Netgate Discussion Forum

    Why assign an OpenVPN connection as its own interface?

    oldschoolrouterjockey

      My goal is to have 2 OpenVPN connections on my SG1100, a server for my remote clients and a netgate client to an external VPN service (ExpressVPN, Nord, etc). I also have 2 different internal LANs on my netgate a "secure" one (LAN) and an "insecure" one (OPT), where I wish the secure one to route out to the internet via the WAN connection and for the insecure one to route to the internet via the external OpenVPN connection.

      I created the local OpenVPN server first, and my remote clients connected fine and can access anywhere they need to, local resources as well as through to the internet via local WAN. I allowed any/any on the OpenVPN section under Firewall but I've not assigned any OpenVPN connection to be its own interface yet.

      Then I set up the external OpenVPN connection and it came up fine to the provider, but then my remote clients of the netgate OpenVPN server could connect but couldn't route anywhere.

      Would assigning interfaces for each OpenVPN connection fix this? If so, what should I do with that "allow any/any" rule that is sitting under Firewall->OpenVPN right now? Delete that or change it to something else or just delete it?

      Finally, where do I configure things to make the OPT network users route to the internet via the OpenVPN external service?

      TIA!

        DaddyGo @oldschoolrouterjockey

        @oldschoolrouterjockey said in Why assign an OpenVPN connection as its own interface?:

        Would assigning interfaces for each OpenVPN connection fix this? If so, what should I do with that "allow any/any" rule that is sitting under Firewall->OpenVPN right now? Delete that or change it to something else or just delete it?

        Hi,

        As I can see there are a lot of wounds in this setup or you need to work on your pfSense knowledge and everything will be fine... 😉

        1. point: for the OVPN server, use this guide and you won't need to get an interface for.....: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html
        (but I think this is pretty much done, it just needs to be refined)

        2. point: for the external VPN provider(s) use this description(s), they are all pretty much the same:

        • https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark
        • https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm
        • https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

        here you need to assign an interface to route the traffic this is also the answer to point 3.

        1. something like this (GW on SSVPN):
          [screenshots]

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

          oldschoolrouterjockey @DaddyGo

          @daddygo ah oh thanks. as you said, I already had points 1 and 2 completed.

          BUT as soon as I activated the OpenVPN client in my Step 2 to connect to my external service, then my remote clients that I had working after step 1, all stop routing. Even adding the interface to the external OpenVPN service doesn't help those remote clients to start working again. They can connect OK, but just cannot route to anywhere.

            DaddyGo @oldschoolrouterjockey

            @oldschoolrouterjockey said in Why assign an OpenVPN connection as its own interface?:

            They can connect OK, but just cannot route to anywhere.

            on the server, configure the local networks you want to reach....
            (or where you want to route clients exactly?)

            [screenshot]

              oldschoolrouterjockey

              @daddygo what I have done is check that "Redirect IPv4 Gateway" box so as to force all client-generated IPv4 traffic through the tunnel. When I do that the "IPv4 Local network(s)" option disappears (for good reason).

                oldschoolrouterjockey @oldschoolrouterjockey

                OK so I figured out the last parts to make this all work:

                • disable automatic route entries under the external VPN provider's OVPN config
                • had to add an outbound NAT entry for the internal network that I want to use the VPN provider

                thanks for the guidance on setting the external ovpn provider as its own interface, and leaving the local server w/o an interface, that was another part I was missing.
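
A simplified model of the two fixes listed in the post above, added here as an example that is not from the thread or from pfSense itself. The networks, addresses, interface names (`ovpns1`, `ovpnc1`) and the premise that the provider pushes `redirect-gateway def1` routes are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed sample networks and interface names (assumptions, not from the thread).
BASE = [("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan"),
        ("192.168.2.0/24", "opt"), ("10.0.8.0/24", "ovpns1")]
# Assumption: the provider pushes "redirect-gateway def1", which installs
# two /1 routes that beat the /0 default on longest-prefix match.
PULLED = [("0.0.0.0/1", "ovpnc1"), ("128.0.0.0/1", "ovpnc1")]
REMOTE_CLIENT, OPT_HOST, LAN_HOST = "10.0.8.2", "192.168.2.10", "192.168.1.10"

def table_lookup(table, dst):
    """Longest-prefix match over (network, interface) pairs."""
    hits = [(ip.ip_network(n), i) for n, i in table
            if ip.ip_address(dst) in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def forward(src, dst, table, policy, nat):
    """Return (egress interface, usable). A firewall rule with a gateway
    (policy routing) overrides the table; traffic leaving an external
    interface is usable only if an outbound NAT entry covers its source."""
    iface = next((gw for net, gw in policy
                  if ip.ip_address(src) in ip.ip_network(net)), None)
    if iface is None:
        iface = table_lookup(table, dst)
    if iface in ("wan", "ovpnc1"):
        usable = any(i == iface and ip.ip_address(src) in ip.ip_network(net)
                     for net, i in nat)
    else:
        usable = True  # local segment, no NAT needed
    return iface, usable

# Before: routes pulled from the provider, outbound NAT exists only on WAN.
NAT_BEFORE = [(n, "wan") for n, i in BASE if i != "wan"]
# After: automatic routes disabled on the client ("Don't pull routes"),
# OPT policy-routed to the VPN gateway, and an outbound NAT entry for OPT
# on the VPN interface.
POLICY_AFTER = [("192.168.2.0/24", "ovpnc1")]
NAT_AFTER = NAT_BEFORE + [("192.168.2.0/24", "ovpnc1")]

def scenario(src, dst="198.51.100.7"):
    """Compare the same flow before and after the two fixes."""
    before = forward(src, dst, BASE + PULLED, [], NAT_BEFORE)
    after = forward(src, dst, BASE, POLICY_AFTER, NAT_AFTER)
    return before, after

if __name__ == "__main__":
    for host in (REMOTE_CLIENT, LAN_HOST, OPT_HOST):
        print(host, *scenario(host))
```

In this model the pulled /1 routes send every source, including the remote-access clients, into the provider tunnel where no NAT entry covers them; after the change only the OPT network leaves via the tunnel.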

                  DaddyGo @oldschoolrouterjockey

                  @oldschoolrouterjockey said in Why assign an OpenVPN connection as its own interface?:

                  OK so I figured out the last parts to make this all work:

                  I knew it was all there in the descriptions, but if you work hard to succeed, you'll know how to do it next time 😉 😉 😉

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.