoidable? Error from openvpn log is

ERROR: FreeBSD route add command failed: external program exited with error status: 1

However, the connection is established and appears to work. DNSleaktest shows only 2 DNS servers and not 3.

 

**Update**

Changing one client to TCP fixed this. All have different IP's on different subnets

 

 

I trust you realize that only one interface can be the default gateway at a time? If each connection adds routing table entries with a 128.0.0.0 net mask, it is unclear which interface will be used by default. You probably want to add 4 entries with a 192.0.0.0 net mask to determine clearly which interface is to be the default gateway.

 

To avoid sub-net overlaps you can use the "--client-nat snat|dnat network netmask alias" OpenVPN directive. See the man page. The problem is you need to know the local IP address (as seen by the server) before you start the connection. Can you write your own script for running OpenVPN on pfSense? You may need to abandon the GUI interface. If so, you can run OpenVPN once with the "--ifconfig-noexec" directive, generate the needed additional configuration directives in an "--up" script using the ifconfig_local and route_vpn_gateway environment variables, and then make the real connection. I do this in Windows in order to have multiple connections using UDP. The additional directives I generate are like this:

pull-filter ignore topology 
pull-filter ignore dhcp-option 
pull-filter ignore route-gateway 
pull-filter ignore ifconfig 
client-nat snat 10.88.2.2 255.255.255.255 10.4.12.103 
client-nat dnat 10.88.2.1 255.255.255.255 10.4.0.1 
ifconfig 10.88.2.2 10.88.2.1

The value 10.4.12.103 came from ifconfig_local and the 10.4.0.1 value came from route_vpn_gateway.

 

In BSD (which pfSense is), in order to use an interface that is not the default gateway, you will have to set up "source address routing", and bind programs to the non-default interface. Some methods for doing this in BSD (using "setfib", "ipfw" and "pf") are discussed here:

 

https://airvpn.org/topic/21340-airvpn-tor-obfs4-bridges/?p=58426

[lordlukan 3]

Thanks NaDre. I found the answer here:

https://airvpn.org/specs/

Each port uses a different subnet and DNS server. My setup had two different ports, but were using the same subnet and DNS servers (2018 & 41185). I have corrected this now.