OpenVPN
Assigned Interfaces
While not strictly necessary, it is possible to assign individual interfaces for OpenVPN servers and clients alike. However, doing so may yield unexpected behaviour of firewall rules. Most notably, rules created on an assigned interface of an OpenVPN Roadwarrior server are created with the reply-to directive by default, which breaks client connectivity.
Tip
In cases as described above, it can be observed that incoming traffic matches and passes the corresponding firewall rule, but reply traffic is never sent back to the connected client. This can be verified via the Web GUI by going to
and optionally by performing a packet capture on the affected interface.
There are multiple ways to fix this problem. For most setups, it will be sufficient to disable the automatically created IPv4 and IPv6 Gateways under
reply-to directive to rules created on the interface, and client connectivity will be restored.
Another option is to manually select the option “Disable Reply-To” on each firewall rule you generate on the assigned interface. See Rules for further details.
The third option is to globally disable the generation of reply-to completely as described in (Advanced) Settings. However, this method can break Multi-WAN setups.
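To check from a shell which loaded rules still carry the directive, before and after applying one of the fixes above, the following added example (not part of the original documentation) filters the text output of pfctl -sr. It assumes OpenVPN devices are named ovpns<N> or ovpnc<N> and that the option is printed in the single-gateway form reply-to (<device> <gateway>); the function names and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example: list pass rules on OpenVPN devices that carry reply-to.
# Input : pf rules in the text form printed by `pfctl -sr`, on stdin.
# Output: one line per match: "<device> <gateway> <rule label or ->"
find_ovpn_reply_to() {
    awk '
    $1 == "pass" {
        dev = ""; gw = ""; label = "-"
        for (i = 2; i < NF; i++) {
            # First "on <device>" names the interface the rule is bound to.
            if ($i == "on" && dev == "") dev = $(i + 1)
            # Assumed print form: reply-to (<device> <gateway>)
            if ($i == "reply-to") { gw = $(i + 2); sub(/\)$/, "", gw) }
        }
        # Take the first quoted label so the rule can be found again later.
        if (match($0, /label "[^"]*"/))
            label = substr($0, RSTART + 7, RLENGTH - 8)
        # Assumption: OpenVPN devices are named ovpns<N> / ovpnc<N>.
        if (gw != "" && dev ~ /^ovpn[sc][0-9]+$/) print dev, gw, label
    }'
}

# Constructed sample rules (not taken from a real firewall). Only the first
# line is the problematic case; the reply-to on igb0 is the kind of rule a
# Multi-WAN setup depends on and must not be reported.
sample_rules() {
    cat <<'EOF'
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.2) inet from any to any flags S/SA keep state label "constructed-rule-1"
pass in quick on ovpns1 inet proto tcp from any to any port = 22 flags S/SA keep state label "constructed-rule-2"
pass in quick on igb0 reply-to (igb0 192.0.2.1) inet proto udp from any to (self) port = 1194 keep state label "constructed-rule-3"
block drop in log on ovpns1 inet all label "constructed-rule-4"
EOF
}

# On the firewall itself:   pfctl -sr | find_ovpn_reply_to
# Offline with the sample:  sample_rules | find_ovpn_reply_to
```

An empty result after disabling the gateways or setting "Disable Reply-To" on the rule indicates that no rule on the OpenVPN interface carries the directive any more.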